Archive for the ‘CyberWar’ Category
Operation: ROLLING THUNDER:
It has come to light that the GCHQ (The UK’s NSA) took action against Anonymous by DDoS as well as the use of HUMINT and malware attacks to attempt to dissuade them from further actions. While this may be a surprise to some it is just a matter of action and reaction in the hive mind of the IC. Of course at one time there may have been more trepidation about carrying out direct action against quote unquote “dissidents” as some may call Anonymous but those days are long gone and one of the primary reasons such actions are easily rationalized now is because of terrorism. Terrorism used to mean blowing things up or taking hostages but now, with the 5th domain of cyber, that equation has changed greatly in the eyes of the worlds governments. Of course in this case it was the British carrying out the covert actions against the anonymous servers and users and as many know the Brits don’t have the most stellar first amendment record (D orders) and have a different perspective on what people have the right to do or say that may be considered civil disobedience. However, I should like to point out that it is highly likely that the UK did not act alone here and that it is probable that the NSA and the UKUSA agreements were in play here as well. I once sat on a panel at Defcon where I warned that these types of tactics as well as others would be used by the governments of the world against the Anon’s if push came to shove and it seems that I was not far off the mark. We have crossed the Rubicon and we are all in a new domain where the rules are fluid.
Civil Disobedience vs. Criminality In Anon Actions:
Some have written that these actions now revealed by Snowden show that we are all in danger of censorship and of direct action if we say or do things online that a government or agency doesn’t like and they are correct. It really is a matter of dystopian nightmare import when one stops to think that these were not state actors nor really terrorists by definition (yet) that GCHQ and the JTRIG were carrying out netwar on. The rationale I am sure is that the C&C of Anon needed to be taken out because they were “attacking” sites with DDoS or other actions (hacking in the case of LulzSec) and thus were a clear and present danger to… Well… Money really. While some consider DDoS a form of civil disobedience others see it as a threat to the lifeblood of commerce as well as portents of larger attacks against the infrastructure of the internet itself or perhaps the power grid as we keep hearing about from sources who really haven’t a clue on how these things work. Sure, there were criminal actions taken by Sabu and others within the collective as well as the splinter cell that was LulzSec/Antisec but most of the activity was not anything that I would consider grounds for covert action. That the JTRIG not only used malware but also HUMINT and SIGINT (all things used in nation state covert collections and actions) shows that they were genuinely afraid of the Anon’s and Lulzers and that their only solution was to reciprocate with nation state tools to deny and disrupt their cabal. I think though that most of the aegis that the IC had though was the fact that they “could” do it all without any sanction against them because it was all secret and they hold the keys to all of the data. Of course now that is not the case and they should be held accountable for the actions they took just as the CIA has been or should have been in the past over say the covert action in Nicaragua. I don’t think this will happen though so what will really only come out of this revelation is more distrust of governments and a warning to Anonymous and others about their operational security.
Cyber Warfare and Law:
What this release shows though most of all is that the government is above the law because in reality there is very little real law on the books covering the 5th domain of cyberspace. As we have seen in the last few years there has been a rapid outpace of any kind of lawfare over actions taken in cyberspace either on the nation state level (think APT tit for tat) and criminal actions such as the target hack and all the carding going on. In the case of the US government the military has far outstripped the government where this is concerned with warfare units actively being formed and skills honed. All the while the government(s) has/have failed to create or edit any of the current law out there concerning cyber warfare in any consistent manner. So this leaves us with warfare capabilities and actions being carried out on a global medium that is not nation state owned but globally owned by the people. Of course this is one of the core arguments over the internet, it’s being free and a place of expression whereas corporations want to commoditize it and governments want to control it and make war with it. This all is muddled as the people really do not truly own the infrastructure corporations do and well, who controls what then without solid laws? Increasingly this is all looking more and more like a plot from Ghost in the Shell SAC with government teams carrying out covert actions against alleged terrorists and plots behind every bit passing over the fiber. The upshot though is that as yet the capacity to carry out actions against anyone the government see’s as a threat far outstrips the laws concerning those actions as being illegal just as much as the illegalities of actors like Anonymous. The current law is weak or damaged and no one has really stepped up in the US yet to fix even the CFAA in a serious way as yet.
Covert Actions, HUMINT, and SIGINT:
When I was on the panel at DEFCON I spoke of the governments and agencies likely using disinformation and other covert actions against the digital insurgency that they perceived was being levied against them. Now with the perspective of the Snowden collection it is plain to me that not only will the easily make the call to carry out actions against those they fear but also those actions are myriad. If you are going against the nation state by attacking it’s power elite or its interests expect the actions to be taken against you to be swift and unstoppable. In the case of the DDoS this was just a tit for tat disruptive attack that seemed to have worked on some. The other more subtle attacks of hacking via insertion of malware through phishing and intelligence gathering my using spiked links and leverage against providers shows how willing they were to effect their goals. Now consider all that we have learned from Snowden and conjure up how easy it is today with NSL letters and obfuscated secret court rulings on the collection of data wholesale from the internet and infrastructure.. You should be scared. Add to this the effect of the over-classification of everything and you have a rich environment for abuses against whomever they choose no matter how many in the IC say that they are to be trusted. The base fact is this; The internet is the new battlefield for war as well as espionage not just criminality and law enforcement actions. If you are considered a threat by today’s crazy standards of terrorism is everywhere, then you too can have your data held in Utah where someday someone could make a case against you. Some of that data may in fact come from direct covert actions against you by your government or law enforcement per the rules today as they stand.
The final analysis of this presentation that was leaked and the actions alleged to have been taken against Anonymous is that there is no real accountability and that secrecy is the blanket for covert action against non combatants in any war. We are in a new dystopian nightmare where cyberwar is concerned and there is a lot of fear on the governments part on attacks that could take down grids (misinformed ones really) as well as a ravening by some to be “in” on the ground level for carrying out such warfare. Without proper laws nationally and internationally as well as proper oversight there never will be an equitable solution to actions in cyberspace as either being criminal, grounds for war, or civil disobedience just as there will always be the high chance of reciprocity that far outstrips a common DoS. The crux here is that without the proper laws you as a participant of a DDoS could be sanctioned for attack and then over prosecuted for your actions as we have seen these last few years. Without a solid legal infrastructure and a Geneva Convention of sorts concerning cyber warfare, no one is safe. As an ancillary factor to this I would also say to all those in Anonymous and any other collectives that may rise you should be very careful and step up your OPSEC and technical security measures if you are going to play this game. As we have seen many of those key players in Anonymous and LulzSec were caught up with and are in legal trouble just as much as the guy who just decided to join a DoS for a minute and was fined a huge amount of money for his trouble. Remember, it’s all fun and games until the governments of the world decide that it’s not and want to squash you like a bug.
VQX HWMVCUSE JQJFASSNTG QV! X HQ JD ISIAVVE!
Face it.. We are all PWND six ways to Sunday
Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.
*ponder ponder ponder*
Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers I don’t think that we will not truly have any privacy anymore. If you place it on the net, or in the air. We have reached in my opinion the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.
As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all I have increasingly felt the 5 stages of grief. I had the disbelief (ok not completely as you all know but the scope was incredible at each revelation) Then the anger came and washed over me, waves and waves of it as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon though began to understand that no matter what I did with the tools out there that it was likely they had already been back door’d. This came to be more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security”
Over time the revelations have all lead to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do it would mean nothing to the rapidly approaching cyberpocalypse of our own creation arriving. ….In short, we can’t stop it and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.
I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.
OPSEC! OPSEC! OPSEC!
Speaking of losing one’s mind.. Lately people all have been yelling that OPSEC is the only way! One (the gruqq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies to just have a little privacy in our lives huh? I mean it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter but really, if you can’t shut yourself up that is your problem right? No, I speak of the every day email to your mom telling her about your health status or maybe your decision to come out etc. Why should the government have the eminent domain digitally to look at all that shit now or later?
If you take measures to protect these transactions and those measures are already compromised by the government why then should you even attempt to protect them with overburdened measures such as OPSEC huh? I mean, really if you are that worried about that shit then go talk to someone personally huh? I know, quite the defeatist attitude I have there huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect someday that they will just claim eminent domain over the internet completely.
Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.
Fuck this shit.
Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full out kinetic war going on where systems have been destroyed or compromised just before tanks roll in or nukes hit us there is no cyberwar to speak of. There is only TALK OF cyber war.. Well more like masturbatory fantasies by the likes of Beitlich et al in reality. So back the fuck off of this shit mmkay? We do not live in the world of William Gibson and NO you are not Johnny Mnemonic ok!
Sick. And. Tired.
I really feel like that Shatner skit where he tells the Trekkies to get a life…
Awaiting the DERPOCALYPSE
All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.
RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment but in reality we have no way to completely stop the juggernaut of the NSA and the government kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks and there is so much of it in this industry now that there is little to stop it’s abuse as well.
We are well and truly fucked.
So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…
IJPFRH CPAGP EIIL!
CYBER CYBER CYBER!
CYBER CYBER CYBER! or “CRY HAVOC AND LET SLIP THE DIGITAL DOGS OD CYBER WAR!”" is often what you hear from me in a mocking tone as I scan the internet and the news for the usual cyber-douchery. Well this time kids I am actually going to review a book that for once was not full of douchery! Instead it was filled with mostly good information and aimed at people who are not necessarily versed at all in the cyberz. I personally was surprised to find myself thinking that I would approve this for a syllabus (as it has been placed into one by someone I know and asked me to read this and comment)
The book really is a primer on IW (Information Warfare) and Cyber-Warfare (for lack of a better nomenclature for it) which many of you reading my blog might be way below your desired literacy level on the subjects. However, for the novice I would happily recommend that they read the book and then spend more time using ALL of the footnotes to go and read even more on the subject to get a grasp of the complexities here. In fact, I would go as far as to say to all of you out there that IF you are teaching this subject at all then you SHOULD use this book as a starting point.
I would also like to say that I would LOVE to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. I would sit there and MAKE them read it in front of me *surely watching their lips move as they do so* There are too many people in positions of power making stupid decisions about this stuff when they haven’t a single clue. I guess the same could be said about the military folks as well. We have plenty of generals who have no idea either.. That’s just one man’s opinion though.
As we move further and further down the cyber-war road I think that books like this should be mandatory reading for all military personnel as well as college level courses in not only IW/INFOSEC but also political and affairs of state majors as well. We will only continue down this road it seems and it would be best for us all if the next wave of digital natives had a real grasp of the technologies as well as the political, logical, and tactical aspects of “Cyber”
I have broken down the book into rough chapters and subject areas as it is within the book (mostly) It really does cover more of the overall issues of cyber-warfare and methods used (not overly technical) The modus operandi so to speak of the actual events that have taken place are laid out in the book and give you a picture of the evolving of IW to what we see today as “cyber-warfare” I will comment on those sections on what I thought was good and what I thought was derpy of course, I mean would you all have it any other way?
IW (INFORMATION WARFARE) RUSSIA
The authors cover early IW with the Russian saga’s over Georgia and Estonia. There is a lot in there that perhaps even you out there might not know about the specifics of the incidents where Russia is “alleged” to have attacked both countries at different times with different goals and effects. Much of this also touches on the ideas of proxy organizations that may or may not be state run that were a part of the action as well as a good overview of what happened.
In the case of Georgia it went kinetic and this is the first real “cyber-warfare” incident in my mind as cyber-war goes. I say this because in my mind unless there is an actual kinetic portion to the fighting there is no “war” it is instead an “action” or “espionage” so in the case of tanks rolling in on Georgia we have a warfare scenario outright that was in tandem with IW/CW actions.
OUR CHINESE OVERLORDS
Ah Chairman Meow… What book on Cyber would be complete without our friends at the MSS 3rd Directorate huh? Well in the case of this primer it gets it right. It gets across not only that China has been hacking the living shit out of us but also WHY they are doing it! The book gives a base of information (lots of footnotes and links) to ancillary documentation that will explain the nature of Chinese thought on warfare and more to the point Cyber-Warfare. The Chinese have been working this angle (The Thousand Grains of Sand etc) for a long time now and there are more than a few treatises on it for you to read after finishing this book.
The big cases are in there as well as mention of the malware used, goals of the attacks and some of the key players. If you are out to start teaching about Chinese electronic/cyber/IW then this is a good place to start. Not too heavy but it gets the point across to those who are not so up to speed on the politics, the tech, or the stratagems involved.
Anonymous, as someone on my Twitter feed was just asking me as I was writing this piece, is also a part of this picture as well. The idea of asymmetric online warfare is really embodied by these groups. The book focuses more on Lulzsec and their 50 days of sailing but it doesn’t go too in depth with the derp. Suffice to say that all of them are indeed important to cyber-warfare as we know it and may in fact be the end model for all cyber-warfare. How so? Well, how better to have plausible denyability than to get a non state group to carry out your dirty war? Hell, for that matter how about just blame them and make it look like one of their ops huh?
Oddly enough just days ago Hammond wrote a piece saying this very thing. He intoned that the FBI via Sabu were manipulating the Anon’s into going after government targets. This is not beyond comprehension especially for places like China as well. So this is something to pay attention to. However, this book really did not take that issue on and I really wished that they had. Perhaps in the next updated edition guys?
OY VEY, the “GRID” this is one of the most derpy subjects usually in the media as well as the books/talks/material on cyber-warfare out there. In this case though I will allow what they wrote stand as a “so so” because they make no real claim to an actual apocalypse. Instead the book talks about the possible scenarios of how one could attack the grid. This book makes no claim that it would work but it is something to think about especially if you have an army of trained squirrels with routers strapped to their backs.
It is my belief that the system is too complex to have a systematic fail of apocalypse proportions and it always has been so. If the book talked about maybe creating a series of EMP devices placed at strategic high volume transformers then I would say they’d be on to something. However, that said, the use of a topological attack model was a good one from a logical perspective. They base most of this off of the Chinese grad students paper back years ago so your mileage may vary. So on this chapter I give it a 40% derp.
All in all I would have liked to have seen more in the political area concerning different countries thought patterns on IW/CW but hey, what can ya do eh? Additionally I think more could have been done on the ideas of offense vs. defense. Today I see a lot of derp around how the US has a GREAT OFFENSIVE CAPABILITY! Which for me and many of you out there I assume, leads me to the logical thought conclusion of “GREAT! We are totally offensive but our defense SUCKS!” So much for CYBER-MAD huh?
I would have also like to have seen more in the way of some game theory involved in the book as well concerning cyber-warfare. Some thought experiments would be helpful to lay out the problems within actually carrying out cyber-war as well as potential outcomes from doing so more along the lines of what I saw in the Global Cyber-Game.
Well, in the end I think it is a good start point for people to use this in their syllabus for teaching IW/CW today. It is a primer though and I would love to see not only this end up on the list but also the Global Cyber Game as well to round out the ideas here. To me it is more about “should we do this?” as opposed to “LETS FUCKING DO THIS!” as the effects of doing so are not necessarily known. Much of this territory is new and all too much of it is hyped up to the point of utter nonsense. This is the biggest problem we have though, this nonsense level with regard to the leaders of the land not knowing anything about it and then voting on things.
We need a more informed populace as well as government and I think this book would be a good start. So to the person who asked me to review this..
The Global Cyber Game:
I had been meaning to write about this before when I had originally read the text but things got in the way as usual (work, more work, some more work after that, Defcon/Bsides) Now though I am in a space where I can reflect back on this paper and write about it here for you all to see. The Defence Academy (UK) put this together to describe how we might approach “cyberwar” on the level of game play or game theory. They constructed a board and began to set to the task of creating game play and tactics given certain scenarios in the cyber world. (see image of game board below) You can actually play this game if you create a board from this design and work within the rules of game theory but this is not why I find this treatise so important.
What I find most interesting is the actual scenario’s that play out within the game play as well as the end game status that the paper puts it all down to in the end of N-Utopia and N-Dystopia. As one can gather from the inherent meaning of the words, N-Utopia means that we all work out our problems globally and work on bettering society (which in the Nash equations is the best play) or we end up with N-Dystopia, a Balkanization of the net, and warfare that scales all levels up to kinetic and will be the death of us all. Can you guess where I think we are right now on the N-scale? Yes, you’d be right to lean toward the N-Dystopia area. In fact I would even like to see that idea rendered in a new way with an older iconography, that being the Doomsday Clock analogy. Perhaps someone can take that up online and create one for the cyebrwarz eh?
What must be taken into account in the great cyber game is that all of this is centered around power plays. The use of information as power, the use of information to effect actions vis a vis “power” and the varying types of power that are being wielded by the players. This paper covers this idea pretty well and should be required reading for anyone looking to study cyber-warfare along side Clausewitz and other more well known pieces of doctrine. Some however may already be familiar with the ideas of hard and soft power but let’s take that into the electronic warfare arena which is a bit harder to scope today.
- Hard power
- Overt threats and rewards
- Kinetic action
- Soft power
Both of these types of dynamic play off of one another and work in tandem. There actually is a whole spectrum of power plays that can be derived from these basic premises but I will not go into all that here. To date I have seen an abundance of hard power tactics being employed on the game board and I fear that that seems to be what the governments of the world have locked on to as their aegis. I would love for more to try the soft power tactics and methods but I am too much of a realist to hope that it will ever really happen.
The game play today that we are all seeing unfold before us is the hard power of Stuxnet or the ramping up of every piece of malware and 0day conceivable being purchased by the US government or others in an effort to be superior when the battle comes. That is though when they are not using those said same exploits in the darker games of realpolitik that they are prosecuting now. As I see it now we are hurtling towards a massive cyberfail of our own making and the real cost of the bad play will be economies around the world and other collateral damage that may not be an apocalypse as we currently understand them to be.
The power dimensions portion of this paper is quite enlightening and you should broaden the scope of how those plays are made with information and the internet. One must understand the playing field as well as the weapon you wield. This is the main problem I have of late is that all too many people and governments are not understanding the game play, the field of play, nor the tools they are using (pieces) well enough to play the game well. This makes not only for bad play, but in this game there are real world consequences for us all when some government or actor does something immensely stupid.
Cyber Games Today:
So what are we seeing today that has me worried? Well, we have the cybergames with Stuxnet and other malware to start. I liken the release of Stuxnet as skin to the release of a biotoxin or virus that eventually will be re-worked or manipulated into a more fearsome weapon. These are not one use tools, they are in fact re-usable and re-tune-able. Once these things are out there is no controlling them and with the idea of Stuxnet you have something that was used against one target but could affect hundreds more in friendly countries if they had the same configuration.
Another cybergame being played today is the new surveillance state that we find ourselves in. It seems in the case of the US we have people who are interpreting our Constitution to suit their needs under the rubric of protecting the homeland. This cybergame is all about information and the power dimension of controlling it. I have been watching this Snowden affair unfold and frankly I am frightened of the capabilities that the NSA has but I am much more scared that they claim that they are protecting us while a Snowden subverts the very systems they are saying cannot be misused. This particular cybergame when looked at, show’s all of the hard and soft power dimensions at play with the media and the law. This should also be brought into the cyber game play as well.
Yet another cybergame going on is within the public/private sector and I call the “Patriot Games” What I mean by this is that we have non state actors playing rolls of asymmetric warriors online to effect whatever change they see fit. A certain un-named clown for one is a primary actor in this space and really started the trend in my opinion. The cybergamers here are vigilantes nothing more and nothing less and may or may not have an effect on the grander scheme of things on the net and in public policy. For the most part however, these players are on the hard power end of the spectrum and thus just mostly come off as thugs.
Lastly, the cybergame that seems to be the one with the most chance of playing in the larger space is that of Anonymous. Anonymous has been able to leverage many players into semi cogent action and could in the future have a real effect on policy and other dimensions within the cybergame play. The only reason that I place Anon into this game is because of that mobilizing force that they seem to carry. If motivated and able to be cohesive enough this group could affect the greater games being played and have on a microcosmic scale thus far in recent history.
In all, the games that are being played, and they are games, all serve as a means to an end for those paying attention to understand and perhaps help those in the seat of power how not to play the game at all. Our petty squabbling on the internet is just that. The reality is that the net is important and much of our lives today require it to run smoothly but if the net were to go down permanently our society would not utterly collapse. We would survive and we would re-build. The question then becomes would we have learned from it and do things better the next time around?
Cyber-Utopia and Cyber-Dystopia:
The idea of Cyber-Utopia is a far fetched one in my mind and probably many others out there. This would be a great thing if we could make it happen but given the petty nature of our.. well nature.. We will only see this ideal wash up on the rocks and sink into the ocean rather quickly. In the Cyber-Utopia we all work together, we cooperate, and we work towards a better day. … And I just don’t see this happening barring some kind of alien intervention frankly.
Cyber-Dystopia though I am afraid is already the case in many respects. We are seeing an almost Balkanization of the internet today as it is never mind the games being played in reality with Stuxnet and cyberwar. If the N-Dystopia comes to pass we will find ourselves at war with each other constantly in a “cyberworld” much like the episode of STOS “A Taste of Armageddon” where all warfare is carried out via computer simulations and only the casualties report to be disintegrated as a means to balance it all out. Today though we will see attacks on economies as well as infrastructures to effect “war” (economic, political, or other) on our enemies and the real world costs will have to be measured in profit loss or perhaps even actual loss of human life.
The cyber-dystopia though is more than just an outcome of war. It is the outcome from our own inabilities to work with each other and our ability to rationalize warfare through a non apocalyptic destruction of life. It will be a tit for tat war of attrition that will not lead to any clear victories and certainly not elevate our societies in any way and that is the sad truth of it. Ladies and gents we are already in the dystopia. We just may not understand that yet.
Understand the game:
So, I leave you with the paper: The Global Cyber Game pull it down and read it. Learn from it, play the game if you like, and spend some time thinking about it all. We are on the cusp of another evolution in our society that we have seen repeated in every other evolution we have had. We create something, then we weaponize it. Perhaps if more of us understand it and the pitfalls we can prevent the N-Dystopia from becoming any worse.
A mgbkf zugx sbw nrkl wqvrkvuj!
Sun Tzu and The Art of Cyber-War
A while back I decided to throw my hat in the ring for RSAC and Shmoo. I made neither’s list of presentations but I thought this still was worth putting out there for people to see. I had been talking with Jericho and Josh Corman about cyber war because of their presentation at Brucon and this idea popped up in my head because Jericho had pointed out too many people cite Sun Tzu poorly in these types of presentations. Well Jericho is right and often times not many of the tenets of Sun Tzu make it into the presentations. On average you will see maybe one or two and that’s it but The Art of War has many other chapters and quotes that map to general warfare and that includes Cyber-War (so called) Generally however the overall tactics put forth by the Art of War are applicable because this is warfare we are talking about no matter the landscape (electronic) that we are fighting it in. You still have adversaries looking to defeat one another using guile and force today just as in the day of Sun Tzu. The real issue comes down to reading between the lines of the old text and applying the ideas to the modern landscape of the electron, the malware, and the phishing attack.
All of these efforts though will lead to the age old means of kinetic warfare and this is what people seem to not understand so well today. War is war and eventually its all going to be about the guns and bombs and not so much just about the data being stolen or messed with. We have a problem today in the semantic of war in the digital age that needs to be cleared up for the general populace. I hope that this tutorial will not only be historical but also give the reader the tools needed to understand that cyber-war is not the end all be all, it is in fact just a precursor to the type of war that has been waged since man could pick up a rock and throw it.
China, Sun Tzu, & APT
On another level though, I find it amazing that more people have not had the light bulb go on about our situation today with regard to Chinese hacking and espionage. What we have seen is not cyber-war yet but the prelude, the reconnaissance to carry out war and that is all. The Chinese (and others) have begun mapping our networks, prodding our defenses, and assessing our overall readiness by using digital attacks on private and governmental networks and systems. Think of it all as spying and not just one for war footing alone. There is of course the industrial espionage as well but in the case of China in particular they are all means to an end. The “Thousand Grains of Sand” approach is doctrine in China as is the mindset they have always had having had masters like Sun Tzu as their teachers. Look at this slide deck and then take a step back and look at the APT-1 report as well as others. Note that the Chinese military is the state and that the PLA is just an arm of the military unlike in the US where the military is a little more separated and at the behest of POTUS.
Sun Tzu said it best in The Art of War;
“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
It’s time to be more introspective about ourselves as well as the adversary and Sun Tzu is a good way to get there.
//B zrxr wwmpxjnp vf ygwyr jh kur gig vvbxv nf o “yinwf zcnt”. Ilmf xp vv lbi vwwpe grxr mhct sxh ubpifmpxt qzgu o izkruyi nar t tcqjhrgrf. Mpgwf xrlf hawwki, CU’f uoom oehhvgvq lbtmqm, ybywzzcqt, ueq vbyzcvfx nngsk ucvlm. Pbh bxmf e qlf.\\
Threat Intelligence, Counterintelligence, and Corporate | Nation State Espionage
“Threat Intelligence”, a term that is just behind the oft used “Cyber” and God forbid, “Cyber” is all too often put in front of it as well to add more oomph for sales people to sell their brand of security snake oil… “But wait there’s more!” We also have other spook terms being kluged into the INFOSEC world now because, well, it’s cool to those cyber warriors out there. I know, I sound jaded and angry, which, yes, yes, I am, but… Well, it’s just gone completely off the rails out there. I hear people talking about these topics as if they know what they are talking about even with the exceedingly limited scope of digital security matters (i.e. hacking/forensics/defense)
I would like to clear the air here a bit on these terms and how they do really apply to the world of INFOSEC that we in this business now find ourselves in, one littered with military and spook terms that you may not be really familiar with. First off, lets look at the terms that have been thrown around here:
Threat Intelligence: In the spook world, this is the gathering of intelligence (HUMINT/MASINT/SIGINT etc) to determine who has it in for you and perhaps how they plan on getting at you.
Counterintelligence: Spies who hunt other spies (Mole Hunts etc)
Espionage (Nation State and Other) The umbrella under which this whole rubric exists. Nation state and other have the component of “Industrial” as well (i.e. IP theft)
Ok, so, where once we used to only have people in three letter agencies worried about “ThreatIntel” we now have the INFOSEC community looking at “threats” to their environments and calling it “Threat Intelligence” now. While it’s a cool name, does it really apply? What was it before the whole APT thing broke as well as the cyberwar-palooza we have today? For the most part, I can see only half of the term applying to any non state entity or three letter agency and that is of what “threats” are out there today. This means what exploits and pieces of malware are out there that your environment would be susceptible to.
That is unless you suddenly have a company that has decided to launch its own “Intelligence arm” and yes, this has happened, but usually only in larger companies with defense contracts in my experience. Others though, have set them up, like Law firms, who then hire out ex spooks to do the work of counterintelligence as well as intelligence gathering to have an edge over everyone else. Perhaps this is bleeding out into other areas as well in corporate America huh? The point here for me is that unless you have an intelligence arm (not just INFOSEC) you should not be using the term “Threat Intelligence” as an encompassing statement of “there’s malware out there and this is what it is” Point blank here, IF YOU AREN’T DETERMINING WHO YOUR ADVERSARY IS AND WHAT THEIR PLAN IS… IT”S NOT THREAT INTELLIGENCE.
Looking at IP’s on an SIEM and reacting to a triggered event is not threat intelligence. It’s INCIDENT RESPONSE. It’s AFTER THE GOD DAMN FACT OK?
So, stop trying to make it sound cooler than it really is people. To further this idea though, we still have “Counterintelligence” which FOR FUCKS SAKE I have personally seen in a title of a complete MORON at a large company. This fucker sits around all day looking at his stock quotes though, see, it’s just a cool title. It has no meaning. UNLESS you really have an operational INTELLIGENCE UNIT in your company.
*Look around you.. Do you? If not then STFU*
If you do have a real intelligence wing in your org that carries out not only COUNTERINTEL/INTEL/HUMINT/THREATINTEL then more power to you. If not, you’re deluding yourselves with militaristic terms and cyberdouchery… Just sayin.
However, the way things are going with regard to the world, I should think that you might see more of these kinds of intelligence arms springing up in some of the larger corporations of the world. It’s a rough world and the fact that everything is networked and global has primed the pump for these kinds of activities to be a daily operations tool. It’s now the blurring of the lines between what nation states solely had the control and aegis over to now its becoming privatized and incorporated.
William Gibson saw it.. Phramacombinats and all.
False Flags and Disinformation Campaigns
Which brings me to the next level of affairs here. When I was on the DEFCON “Fighting Monsters” panel, I made some statements that seem to have come to pass. I spoke about how Anonymous would have to worry about “False Flags” against their name as well as expand upon the idea that Pandora’s box had been opened. Nothing on the internet would really be the same because we all had moved into the “spook world” by the actions of Anonymous as well as things like Stuxnet. The lines had been blurred and all of us net denizens need to be aware that we are all pawns in a series of greater games being played by corporations and governments.
Since then, we have seen many disinformation campaigns (think sock puppets on social media, fake news stories, rumours, etc) as well as false flag actions where Anonymous may have been blamed or named for actions that the core did not carry out. So many times since then we have seen Anonymous attempt to set the record straight, but, like I said before, who’s gonna believe them because they are “anonymous” and disparate right? Could be anyone… Could be them… And with previous actions, are they to be trusted when they say they did not do it? See, the banner thing (hive mind) has a tremendous proclivity for severe blowback as they have learned.
What’s sauce for the goose though, is also good for the corporate, political, private gander right? How many Acorn operations do you need to see happening in the election cycle to realize that this has been going on for some time and that, now, with the internet, its easier to perform these kinds of operations with a very small group with minimal effort as well? Pandora’s box was not only opened, it was then smashed on the floor and what was once contained inside has been forever unleashed upon us all.
Now, going back to you INFOSEC people, can you then foresee how your companies reputation or security could be damaged by false flag operations and disinformation? A recent example may in fact be the attack purported to be on against Josh Corman of Akamai because he said some things that “some” anonymous players did not like. Were they really out to get him? Were they doing this out of outrage or was there another goal here? What you have to ask yourselves is, what is my company and it’s employees susceptible to in this area? Just as well, this also applies to actual attacks (DDoS etc) they could be signal to noise attacks. While the big attack is going on, another team could be using the fog of war to sneak into the back door silently and un-noticed.
See where I am going there?
In the case of Josh, do they want to D0X him or do they want to force Akamai to maybe flinch and let him go because of bad press, and potential attacks on their infrastructure and management?
Ponder that…There are many aspects to this and you have to have a war mentality to grasp it at times. Not all attacks frontally are the real attack today. Nor are all attacks on players what they may seem to be in reality, the adversaries may in fact have a longer game in mind.
Network Defense and Network OFFENSE
Ok, so back to reality today with many orgs and their INFOSEC programs. You are looking to defend your network and frankly you need not have “cool” names for your program or its players. What you need is to be mindful of your environment and pay attention to the latest attacks available that would affect it. Given today’s pace though, this makes just about everything suspect. You can get yourself an IDS/IPS, an SIEM, Malware protection, and all kinds of things, but, unless you know where shit is and what it is, you lose the big game. So, really, threat intelligence is just a cool name for an SIEM jockey today.
Like I said, unless you are doing some real adversary profiling and deep inspection of attacks, players, motivations etc, you are not doing THREATINTEL. You are minding the store and performing network defense… i.e. your job.
Now, on the other end of the spectrum lately, there have been certain douchenozzles out there saying that they can sell you services to protect your org with “OFFENSE”
Offense you say? Is this some new form of new SPECWAR we aren’t aware of? Firms like the more and more vaporware company “Crowdstrike” seem to be offering these kinds of services, basically mercenaries for hire, to stop those who would do you harm. What means are they going to employ here? Obviously performing what they see as intelligence gathering, but then what? Once you have attribution will there then be “retribution” now like so many Yakuza centric stories in Gibson novels? I’m sorry, but I just don’t see this as viable nor really any kind of a good idea whatsoever… Leave it to the three letter agencies.
Alas though, I fear that these companies and actions are already at work. You can see some of that in the link above to the book I reviewed on private intelligence and corporate espionage. Will your data be a part of a greater corporate or government conspiracy? Some black ops mumbo jumbo over your personal information perhaps? Part of some retribution for some attack perceived to have happened to company A by company B?
Welcome to the shadows and fog of espionage kids.
Going “Off The Reservation”
Overall, I guess I just wanted to lay some things out there and get people’s heads around the amount of douchery going on today. We collectively have gone off the reservation post 9/11 with PII, Privacy (lack thereof) and hacking. That entities like Anonymous came to be and now see the governments and corporations of the world as dark entities isn’t so hard to see when you look at the crap going on out there. What we saw in Team Themis was just one small spec in a larger “Cyber Beltway Banditry” going on today. Look to the other side where you have Fusion centers with private INTEL gathering capacities tossing out absolute crap yet spending BILLIONS of dollars and, well, there you have it.
Monkeys with digital guns.
We are off the reservation already and it’s every man (or woman) for him or herself.
In the end though… If you have a title that says something like “CHIEF INTELLIGENCE OFFICER” on it, you’d best be at a three letter agency.. If not, then you are deluding yourself with EPIC DOUCHERY.
Uso Xqx gukk: Xyc cpu sw zol kz sw tkrbp zpditaeeag rp xyh Gncai.
Zr kq b qrwhyt vj cghc bru gsuvo, e imcb fmkksl vv wrdgrz si wc lwpr. Ycpaf mk lg u ubfacer pj zqeokyc nfkai grq ch pv etaqsox sh byisitrgb.
CYBER CYBER CYBER CYBER WAR! (A new song by Culture Club soon!)
I have been more quiet lately due to being a little burned out on the whole INFOSEC scene. The usual groups of factions are bellowing their usual bloviations and rutting like wild animals online, locking horns with others for dominance. It all frankly makes me just want to step back into my blind and clean my weapon, but, it also gives me pause to think and reflect on it all. It has been in this mode that I have sat and watched the “cyberwars” continue to amp up with the Kaspersky’s of the world finding more and more malware to write neat little papers on how they work and how “nation-statey” they are (oddly though never Russian in origin.. Gee I wonder why?)
Others out there are writing treatises on how “Cyberwar” will work all the while there has been no real definition put down and agreed upon by the masses as to what “cyberwar/Cyber-War/Cyber-Warfare” really is. It has not been codified really, even with the recent UN Tallinn document:
“A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
Tallinn Manual on The International Law Applicable to Cyber Warfare – Michael N. Shmitt
Without a common definition we are all left with a great amount of confusion and gray area to move forward and commit actions that may or may not be “war” because there is no set ground rules, law, or definitions. So, here we are, we have all these people making a great hue and cry, plans and deeds, all without really understanding perhaps the potentials for their actions, all eager to get in on the ground floor of the “new war” and yes, you gentle INFOSEC reader are also part and parcel, willing participants to it all as well. The “cyberdouchery” it seems cannot be washed from your hands as well, and this includes me I think.
Mea culpa.. Mea culpa…
While reflecting in my recently infected state (pre-con flu) I sat down with the laptop and watched “Cyberwar: Not what we were expecting” a BruCon presentation that I had a hand in with Josh and Brian. The presentation went well, and as I had seen and thought about the material before, having had discussions with both in the process of creation, I began to have a bit of a paradigm change in thought on this after the final presentation. I looked back at my own mind set and writings on the douchery and realized my own shortsightedness, I too had fallen prey to the “cyberwars” and the only conclusion I could have now is that they are upon us, no matter the definition and I had better think on that.
Let’s face facts here… No matter how many times we call douchery, it’s here…
For all of the high handed railing that I have done in the past, I perhaps had missed the salient fact that people are people, and that we as a society will always latch on to the new “thing” that is super cool, but may in fact be the worst thing for us (think of the iPhone madness) We as a species, tend to go, like many other creatures, say parrots or cockatiels, for the “shiny things” It’s just our nature. So how much more shiny than anything else is the notion of a clean “cyberwar” where we take out the enemy with a click of the button, no, not with kinetic explosions but instead with the lights just going out or a centrifuge breaking.
Yeah, sound familiar?
This neat idea though could in fact cause some dystopian scenarios to happen and yes, in the idea of “war” as we commonly know it, kinetic actions (i.e. tanks and planes and bombs) would likely be employed as well, but, this in fact may not be the end goal of “cyberwar” in the minds eye of those dreaming and plotting it. After all, I would say that we are in the era of the “cyberwars” now in fact, and the only use of kinetic force seems to be only taking place in the non declared wars in Afghanistan and now the Horn of Africa right?
The “cyberwars” though, have been playing out mostly quietly, bits and bytes doing their non kinetic (mostly) damage, stealing data for financial gain or other espionage goals. Both nation state as well as personal, group, non nation state, whatever you decide to name the actors as, they are doing it, right now.. You can almost hear the clicks of the hard drives now right?
It’s really just a war of packet attrition… But then again I hear you thinking,
“But, you said war.. and well, that’s not war.. That’s espionage and maybe sabotage”
Well, yes, but, then there’s this notion of “Cold War” to deal with.
“Christ, I miss the Cold War.” (Cold War vs. Hot War)
The above quote was one of my favorites from “Casino Royale”, the recent re-boot of the James Bond story line. I find it apropos to this discussion as even with Josh and Brian, the idea of the nomenclature of war has been somewhat nebulous really. The idea of a “cold war” seemed elusive to them and perhaps even to me in some way, though I lived through the cold war and was actually in East Germany briefly just before the wall fell. Seeing the “cold war” first hand kind of gives you a new perspective I guess, so I was a little more pliable to the idea that a cold war was in fact a war, just not one where we have outright battles being fought in the “open” and that’s the key here.
Cold War Noun:
A state of political hostility existing between countries, characterized by threats, violent propaganda, subversive activities, and…
The state of political hostility that existed between the Soviet bloc countries and the US-led Western powers from 1945 to 1990.
Cyberwar, is the new “black” of Cold War.
See what I am getting at here? Sure, there can be an all out war that employs a “digital aspect” to it, (i.e. disrupting comms and supply chains) but also, the mainstay thus far of digital warfare is “information war” and this is much closer to “cold warfare” as it has ever been as you can see from the standard definition. Case in point, we are trying to contain Iran from having its own nuclear weapons. What have we been doing? Well, sanctions, propaganda, espionage, and now, post Stuxnet, digital sabotage of their programs as well as great swaths of digital thievery of their data to see just how far along they are.
Now, look up at that definition again and think about it… See what I’m saying here? Of course this is one element though and there are others like the kinetic typical warfare also described. Actions in tandem (digital and physical/kinetic) like that of Estonia but you get the point. It’s mostly, at this point, about cold war tactics to manipulate an enemy without committing to all out warfare and that’s the rub. Of course there are many war planners out there looking at plans to do more than just manipulate an enemy politically, that’s more the bailiwick of the likes of the CIA and other three letter agencies.
Diplomacy it seems, has a new tool in it’s little black bag…. As does the military sector.. Truly “Dual use” technology here.
State vs. Non State, War vs. Non War (What’s in a name?)
In the rubric though of “cyberwar” lately, we have seen arguments made (some unqualified, some quite qualified) about just what it constitutes and one of those factors has been whether or not the actors are “state or non state” actors. I would put it to you right up front, who’s to say who is or is not state actors to start with? Have none of you ever heard about proxy wars? I mean come on people, we lived through the 80′s and the wars being fought by proxy and still you guys don’t get it?
Afghanistan and the Mujahideen
The War on Drugs
The Current War on Drugs with boots on the ground in Mexico (CIA/MIL)
So, you are going to quibble over nation state and non nation state actors in cyber warfare? What’s more, you are going to do so when attribution is so damned hard? Wow, the hubris of it is just stunning on some people’s parts within this community. Talk about douchery, just take a look around people. Sure, there is a lot of douchery going around, but I just have to say look in the mirror here and take a good long look. I think we all could be blamed just as equally here.
Actions taken by entities, in this arena (cyber-warfare) no matter the attribution, which may be wholly wrong mind you, can always have a sliver of doubt attached to them as to whether they are a proxy of a nation. It’s as simple as that. So, in the case of say the Georgia DDoS that happened, who can be sure, unless they have a really solid HUMINT report in hand, that this attack was not in some way or shape condoned or sponsored by the Russian government or factions thereof?
*silence.. baleful stare*
All I’m really saying is that the world is grey and to make great pronouncements of “I know shit” isn’t going to cut it in reality, and that even goes for me. Like they say on the internets, photo’s or it never happened. What can be said though, is that it would seem, from all evidence within the media machine and the rhetoric of the governments of the world, that the Dr. Cyberlove’s of the world are beating the drums for “cyberwar” pretty damn hard… And that the governments are scurrying to get a piece of the action.
“A fool with a tool.. Is still a fool” (Or: Simians flinging digital poo)
Which brings me to my next diatribe. As the title above says, a fool with a tool.. Is still a fool. Folks, we have all kinds of work going on developing 0day’s and plans of action by various warfighting units new and old. It seems that whenever we, as a race, come up with a new way to get over on the other guy, we mass produce and refine it without really thinking about the ramifications of our actions. It’s just human nature it seems, but in cases like this we just rush headlong into it, like we did for so long with biological warfare.
“Surely digital warfare and code is nothing as bad as biological warfare” is what some of you are thinking out there now as you read these lines, and yes, you are right I think on the whole, but, there is always wiggle room for disaster right? The potentials for malware and unforeseen consequences are there and unlike Jericho’s take on the dangers of “cyberwar” now, I can give it a little more room for possible bad outcomes from what’s being created now. What will happen as we all reach the singularity that some are postulating as we network everything? Currently the grid is a big topic as we make the “smart grid”, a model that is already being attacked by hackers as well as perhaps nation states trying to gather intelligence on how it works/will work and how to manipulate it. This type of attack alone could be dual use, like the Stuxnet attack, it could be a way to manipulate a country and its policies, or the prelude to a further physical attack. Who’s to know until it happens right?
All in all, I just have to look on in wonder at the hubris of the whole affair. We truly are monkeys with digital guns. Unfortunately today we have political systems that are short sighted and, in the case of our own here in the US, groups of diametrically opposed morons in a political election cycle that looks much more like a high school election campaign for prom queen. These are the people in the political office that direct the policies and war plans for us, which now include the idealistic ideas of “clean cyber warfare, targeted and with little blowback or collateral damage”
Monkeys with digital guns…
Cyberwar and YOU
Well, so here we are, we are in the age of the “Cyberwars” as much as the term might stick in the craw of many in the community. I would put it to you that as a person with anything online, you are a target. Whether it be the cyberwarfare of the state, or the cyber machinations of the criminal gang seeking to steal your money or your data, we all are under the same threats. Infrastructure as well as your personal PC are targets within a larger game of digital Stratego. Face the fact, live with it a while, and then think about what you can do to insulate yourselves a bit better.
It seems that even if you do not have a computer (some don’t.. no, really!) you still have a digital presence online because the companies that you do business with have one. The governments have their records online and those records are your records! There is no escaping it really, you are a part of the picture and you should get used to the idea. The power that you suck up every day with your digital toys is somewhat vulnerable and a target, and even if the adversary cannot take out the whole country, let me tell you from experience, just take out one state and see the shit fly because people don’t have power. Where I live we had that big storm a year ago and when people could not get their gas to power their generators it started getting hairy, and that was with the power only being out a week or so. Imagine if it were in fact long term? It’s the people’s reactions (base and territorial) that worries me more than the power being off.
So, whether it’s your data, your power, or your money, you too are a cog in the vast cyberwar machine that is all the rage. Will bad things happen? Maybe. Will epic and tragically bad things happen? Maybe. I am not short sighted enough to say it won’t ever happen, nor can I say that these attacks will not be employed by some foreign power or Bondian villain. I’m just saying it is possible, not overly likely, but look at all the work going on at DARPA and other places looking into how to make it a reality.
The cyberwar is upon us and we had best start taking it seriously because people in power are making plans, and like biological warfare, it seems perhaps there could be unforeseen cirucmstances that could trigger bigger and worse things.
Plan accordingly and think a bit more cogently.
Sfy fdh uua ldy lbrld nswgbbm obrkdvq C phmkmye, utn obnm mify ptm mwy vl sbw mgkznwal htn gz jahwz pvvsijs vl dpgfixc.
Lwuq fnlw ug
From Dell’s CTU page
Time is of the essence when protecting your organization’s critical information assets against cyberthreats. However, finding the security intelligence that matters most to your organization consumes precious time and adds strains to in-house resources already stretched too thin. At times, days or even months can pass before vulnerabilities in your environment are patched, increasing business risk and expanding the window of exposure.
Leveraging Dell SecureWorks’ global threat visibility across thousands of customer networks, proprietary toolsets and unmatched expertise, the Dell SecureWorks Counter Threat Unit (CTU) security research team performs in-depth analysis of emerging threats and zero-day vulnerabilities.
Powered by CTU research, the Dell SecureWorks Threat Intelligence service delivers early warnings and actionable security intelligence tailored specifically to your environment, enabling you to quickly protect against threats and vulnerabilities before they impact your organization. The Threat Intelligence service enables you to reduce considerable risk by closing the window of exposure more quickly, and also enables you to spend more time devoted to quickly remediating the risks most pertinent to your organization.
Threat Intelligence services provide:
- Proactive, actionable intelligence tailored to your environment
- Clear, concise threat & vulnerability analyses
- Detailed remediation information & recommendations
- Consultation with our threat experts
- On-demand access to extensive threat & vulnerability databases
- Malware analysis upon request
- XML intelligence feeds
- Integration with other Dell SecureWorks services for correlation and unified reporting
Threat Intelligence: THREATINTEL another acronym or name of something we in the INFOSEC world are now hearing as a mantra of what we need. Vendors are pimping this idea as they “cloud-ify” their solutions (SOPHOS etc) to give you the proper “Threat Intelligence” for your org. Plug in threat intelligence into Google and you will get zillions of hits that are sales pitches right off the bat. However, recently on the LiquidMatrix podcast the question was posed of “just what is the meaning of threat intelligence?”
I think that is a very important question and perhaps there are more of you out there who may not know. Certainly there are C levels out there I am sure who haven’t a clue what it means as well. A basic understanding of English will tell you that this activity involves threats and their detection, but as a company what are the threats that they would be looking for? A person with a military background may have another idea altogether of “Threat Intelligence” as they may not be so much focused on network or computer issues. Instead they may focus on physical security and the threat of individuals. Still others with a mind toward the world of intelligence, may see a more nuanced picture of the same term with bigger pictures and more subtle ideas.
The upshot here is that for each person or group that takes up the idea of monitoring threat intelligence, they first have to know what they are particularly interested in keeping an eye on, and how their organizations need that intelligence to work for them.
Threat Intelligence Takes Many Forms
In today’s world and from where I am seeing (or actually hearing it used most) is in the world of information security. In this instance, and for the thrust of this article I would like to define the types of threat intelligence that we should be paying attention to in no specific order as all are an equal part of the larger picture:
- Malware types and propagation
- Phishing exploits in the wild and their modus operandi
- Vulnerabilities out in the open (new and old)
- Your AV and IDS/HIDS/NIDS capabilities (stratified? Not? Multiple types?)
- SIEM and Network Monitoring of health/traffic
- Network centric asset management (a good network diagram that is updated frequently)
- Hardware asset management (knowing what you have and where it is)
- Software asset management (knowing what you use and what should and should not be there)
- Network landscapes (yours and others connected to you)
- Potential Aggressors or bad actors and their types
- News Cycles on hackers and hacks
- Political and social “net” movements
- Your social media posture (PR etc) in the world at large (i.e. social media monitoring of your org being talked about)
- The state of morale at your organization
- Industrial espionage potentials for your org (what you hold and why it might be of interest to a nation state or other)
- Patching and your network landscape
- The security posture of the orgs that work with you and have connection to you
- The threat to any orgs that you are affiliated with and connected to (i.e. higher threat and poorer security posture make for a higher threat overall to you)
- Actionable intelligence from IDS/IPS as well as trending data from a SOC (Security Operations Center)
As you can see from the above, it’s not just getting your hands on an IDS/IPS or a SOC service and looking at the attacks currently being aimed at you. You have to know the environment, know the players both inside and outside of your organization and be able to extrapolate a big picture view that you can then drill down into and have a deep understanding of.
Is this always possible in every org? Certainly not…
However, all of these factors above could lead to a technical compromise as well as perhaps an insider leak of information that could cause you great damage. You see, this has to be a more holistic picture and not just a network centric approach in order to have a better chance at protecting yourself. The focus for many of us in the information security sphere all too often just takes the form of technical means of security when the picture is much more complex. Unfortunately though, this is where many of the companies out there looking to sell appliances and cloud services lead companies and C levels astray.
Threat Intelligence Snake Oil
Sure, a SOC and an IDS/IPS is always a good thing. I am not saying that going without one is a super fantastic idea. What I am saying is first, you have to know your appliance. Know how it works as well as what the alerts mean yourselves, not just let the service dictate to you what an alert means. Now this means that you should have technically capable people who can read an alert, know the environment well, and determine “if” an alert is indeed valid.
Remember the old axiom “A fool with a tool… Is still a fool”
SOC services today often also say they offer you threat intelligence reports. These often are regurgitation’s of news stories on current hacks that have happened as well as patches being put out for various systems. No doubt these are good, but, they don’t always have everything you need to understand the threats. This is if you even get this feature, some places may in fact only offer the IDS/IPS and it will alert you alone without real context other than a CVE and some technical details. It is important when you decide to get a threat intelligence piece in addition to an IDS/IPS service, that you look at their alerts and get a good working picture of just how much information they are collecting, it’s relevance to your org, and its timeliness. After all, if you get an important piece of data the day after an attack, its already too late right?
This is all predicated though on the idea that you have someone or group of people who understand threat intelligence principles and how to apply them to your particular environment. This is where you need “Analysts” Even with a good SOC service that has good threat intelligence for you, it’s useless unless YOU have an analyst who can interpret the data.
Threat Intelligence Requires Analysis
A common issue in the intelligence game is having analysts who understand not only the data, the complexities of environments, and the big picture view of things, but also the ability to “analyze” data and extrapolate from it in a cogent way. Recently Jeffery Carr posted a blog on Infosec Island that was particularly prescient about the need to have the right psychology when performing analysis. He is absolutely right and in his article it was specifically around the intelligence collected by agencies like the CIA. You however are likely not the CIA but, you still need to have an approach to your threat intelligence in the same vein.
The technical side of the threat intelligence needs to be married with the social and psychological as well to have the big picture view of your threats. As I mentioned above, you need to know who might have it in for you, who might target you, why would they target you, and other motivations to have a better grasp of your threat matrix. For this, you need an analyst, or analysts, not just a report from the SOC. The same can be said just for the technical side of the house as well. If you have technical alerts but no real insight into how they work as well as what you presently have in your environment, then it’s game over really. The same can be said if you don’t have an analyst who can then extrapolate all of this into a cogent means of getting it across to the C levels that there is an issue(s) and the urgency or not of remediating them.
Analyses and analysts then, are the linchpin to the whole process. Without good analysis, then the service is useless really.
Graphic from: dmrattner.com
It is paramount to have a working program of threat intelligence as opposed to just getting a service and thinking you are all set. This to me, would be the next level of “Candy Security” in that you are laying all your eggs in the basket of some service like so many still today think that they have a firewall and their all good. As we have seen in the last few years alone, the threatscape of the online world has grown from just malware that steals bank data to malware and attacks that have much broader scope and end goals as well as aggressors that are thinking much more laterally in their approaches.
So once again, analysis is key.
As the complexity of attacks grow at a rate outstripping the pace of “Moores Law” the defenders have to take up a more nuanced approach to protecting their environments and their data. Reliance on technical solutions alone is not tenable, and as I have said in the past, you have to look at the creature behind the keyboard to get a better picture of the attack much of the time. A better understanding of all of the areas mentioned above will give you a higher chance of at least keeping some pace with the attacks out there against you.
Without analysis and insight, you are in an oubliet.. And you will want to “forget” because if you really think about the threats just from not knowing what goes on in your environment, you won’t be sleeping much. Consider your threat intelligence program if you have one, and if you don’t consider starting one.
Flame, DuQU, STUXNET, and now GAUSS:
Well, it was bound to happen and it finally did, a third variant of malware that is ostensibly connected to the story that Mikko Hypponen posted about after an email he got from a nuclear scientist in Iran has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline, he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, its unsubstantiated. Low and behold a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.
Gauss it seems had many functions and some of them are still unknown because there is an encryption around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus, it is again easily tied back to the US and Israel (allegedly per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the middle east with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…
I am sure many of you out there are already familiar with the technology of the malware so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly has not been seen before Stuxnet and seems to only have geometrically progressed since Langer et al let the cat out of the bag on it.
Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning of the Morris worm. I explain the nature of early virus’ and how they were rather playful. I also explain that once the digital crime area became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to generally tunnel their data from the inside out home through such things as a firewall. This always seems to make sense to those I explain it to and today it is the norm. Malware, and the use of zero day as well as SE exploits to get the user to install software is the the way to go. It’s a form of digital judo really, using the opponents strength against them by finding their fulcrum weakness.
And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.
Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon, these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them, well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, that this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.
An Interesting Week of News About Lebanon and Bankers:
Meanwhile, I think it very telling and interesting as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems its an equal opportunity thing, of course the malware never can quite be trusted to stay within the network or systems that it was meant for can we? There will always be spillage and potential for leaks that might tip off the opposition that its there. In the case of Gauss, it seems to have been targeted more at Lebanon, but, it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.
Obviously this module was meant to be used either to just collect intelligence on banking going on as well as possibly a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but, one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature on Gauss.
All of this though, so close to the revelations of HSBC has me thinking about what else we might see coming down the pike soon on this front as well. Cur off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that the Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.
Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:
Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?
Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither does the DoD at this point as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to and the hubris to actually do it.
Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear and seemingly others, however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, i would think twice about the scenarios of actually leaking statements of “we did it” so quickly even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but, we will likely see pockets of trouble and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.
The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:
Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian Proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbee bombing) You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?) So, it’s little wonder then that this would all be focused on the Med.
We are conducting proxy wars not only because of 9/11 but also economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor” a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan wasn’t about oil, I say to them look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there wasn’t oil and money in the region, I think we would have quite a different story to look on as regards our implementing our forces there.
So, with that in mind, and with terrorism and nuclear ambitions (Iran) look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings) we have peoples who want not to live under oppressive regimes not just because they aren’t free to buy an iPhone or surf porn, but they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency upsets the very delicate balance that is the Middle East. Something that we in the US for our part, have been trying to cultivate (stability) even if that stability came from another strongman that we really don’t care for, but, who will work with us in trade and positional relevance to other states.
In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in and its just easier to send in malware and rely on human nature to have a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the rights means to the ends they desire.
We Have Many Tigers by The Tail and I Expect Blowback:
Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them has the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or, they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now in the net right? The problem overall is that since we claimed the Iran attack at Natanz, we now are not only the big boy on the block, we are now the go to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?
The cyber-genie is out of the cyber-bottle.
Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.
I have mentioned the other events above, but here are some links to stories for you to read up on it…
- PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
- Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
- Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)
All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that might work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after Wikileaks cables dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much and only have ourselves to blame with the shit hits the fan and we don’t have that many friends any more to rely on.
It’s a delicate balance.. #shutupeugene
Pandora’s Box Has Been Opened:
In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.
It is certainly evident as I stated above, our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own, Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem of their thinking processes. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to concieve, lets put it in terms of biological weapons.. Weapons systems that have been banned since Nixon was in office.
The allusion should be quite easy to understand. Especially since malware was originally termed “Virus” There is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware” for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems, things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again huh? If the circumstances are right, then, we could have a problem.
Will we eventually have to have another treaty ban on malware of this kind?
Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?