Archive for the ‘HUMINT’ Category
I have been ruminating lately on our situation regarding aspects of Russian interference (active measures) and the new President of the United States. In previous posts I have delved into the Wilderness of Mirrors of counterintelligence that we find ourselves in today as well as some other musings on motives that the Russians and the President (and his minions) may have in relation to their actions. Today though, on the morning of the big Comey interview in congress, I would like to cover the fabricator. By fabricator I mean the intelligence term and not the guy who makes something on the line at the local plant. A fabricator in the parlance of spies means someone who lies, creates stories, and half truths in order to deceive in order to mislead intelligence operations. More to the point, I would like to submit that in the goings on today you will have to ponder whether or not the president and his minions are all fabricators acting in whatever interest they have against us all.
Fabricators have motives just like any other liar but here are the defined reasons in the intelligence definition:
- Fanaticism or ideology is often cited as the key reason behind fabricator activity. When fanaticism is involved or ideology becomes stronger than morals, fabrication may then be seen as a reasonable means to an end. The fabricator may invent the fake intelligence to help bring about a specific outcome to a situation.
- Mental illness, such as confabulation, often combined with alcoholism, causes some individuals to fabricate intelligence, most often done as part of a fantasy of being a secret agent or to gain official attention.
- Money is a strong incentive for some fabricators. Often, a reliable intelligence source agent will become a fabricator because of financial problems or greed. When the agent no longer has valid intelligence to sell to the conducting intelligence officer, the agent may decide to sell fabricated intelligence in order to satisfy need or greed. (Source: Wikipedia)
As you can see these are not so different from any other liar, however in the context of the intelligence world and what we see playing out today all of them could also easily fit the Presidents and the White Houses machinations of late. many have speculated already on all of these with regard to Trump and his coterie of minions in the White House today. I would put it to you here that all of these are likely but money and fanaticism are two of the key players here with a healthy helping of political expeditiousness. While Trump seems to be in his own reality much of the time, his outright lying and cognitive dissonance has multiple purposes. I would say that he has all of these factors, the mental illness, (narcissism) Desire for money and power, (Money) and a fanaticism that he wears like a cloak to keep him in the seat of power by using a base that he may not in fact believe in truly, but needs their support to win. I would say that this was a thumbnail of his campaign and what we are seeing now as he is running the country.
Looking back I would say the one biggest tell has been his claims of the Obama admin “tapping his wires” at Trump Tower during the election. Trump used this, as he does many other outrageous claims by Tweet, to distract everyone. He is specifically distracting the media, from looking at the real problem at hand (e.g. Russian ties between himself and his coterie and the monies involved) in what I am calling a WMD attack (Weapon of Mass Distraction) vis a vis early am Tweet storms. As we have seen with the claim of wiretapping there is no evidence but he uses spin and word salad to confabulate and bamboozle the media and the populace to look the other direction. I put it to you now that you can expect some other outbursts today or tomorrow post the Comey hearing in an attempt to spin things away from the connections that he and his people have with Russia.
Trump is a fabricator.
See through it.
With all of the crazed tweets over the weekend from 45 I thought it would be appropriate to acquaint my readers with the notion of the “Wilderness of Mirrors” as James Jesus Angleton put it. Angleton is famous for his paranoia and his actions during the time he was chief of counter intelligence at the CIA from 1954-1975. Today we are in an unprecedented time of national intrigue with our very nations political system at stake with the issues surrounding the hack of the DNC, the manipulation of the US election process, and now the allegations and insinuations that the Trump campaign may have colluded with Russia. All of these things now fall under the auspices of Counter Intelligence in that there are actors within our government that may be compromised and have either been witting or unwitting accomplices to a foreign powers manipulation of our national transition of power. What’s more, these same individuals may in fact be assets of that foreign power while they are in the power within the White House and elsewhere within the new administration.
Take a breath there and contemplate that statement.
We potentially have reached what I personally thought was only a movie plot line as a reality today. There are actual reasons to question whether or not the President of the US today may be a witting or unwitting asset of the Russian state. There may be reason to believe that the minions of the new President may also be assets of the Russian state, and to even make it worse we have seen a litany of lies and half truths given by these people and their dissembling has been caught by the Fourth Estate and held accountable for them. While there is no smoking gun yet, there is a lot to parse out with every mornings headlines in the Times and other papers of record but I would like to lift the curtain a little for you on the counterintel side for you. If you are gonna play this game at home you need a primer on counter intelligence and the ‘Wilderness of Mirrors’
When Angleton made the comment on the wilderness of mirrors he was referring to his own deep paranoia and the nature of counter intel. You have spies upon spies that you must determine who they work for in reality. As the chief of counter intelligence it was Angleton’s job to assume that assets and agents within his own organization were in fact double agents or even triple agents. It was Angleton’s job to seek the truth of what his officers were telling him from intelligence reports and what their assets were saying in a time when the great game was at it’s highest point with the USSR. In essence, and this was his personality anyway, he had to assume at all times there was compromise within his organization and to determine who those assets that were doubles were and were working for in reality.
Now, in the current situation we are going through with 45 and the Russian efforts to destabilize the United States there is no internal mole hunt that we have heard about within the halls of the CIA but, there is a counter intelligence operation going on at least at the FBI concerning all the players we are hearing about in the news and likely other names we have not heard. The current players you know are;
- Paul Manafort (Worked for Yanukovich/Had affairs/Money troubles/Access to slush funds)
- Trump (No tax retturns/business with Russia/Love of Putin)
- Jeff Sessions (Lied about meeting Russian Ambassador twice at least)
- Michael Flynn (Lied about talking to Russian ambassador to Pence and everyone else)
- Carter Page (Business with Russia and seems disposed to them)
- Jared Kushner (Revelations of meeting with Russian ambassador with Sessions)
- Roger Stone (May have handed over DNC emails to Wikileaks physically)
- Un-named others TBD
There are likely more to be named as we go along but you get the gist. The people in the inner circle of the current presidents campaign and those he then added to his administration all seem to have had regular contact with the Russian government pre election and post. Not only are they talking to Russian emissaries but according to the IC, they are talking to Russian intelligence officers. This is not a good thing even if they were unwitting assets of the Russian intelligence apparatus. To lie about these contacts only makes the problem worse for the state and places more suspicion on them all, which leads to the wilderness of mirrors that the fourth estate is amplifying with the reporting (which they should be doing) on the leaks that are coming out of the IC. Leaks mind you to my mind, are a means to an end to get the word out because if they did not, the admin would attempt to bury them forever. To wit, we have agents of foreign powers and people within the admin who are all lying about their connections and discussions. This is a counter intelligence operation and a mole hunt potentially. Do we believe the people who have been sources of the Steele notes? Or do we think that maybe they are telling tales to muddy the waters even more? Since some of these people seem to be dying conveniently are they being killed off by Putin for talking and telling the truth or are they just being killed to muddy the waters some more?
This is how you have to approach this. No one is telling the truth and you have to discern what the truth of it all really is. Who do you believe?
We are in the wilderness of mirrors kids. Look at the news and try to parse out what is truth and what is fiction. It makes it even worse when there are factions out there like Alex Jones and the SVR that would like you to believe wild stories and disinformation campaigns set out to further their own agendas. All of this then, in a completely inconceivable twist today is re-tweeted by the president of this country who often does so as a diversion (one hopes) or actually believes these things (much worse for he may be mentally deranged) which unbalances us all. We are now all in Angleton’s shoes trying to determine what is truth today and this is one of the most destabilizing things happening today to the United States populace and government. I want you all to understand this as you watch or read the news with these revelations. Specifically now that we have reached peak crazy with Trump saying that the former President ordered a FISA warrant on himself and the campaign in 2016. There are many issues here to consider and if in fact the IC had intel that the candidate and his minions were in fact in touch with Russian intelligence ‘constantly’ then what actions would the IC and the president have at their command to take up to determine if this was in fact true?
The recent accusation by the current president may be complete lunacy and the product of his own reading or watching conspiracy sites, or, it may have some basis in fact. In that there may not have been a FISA warrant but instead foreign friendly intelligence agencies, monitoring not only Russia but by their outside mandate, the current president and his people’s conversations “might” have some telling information. Maybe they in fact got the conversations and there was no smoking gun but instead the conversations looked suspect and more digging was required. Perhaps then, some group like the FIVE EYES passed along this information and it is still being worked by the IC here in the US?
‘Wilderness of Mirrors” kids.
IJPFRH CPAGP EIIL!
CYBER CYBER CYBER!
CYBER CYBER CYBER! or “CRY HAVOC AND LET SLIP THE DIGITAL DOGS OD CYBER WAR!”” is often what you hear from me in a mocking tone as I scan the internet and the news for the usual cyber-douchery. Well this time kids I am actually going to review a book that for once was not full of douchery! Instead it was filled with mostly good information and aimed at people who are not necessarily versed at all in the cyberz. I personally was surprised to find myself thinking that I would approve this for a syllabus (as it has been placed into one by someone I know and asked me to read this and comment)
The book really is a primer on IW (Information Warfare) and Cyber-Warfare (for lack of a better nomenclature for it) which many of you reading my blog might be way below your desired literacy level on the subjects. However, for the novice I would happily recommend that they read the book and then spend more time using ALL of the footnotes to go and read even more on the subject to get a grasp of the complexities here. In fact, I would go as far as to say to all of you out there that IF you are teaching this subject at all then you SHOULD use this book as a starting point.
I would also like to say that I would LOVE to start a kickstarter and get this book into the hands of each and every moron in Congress and the House. I would sit there and MAKE them read it in front of me *surely watching their lips move as they do so* There are too many people in positions of power making stupid decisions about this stuff when they haven’t a single clue. I guess the same could be said about the military folks as well. We have plenty of generals who have no idea either.. That’s just one man’s opinion though.
As we move further and further down the cyber-war road I think that books like this should be mandatory reading for all military personnel as well as college level courses in not only IW/INFOSEC but also political and affairs of state majors as well. We will only continue down this road it seems and it would be best for us all if the next wave of digital natives had a real grasp of the technologies as well as the political, logical, and tactical aspects of “Cyber”
I have broken down the book into rough chapters and subject areas as it is within the book (mostly) It really does cover more of the overall issues of cyber-warfare and methods used (not overly technical) The modus operandi so to speak of the actual events that have taken place are laid out in the book and give you a picture of the evolving of IW to what we see today as “cyber-warfare” I will comment on those sections on what I thought was good and what I thought was derpy of course, I mean would you all have it any other way?
IW (INFORMATION WARFARE) RUSSIA
The authors cover early IW with the Russian saga’s over Georgia and Estonia. There is a lot in there that perhaps even you out there might not know about the specifics of the incidents where Russia is “alleged” to have attacked both countries at different times with different goals and effects. Much of this also touches on the ideas of proxy organizations that may or may not be state run that were a part of the action as well as a good overview of what happened.
In the case of Georgia it went kinetic and this is the first real “cyber-warfare” incident in my mind as cyber-war goes. I say this because in my mind unless there is an actual kinetic portion to the fighting there is no “war” it is instead an “action” or “espionage” so in the case of tanks rolling in on Georgia we have a warfare scenario outright that was in tandem with IW/CW actions.
OUR CHINESE OVERLORDS
Ah Chairman Meow… What book on Cyber would be complete without our friends at the MSS 3rd Directorate huh? Well in the case of this primer it gets it right. It gets across not only that China has been hacking the living shit out of us but also WHY they are doing it! The book gives a base of information (lots of footnotes and links) to ancillary documentation that will explain the nature of Chinese thought on warfare and more to the point Cyber-Warfare. The Chinese have been working this angle (The Thousand Grains of Sand etc) for a long time now and there are more than a few treatises on it for you to read after finishing this book.
The big cases are in there as well as mention of the malware used, goals of the attacks and some of the key players. If you are out to start teaching about Chinese electronic/cyber/IW then this is a good place to start. Not too heavy but it gets the point across to those who are not so up to speed on the politics, the tech, or the stratagems involved.
Anonymous, as someone on my Twitter feed was just asking me as I was writing this piece, is also a part of this picture as well. The idea of asymmetric online warfare is really embodied by these groups. The book focuses more on Lulzsec and their 50 days of sailing but it doesn’t go too in depth with the derp. Suffice to say that all of them are indeed important to cyber-warfare as we know it and may in fact be the end model for all cyber-warfare. How so? Well, how better to have plausible denyability than to get a non state group to carry out your dirty war? Hell, for that matter how about just blame them and make it look like one of their ops huh?
Oddly enough just days ago Hammond wrote a piece saying this very thing. He intoned that the FBI via Sabu were manipulating the Anon’s into going after government targets. This is not beyond comprehension especially for places like China as well. So this is something to pay attention to. However, this book really did not take that issue on and I really wished that they had. Perhaps in the next updated edition guys?
OY VEY, the “GRID” this is one of the most derpy subjects usually in the media as well as the books/talks/material on cyber-warfare out there. In this case though I will allow what they wrote stand as a “so so” because they make no real claim to an actual apocalypse. Instead the book talks about the possible scenarios of how one could attack the grid. This book makes no claim that it would work but it is something to think about especially if you have an army of trained squirrels with routers strapped to their backs.
It is my belief that the system is too complex to have a systematic fail of apocalypse proportions and it always has been so. If the book talked about maybe creating a series of EMP devices placed at strategic high volume transformers then I would say they’d be on to something. However, that said, the use of a topological attack model was a good one from a logical perspective. They base most of this off of the Chinese grad students paper back years ago so your mileage may vary. So on this chapter I give it a 40% derp.
All in all I would have liked to have seen more in the political area concerning different countries thought patterns on IW/CW but hey, what can ya do eh? Additionally I think more could have been done on the ideas of offense vs. defense. Today I see a lot of derp around how the US has a GREAT OFFENSIVE CAPABILITY! Which for me and many of you out there I assume, leads me to the logical thought conclusion of “GREAT! We are totally offensive but our defense SUCKS!” So much for CYBER-MAD huh?
I would have also like to have seen more in the way of some game theory involved in the book as well concerning cyber-warfare. Some thought experiments would be helpful to lay out the problems within actually carrying out cyber-war as well as potential outcomes from doing so more along the lines of what I saw in the Global Cyber-Game.
Well, in the end I think it is a good start point for people to use this in their syllabus for teaching IW/CW today. It is a primer though and I would love to see not only this end up on the list but also the Global Cyber Game as well to round out the ideas here. To me it is more about “should we do this?” as opposed to “LETS FUCKING DO THIS!” as the effects of doing so are not necessarily known. Much of this territory is new and all too much of it is hyped up to the point of utter nonsense. This is the biggest problem we have though, this nonsense level with regard to the leaders of the land not knowing anything about it and then voting on things.
We need a more informed populace as well as government and I think this book would be a good start. So to the person who asked me to review this..
rode bb iqdnpmbia fpn’k ybi lr qektrf?
par·a·noi·anoun1.Psychiatry. a mental disorder characterized by systematized delusions and the projection of personalconflicts, which are ascribed to the supposed hostility of others, sometimes progressing todisturbances of consciousness and aggressive acts believed to be performed in self-defense or as a mission.2.baseless or excessive suspicion of the motives of others.Also, par·a·noe·a [par-uh-nee-uh] Show IPA .Origin:
1805–15; < Neo-Latin < Greek paránoia madness. See para-, nous, -ia
Paranoia , the Anonymous intelligence division (self described) published a dump of data ostensibly taken from Bank of America and TEK Systems last week. The information presented seems to show that BofA had contracted with TEK to create an ad hoc “Threat Intelligence” unit around the time of the LulzSec debacle. Of course since the compromise of HB Gary Federal and the revelations that BofA had been pitched by them to do some contract work in the disinformation business it only makes sense that BofA would set up a threat intel unit. The information from the HB Gary dumps seemed to allude to the fact that BofA was actively looking to carry out such plans against those they perceived as threats. Anons out there took great umbrage and thus BofA was concerned.
This blog post is being put together to analyze the data dumped by Anonymous and to give some perspective on what BofA may have been up to and to set some things straight on the meanings of the data presented by Paranoia. First off though I would like to just say that I think that generally BofA was being handed lackluster threat intel by a group of people with intelligence background. (for those names located in the dumps their LinkedIN pages showed former mil intel work) This of course is an opinion formed solely from the content that was available online. There may have been much more context in formal reports that may have been generated by the analysts elsewhere that was not open for the taking where Anon found this dump. The daily and monthly reports found in the database showed some analysis but generally gave rough OSINT reports from online chat logs, news reports, and pastebin postings. There seemed to be a general lack of product here and as such I have to wonder if there ever was or if perhaps those reports never made it to the internet accessible server that anonymous downloaded them from.
B of A’s THREAT INTELLIGENCE TEAM
Since the leak of their threat intelligence BofA has been recruiting for a real team it seems. A Google of the parameters show that they have a bunch of openings all over the place for “Threat Assessment” It makes sense since the TEK Systems team may in fact be mostly defunct but also that they likely would want an in house group and not have to pay overhead on consultants to do the work for them. TEK’s crew as well may have been the problem that caused the leak in the first place by placing the data in an accessible area of a web-server or having passed the data to someone who did not take care of it. Either way it looks as though BofA is seeking to create their own intelligence apparatus much as many other corporate entities are today. The big difference though is what exactly is their directive as a group is to be.
One of the problems I have with the Paranoia analysis is that they take it to the conspiratorial level and make it out to be some pseudo CIA like entity. The reality though is that from what has been shown in the documents provided, that this group really was only tasked with OSINT and threat intelligence by passive listening. This is a key difference from disinformation operations and active participation or recruiting of assets. I will cover this in more detail further on in this post so suffice to say that what BofA was doing here was not only mediocre but also not Machiavellian in nature. The argument can be made though that we don’t know the whole picture and I am sure Paranoia and Anonymous are leaning that way. I cannot with what I have seen so far. What I see is an ad hoc group of contractors trying to create an intelligence wing as a defensive maneuver to try and stay ahead of incidents if not deal with them more effectively should they not be able to stop them.
Nothing more.. Nothing less.
Threat Intelligence vs. Analysis and Product
All of this talk though should be based on a good understanding of what intelligence gathering really is. There are many variations on intelligence tasks and in this case what is clearly seen in the emails and documents is that this group was designated as a “Threat Intelligence” collection group. I have written in the past about “Threat Intelligence” and the misnomer many have on the idea that it is some arcane CIA like pursuit. One of the bigger problems overall is perception and reporting where intelligence gathering is concerned. Basically in today’s parlance much of the threat intelligence out there in INFOSEC is more around malware variants, their C&C’s and perhaps who are running them. With the advent of APT actors as well as criminal activity and entities like Anonymous the paradigm of threat intelligence has come full circle back to the old school idea of what it is from the military sphere of operations.
Today’s threat intelligence is not only technical but also human action driven and this makes it even more important to carry out the collection and analysis properly in order to provide your client with the information to make their decisions with. Unfortunately in the case of the data from BofA we see only sketchy outlines of what is being pasted online, what may be being said in IRC sessions, and what is in the news. Nothing overly direct came from any of the data that I saw and as “product” I would not be able to make much of any decisions from what was presented by TEK Systems people. What is really missing within the dump from Paranoia was any kind of finished analysis product tying together the information in a cogent way for the executives at BofA. Did TEK actually carry this type of activity out? Were there actual reports that the execs were reading that would help in understanding the contents of the raw intelligence that was being passed on in emails daily and monthly? I cannot say for sure. What I did see in the reporting (daily threat reports as well as monthly) were some ancillary comments by a few of the analysts but nothing overly structured or productive. I really would like to know if they had more of an apparatus going on here as well as if they plan on creating one again with all of the advertised positions in that Google search above.
Threat Intelligence vs. HUMINT
This brings me to the whole issue of Threat Intel vs. HUMINT. It would seem that Paranoia thinks that there is much more than meets the eye within the dump that makes them intone that there is a HUMINT (Human Intelligence) portion to the BofA program. While there may well be some of that going on it was not evident from any of the documents I looked at within the dump files. HUMINT would imply that there are active participants of the program out there interacting with the targets trying to recruit them or elicit information from them. With that kind of activity comes all of the things one might conjure up in their heads when they think on NOC (Non Operational Cover) officers in the CIA trying to harvest intelligence from sources (assets) in the field. From everything seen that was posted by Paranoia this is not the case.This operation was completely passive and just collecting data that was in public view aka OSINT. (Open Source Intelligence) Could BofA be seeking to interact more with Anon’s and generate more personal data other than that which the Anon’s posted about each other (DOX’ing) sure but there is no evidence of that. Given the revelations with HB Gary though I can see why the Anon’s might be thinking that they are likely taking more robust non passive actions in the background elsewhere though. Overall I just want everyone to understand that it’s not all cloak and dagger here and seems that Paranoia has a flair for the dramatic as a means to get their point across. Or, perhaps they are just living up to their name.
My assessment in a nutshell here of the Paranoia BofA Drop is as follows:
- Paranoia found some interesting documentation but no smoking gun
- TEK systems did a mediocre job at Threat Intelligence with the caveat that I am only working with the documents in plain view today
- BofA like any other company today has the right to carry out this type of activity but they need to make sure that it’s done well and that it isn’t leaked like this
- If more documents come out showing a more in depth look at the OSINT being collected then perhaps we can change the above findings
- BofA needs to classify their data and protect it better on this front
- Paranoia needs to not let its name get the best of itself
All the drama aside this was a ho hum really. It was funny seeing all the analysts taking down their LinkedIN pages (really, how sekret squirrel is it to have a LI page saying who you work for doing this kind of work anyway? SECOPS anyone?) I consider those players quite burned and assume they are no longer working on this contract because of it. All you analysts out there named, you are now targets and you are probably learning SECOPS the hard way huh? I guess in the end this will all just be another short chapter in Encyclopedia Dramatica and an object lesson for BofA and maybe TEK Systems.
For everyone else.. It’s just LULZ.
I came to Defcon this year as it turned 20 and after much had changed on the world stage regarding our business (INFOSEC/Pentesting/Dev/SECOPS) much remained the same. What has really changed though, and could be seen at this anniversary year was just how much our antics and interests were now the new “hotness” to the government and the military. Never before had the NSA had a booth at our conference but this year, they were there with recruiting in mind and that is a big change.
However, you may be saying to yourself right about now “Uhh, but, this has been going on a while, not just now” Well, yes, it has, but, what I have noticed this last con was that it’s not all about the tech, this year, it was also recruitment of human assets who would give “intelligence” to the players like NSA. No more are they just looking for programs and programmers, but also seeking out to make connections with people who have connections. You see, as Shawn Henry said as well as General Alexnder, “we need you to keep an eye out and tell us if you see something” What I heard was the equivalent of “if you see something say something” that the TSA has plastered at airports.
This is an important paradigm that we all need to be aware of. With the advent of Anonymous and Stuxnet as well as the nascent idea of the internet becoming a “digital nation state” we all have to be mindful that while the technologies out there are a commodity, so too are we in the great game of cold war intelligence and cyber war. We are the commodity that makes the new exploit as well as being the HUMINT asset that intelligence agencies need to “collect” with.
Now, while you are pondering that, consider the fact that the “opposition” is also trying to curry favor and recruit us as well…
Yup, that’s right. That party you might be attending might in fact have operators from other countries clandestine services too. In fact, that party could even be funded by said agencies and players to get you to chat and perhaps leak meaningful information. Think about it, how many of you out there reading this post work for fortune 500 companies as security technicians? What kind of data is in your head that might be of use to a foreign operative?
Ponder that as you sip that free drink late in the day. Say, did you know that the Chinese most preferable means to gaining intel with visiting professors and the like, is to have them over tired and tipsy? It’s true, it’s low level but its been used on many an occasion. You see, once you start talking, then you open the door for more rapport building, and then it’s pretty much over. One wonders how many Los Alamos folks had the same treatment on trips to China. Now think about the average Defcon party and the amount of alcohol and sleep deprivation we have going on there.
So, look at it from that perspective. Now the NSA has come to the con just as the FBI and other agencies and security bodies so too will the “other guys” I don’t know how many of you out there come from military or “other” backgrounds where you will have a DSS or counterintelligence training,but, I am assuming that a vast majority of the folks attending the cons today do not have that background, especially the younger ones who’s only been in the security arena a short time. Pentesters who know SE should be able to easily detect some of the techniques used to recruit an asset, and tease out information.. Others, maybe not so much.
So here we are today, APT (Yes China being one purveyor of APT attacks) are not only using malware to get into systems but also recruiting sources to help them in their goals. Used to be a time that it really only was the nuclear scientists getting the attention… Today though, everything is game, you might make widgets, but that doesn’t mean that someone doesn’t want to know what you know.
Pssst… It’s still espionage kids… And now YOU are part of it because you hold interesting information.
How’s that for some “Threat Intelligence” huh?
Which brings me to the second line of thinking or topic that came up this year. The government is asking us to consider more “threat intelligence” and to bring them in on the loop. See, right there, they are asking you to be an asset.. Did that occur to you? Of course I know for the most part you all thought, as I did too, that the idea was a bit silly.
Because who really has that kind of threat intel program going on today? Hell, we are all pretty much trying to just keep our shit together right? On average, unless you work for a major company,you may not even have an SIEM or even snort instance right? How are you going to convince your employer that you need that stuff and then more so, to pass that intel to the government? The only groups I have known to do this are the DIB partners, and they do it because they don’t want to lose contracts for the military.
So now, we would all be assets? All corporations out there, whether they are being attacked by APT or Anonymous, would be reporting their incursions or attempts at them to the government? That’s kinda spooky really. This also circles back nicely to the idea that we all now, all of us in the INFOSEC community are now collection nodes for SIGINT/HUMINT/MASINT/ELINT and not many of us have had the training to be analysts.
You see, when you use the words “Threat Intelligence” this has some context that some may not get right away. It’s not just what IP is hitting us and with what attacks anymore.. It’s about the context around all of that and the attribution that is needed for cyber warfare, or more likely, cyber intelligence operations. I expect to see a lot more of this lobbying going on at all of the cons as well as more people sidling up to the attendee’s and asking “so, what’s going on out there?”
For those of you not acquainted with HUMINT and it’s techniques, I suggest you read “The Art Of Intelligence” By Henry Crump and learn… Why? Because that guy you’re talking to at the cool party might just be a PRC case officer…
The Biggest Attack Surface is US
“I have met the enemy of information security, and that enemy is us.”
With the new spate of malware attacks (alleged by nation state actors) as well as other attacks by the likes of Anonymous on down to the usual cast of criminal characters, I have been taking stock of the “bigger picture” What I have come to the conclusion of, is that we, out of all things, the creators of the internet, the computers, the code, and the universe in general (probabilistic, newtonian, quantum, etc if you believe we in fact create our consensual reality) are the one common flaw in security.
Take that statement in a bit… I’ll be back in a moment while you ponder….
Ok, thought that through a bit? For me, the statement us an ultimate truth. We create all these things (for me universe included by perception) and in the case of the security over or within the systems that we make and use, are it’s core failing. We, for a lack of a better term, are “flawed” and thus, our systems will always be so. In the case of security today, we can see this from many angles, not just within the realm of computer security or data security, but also our efforts in war or protection from terror (ala DHS and the TSA) There are inherent flaws and unpredictable outcomes vis a vis human nature that really have to be taken account of before we can really even consider something to be more secure than not.
This is an issue that I think many are overlooking as they seek to make the better mousetrap cum Rube Goldberg device that will then sit blinking in your rack at the NOC. Boiling it all down to the sum total of security issues, we have the human being and their “nature” to consider as the driver of the ill as well as the arbiter of demise in any security scenario we can think up here. This is why I have decided to write this post, I want you all to stop, take a look around you, and see the problem from the macroverse instead of the microverse of code and hardware.
It’s all in the wetware man.
Human Nature, It’s Anathema To Security
Human nature… What a many splendored thing huh? It gives us so much latitude as a species to be dominant on this planet and yet, we still seem to be unable to overcome it and protect ourselves from it’s down side. Of course it isn’t just that our natures precludes us from attempting to secure things today, it’s also that we are using technologies that we built, us, fallible beings who tend to code in error and without foresight into how it could be abused. On that note, the abuse of the code itself is also human nature, we are always pushing the bounds trying to outdo others or just test the bounds of our realities so, it’s a natural progression really. Of course then there is also criminality, and the darker tendencies that we all have… We are just a pile of trouble aren’t we?
On the other hand, there is also the tendency for laziness today that we all have, whether that be intellectual or other slothly behaviors that can be and often times, are the cause for security failures. It is laziness in coding and a desire to work faster and maximize profits for example, that lead many people down the path of sloppy code and massive vulnerabilities therein. Couple this with the need for speed that today’s work environment (time is money calculations aside) demands, and we have the mix for epic failure much of the time. Oh, and lest we forget hubris, like that of Microsoft. coming so late to the security game in their coding and testing of operating systems, that, in effect are the most frequently vulnerable as well as the biggest target from user base perspectives.
Oh, and there are also the basics of human nature such as being helpful, or other more base desires that often are the unraveling of security measures. You can have all the defenses in the world, but all it takes is one person saying “Gee! Look! A USB stick in the parking lot! ITS ALL MINE!!! I MUST PLUG IT IN NOW!” How often have you pentesters out there reading this now have used that very exploit? Over and Over and Over again and had success each time. How many of us have had the door held for us even when we don’t have a badge? Yeah, I know, many have and though have been warned on the perils of doing so, still do it out of instinct or perhaps social programming.
It’s human nature that is the undoing of the best laid plans of mice and men…
What I am getting at is a simple truth, we are the problem. If we aren’t creating the poorly coded software, then we are the ones opening the gates to the Hun hoard, or worse, we are in fact that Hun hoard and are exploiting those weaknesses for our own gains (whether it be nation state, pentester as a job, or criminal to make a buck) it’s all driven by our nature.
HUMINT and The Push Of Social Media
So enters the era of “Social Media” and wow, we are a social animal aren’t we? We have Facebook, where we seemingly just expose all of our foibles, secrets, and other trivia daily, no, wait, by the second, every day. Who knew we would be so in need of telling everyone (not to mention showing everyone screen shots of our meals) about every little thing we do? Our location at that time, or perhaps that little Timmy took his first solid dump. *shudder* It’s little wonder that you see how much the government is interested in our “social” data huh? We are so willing to just give it up without a thought to it.
It’s our nature I guess… Tribes around a digital fire now…
Back to social media and HUMINT though, you see, this is the next wave. Since everyone wants to communicate on the Internet, then its easier to communicate with everyone and everyone in a way that, as we have seen, allows for a lot of data gathering, and manipulation. See, now we have the infrastructure populated, we will now use it, subvert it, for goals other than just befriending someone. Hell, we now have bots that do it for us right? How do you know that that person you are talking to on Twitter is a person or a heuristically adept bot? Give it some pause…
Think about the potentials here for every kind of abuse or manipulation. Anything from online advertising using Turing bots to intelligence agencies and others gathering data on you all for whatever purpose serves their needs, and you, you are the commodity.. The “asset” So, yes, as the technologies advance and the human nature side of things continues to allow for strides in security as well as the inevitable setbacks, you, will become the ultimate target of the easy score for data that could lead to compromise. After all, what do you think the real persistent threats rely on? Human nature, our nature and proclivities for social interaction, which, really, is what the Internet is all about huh?
Now, as you go to post on Facebook about your last meal.. Ponder this…
So, How Do We Remediate All of This?
Is remediation possible? Can we change the vagaries of human nature to the point where we can actually not only secure systems adeptly, but also secure the end users to disallow the lowest of the low hanging fruit? Can we get coding initiatives that work and for God’s sake, come up with non Turing complete machines and code? One wonders if it ever really a possibility, and frankly, the sense I get of things lately in the security community is no. We will never win the battle, the war will rage on forever and at least we will have jobs, but, we must get used to failure in the grander scheme of things.
Once again, human nature is the arbiter here and, well, we are human aren’t we? I guess the answer is no, we will never be able to remediate it all. As we move forward with an uncertain digital world, one where we have put all our eggs in one digital basket (yes, power, light, water, control) we all must look at the nature of it all and ponder what have we done to ourselves here? Has our nature and a propensity for laxity in thought and deed placed us in greater jeopardy? Will we ever learn from the things we have seen already and try to remedy the situations? Or will we just go on blithely until such time as there is an epic failure that causes us pain?
This is not to say it will happen, nor that I believe it will be as epic as some on capitol hill would have you think, nor those in the shadows selling them the digital snake oil in the first place. What I see though is that unless we get smarter and try to manage our natures here, some will end up exploiting them to our collective detriment. Whether it be the laws around our privacy, or lack thereof, or the connecting of systems upon systems that, should one fail in a cascade, we really could have an problem, we all have to take a step back and look in the mirror.
We are the problem.