A little over two weeks ago United States Army Specialist Bradley Manning was arrested and life as he knew it changed forever. Manning, an intelligence analyst stationed at Forward Operating Base Hammer, 40 miles east of Baghdad, had implicated himself as being responsible for the disclosure of in excess of 260,000 classified documents that he harvested from military classified networks (SIPRNET and JWICS). He shared this information with Adrian Lamo, well known “reformed” black hat hacker over encrypted instant messaging sessions ultimately culminating in Lamo turning to the United States Army’s Criminal Investigation Division (CID). Lamo, who along with Wired.com journalist Kevin Poulsen, have been labeled as ‘snitches’ as a result of Lamo’s cooperation with the authorities and Poulsen . The Internet is awash with speculation regarding this story with parties such as Julian Assange, founder of the Internet whistleblower site WikiLeaks.org – the site which Specialist Manning allegedly provided these documents and videos to, stating that were Specialist Manning responsible for the submissions (which Assange will neither confirm nor deny), he should be regarded as a national hero.
Regardless of your position on free speech or what only time, investigation and thorough analysis will reveal pertaining to the Manning case, gross misconduct occurred in what can only be described as a willful manner as it relates to Specialist Manning, his military occupational specialty, his rating, unit, command and brothers in arms the world over. Philosophy, politics and idealism are the wildcards in our space; the black swans which, when identified must be taken note of as that which motivates them in many respects lies squarely outside of the norms associated with breeches of this type. In most cases of espionage, which is candidly what this is — regardless of your feelings or philosophy, there are often common indicators that are noted and tend to be exploited by those seeking to exploit a party to do their bidding. This case is different. It’s interesting and quite candidly horrifying in that Specialist Manning (to the best of the data we have to date), was not motivated by greed or financial hardship (motivators seen in countless other cases such as the cases of Ames, the Walkers, or Hanson for example), or vice (as seen in the case of Lonetree). No, by all accounts (again taking into consideration that these accounts are coming largely via third party relay and information being disclosed resulting from the communications between Manning and Lamo along with information provided by friends of Specialist Manning), Specialist Manning was motivated by that which we might most easily describe idealistic or philosophical.
As a result, I am going to refraining from weighing in within an opinion regarding guilt or innocence as no doubt Specialist Manning will be undergoing investigation and I would imagine a Court Martial as a result of the allegations being brought forth against him. Certainly the communications he provide Lamo will act in building and strengthening the case against him and we would all do well to remember that Specialist Manning – like all Military personnel, swear an Oath of Enlistment which calls for the party swearing said oath to defend the Constitution of the United States from all enemies, foreign and domestic. The oath itself looks like this:
“I, (name), do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; and that I will obey the orders of the President of the United States and the orders of the officers appointed over me, according to regulations and the Uniform Code of Military Justice. So help me God.“
It is communicated in an elegant and articulate manner and leaves no room for interpretation. Beyond that, when one enters into a military occupational specialty which requires a security clearance one’s life and personnel opinions must be willingly put aside for the greater good as the lives of others more often than not depend on a clear, unwavering stance on service, obligation and duty to the nation. Having said that, it should be noted that it is not my place nor is it my desire to pass judgment on this young man. That day and duty will come and justice served in a military court of his peers at a time yet to be determined. My real concern stems around the situational awareness of those in charge of the facility in which Specialist Manning worked on a daily basis and their procedural and operational effectiveness. Allowing anyone to enter into classified environment with read / writable media is not uncommon. Read writable material is used within these environments. However, allowing them to leave the facility with read / writable material – regardless of how it was labeled (in this case Specialist Manning stated that he labeled a read / writable disk as a ‘Lady Gaga’ cd and proceeded to pretend to lip-sync to her songs while he was scouring secure, classified systems and networks for material which he later downloaded within a split compressed file), is unusual to say the very least. In most cases it does not and never should occur.
This no doubt will be investigated by Army CID and others and will likely see the watch command, Officer in Charge and others investigated in order to proper assess whether Specialist Manning acted alone or in collusion with others. The results? Well we’ll have to wait for the results to be arrived at – we may never know as the Department of Defense may desire (and it is their right to do so), not disclose all that they find. Regardless I cannot think of a better case to highlight the need for regular, and vigilant security awareness and educational training in addition to greater degrees of cognizance of the existence and potential use and hosting of onion routed repositories within networks (public or private), which may be used for questionable and in some cases quite clearly, criminal ends.
New White Paper: The Rise of the Cyber Cell
The Evolution of a Sub-national Entity in CyberSpace: The Rise of the Cyber Cell
Want To Play A Game?: Preparedness and Cyber Event Games
Any Given Tuesday
On February 16, 2010 the Bipartisan Policy Center’s national security preparedness group (led by Thomas Kean and Lee Hamilton), in co-ordination with former CIA Director General Michael Hayden and others. I watched it as the participants worked their way through the mock scenario and like many in my field remained quiet with respect to the matter preferring to hear the comments of others prior to offering up any ideas of my own with respect to the exercise itself. The role playing game took place in an alternate 2011. In this alternate reality 2011 hackers distribute a free phone application containing a virus, which lets them do the following:
- Sniff and capture passwords
- Capture keystrokes
The scenario combines a series of quite serious events that individually pose major problems and collectively represent a disastrous situation:
- Malicious code & content is propagated via an infected mobile phone application thusly propagating the code and establishing command & control (C&C) (EVENT OF INTEREST)
- Worsening conditions due to the spread of the malicious code & content lead to confusion in the financial markets (FINANCIAL CRISIS #1), resulting in the abandonment of smart phones as hey are now viewed with grave suspicion
- Consumer confidence plummets in the market specifically with respect to the mobile communication & smart phone manufacturers resulting in a $3 Billion USD loss in two weeks (FINANCIAL CRISIS #2)
- Data servers and alternate communications systems components (servers), experience excessive traffic conditions leading to worsening communications availability, quality, integrity (COMMUNICATIONS NETWORK CRISIS #1)
- Alternate universe 2011 experiencing climate issues (Environmental CRISIS1 & 2)
- Summer 2011 is one of the hottest in recorded history
- Impacts cooling stations within the power grid
- Summer 2011 is one of the hottest in recorded history
- Hurricane hits Gulf Coast
- Damages to the natural gas infrastructure of the United States
- Sub-national terrorist attack (bombing), at a power station takes place
- Renders key elements of the national power grid inoperable
- Millions left without power
Conclusions Made By The Participants: The U.S. Is Not Prepared For a Large Scale Cyber Event
Concerns and Comments on The Outcome
I struggled greatly with this for many reasons not the least of which is that I am a citizen of the United States, was born and bred here and make my residence here as well along with hundreds of millions of other Americans. Former Director General Hayden along with others concluded that should an event such as this occur the outcome would be disastrous. Though I understood the rationale being employed to conduct the test (it is hardly new – role playing scenarios have been used for decades to test preparedness), I was and to a degree, remain torn with respect broadcasting a message such as this one to the world at large regardless of whether or not it reflected true, current, state statistics. My fear is that in sharing this type of information with the masses the result could very well be pandemonium and panic as opposed to curiosity leading to inquiries to congressmen and women or senators.
Warfare, after all, is a behavioral activity demonstrated by human beings toward one another; it is as old as time. Archeologists have substantial evidence that suggests in no uncertain terms the realities of warfare long before history recorded the rise of the State as Westerners define it. In his 1996 book, War Before Civilization by Lawrence H. Keeley (Oxford Press, 1996), a professor in the Anthropology Department of the University of Illinois Circle Campus, Chicago stated that “approximately 90–95% of known societies throughout history engaged in at least occasional warfare and many fought constantly.” Cyber warfare is a logical extension of this mindset; a modern addition to a longstanding tradition replete with customs, courtesies, weapons and protocols. I’ve written previously on the activity and attitudes held by certain nation states with respect to cyber warfare; some friendly others not so friendly to the United States. The fact of the matter is that cyber warfare is real. Debates suggesting anything to the contrary simply the product of the uninformed or those who wish to believe that things in the world were different than how they are.
Final Thoughts
Will we see acts of war or wars fought in cyber space? I believe we’ll see a continuation of that which we’ve already seen and noted over the last two decades if not longer. To assert otherwise would be foolish. Will the manifest the way in which they did in the continuity / disaster recovery exercises described in ‘Operation Shockwave’(or for those who recall them operations ‘Black Ice’ and ‘Blue Cascade’ which took natural disasters or disasters introduced by sub-national entities and married them with cyber attacks)? I wouldn’t want to speculate however I believe that though there is much conjecture with respect to this subject; much debate amongst industry pundits (some fluent, experienced and familiar with warfare and the cyber derivative and some not) that it is not beyond the realms of possibility. A great deal of work has been done in the study of traditional warfare:
- The Art
- The Science
- The Nature
- The Humanity or lack of Humanity
- Tactics
- Strategy
So too as it relates to the integration of defensive and offensive tactics, strategy and solutions and this I believe will continue as our need to address threats which exist on a logically driven front yet have the potential to impact the physical world will only continue to grow. We have an obligation to do what we can however we can to protect our nation and our allies. I still believe we should be more discrete with sharing information (I can’t unlearn that which the Marine Corps taught me), and hope that via proper educational channels (many of those participants within the Bipartisan Policy Center’s panel suggested and commented on the need to work with industry in order to ensure safe guarding of the nation), and we will arrive at a point where exercises such as this and the feelings of angst they produce, are no longer needed nor angst generating.
Why PCI and APTs are NOTHING alike
Today I read a blog entry which both amused and troubled me. The entry in question can be found here and was written by Anton Chuvakin, a smart cat who is obviously trying to draw parallels where they simply do not exist. In this case, he asserts that there are at least 9 reasons which describe how (and why), the PCI-DSS standard and Advanced Persistent Threats (APTs) are alike. Not being new to either, I thought I would read Anton’s entry and see where he was going with this…apparently to la la land….. Let’s take a look at what he asserts.
First and foremost, he asserts that they are similar. I find that humorous at best and borderline irresponsible at worst. PCI, as you dear reader, are well aware is a governance standard created by the payment card industry (the PCI in the PCI-DSS) in order to ensure a homeostatic baseline from which all vendors, merchants, and processors conducting business with the big 6 in payment cards exists and can be measured against. It has nothing to do with threat modeling or mitigation nor does it ensure (as we are painfully aware of due to the unfortunate events which took place at Heartland, Hannaford and a host of others who were either certified PCI Compliant or in the process of being certified), that anything beyond the scope of those systems which comprise the environment which processes credit card information are secured (this is accomplished via vulnerability scanning, and auditing against the standard), leaving the remainder of the enterprise to sway in the wind like yesterday’s laundry. For the record, I don’t think PCI is good or bad, but rather like climbing the rope in gym class: if you want to make the grade, you’ll get up that rope otherwise you’ll receive the consequences. It doesn’t really speak to one’s athletic capabilities or aptitude however it does impact your grade…PCI is more akin to this than APTs.
Anton asserts the following (whether in jest or in all seriousness is debatable):
- “P” in “APT” stands for “persistent”, “P”in PCI stands for … well … PCI is pretty darn persistent
- Ok…this is cute but hardly relevant or helpful to any combating or faced with the prospects of combating and defending against the realities associated with APTs
- Both are absolutely a threat, whether of non-compliance or of severe 0wnage…
- Both are not threats. The penalities associated with the failure to comply with the PCI-DSS standard if one’s organization hopes to continue doing business processing credit card transactions is a promise whereas the threats associated with ‘APTs’ are wildcards and cannot be guaranteed as no two ‘APTs’ are alike.
- “Nobody would ever find that we lied on our SAQ” is said sometimes in PCI, and “no APT will want to hack us” is often said about APT.
- I have no issue with only because it is generally true that in making assumptions which eliminate the possibility of risk one does oneself no favors
- People under PCI sometimes do not want to update their anti-malware defenses, because they say “it is too hard.” People under APT often also do not update their anti-malware because… hey… what’s the point?
- In all my years in consulting, working in research, and for two different information security vendors I have never met an organization who said updating was too hard. I have however met several who have asserted that the politics which governed their environments were prohibited and that their management teams were — for better or worse, comfortable with the assumed level of risk under which they labored and operated. Fair enough, it’s your environment, do as thou wilt. However, in working with those who have been victimized by ‘APTs’ I can tell you that none have ever (let me reiterate EVER) said what’s the point in updating their malware defenses. The reality is that 99.999 % of the time, they were completely unaware that their environments were at risk, they were updating their defenses and assumed their vendors were maintaining congruency and continuity with respect to the content they were delivering. In most of these cases, the advanced analytic tools which were necessary (above and beyond logging and monitoring by the way), were not present within these environments and as a result the ability to track the activity associated with these threats was absent.
- “A” in APT stands for “advanced,” PCI is pretty advanced stuff for some people who have to be compliant with it (think: your neighborhood gas station)
- True however there are restrictions and guidelines associated with transaction levels (minimum activity and dollar amounts etc.). ‘APTs’ are not always terribly advanced. Ghost Net is a phenomenal example of this. The vulnerability which was exploited was quite old, the tool which was used was not sophisticated (Ghost RAT), and the rest is history.
- With PCI, you don’t always know what you need to do; with APT you almost never know what to do.
- PCI is well documented and the domains clearly articulate what is required in order to meet compliance in terms of operational controls (manual & programmable), in addition to internal and externally related controls. I already addressed the nature of ‘APTs’ two bullet points ago however will reiterate that by the time you are aware one is in your environment (provided you are not in possession of the types of technologies which would provide you view necessary to capture and identify associated ‘APT’ activity), it is too late. At this point you’d need to take immediate steps to stop the bleeding (exfiltration of data) from your organization.
- Also, you are never “done” with PCI, you need to maintain compliance and security; you’re absolutely never “done” with APT.
- Agreed but again this is true of all things within information security.
- PCI compliance requires logging and monitoring; dealing with APT absolutely requires extensive logging and monitoring.
- PCI does require logging and monitoring. However APTs require (as I mentioned previously), much more than simple logging and monitoring. Session based analysis, for example, must be present if it is not you will likely never see an ‘APT’ coming, going or just hanging about collecting data.
- People refuse to deal with PCI because they do not believe that anything bad will happen to them, similarly people refuse to deal with APT since they don’t know that APT has already happened to them.
- This is an oversimplification of the challenges associated with both PCI and ‘APT’s (and part of the reason I stated earlier that Anton’s orginal post was borderline irresponsible). PCI has teeth unlike many other regulatory and / or compliance acts. This is true for several reasons not the least of which is that it is not being pushed by the federal government but rather originates with privatized business thusly placing stringent conditions upon those who must meet its criteria in order to remain in business. People do not refuse to address ‘APTs’. This is both preposterous and asinine. Most people, specifically those outside the financial services, defense industrial base, or research & development environments (pharmaceutical, high technology, low technology etc.), are unaware of the existence of ‘APTs’. Being unaware of the existence of something does not in any way imply that under other circumstances one would refuse to acknowledge the existence of something should proof be brought forth. This is an under developed line of logic and it is logic such as this which is being espoused within the industry today that is allowing for ‘APTs’ to become the hot topic amongst any and all vendors who may or may not have any experience or expertise with these threats
I hope this comparison and contrast was helpful to those who read it as well as Anton’s blog. My goal in writing this is three fold:
- To ensure that the dialogue pertaining to APTs and other advanced families of threats remains pure and unadulterated.
- To ensure that inaccuracies and under developed concepts are prevented from permeating the cultural zeitgeist.
- To ensure certain parties avoid liberating graphics from entries posted here at Cassandra Security
Recent events have caused the world at large to take note of something which many – certainly not all, information security professionals have been intimately aware of for some time; the dynamic nature of the threat landscape as demonstrated by the rise in prominence of subversive multi-vector threats (SMTs). The events related to the Google vs. China attacks are exemplary of a subset of SMTs, the advanced persistent threat (APTs) first brought to our attention as a ‘term du jour’ by the fine folks at the Department of Defense (DoD). Were their other names for these threats in the years prior to the coining of this term? Yes, for many years the unexplained or anomalous were referred to as ‘events of interest’ (crafty no?) as that is exactly what they were when noticed, events of interest. Today, in a wonderfully thought provoking guest blog posting at ‘Threatpost.com’, Scott Crawford and Nick Selby reiterated that it’s the adversaries not the threats which are persistent.
This correlates with the model from which I operate and understand these threats, the subversive multi-vector threat model, regardless of their points of origin (nation state, sub-national entity – criminal, terrorist, mercenary or otherwise). Again, this comes as no surprise to those who have an intimate familiarity and understanding of what motivates, drives and ultimately emerges as an exploitation resulting in data exfiltration and weakening of risk postures (literal, figurative and psychological) in public and private sectors the world over. Experience is the best teacher. This has proven to my colleagues and me here at Cassandra Security and at other affiliated organizations such as Trident Risk Management many times over. What is old is often vigorously repeated as many times people become complacent, forgetting what led them to take note of an event of interest to begin with.
There is a familiarity associated with this idea that echoes the sentiment that Solomon suggested in his writing of the Book of Ecclesiastes “…there is nothing new under the sun…”. We need to ask ourselves why? Why are we surprised by this rationale? Why are we taken aback by the emergence and manifestation of activity, which is not new, but rather the result of creativity, innovation in thought, action and deed in addition to the willingness of those responsible to accept greater degrees of risk than we ourselves are – in both offense and defense? And perhaps why our industry slumbers like a sleeping giant as was suggested by members of this organization last year at Toorcon 11 in San Diego while presenting on this and related topics? Perhaps even more interesting is the attitude that Crawford and Selby noted on the part of several of the ‘Bigs’ with respect to this subject matter, which previously was not part of their vocabulary.
Regardless of what you wish to believe, the threats presented by individuals and organizations alike operating on behalf, in deference or outside of nation state sponsored activity is real. As Tom Clancy said, there is a “Clear and Present Danger” here. This is not up for discussion nor should it become the marketing hammer with which some posit less than enlightening insights regarding just what the goal of threats such as those seen in the ‘Aurora’ attacks are targeting –namely data….in the public sector with respect to defense and strategic offense it has always been about the data…data & intelligence are paramount to all things tactical, strategic and economic. To suggest otherwise is not only demonstrative of one’s own personal limits and lack of understanding with respect to the subject matter but also indicative of one of the greater problems present within our industry: sensationalism and the errant logic which some organizations use in capitalizing off of a ‘hot’ topic. This is both foolhardy and ill advised. This is the information security industry’s equivalent of ambulance chasing and should be looked upon with both a cautious, discerning eye as well as no small amount of skepticism. Regardless of what you wish to believe or may have heard recently from some rather large entities in our industry, the threats discussed in the case of Google in China and elsewhere (Ghostnet for example), are from new.
You may have read articles here at Cassandra Security previously, addressing this topic or elsewhere, perhaps at Taosecurity, Information Warfare Monitor or threatpost. Regardless of where you read or heard about them, it is important to note that these attacks and those responsible for them are not new nor are they peerless or without fault. True, they are often hiding in plain sight. That is something that those responsible for organizational security & risk posture must address for themselves and take note of should they wish to stave off current or future attacks. This is a fact is apparent in a multitude of cases historically, and will no doubt continue to be the case as I and my colleagues here and elsewhere at affiliated organizations have suggested. Equally important will be the need to develop a deeper, more robust understanding of the psyche of those behind these attacks and their motives. Agendas drive everything whether we wish to admit so or not. Cybercriminal activity in all its flavors in addition to nation state sponsored and sub-nationally sponsored activity require this now more so than ever before. The future is now and it is up to those who dare to lead and provide the light necessary to illuminate the paths we tread.
There is A LOT of press regarding Google and the Chinese exfiltrating data from many corporations. The Wall Street Journal has a pretty good write up, if you have not had a chance to read it, I would encourage it: http://bit.ly/92Q1CI . Honestly, it does not matter if the attack vector was going through Google or any other medium for that matter. It’s important to understand that any open Internet connection and the financial backing of a State and Non-State Sponsored Cyber hit, has and will continue to exploit any target of value. First, APT’s have been around for a long time. Furthermore, the technology required in uncovering these “Subversive Multi-Vector Threats (SMT)” as my close colleague and friend, Will Gragido describe in a recent blog posting: http://bit.ly/8TlP6d are typically not core infrastructure security devices. What are core infrastructure security devices? FW/UTM/NGFW, IPS, Web & Mail security, A/V, HIPS and some form of DLP to name a few. These that I listed are great for detecting, stopping and mitigating about 80 – 90% of the attack surface according to an article where the NSA was quoted. Keep in mind People, process and select few technologies and vendors bridge that 10 – 20% gap.
APT’s or as we here at Cassandra refer to as SMT’s are typically a topic that not a lot of security professional’s are qualified to speak about and because the threat’s are so stealth it’s not talked about. Will and I recently gave a discussion on APT’s at ToorCon this past fall. Our ToorCon presentation can be found here: http://bit.ly/73tuYA . We are passionate and very experienced in dealing with this subject matter, as we’ve had to deal with this specific attack vector for the past 15 year’s. It’s not surprising that it’s starting to get coverage and unfortunately, it’s probably the best vector for obtaining any type of data almost undetected. Now with that said, the sky is not falling but corporations are going to have to make investments in key technologies and people if they really want to know what’s going on within their network. Correlated event data from multiple threat feeds is a great thing but it’s not as powerful in having full session based data. SMT’s are like bread crumbs that fall through the cracks and the type of technologies that can catch the breadcrumbs are those that are developed by Netwitness and Palantir to name a few. Not plugging them but these type of technologies are needed in uncovering the stealth threats that go bump in the night and broad daylight. Additionally, the time to protection is constantly shrinking and reactive point products that provide retroactive assurance can’t scale with the current threat landscape. The paradigm from a silo data feed model needs to change. A vendor that’s leading this model is McAfee. Again, at Cassandra we remain technology vendor agnostic, however, when it comes to the severity of the threats, the industry needs to change and follow the example of other vendors that are leading the battle in combating SMT’s or formely referred to as APT’s. More to come on this topic.
2010 Predictions…sort of
Its 2010 people Happy New Year! Where did 2009 go? Last year was a very busy year for Cassandra Security. A lot has occurred since we launched and we as individuals and as a team have learned a great deal in the process. 2010 promises to be a very exciting year and if my estimations are sound, we will show no signs of slowing. This is a good thing. My first 2010 prediction is that in not too distant future you will see our site change. The evolution has begun and it is only a matter of time before it is complete. I am personally looking forward to this and other changes however; I will refrain from commenting until the appropriate time. I will say however our goal remains the same to provide the most comprehensive, thought provoking content we can related to our passionate study, devotion and understanding of our discipline. Expect to see more in the way of malicious code and content analysis, threat analysis, reversing, trending and a whole host of other technological and philosophical endeavors related to our work. It is an exciting time to be in our space; it is a time that calls for leaders to lead, followers to follow and those who are confused to kindly step out of the way. Before I get into the heart of this post, I would like to say thank you to those who have shown their love, appreciation and support to us thus far, believing in our work and us and rallying behind us regularly. Thank you. You know who you are and so do we. We are honored by your allegiance and support and hope that in achieving our goals we will also aid you in accomplishing your own whether in business or personal contexts.
This time of year resolutions are the norm and in our space so are predictions. I am not a resolution kind of guy so I will jump squarely into the predictions. Predictions are tricky. In our space often times you encounter a regurgitation of ideas or worse yet, a pilfering of them with the net effect being that they end up on someone’s prediction list. This entry is going to be different. I hope you’ll enjoy it and appreciate for what it is as opposed to yet another broadcast of what may or may not be the next big threat to hit (I will mention some things which fall into this category . As you will see, it will be done in a manner traditionally different from what one would expect in piece such as this). Predictions come in two varieties. They are either related or associated with the divine, the supernatural, or the result of anticipatory science (the type of predictions, which lead to the formulation of a hypothesis for example). As we neared the close of 2009, I read no one’s predictions for 2010. In fact, I still have not read anyone else’s’ to avoid muddying the waters of my own thought process. When I was a child, a very wise person told me that the true test of a prophet or one who makes predictions lies in his or her accuracy with respect to the prophecy or prediction coming true. I took that to mean (and still do), that there are many things which must fall into place either by divine design or by the design of man (some may argue the latter is influenced by the former however that is not the purpose of this piece so let’s table that for another time). I never took it to mean that we as intelligent, informed human beings perhaps lacking ‘divine’ insight could not arrive at conclusions after conducting enough individual and collaborative analysis to make educated guesses or predictions. In fact that is where I believe most predictions fall categorically; into the realm of those driven by anticipatory science. Does this mean that I am ruling out in terms of absolutes, the possibility of one’s “gut” or “instincts” playing a role in this process? Certainly not. However, what it does not mean is that what we conceive as predictions in our space are akin and par with messages delivered from on high, carved in stone and presented to a body of people.
Preface:
I feel that it is important to write and speak honestly about the world in which we live and work; the good and the bad; the sacred and the profane; the beautiful and the ugly. I believe that in doing so we remain in balance and present a realistic view of the world as opposed to one seen through tinted glasses. I believe that there are threats, very real threats, which are at work in the world some more noticeable than others and some operating quietly in remote locations readying themselves for their opportunity to strike. However, I do not believe it to be a healthy nor intellectually honest position to take which speaks only of those threats in an unbalanced light. This I fear leads us away from sound thinking and directly into the land of those who inappropriately talk of fear, uncertainty and doubt. We do not need to lead anyone down a road to perdition; people do that for themselves. Our role to identify the patterns, trends, activity, threats, vulnerabilities and risks may be exploited in order to achieve the goals set forth by those who seek to do harm in whatever form harm “means” to them. Furthermore, I believe we as professionals have a responsibility to avoid (when possible), sensationalism being entered into if possible. Sensationalism is fine for the circus or cinema however terribly inappropriate in other contexts, namely those within which we operate. I find that behavior to be distasteful and amateurish and so should you if you are a professional seeking to improve your skills and understand of that which we do.
Prediction #1: Evolution by Definition Will Fuel the Revolution
I do not believe that we will see a plateau or a peak with respect to illicit activity regardless of the form it takes: cyber crime, cyber espionage, and cyber warfare or cyber terrorism. I believe will see continued growth and likely see greater degrees of interconnectivity between organizations around the world (in addition to individual operators), as there is no shortage of demand for what is being supplied nor is there shortage of innovation taking place. I write often about cyber crime, cyber espionage, cyber warfare and cyber terror as they are passions of mine (in addition to being areas which I have professional experience in), in addition to psychology. I often quip that there is an ‘Evolution Revolution’ in full swing with respect to those factors that drives the creation, support, and growth of sub-economic ecosystems (sometimes referred to as shadow economies). Put plainly there are simply too many opportunities and too many parties ready, willing and able for a plethora of reasons (recall that agendas drive action) for this to not be the case.
Evolution occurs without the aid or impetus of a third party. It simply does not require it; it is not necessary for its manifestation. Revolution, on the contrary, requires an evolution of thought, ideals and action. So long as this evolution remains present (which I believe based on my understanding of Darwin and other’s writings it will), revolution will be made possible and continue unfettered. In our field, in our discipline I believe that we have seen over time examples of this and will no doubt see much more in 2010 and beyond. The world is not enough to quote Ian Fleming, and it is an intellectually dishonest position to take that suggests everything that can be monetized on the Internet (in other words given monetary value), already has been. Assertions such as this boggle the mind and suggest that human innovation and creativity has reached its apex (which we know has not occurred), and as a result markets will dwindle. Do you see that happening? I don’t. In fact, I would argue the opposite completely and passionately. So long as there is evolution pushing revolution within cyber criminal ecosystems (shadow economies), state sponsored cyber warfare and espionage not to mention sub-nationally sponsored (cyber terrorism) there will continue to be opportunities upon which to capitalize. We need now, more so than ever before, remain diligent and prepare ourselves for what is coming even if we cannot (in an unequivocal sense), “predict” exactly what will occur.
Prediction #2: The Sky is not falling, but it is Getting Gray
“All the leaves are brown and the skies are gray”. I love that lyric; it speaks a lot in few words; it evokes a visceral response that the listener can easily identify with should he or she have experienced winter and its realities. Ironically, it is winter and I am writing this less formal but still serious post about predictions. Often people make assumptions broadcasting them the absence of fact with respect to what is real and what is not within our industry. It does not require an advanced degree to recognize that this is foolish at best and quite dangerous as worst. Take the innovation for example. I believe that innovation both good and bad will continue and that in some respects that innovation that we perceive and recognize as being bad in our industry will supersede the readiness of the tools and tactics we have at our disposal should we become complacent and jaded. Cyber criminals for example, are extremely innovative and recognize at times more readily than we would like to admit, the challenges and inability of industry to address all that they have to offer and more. We must ready ourselves in all seasons, in particular the winter of our development in order to address this, as we know that cyber criminals do not sleep but often our industry does. Sound analysis and integrity driven research along with our desire and ability to enable ourselves and our clients to meet these challenges is what is needed, not sensationalistic ramblings or debates having to do with the validity of a new enablement technology or regulatory standard. Preparedness is key and the failure to plan is the equivalent of preparing to fail. Last year, there were ample examples identified and noted which influenced the industry’s belief that the sky is falling however there was little to lead us to believe that utter destruction was upon us. This is not to say that there were not very serious occurrences, which wreaked havoc upon the cyber world, and beyond (to suggest otherwise would be madness). No, some truly thing BAD things did happen and will continue to happen. Will the skies remain gray? I believe they will, I maintain that they will be cloudy and at times become more ominous than at other. Trends change; they evolve and mature. It is because they do that in my mind, it is better to expect the worst, hope for the best, and always be prepared. Very rarely (if ever), are people penalized for preparedness. Should you find yourself being penalized for being prepared, you can blame me or the boy scouts, whichever you would like but take solace in the fact that you were prepared.
Prediction#3: The Threat Landscape Will Remain Unpredictable
If I have learned anything in life, it is that life is unpredictable and perhaps that is what we need to focus. Unpredictability is what enables us to formulate strategy and tactics for dealing with everything we experience. Whether it is our car not starting to our enterprises, and our information personal or otherwise being placed at risk. Our goal for 2010 should be to remain vigilant and where appropriate become more so. This requires a reconsideration of risk and its management as opposed to the mindless adoption of the latest new fangled technology or audit requirement. We need to treat information security and risk management in 2010 as though they are living entities; sentient and in need of nurturing. Should we fail to do so then perhaps some of the more ‘sensational’ predictions made by others will come to a head.
Chicago, IL. United States of America
December 31, 2009
Cassandra Security has released part two in a series of white papers dedicated to critical infrastructure and key resources. This paper addresses historic threats and exploitation, challenges in securing and maintaining security of these environments, economic and political impact associated with a lack of potable water and much more. We hope you find this paper as enlightening and thought provoking as found the topic while researching and analyzing this aspect of CI. Look for part III in the series soon!
Seeing Tomorrow Today,
Cassandra Security
Critical Infrastructure Part II Drinking Water and Waste Management Treatment Systems 123109 – Final
First, I’m a fan of Social Networking and I was not expecting a re-direct to another site. Although this was temporary it was frustrating. After doing some poking around and speaking with my good friend and colleague, Will Gragido, I stumbled across this article that gave a little more insight into the issue. According to Claudine Beaumont, Technology Editor of the Telegraph UK, “visitors to Twitter.com were automatically redirected to another web page, which displayed a green flag and English and Arabic writing: This site has been hacked by the Iranian Cyber Army,” read the message. “The USA thinks they control and manage Internet access, but they don’t. We control and manage the Internet with our power, so do not try to the incite Iranian people.” First, I don’t categorize this as a hack but a compromise/Cyber Noise like a DDoS attack. I would have been impressed if they tagged the web site directly. The sophistication to pull this off is on the level of a “Script Kiddie”. The tools are freely available on the Internet that my 11 year old could pull off with the a few Google queries. I guess the Iranian Cyber Army has not been keeping up with the news lately. The US Gov’t ceded control of ICANN to the World for more information please check out the link: http://bit.ly/6KSuny .
The good thing is the people at Twitter were able to correct the issue very quickly as I mentioned, the level of sophistication and 
indirect control was minimal. Additionally, Twitter had another breach early this summer for more information on that please check out: http://bit.ly/2lUzNM. I don’t think this is going to be the last time and I’m sure other Social Networking sites have increased their security/posture/awareness. Lastly and more importantly, the Iranian Military has seized control of an oil field in Northern Iraq, link to Reuters: http://bit.ly/7H7TC5. With that said, although this is purely speculation a Cyber attack/message less then 24 hours before a physical attack. Could these be tied together…not sure but interesting though. Everyone’s thoughts and comments are welcomed.
Subversive Multi-Vector Threats
Introducing….The Subversive Multi-Vector Threat
I had originally intended on submitting this to Wikipedia for inclusion within it and Wikitionary however, it was expressed to me that it would be a violation of their Conflict of Interest (COI) policy to publish it there. As a result, I decided to publish here within the friendly confines of the Cassandra Security blog. In doing so, I hope to bring our industry (perhaps a little differently than I had originally intended) a new term to be used with respect to much of what interests me and others in the research community and much of what I spend my time thinking about in addition to researching. Having said that, I’d like to first point out that my purpose is not to promote myself with the introduction of this new term but rather shed some light on what I feel passionately about and believe warrants exposure in addition to reclassification.
Origins of Subversive Multi-Vector Threats (SMT)
As an information security researcher, practitioner, thinker, and so forth, I deduced after much time spent researching and examining them, many of the terms we use in the security industry are neither clear nor comprehensive enough to resonate with larger audiences. This became especially evident to me when I considered the interests of my fellow researchers and peers as we struggle to address the dynamic nature of the threat landscape. As a result, I set out to consider what I believed to be true or common among many of these next generation or advanced threats and came to a wonderfully rich conclusion which you will soon see published as a co-branded work with my friend and colleague John Pirc. I began theorizing that the need to create a new term (one that addresses the true, diverse nature of these threats while avoiding the pigeon hole effect seen and experienced with less appropriate and accommodating terms), due to a lack of a more appropriate alternative was required. Adding to my feeling dissatisfaction with the terminology and the limits it placed on both researchers and analysts, was the matter of contextual relevance. Some terms have more limited application as we have all seen, and due to this and other reasons (this is not to say that they are invalid which should be noted but rather that something else, something new is required to fill the gap I saw), the need to reclassify and create new categories was clear to me.
Definition of Subversive Multi-Vector Threats (SMT)
Subversive Multi-Vector Threats (SMT) are highly sophisticated, well crafted, executed attacks designed to use and exploit as many possible threat vectors as necessary to accomplish the missions milestones. What makes them different than other threats is the willingness to utilize people, process and technology weaknesses in order to meet their ends. Some might argue that this is not unique however I believe the context in which these threats are seen and will continue to be seen unequivocally constitutes something new, unique and different. These threats are designed to, in a dynamic fashion, place a greater or lessor amount of effort and emphasis in one area versus another over time as dictated by the mission’s goals and the leadership behind them. Subversive Multi-Vector Threats (SMTs) are complex unions of human intelligence, information security, communications intelligence / signals intelligence (COMINT)/ (SIGINT), and open sources intelligence (OPSINT) and differ greatly in this sense from other threat classes such as the Advanced Persistent Threat (APT), as a result.
Subversive Multi-Factor Threats (SMT) and Advanced Persistent Threats (APT)
Subversive Multi-Vector Threats (SMTs) differ dramatically from other well-known threat types in a number of ways as described above. The greatest differences noted between the types of threats I describe as being Subversive Multi-Vector Threats lies in the targets of interest and approaches to exploitation taken by each with respect to their targets. Whether they be targets of opportunity or directed, predesignated targets, exploitation mechanisms will vary in the world of the Subversive Multi-Vector Threats whereas in the world of the Advanced Persistent Threats (APT), though the avenues for exploitation may change their overall relevance is entrenched in the realm of the technical. As such, APTs are forced to focus and rely upon technological vulnerabilities present within a system or enterprise in order meet its goals. Not so with the Subversive Multi-Vector Threat. As I mentioned earlier, these threats are not bound to technology alone as an avenue of exploitation but rather often assess both people and process weakness equally in order to identify the path of least resistance while capitalizing upon the weakness of others.
Additionally, APTs are typically identified within the context of environments that cater in part or in their entirety to the public sector. These organizations include DoD, DIB and Intelligence Agencies (though we and others feel that this will change over time). With respect to SMTs, I believe based on research and experience they are more criminally motivated and as a result cast a wider net than do the traditional threats associated with APTs however, this is not to say that one could not easily bleed into another. I believe that SMTs are more sophisticated largely due to their being able to easily identify and exploit weaknesses which have little to nothing to do with technology. SMT’s have the ability to compromise and as a result, take advantage of the weaknesses of character (in addition to their ignorance), demonstrated by people while exploring processes (policies and procedures as well), for deficiencies. I have always traditionally referred to this as the ability of experienced, motivated aggressors to “…knock one of the three legs out from under the three-legged stool upon which all organizations sit.” These legs are: people, process, and technology. To knock one down, any one, creates instability and weakness which can see the organization fall squarely on its bottom. This is paramount in identifying and defining Subversive Multi-Vector Threats (SMTs).
As a result, I argue that Subversive Multi-Factor Threats (SMTs) only further serve to underscore the need for the implementation of soundly constructed, risk-based security programs and frameworks, which address in exhaustive detail the areas, which require in gross detail the areas requiring the greatest levels of diligence and care possible.
Identifying and Addressing Subversive Multi-Vector Threats (SMT)
I believe that Subversive Multi-Vector Threats (SMTs), can only be truly addressed after an organization has assessed itself and identified its vulnerabilities and deficiencies as part of a thorough risk assessment. My assertion is that in doing so an organization can quickly identify areas where vulnerabilities and deficiencies exist which leave them exposed to potential exploitation of people, process and technology in order to gain. Demonstrating unrelenting diligence as part of an ongoing risk management initiative is or should be non-negotiable. Are their technologies which can aid in addressing these threats: yes to a degree. Recall that these threats, Subversive Multi-Vector Threats (SMTs), are not always going to involve technological exploitation. As a result, this could mean that a person who is fully credentialed, fully authorized to be where he or she is, could effectively compromise a system or environment in order to meet the goals of his or her leaders. This is of course quite bad however not impossible to address if you are up to the challenge and willing to invest in what is required to mitigate the threats.
