New White Paper: The Rise of the Cyber Cell
The Evolution of a Sub-national Entity in CyberSpace: The Rise of the Cyber Cell
Want To Play A Game?: Preparedness and Cyber Event Games
Any Given Tuesday
On February 16, 2010 the Bipartisan Policy Center’s national security preparedness group (led by Thomas Kean and Lee Hamilton), in co-ordination with former CIA Director General Michael Hayden and others. I watched it as the participants worked their way through the mock scenario and, like many in my field, remained quiet with respect to the matter, preferring to hear the comments of others prior to offering up any ideas of my own with respect to the exercise itself. The role playing game took place in an alternate 2011. In this alternate reality 2011, hackers distribute a free phone application containing a virus, which lets them do the following:
- Sniff and capture passwords
- Capture keystrokes
The scenario combines a series of quite serious events that individually pose major problems and collectively represent a disastrous situation:
- Malicious code & content is propagated via an infected mobile phone application, thus spreading the code and establishing command & control (C&C) (EVENT OF INTEREST)
- Worsening conditions due to the spread of the malicious code & content lead to confusion in the financial markets (FINANCIAL CRISIS #1), resulting in the abandonment of smart phones as they are now viewed with grave suspicion
- Consumer confidence plummets in the market, specifically with respect to the mobile communication & smart phone manufacturers, resulting in a $3 Billion USD loss in two weeks (FINANCIAL CRISIS #2)
- Data servers and alternate communications systems components (servers) experience excessive traffic conditions, leading to worsening communications availability, quality and integrity (COMMUNICATIONS NETWORK CRISIS #1)
- Alternate universe 2011 experiences climate issues (ENVIRONMENTAL CRISIS #1 & #2)
  - Summer 2011 is one of the hottest in recorded history
    - Impacts cooling stations within the power grid
  - Hurricane hits Gulf Coast
    - Damages the natural gas infrastructure of the United States
- Sub-national terrorist attack (bombing) at a power station takes place
  - Renders key elements of the national power grid inoperable
  - Millions left without power
Conclusions Made By The Participants: The U.S. Is Not Prepared For a Large Scale Cyber Event
Concerns and Comments on The Outcome
I struggled greatly with this for many reasons, not the least of which is that I am a citizen of the United States, was born and bred here and make my residence here as well, along with hundreds of millions of other Americans. Former Director General Hayden along with others concluded that should an event such as this occur, the outcome would be disastrous. Though I understood the rationale being employed to conduct the test (it is hardly new – role playing scenarios have been used for decades to test preparedness), I was and, to a degree, remain torn with respect to broadcasting a message such as this one to the world at large, regardless of whether or not it reflected true, current state statistics. My fear is that in sharing this type of information with the masses the result could very well be pandemonium and panic as opposed to curiosity leading to inquiries to congressmen and women or senators.
Warfare, after all, is a behavioral activity demonstrated by human beings toward one another; it is as old as time. Archeologists have substantial evidence that suggests in no uncertain terms the realities of warfare long before history recorded the rise of the State as Westerners define it. In his 1996 book War Before Civilization (Oxford Press, 1996), Lawrence H. Keeley, a professor in the Anthropology Department of the University of Illinois Circle Campus, Chicago, stated that “approximately 90–95% of known societies throughout history engaged in at least occasional warfare and many fought constantly.” Cyber warfare is a logical extension of this mindset; a modern addition to a longstanding tradition replete with customs, courtesies, weapons and protocols. I’ve written previously on the activity and attitudes held by certain nation states with respect to cyber warfare; some friendly, others not so friendly to the United States. The fact of the matter is that cyber warfare is real. Debates suggesting anything to the contrary are simply the product of the uninformed or of those who wish to believe that things in the world are different from how they are.
Final Thoughts
Will we see acts of war or wars fought in cyber space? I believe we’ll see a continuation of that which we’ve already seen and noted over the last two decades, if not longer. To assert otherwise would be foolish. Will they manifest in the way in which they did in the continuity / disaster recovery exercises described in ‘Operation Shockwave’ (or, for those who recall them, operations ‘Black Ice’ and ‘Blue Cascade’, which took natural disasters or disasters introduced by sub-national entities and married them with cyber attacks)? I wouldn’t want to speculate; however, I believe that though there is much conjecture with respect to this subject, and much debate amongst industry pundits (some fluent, experienced and familiar with warfare and its cyber derivative and some not), it is not beyond the realms of possibility. A great deal of work has been done in the study of traditional warfare:
- The Art
- The Science
- The Nature
- The Humanity or lack of Humanity
- Tactics
- Strategy
The same is true as it relates to the integration of defensive and offensive tactics, strategy and solutions, and this I believe will continue, as our need to address threats which exist on a logically driven front yet have the potential to impact the physical world will only continue to grow. We have an obligation to do what we can, however we can, to protect our nation and our allies. I still believe we should be more discreet with sharing information (I can’t unlearn that which the Marine Corps taught me), and hope that via proper educational channels (many of the participants within the Bipartisan Policy Center’s panel suggested and commented on the need to work with industry in order to ensure the safeguarding of the nation) we will arrive at a point where exercises such as this, and the feelings of angst they produce, are no longer needed.
Recent events have caused the world at large to take note of something which many (certainly not all) information security professionals have been intimately aware of for some time: the dynamic nature of the threat landscape, as demonstrated by the rise in prominence of subversive multi-vector threats (SMTs). The events related to the Google vs. China attacks are exemplary of a subset of SMTs, the advanced persistent threat (APT), first brought to our attention as a ‘term du jour’ by the fine folks at the Department of Defense (DoD). Were there other names for these threats in the years prior to the coining of this term? Yes; for many years the unexplained or anomalous were referred to as ‘events of interest’ (crafty, no?), as that is exactly what they were when noticed: events of interest. Today, in a wonderfully thought provoking guest blog posting at ‘Threatpost.com’, Scott Crawford and Nick Selby reiterated that it’s the adversaries, not the threats, which are persistent.
This correlates with the model from which I operate and understand these threats, the subversive multi-vector threat model, regardless of their points of origin (nation state, sub-national entity – criminal, terrorist, mercenary or otherwise). Again, this comes as no surprise to those who have an intimate familiarity and understanding of what motivates, drives and ultimately emerges as an exploitation resulting in data exfiltration and the weakening of risk postures (literal, figurative and psychological) in public and private sectors the world over. Experience is the best teacher. This has proven true for my colleagues and me here at Cassandra Security and at other affiliated organizations such as Trident Risk Management many times over. What is old is often vigorously repeated, as many times people become complacent, forgetting what led them to take note of an event of interest to begin with.
There is a familiarity associated with this idea that echoes the sentiment that Solomon suggested in his writing of the Book of Ecclesiastes “…there is nothing new under the sun…”. We need to ask ourselves why? Why are we surprised by this rationale? Why are we taken aback by the emergence and manifestation of activity, which is not new, but rather the result of creativity, innovation in thought, action and deed in addition to the willingness of those responsible to accept greater degrees of risk than we ourselves are – in both offense and defense? And perhaps why our industry slumbers like a sleeping giant as was suggested by members of this organization last year at Toorcon 11 in San Diego while presenting on this and related topics? Perhaps even more interesting is the attitude that Crawford and Selby noted on the part of several of the ‘Bigs’ with respect to this subject matter, which previously was not part of their vocabulary.
Regardless of what you wish to believe, the threats presented by individuals and organizations alike operating on behalf of, in deference to or outside of nation state sponsored activity are real. As Tom Clancy said, there is a “Clear and Present Danger” here. This is not up for discussion, nor should it become the marketing hammer with which some posit less than enlightening insights regarding just what threats such as those seen in the ‘Aurora’ attacks are targeting, namely data. In the public sector, with respect to defense and strategic offense, it has always been about the data; data & intelligence are paramount to all things tactical, strategic and economic. To suggest otherwise is not only demonstrative of one’s own personal limits and lack of understanding with respect to the subject matter but also indicative of one of the greater problems present within our industry: sensationalism and the errant logic which some organizations use in capitalizing off of a ‘hot’ topic. This is both foolhardy and ill advised. It is the information security industry’s equivalent of ambulance chasing and should be looked upon with a cautious, discerning eye as well as no small amount of skepticism. Regardless of what you wish to believe or may have heard recently from some rather large entities in our industry, the threats discussed in the case of Google in China and elsewhere (Ghostnet, for example) are far from new.
You may have read articles addressing this topic here at Cassandra Security previously, or elsewhere, perhaps at Taosecurity, Information Warfare Monitor or threatpost. Regardless of where you read or heard about them, it is important to note that these attacks and those responsible for them are not new, nor are they peerless or without fault. True, they are often hiding in plain sight. That is something that those responsible for organizational security & risk posture must address for themselves and take note of should they wish to stave off current or future attacks. This fact is apparent in a multitude of cases historically, and will no doubt continue to be the case, as I and my colleagues here and elsewhere at affiliated organizations have suggested. Equally important will be the need to develop a deeper, more robust understanding of the psyche of those behind these attacks and their motives. Agendas drive everything, whether we wish to admit so or not. Cybercriminal activity in all its flavors, in addition to nation state sponsored and sub-nationally sponsored activity, requires this now more so than ever before. The future is now and it is up to those who dare to lead to provide the light necessary to illuminate the paths we tread.
There is A LOT of press regarding Google and the Chinese exfiltrating data from many corporations. The Wall Street Journal has a pretty good write-up; if you have not had a chance to read it, I would encourage it: http://bit.ly/92Q1CI . Honestly, it does not matter if the attack vector was going through Google or any other medium for that matter. It’s important to understand that any open Internet connection, combined with the financial backing of a state or non-state sponsored cyber hit, has and will continue to exploit any target of value. First, APTs have been around for a long time. Furthermore, the technology required in uncovering these “Subversive Multi-Vector Threats (SMT)”, as my close colleague and friend Will Gragido describes in a recent blog posting (http://bit.ly/8TlP6d), is typically not a core infrastructure security device. What are core infrastructure security devices? FW/UTM/NGFW, IPS, web & mail security, A/V, HIPS and some form of DLP, to name a few. Those that I listed are great for detecting, stopping and mitigating about 80 – 90% of the attack surface, according to an article where the NSA was quoted. Keep in mind that people, process and a select few technologies and vendors bridge that 10 – 20% gap.
APTs, or SMTs as we here at Cassandra refer to them, are typically a topic that not a lot of security professionals are qualified to speak about, and because the threats are so stealthy it’s not talked about. Will and I recently gave a discussion on APTs at ToorCon this past fall. Our ToorCon presentation can be found here: http://bit.ly/73tuYA . We are passionate and very experienced in dealing with this subject matter, as we’ve had to deal with this specific attack vector for the past 15 years. It’s not surprising that it’s starting to get coverage and, unfortunately, it’s probably the best vector for obtaining any type of data almost undetected. Now with that said, the sky is not falling, but corporations are going to have to make investments in key technologies and people if they really want to know what’s going on within their network. Correlated event data from multiple threat feeds is a great thing, but it’s not as powerful as having full session-based data. SMTs are like bread crumbs that fall through the cracks, and the types of technologies that can catch the breadcrumbs are those developed by Netwitness and Palantir, to name a few. Not plugging them, but these types of technologies are needed in uncovering the stealthy threats that go bump in the night and in broad daylight. Additionally, the time to protection is constantly shrinking, and reactive point products that provide retroactive assurance can’t scale with the current threat landscape. The paradigm of a siloed data feed model needs to change. A vendor that’s leading this model is McAfee. Again, at Cassandra we remain technology vendor agnostic; however, when it comes to the severity of the threats, the industry needs to change and follow the example of other vendors that are leading the battle in combating SMTs, or what were formerly referred to as APTs. More to come on this topic.
2010 Predictions…sort of
It’s 2010, people. Happy New Year! Where did 2009 go? Last year was a very busy year for Cassandra Security. A lot has occurred since we launched, and we as individuals and as a team have learned a great deal in the process. 2010 promises to be a very exciting year and, if my estimations are sound, we will show no signs of slowing. This is a good thing. My first 2010 prediction is that in the not too distant future you will see our site change. The evolution has begun and it is only a matter of time before it is complete. I am personally looking forward to this and other changes; however, I will refrain from commenting until the appropriate time. I will say, however, that our goal remains the same: to provide the most comprehensive, thought provoking content we can related to our passionate study, devotion and understanding of our discipline. Expect to see more in the way of malicious code and content analysis, threat analysis, reversing, trending and a whole host of other technological and philosophical endeavors related to our work. It is an exciting time to be in our space; it is a time that calls for leaders to lead, followers to follow and those who are confused to kindly step out of the way. Before I get into the heart of this post, I would like to say thank you to those who have shown their love, appreciation and support to us thus far, believing in our work and in us and rallying behind us regularly. Thank you. You know who you are and so do we. We are honored by your allegiance and support and hope that in achieving our goals we will also aid you in accomplishing your own, whether in business or personal contexts.
This time of year resolutions are the norm, and in our space so are predictions. I am not a resolution kind of guy, so I will jump squarely into the predictions. Predictions are tricky. In our space you often encounter a regurgitation of ideas or, worse yet, a pilfering of them, with the net effect being that they end up on someone’s prediction list. This entry is going to be different. I hope you’ll enjoy it and appreciate it for what it is, as opposed to yet another broadcast of what may or may not be the next big threat to hit (I will mention some things which fall into this category. As you will see, it will be done in a manner traditionally different from what one would expect in a piece such as this). Predictions come in two varieties. They are either related to or associated with the divine, the supernatural, or the result of anticipatory science (the type of predictions which lead to the formulation of a hypothesis, for example). As we neared the close of 2009, I read no one’s predictions for 2010. In fact, I still have not read anyone else’s, to avoid muddying the waters of my own thought process. When I was a child, a very wise person told me that the true test of a prophet, or one who makes predictions, lies in his or her accuracy with respect to the prophecy or prediction coming true. I took that to mean (and still do) that there are many things which must fall into place either by divine design or by the design of man (some may argue the latter is influenced by the former; however, that is not the purpose of this piece, so let’s table that for another time). I never took it to mean that we as intelligent, informed human beings, perhaps lacking ‘divine’ insight, could not arrive at conclusions after conducting enough individual and collaborative analysis to make educated guesses or predictions. In fact, that is where I believe most predictions fall categorically: into the realm of those driven by anticipatory science.
Does this mean that I am ruling out, in terms of absolutes, the possibility of one’s “gut” or “instincts” playing a role in this process? Certainly not. However, what it does not mean is that what we conceive as predictions in our space are akin to and on par with messages delivered from on high, carved in stone and presented to a body of people.
Preface:
I feel that it is important to write and speak honestly about the world in which we live and work: the good and the bad; the sacred and the profane; the beautiful and the ugly. I believe that in doing so we remain in balance and present a realistic view of the world as opposed to one seen through tinted glasses. I believe that there are threats, very real threats, which are at work in the world, some more noticeable than others and some operating quietly in remote locations readying themselves for their opportunity to strike. However, I do not believe it to be a healthy nor intellectually honest position to take which speaks only of those threats in an unbalanced light. This, I fear, leads us away from sound thinking and directly into the land of those who inappropriately talk of fear, uncertainty and doubt. We do not need to lead anyone down a road to perdition; people do that for themselves. Our role is to identify the patterns, trends, activity, threats, vulnerabilities and risks that may be exploited in order to achieve the goals set forth by those who seek to do harm, in whatever form harm “means” to them. Furthermore, I believe we as professionals have a responsibility to avoid sensationalism when possible. Sensationalism is fine for the circus or cinema, however terribly inappropriate in other contexts, namely those within which we operate. I find that behavior to be distasteful and amateurish, and so should you if you are a professional seeking to improve your skills and understanding of that which we do.
Prediction #1: Evolution by Definition Will Fuel the Revolution
I do not believe that we will see a plateau or a peak with respect to illicit activity regardless of the form it takes: cyber crime, cyber espionage, cyber warfare or cyber terrorism. I believe we will see continued growth and likely greater degrees of interconnectivity between organizations around the world (in addition to individual operators), as there is no shortage of demand for what is being supplied, nor is there any shortage of innovation taking place. I write often about cyber crime, cyber espionage, cyber warfare and cyber terror, as they are passions of mine (in addition to being areas in which I have professional experience), along with psychology. I often quip that there is an ‘Evolution Revolution’ in full swing with respect to those factors that drive the creation, support and growth of sub-economic ecosystems (sometimes referred to as shadow economies). Put plainly, there are simply too many opportunities and too many parties ready, willing and able, for a plethora of reasons (recall that agendas drive action), for this not to be the case.
Evolution occurs without the aid or impetus of a third party. It simply does not require it; it is not necessary for its manifestation. Revolution, on the contrary, requires an evolution of thought, ideals and action. So long as this evolution remains present (which, based on my understanding of Darwin’s and others’ writings, I believe it will), revolution will be made possible and continue unfettered. In our field, in our discipline, I believe that we have seen examples of this over time and will no doubt see much more in 2010 and beyond. The world is not enough, to quote Ian Fleming, and it is an intellectually dishonest position to take that suggests everything that can be monetized on the Internet (in other words, given monetary value) already has been. Assertions such as this boggle the mind and suggest that human innovation and creativity have reached their apex (which we know has not occurred), and that as a result markets will dwindle. Do you see that happening? I don’t. In fact, I would argue the opposite completely and passionately. So long as there is evolution pushing revolution within cyber criminal ecosystems (shadow economies), state sponsored cyber warfare and espionage, not to mention sub-nationally sponsored activity (cyber terrorism), there will continue to be opportunities upon which to capitalize. We need now, more so than ever before, to remain diligent and prepare ourselves for what is coming, even if we cannot (in an unequivocal sense) “predict” exactly what will occur.
Prediction #2: The Sky is not falling, but it is Getting Gray
“All the leaves are brown and the skies are gray”. I love that lyric; it speaks a lot in few words; it evokes a visceral response that the listener can easily identify with should he or she have experienced winter and its realities. Ironically, it is winter and I am writing this less formal but still serious post about predictions. Often people make assumptions, broadcasting them in the absence of fact with respect to what is real and what is not within our industry. It does not require an advanced degree to recognize that this is foolish at best and quite dangerous at worst. Take innovation, for example. I believe that innovation both good and bad will continue, and that in some respects the innovation that we perceive and recognize as being bad in our industry will supersede the readiness of the tools and tactics we have at our disposal should we become complacent and jaded. Cyber criminals, for example, are extremely innovative and recognize, at times more readily than we would like to admit, the challenges and inability of industry to address all that they have to offer and more. We must ready ourselves in all seasons, in particular the winter of our development, in order to address this, as we know that cyber criminals do not sleep but often our industry does. Sound analysis and integrity driven research, along with our desire and ability to enable ourselves and our clients to meet these challenges, is what is needed, not sensationalistic ramblings or debates having to do with the validity of a new enablement technology or regulatory standard. Preparedness is key, and the failure to plan is the equivalent of preparing to fail. Last year there were ample examples identified and noted which influenced the industry’s belief that the sky is falling; however, there was little to lead us to believe that utter destruction was upon us.
This is not to say that there were not very serious occurrences which wreaked havoc upon the cyber world and beyond (to suggest otherwise would be madness). No, some truly BAD things did happen and will continue to happen. Will the skies remain gray? I believe they will; I maintain that they will be cloudy and at times become more ominous than at others. Trends change; they evolve and mature. It is because they do that, in my mind, it is better to expect the worst, hope for the best, and always be prepared. Very rarely (if ever) are people penalized for preparedness. Should you find yourself being penalized for being prepared, you can blame me or the boy scouts, whichever you would like, but take solace in the fact that you were prepared.
Prediction #3: The Threat Landscape Will Remain Unpredictable
If I have learned anything in life, it is that life is unpredictable, and perhaps that is what we need to focus on. Unpredictability is what enables us to formulate strategy and tactics for dealing with everything we experience, whether it is our car not starting or our enterprises and our information, personal or otherwise, being placed at risk. Our goal for 2010 should be to remain vigilant and, where appropriate, become more so. This requires a reconsideration of risk and its management as opposed to the mindless adoption of the latest newfangled technology or audit requirement. We need to treat information security and risk management in 2010 as though they are living entities: sentient and in need of nurturing. Should we fail to do so, then perhaps some of the more ‘sensational’ predictions made by others will come to a head.
Chicago, IL. United States of America
December 31, 2009
Cassandra Security has released part two in a series of white papers dedicated to critical infrastructure and key resources. This paper addresses historic threats and exploitation, challenges in securing and maintaining security of these environments, the economic and political impact associated with a lack of potable water and much more. We hope you find this paper as enlightening and thought provoking as we found the topic while researching and analyzing this aspect of CI. Look for part III in the series soon!
Seeing Tomorrow Today,
Cassandra Security
Critical Infrastructure Part II Drinking Water and Waste Management Treatment Systems 123109 – Final
First, I’m a fan of Social Networking and I was not expecting a re-direct to another site. Although this was temporary, it was frustrating. After doing some poking around and speaking with my good friend and colleague, Will Gragido, I stumbled across this article that gave a little more insight into the issue. According to Claudine Beaumont, Technology Editor of the Telegraph UK, “visitors to Twitter.com were automatically redirected to another web page, which displayed a green flag and English and Arabic writing: ‘This site has been hacked by the Iranian Cyber Army,’ read the message. ‘The USA thinks they control and manage Internet access, but they don’t. We control and manage the Internet with our power, so do not try to incite the Iranian people.’” First, I don’t categorize this as a hack but as a compromise/Cyber Noise, like a DDoS attack. I would have been impressed if they had tagged the web site directly. The sophistication required to pull this off is on the level of a “Script Kiddie”. The tools are freely available on the Internet, such that my 11 year old could pull this off with a few Google queries. I guess the Iranian Cyber Army has not been keeping up with the news lately. The US Gov’t ceded control of ICANN to the world; for more information please check out the link: http://bit.ly/6KSuny .
The good thing is that the people at Twitter were able to correct the issue very quickly; as I mentioned, the level of sophistication and indirect control was minimal. Additionally, Twitter had another breach early this summer; for more information on that please check out: http://bit.ly/2lUzNM. I don’t think this is going to be the last time, and I’m sure other Social Networking sites have increased their security posture/awareness. Lastly and more importantly, the Iranian Military has seized control of an oil field in Northern Iraq; link to Reuters: http://bit.ly/7H7TC5. With that said, although this is purely speculation, a cyber attack/message came less than 24 hours before a physical attack. Could these be tied together? Not sure, but an interesting thought. Everyone’s thoughts and comments are welcomed.
Onion Routing and Darknets
Technology is marvelous. It enables, encourages and aids us in our daily lives in ways which many have never dreamed possible. Technology is a gift, as fire from Prometheus was to humanity; it is an essential enabler. Technology lacks intention, as it is inanimate. We give it purpose. Or, perhaps more appropriately, we append intentions and uses to it and describe use cases for it. Some good, some bad, but all our own. Technology lacks the ability to discern right from wrong (note: let’s table any discussion about AI or the like for the moment, as that is an entirely different and drawn-out discussion), or good from bad, in the way in which you or I might. Technology represents the manifestation of ideas from the realm of thought into the material world: innovations which were once in the mind or on the development board of men and women the world over, made reality by the hard work and ingenuity of those same men and women or others of like mind. However, this is not to say that technology cannot (as we have seen and described so often here and likely will in the future) be used for purposes other than those for which it was originally intended, with nefarious or dark ends in mind. That, however, is not technology’s fault but rather the fault of man.
While researching some malware in the lab, I got sidetracked and began playing with covert channel technology in virtual environments. Nothing fancy, just run of the mill technology that is easily had. In doing so, I began thinking a great deal about the use cases for such technology in the public sector, the private sector and points outside of those worlds. In digging more deeply I began to notice something troubling, something that resonated deeply within my mind and security driven personality, and that was the potential for utilization of such technology for bitter ends. I have been tinkering with Onion Routing technology for years, largely because I find that some of the most effective means of obfuscating one’s intentions are not necessarily to be had in convoluted, high-speed low-drag technologies but rather in mature yet lesser known ones which take advantage of clever algorithmic implementations and cryptography. Take Onion Routing, for example.
Onion Routing is not new. In fact, Onion Routing enabled environments have been around for more than a decade now and date back to the original intellectual property developed by Michael G. Reed, Paul F. Syverson, and David M. Goldschlag, and patented by the United States Navy in US Patent No. 6266704 (1998). Nowadays, several technologies and solutions utilize Onion Routing, some above scrutiny and others squarely positioned to be scrutinized. Onion Routing, quite simply, is a technique that enables anonymous communications over networks and computer systems. It works by repeatedly encrypting and then forwarding message traffic to network nodes known as Onion Routers (catchy, huh?). Each Onion Router removes one layer of encryption from the message traffic it has received in order to uncover the next set of routing instructions. It then forwards the message traffic on to the next router, where the process is repeated until delivery is complete. The net effect is that (ideally) no single node knows who the original source of the traffic was, what the intended destination is, and what the contents of the message traffic are, thus creating an inherently ‘secure’ transmission environment which affords “plausible deniability” to those using it. However, during the course of researching, tinkering and reading the research work of others, it became clear to me (as it had to others as well) that Onion Routed environments are no more secure than any other environment if one takes the time to study and look for opportunities of exploitation. It is possible to monitor, intercept and observe data being sent and received (in motion and at rest) on a local host. Many consider this indisputable and I tend to agree with them. Here is a short list of weaknesses associated with Onion Routed environments:
- Weak defense against timing analysis
- Intersection attacks and predecessor attacks
- Exit node issues (traffic leaving the exit node can be sniffed by the exit node operator)
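To make the layered encryption and the exit node weakness above concrete, here is an added toy simulation (written for this page, not code from the original post, from the Navy patent, or from any real onion routing implementation). The relay names, the shared keys and the "toy cipher" (HMAC-SHA256 in counter mode, used only so the script runs with the standard library) are all constructed assumptions; a real deployment uses per-hop key agreement and a proper cipher, and none of that is reproduced here. Each relay peels exactly one layer, learns only the hop it received the cell from and the hop it forwards to, and the exit relay is the only one that ever holds the plaintext payload, which is precisely why an exit operator can read unencrypted traffic.

```python
"""Toy onion routing walk-through (added example, not the post's own code).

Constructed assumptions: a three-hop circuit ("guard", "middle", "exit"),
one symmetric key per relay shared with the sender, and a toy stream
cipher built from HMAC-SHA256. The toy cipher is for illustration only.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over (nonce || counter). Demo only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Prepend a fresh nonce and XOR the plaintext with the keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of toy_encrypt; a wrong key yields garbage, not an error."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def _frame(next_hop: str, inner: bytes) -> bytes:
    """One layer's plaintext: length-prefixed next-hop label, then the inner blob."""
    label = next_hop.encode()
    return bytes([len(label)]) + label + inner


def _unframe(data: bytes):
    n = data[0]
    return data[1 : 1 + n].decode(), data[1 + n :]


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Wrap layers from the inside out.

    circuit: list of (relay_name, shared_key) ordered guard -> exit.
    The exit's layer names the real destination and carries the plaintext
    payload; every outer layer names only the next relay in the circuit.
    """
    blob = b""
    for i in reversed(range(len(circuit))):
        _, key = circuit[i]
        if i == len(circuit) - 1:
            inner = _frame(destination, payload)
        else:
            inner = _frame(circuit[i + 1][0], blob)
        blob = toy_encrypt(key, inner)
    return blob


def relay_peel(key: bytes, blob: bytes):
    """What a single onion router does: strip one layer, read the next hop."""
    return _unframe(toy_decrypt(key, blob))


def run_circuit(circuit, destination: str, payload: bytes, sender: str = "client"):
    """Forward the onion hop by hop and record what each relay can observe.

    Returns (delivered_payload, observations). "sees_plaintext" is True only
    for the relay whose peeled layer exposes the original payload.
    """
    blob = build_onion(circuit, destination, payload)
    observations = []
    prev = sender
    for name, key in circuit:
        next_hop, inner = relay_peel(key, blob)
        observations.append({
            "relay": name,
            "came_from": prev,
            "forward_to": next_hop,
            "sees_plaintext": inner == payload,
        })
        prev, blob = name, inner
    # after the exit peels its layer, blob is the plaintext handed to the destination
    return blob, observations


if __name__ == "__main__":
    circuit = [(n, os.urandom(32)) for n in ("guard", "middle", "exit")]
    delivered, obs = run_circuit(circuit, "example.test", b"GET /report HTTP/1.1")
    for o in obs:
        print(o)
    print("delivered:", delivered)
```

Running it shows the guard seeing the client and the middle relay but only ciphertext, the middle relay seeing neither client nor destination, and the exit seeing the destination and the plaintext. That last line is the defender's takeaway: anything that must stay confidential needs its own end-to-end encryption (such as TLS) inside the onion, because the circuit only hides routing information, not the payload, from the exit.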
So far it all sounds pretty cut and dried, right? Then I began looking at what and why these solutions might be utilized outside of the public sector, and for what purpose. There are a variety of reasons individuals and groups might gravitate towards utilizing these communications models. Some lie squarely in the realm of criminal activity. Others masquerade under the pretense of political discourse (hiding behind United States Supreme Court rulings on the right of citizens to anonymity as part of political discourse, which by the way I think is fine so long as that is what is truly occurring), while in actuality attempting to push subversive or counter-culturally driven agendas (which, if they were exposed for what they truly represent, I reckon would not garner the protection afforded to citizens by the Supreme Court decision). In this entry, I am going to avoid delving too deeply into scrutinizing the intentions of those who use this technology as a means of effectively promoting political discourse. I will say that I believe there are those who utilize the technology (like all technologies and media if given the chance: TV, radio, newspapers, magazines, blogs, podcasts etc.) for questionable purposes, largely due to its ability to obfuscate source and destination in addition to its availability.
Crypto-anarchism poses a threat to us all, whether someone is leveraging 'darknets' to propagate information or ideologies (some of which is illegally obtained and deemed sensitive and/or classified), or giving presentations, with no intention of obfuscating their intentions, on subject matter deemed subversive. We as information security professionals must be alert and vigilant. In doing so, we can better defend those who cannot defend themselves while aiding in preventing criminal activity. There is a need to 'watch the watchmen'. I believe it is the responsibility of us all to do so, not of a minority; especially not a minority who believe they are above the law and entitled to disseminate information that they are not legally entitled to. That is dangerous business and not for amateurs. Information which is deemed 'sensitive' or 'classified' should be treated as such and, as tradition dictates, is disseminated on a 'need to know' basis. Deviating from that practice, regardless of what one believes to be legitimate reasoning, is dangerous, and criminal. I believe that technologies such as Onion Routed networks or 'darknets' can be utilized for good; however, they are and will likely continue to be corrupted and used for illegal, subversive and nefarious purposes as well.
Subversive Multi-Vector Threats
Introducing... The Subversive Multi-Vector Threat
I had originally intended to submit this to Wikipedia and Wiktionary for inclusion; however, it was expressed to me that it would be a violation of their Conflict of Interest (COI) policy to publish it there. As a result, I decided to publish it here within the friendly confines of the Cassandra Security blog. In doing so, I hope to bring our industry (perhaps a little differently than I had originally intended) a new term to be used with respect to much of what interests me and others in the research community, and much of what I spend my time thinking about in addition to researching. Having said that, I'd like to first point out that my purpose is not to promote myself with the introduction of this new term but rather to shed some light on what I feel passionately about and believe warrants exposure in addition to reclassification.
Origins of Subversive Multi-Vector Threats (SMT)
As an information security researcher, practitioner, thinker, and so forth, I deduced, after much time spent researching and examining them, that many of the terms we use in the security industry are neither clear nor comprehensive enough to resonate with larger audiences. This became especially evident to me when I considered the interests of my fellow researchers and peers as we struggle to address the dynamic nature of the threat landscape. As a result, I set out to consider what I believed to be true or common among many of these next generation or advanced threats and came to a wonderfully rich conclusion which you will soon see published as a co-branded work with my friend and colleague John Pirc. I began theorizing that a new term was required, one that addresses the true, diverse nature of these threats while avoiding the pigeonhole effect seen and experienced with less appropriate and accommodating terms, given the lack of a more appropriate alternative. Adding to my feeling of dissatisfaction with the terminology and the limits it placed on both researchers and analysts was the matter of contextual relevance. Some terms have more limited application, as we have all seen, and for this and other reasons (this is not to say that they are invalid, which should be noted, but rather that something else, something new, is required to fill the gap I saw), the need to reclassify and create new categories was clear to me.
Definition of Subversive Multi-Vector Threats (SMT)
Subversive Multi-Vector Threats (SMT) are highly sophisticated, well crafted and well executed attacks designed to use and exploit as many threat vectors as necessary to accomplish the mission's milestones. What makes them different from other threats is the willingness to utilize people, process and technology weaknesses in order to meet their ends. Some might argue that this is not unique; however, I believe the context in which these threats are seen, and will continue to be seen, unequivocally constitutes something new, unique and different. These threats are designed to, in a dynamic fashion, place a greater or lesser amount of effort and emphasis in one area versus another over time as dictated by the mission's goals and the leadership behind them. Subversive Multi-Vector Threats (SMTs) are complex unions of human intelligence, information security, communications intelligence / signals intelligence (COMINT / SIGINT), and open source intelligence (OSINT), and as a result differ greatly in this sense from other threat classes such as the Advanced Persistent Threat (APT).
Subversive Multi-Vector Threats (SMT) and Advanced Persistent Threats (APT)
Subversive Multi-Vector Threats (SMTs) differ dramatically from other well-known threat types in a number of ways, as described above. The greatest differences between the threats I describe as Subversive Multi-Vector Threats and other threat types lie in the targets of interest and in the approaches to exploitation each takes with respect to those targets. Whether they are targets of opportunity or directed, predesignated targets, exploitation mechanisms will vary in the world of the Subversive Multi-Vector Threat, whereas in the world of the Advanced Persistent Threat (APT), though the avenues for exploitation may change, their overall relevance is entrenched in the realm of the technical. As such, APTs are forced to focus on and rely upon technological vulnerabilities present within a system or enterprise in order to meet their goals. Not so with the Subversive Multi-Vector Threat. As I mentioned earlier, these threats are not bound to technology alone as an avenue of exploitation but rather often assess people and process weaknesses equally in order to identify the path of least resistance while capitalizing upon the weakness of others.
Additionally, APTs are typically identified within the context of environments that cater in part or in their entirety to the public sector. These organizations include the DoD, the DIB and intelligence agencies (though we and others feel that this will change over time). With respect to SMTs, I believe, based on research and experience, that they are more criminally motivated and as a result cast a wider net than do the traditional threats associated with APTs; however, this is not to say that one could not easily bleed into the other. I believe that SMTs are more sophisticated largely due to their being able to easily identify and exploit weaknesses which have little to nothing to do with technology. SMTs have the ability to compromise and, as a result, take advantage of the weaknesses of character (in addition to the ignorance) demonstrated by people, while exploring processes (policies and procedures as well) for deficiencies. I have always referred to this as the ability of experienced, motivated aggressors to "...knock one of the three legs out from under the three-legged stool upon which all organizations sit." These legs are: people, process, and technology. To knock any one of them down creates instability and weakness which can see the organization fall squarely on its bottom. This is paramount in identifying and defining Subversive Multi-Vector Threats (SMTs).
As a result, I argue that Subversive Multi-Vector Threats (SMTs) only further serve to underscore the need for the implementation of soundly constructed, risk-based security programs and frameworks, which address in exhaustive detail the areas requiring the greatest levels of diligence and care possible.
Identifying and Addressing Subversive Multi-Vector Threats (SMT)
I believe that Subversive Multi-Vector Threats (SMTs) can only be truly addressed after an organization has assessed itself and identified its vulnerabilities and deficiencies as part of a thorough risk assessment. My assertion is that in doing so an organization can quickly identify the areas where vulnerabilities and deficiencies exist which leave it exposed to the potential exploitation of its people, process and technology. Demonstrating unrelenting diligence as part of an ongoing risk management initiative is, or should be, non-negotiable. Are there technologies which can aid in addressing these threats? Yes, to a degree. Recall that these threats, Subversive Multi-Vector Threats (SMTs), are not always going to involve technological exploitation. As a result, this could mean that a person who is fully credentialed, fully authorized to be where he or she is, could effectively compromise a system or environment in order to meet the goals of his or her leaders. This is of course quite bad; however, it is not impossible to address if you are up to the challenge and willing to invest in what is required to mitigate the threats.
What is Security Research Worth?
Recently I’ve been giving thought to the value of security research and what a customer might pay for access to information collected by an organization with an expertise in assessing technical threats and vulnerabilities, government mandates and geo-political climates and then applying this knowledge to information security programs and practices. There are very likely two knee-jerk responses to this with one being, “Why would I pay for something my people can research on the internet?” and the other might be “Well, if I can get true value to increase the security posture of my organization, sure I’d pay for it.”
In either case, we still don't know how much we should be paying for this research. I would say that we must first start by figuring out what it would cost an employer to hire an experienced security analyst or engineer who is then dedicated to this function. According to Payscale.com, security specialty pay ranges from $63,000 on the low end to nearly $100,000 per year on the high end. Add to this another 35% for benefits and you have a $135,000 per year experienced employee who spends their entire day collecting information from various websites and other resources. But remember that this person will only work about 40 to 50 hours per week, so what about the rest of that time?
So let's assume that you have a relief factor of 0.7 (standardized for the private sector), so the number of persons needed for a single position is 1.7 to take into account weekends, vacation and sick time. That said, if you're going to staff 3 positions to achieve 24x7x365 security research and analysis capabilities, the number of people needed for that team is 5.1 (we'll round it down to 5), so the total employee cost for a year is $675,000 plus training and education costs.
Ok, I know that I'm making some assumptions here and the actual salaries could be higher or lower depending on market, candidate, etc. Also, I'm making the assumption that an organization would require 24x7x365 staff to perform full security research, analysis and monitoring of the threats, vulnerabilities, market factors and geo-political factors that could impact their critical systems and networks. By the way, security research here does not refer to the need to manage their security infrastructure in response to specific, targeted events against that infrastructure.
This brings me back to my initial question. Is there value in holistic, independent security research? Would you pay to have access to this information?
I'm certain there is, and I would urge you to weigh the following as you consider the value of this information or type of service to your organization.
At a minimum the following information needs to be available to the customer:
• Daily reports on the latest trends, threats, vulnerabilities and other issues that are relevant to the customer’s business or market
• Access to up to the minute threat and vulnerability data that allows an organization to customize and select security information relevant to their infrastructure
• Relevant information that covers not only technical threats and vulnerabilities but also anything specific to markets, geographies or political situations, which an organization can use to understand the full impact of technical and geo-political events on its operations
If a research organization can provide this type of information to a customer in a manner that doesn't compromise the customer's intellectual property or competitive advantage in the marketplace, there is certainly significant value to the customer. I just don't know how much they would pay for this data. What would you?