Today’s blog post has been kicking around in the recesses of my mind for a while. I have been re-writing it for a while and decided to just get it out there so I can move on to other entries while still doing it justice. It deals with a subject that over time has become much more popularized, though not to the degree that other subjects within our space have. Customized, designer malware. Some industries and security practitioners are much more familiar with this particular family of malicious code and content than are others. Certainly key elements within the public sector (DoD, Intelligence Community) and private sector (Defense Industrial Base, High-Tech R&D, Biomedical R&D) are no strangers to this family, but as for the majority I have to believe that it is still largely the stuff of myth and folklore. When one considers the premise of these types of threats and payloads it becomes apparent that they are unique and quite problematic. It’s a simple value proposition for the attacker:

  1. Study your target(s)
  2. Collect and qualify intelligence while making discretionary decisions on what to discard or retain
  3. Study and evaluate targets of opportunity – technical and non-technical
  4. Develop a strategy which takes into account tactical and strategic goals and allows for fluid diversion from one path to another should the opportunity cost be deemed too high or unreasonable
  5. Engage and begin insertion within the target environment
  6. Locate, identify and observe targets of interest, paying special attention to the people, process and technologies put in place to protect the targets
  7. Assess opportunity cost
  8. Engage in compromise
  9. Secure targeted object of mission
  10. Extricate data and/or target (remember the target could be something of a non-digital order, say a next generation telecommunications hand held for example)
  11. Secure the target
  12. Initiate process to either extort the rightful owners for profit or identify and initiate potential buyers who themselves have been qualified and are ready to engage in a transaction to secure the rights to the target in question

Sounds complex, perhaps even a bit fanciful or fictitious but rest assured dear reader it is anything other than fictitious.  Methodologies of this sort and other similarly enacted methodologies are utilized often within operations that focus on the use of customized and designer malware targeted at an organization or a specific individual within that organization for the express purpose of illegally acquiring information or assets belonging to that organization which – were they to be sold on the open market or destroyed, would have grave impacts upon the way in which the target or victim organization conducts its affairs.

As an industry we should take these threats and their growing prevalence every bit as seriously as some of the other more recently noted families of threats which have recently permeated the cultural zeitgeist.  In the same breath we as an industry need to be quite careful to avoid hysteria and any potential for ushering in an era of cyber-McCarthyism that sees us descend into a chaotic state fraught with implications, finger pointing, blinder-driven views and a lack of the irrefutable.

So how do we begin fighting these threats? We begin very much in the same way in which we always do: by preparing ourselves and forgoing the tendency to take the path of least resistance. Many times attacks and compromises seen which fall into the family of customized, designer malware leverage as a basis technologies which are well known and documented. Rootkits, backdoors, and Trojans amongst others have been noted effectively in these scenarios, as have various and sundry examples of ransomware. I believe that new, enhanced taxonomic views are necessary in the modern world of malicious code and content analysis for combating these challenges. These views must be much more comprehensive and at the same time reflect the realities occurring within the Internet threat landscape which at times are denounced as being fiction (e.g. if an attack is launched by a nation state or sub-national entity for financial gain it cannot be an APT – this is rubbish). Customized, designer malware may very well be a significant portion of the signal penetrating the noise in an effort to compromise and exploit our businesses, governments and personal lives on a scale much grander than had ever previously been considered.

The Evolution of a Sub-national Entity in CyberSpace: The Rise of the Cyber Cell

02.02.2010

Today I read a blog entry which both amused and troubled me.  The entry in question can be found here and was written by Anton Chuvakin, a smart cat who is obviously trying to draw parallels where they simply do not exist.  In this case, he asserts that there are at least 9 reasons which describe how (and why), the PCI-DSS standard and Advanced Persistent Threats (APTs) are alike.   Not being new to either, I thought I would read Anton’s entry and see where he was going with this…apparently to la la land…..  Let’s take a look at what he asserts.

First and foremost, he asserts that they are similar. I find that humorous at best and borderline irresponsible at worst. PCI, as you, dear reader, are well aware, is a governance standard created by the payment card industry (the PCI in PCI-DSS) in order to ensure a homeostatic baseline against which all vendors, merchants, and processors conducting business with the big 6 in payment cards exist and can be measured. It has nothing to do with threat modeling or mitigation, nor does it ensure (as we are painfully aware of due to the unfortunate events which took place at Heartland, Hannaford and a host of others who were either certified PCI Compliant or in the process of being certified) that anything beyond the scope of those systems which comprise the environment which processes credit card information is secured (this is accomplished via vulnerability scanning, and auditing against the standard), leaving the remainder of the enterprise to sway in the wind like yesterday’s laundry. For the record, I don’t think PCI is good or bad, but rather like climbing the rope in gym class: if you want to make the grade, you’ll get up that rope, otherwise you’ll receive the consequences. It doesn’t really speak to one’s athletic capabilities or aptitude, however it does impact your grade…PCI is more akin to this than APTs.

Anton asserts the following (whether in jest or in all seriousness is debatable):

  1. Ok…this is cute but hardly relevant or helpful to anyone combating, or faced with the prospect of combating and defending against, the realities associated with APTs
  2. Both are not threats. The penalties associated with the failure to comply with the PCI-DSS standard, if one’s organization hopes to continue doing business processing credit card transactions, are a promise, whereas the threats associated with ‘APTs’ are wildcards and cannot be guaranteed as no two ‘APTs’ are alike.
  3. I have no issue with this, only because it is generally true that in making assumptions which eliminate the possibility of risk one does oneself no favors
  4. In all my years in consulting, working in research, and for two different information security vendors I have never met an organization who said updating was too hard. I have however met several who have asserted that the politics which governed their environments were prohibitive and that their management teams were — for better or worse, comfortable with the assumed level of risk under which they labored and operated. Fair enough, it’s your environment, do as thou wilt. However, in working with those who have been victimized by ‘APTs’ I can tell you that none have ever (let me reiterate EVER) said what’s the point in updating their malware defenses. The reality is that 99.999 % of the time, they were completely unaware that their environments were at risk; they were updating their defenses and assumed their vendors were maintaining congruency and continuity with respect to the content they were delivering. In most of these cases, the advanced analytic tools which were necessary (above and beyond logging and monitoring, by the way) were not present within these environments and as a result the ability to track the activity associated with these threats was absent.
  5. “A” in APT stands for “advanced,” PCI is pretty advanced stuff for some people who have to be compliant with it (think: your neighborhood gas station)
  6. With PCI, you don’t always know what you need to do; with APT you almost never know what to do.
  7. Also, you are never “done” with PCI, you need to maintain compliance and security; you’re absolutely never “done” with APT.
  8. PCI compliance requires logging and monitoring; dealing with APT absolutely requires extensive logging and monitoring.
  9. People refuse to deal with PCI because they do not believe that anything bad will happen to them, similarly people refuse to deal with APT since they don’t know that APT has already happened to them.

I hope this comparison and contrast was helpful to those who read it as well as Anton’s blog. My goal in writing this is threefold:

  1. To ensure that the dialogue pertaining to APTs and other advanced families of threats remains pure and unadulterated.
  2. To ensure that inaccuracies and under developed concepts are prevented from permeating the cultural zeitgeist.
  3. To ensure certain parties avoid liberating graphics from entries posted here at Cassandra Security ;)

Recent events have caused the world at large to take note of something which many – certainly not all – information security professionals have been intimately aware of for some time: the dynamic nature of the threat landscape as demonstrated by the rise in prominence of subversive multi-vector threats (SMTs). The events related to the Google vs. China attacks are exemplary of a subset of SMTs, the advanced persistent threat (APT), first brought to our attention as a ‘term du jour’ by the fine folks at the Department of Defense (DoD). Were there other names for these threats in the years prior to the coining of this term? Yes, for many years the unexplained or anomalous were referred to as ‘events of interest’ (crafty, no?) as that is exactly what they were when noticed: events of interest. Today, in a wonderfully thought provoking guest blog posting at ‘Threatpost.com’, Scott Crawford and Nick Selby reiterated that it’s the adversaries, not the threats, which are persistent.

This correlates with the model from which I operate and understand these threats, the subversive multi-vector threat model, regardless of their points of origin (nation state, sub-national entity – criminal, terrorist, mercenary or otherwise). Again, this comes as no surprise to those who have an intimate familiarity and understanding of what motivates, drives and ultimately emerges as an exploitation resulting in data exfiltration and weakening of risk postures (literal, figurative and psychological) in public and private sectors the world over. Experience is the best teacher. This has been proven to my colleagues and me here at Cassandra Security and at other affiliated organizations such as Trident Risk Management many times over. What is old is often vigorously repeated, as many times people become complacent, forgetting what led them to take note of an event of interest to begin with.

There is a familiarity associated with this idea that echoes the sentiment that Solomon suggested in his writing of the Book of Ecclesiastes “…there is nothing new under the sun…”.  We need to ask ourselves why?  Why are we surprised by this rationale?  Why are we taken aback by the emergence and manifestation of activity, which is not new, but rather the result of creativity, innovation in thought, action and deed in addition to the willingness of those responsible to accept greater degrees of risk than we ourselves are – in both offense and defense?  And perhaps why our industry slumbers like a sleeping giant as was suggested by members of this organization last year at Toorcon 11 in San Diego while presenting on this and related topics?   Perhaps even more interesting is the attitude that Crawford and Selby noted on the part of several of the ‘Bigs’ with respect to this subject matter, which previously was not part of their vocabulary.

Regardless of what you wish to believe, the threats presented by individuals and organizations alike operating on behalf of, in deference to or outside of nation state sponsored activity are real. As Tom Clancy said, there is a “Clear and Present Danger” here. This is not up for discussion, nor should it become the marketing hammer with which some posit less than enlightening insights regarding just what threats such as those seen in the ‘Aurora’ attacks are targeting – namely data. In the public sector, with respect to defense and strategic offense, it has always been about the data; data & intelligence are paramount to all things tactical, strategic and economic. To suggest otherwise is not only demonstrative of one’s own personal limits and lack of understanding with respect to the subject matter but also indicative of one of the greater problems present within our industry: sensationalism and the errant logic which some organizations use in capitalizing off of a ‘hot’ topic. This is both foolhardy and ill advised. This is the information security industry’s equivalent of ambulance chasing and should be looked upon with both a cautious, discerning eye as well as no small amount of skepticism. Regardless of what you wish to believe or may have heard recently from some rather large entities in our industry, the threats discussed in the case of Google in China and elsewhere (Ghostnet for example) are far from new.

You may have read articles addressing this topic here at Cassandra Security previously, or elsewhere, perhaps at Taosecurity, Information Warfare Monitor or threatpost. Regardless of where you read or heard about them, it is important to note that these attacks and those responsible for them are not new, nor are they peerless or without fault. True, they are often hiding in plain sight. That is something that those responsible for organizational security & risk posture must address for themselves and take note of should they wish to stave off current or future attacks. This fact is apparent in a multitude of cases historically, and will no doubt continue to be the case as I and my colleagues here and elsewhere at affiliated organizations have suggested. Equally important will be the need to develop a deeper, more robust understanding of the psyche of those behind these attacks and their motives. Agendas drive everything whether we wish to admit so or not. Cybercriminal activity in all its flavors, in addition to nation state sponsored and sub-nationally sponsored activity, requires this now more so than ever before. The future is now and it is up to those who dare to lead and provide the light necessary to illuminate the paths we tread.

01.17.2010

The German government has warned against the use of Internet Explorer citing that Microsoft’s recommendations to increase the security zone setting to High would not make the browser safe.

It’s an interesting statement in what is sure to continue to be a tough time for Microsoft. You’ll see that in the article from BBC that I linked above, Mr. Thomas Baumgartner of Microsoft states, among other things, “These were not attacks against general users or consumers.” That’s where Microsoft has proven to me their short sightedness in their issues surrounding flaws in Internet Explorer.

In this specific case, Mr. Baumgartner is absolutely correct in stating that the attacks against Google, Adobe, Juniper and unnamed others weren’t attacks against consumers. However, I think he’s missing a key point: with IE installed on over 60% of computers worldwide there is a better than average chance that consumers WILL SOON be targeted, and this is why I have issue with Microsoft’s defense against the German government warning.

My comments in this post are not intended to be an indictment against Microsoft. The fact is that Microsoft has huge market share at both the OS and application level, thus it follows that their applications are more likely to be targeted for attacks. But, it’s all in how the situation is handled and how the vendor shows they understand the long term implications of this problem. As I stated above, based on the comments reported in the press, they don’t fully understand the potential depth of the problem.

Personally, if I were responsible for IT in an organization, starting tomorrow I would think very, very seriously about taking the following actions:
- First, on all systems running IE, implement Microsoft’s recommendations in the security advisory for this issue.
- Second, have my IT administrators develop a plan to install Firefox on all systems which require a web browser and do so as the default web browser.
- Third, remove Internet Explorer from all systems unless there is a specific internal application or other third-party business application which only supports IE. Then I would have it only installed on systems requiring access to that app, would have the security settings tuned to High and would disable as much scripting as possible.
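One way to check, and optionally apply, the Internet-zone hardening in the third step on a stand-alone Windows machine, as an added example that is not from the original post. The registry key and value names are Internet Explorer's documented security zone settings (Zones\3 is the Internet zone); the function names and the choice of which actions to disable are my own.

```powershell
# Added example: audit and enforce IE Internet-zone hardening (High level,
# scripting and ActiveX disabled) for the current user.
# Assumed registry layout, per Microsoft's documented zone settings:
#   Zones\3            = Internet zone
#   CurrentLevel       = 0x12000 for High (0x11000 Medium, 0x10000 Low)
#   action values 1200 (Run ActiveX controls and plug-ins),
#                 1400 (Active scripting), 2000 (Binary and script behaviors):
#                 0 = Enable, 1 = Prompt, 3 = Disable
# Usage:  .\Audit-IEZone.ps1           (report only)
#         .\Audit-IEZone.ps1 -Enforce  (apply; supports -WhatIf)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce
)

$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$LevelHigh = 0x12000

# Desired state for the Internet zone: value name -> expected DWORD.
$Desired = [ordered]@{
    'CurrentLevel' = $LevelHigh   # Security level: High
    '1200'         = 3            # Run ActiveX controls and plug-ins: Disable
    '1400'         = 3            # Active scripting: Disable
    '2000'         = 3            # Binary and script behaviors: Disable
}

function Get-InternetZoneDrift {
    # Returns one object per setting with the expected and actual values,
    # so "tuned back down" settings (the help-desk problem) are visible.
    $actual = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue
    foreach ($name in $Desired.Keys) {
        $value = $null
        if ($null -ne $actual -and $null -ne $actual.$name) { $value = [int]$actual.$name }
        [pscustomobject]@{
            Setting   = $name
            Expected  = ('0x{0:X}' -f $Desired[$name])
            Actual    = if ($null -eq $value) { '(absent)' } else { '0x{0:X}' -f $value }
            Compliant = ($value -eq $Desired[$name])
        }
    }
}

function Set-InternetZoneHigh {
    # Writes the desired values; honours -WhatIf / -Confirm via ShouldProcess.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        $target = "$ZoneKey\$name"
        if ($PSCmdlet.ShouldProcess($target, ('Set to 0x{0:X}' -f $Desired[$name]))) {
            Set-ItemProperty -Path $ZoneKey -Name $name -Value $Desired[$name] -Type DWord
        }
    }
}

$drift = Get-InternetZoneDrift
$drift | Format-Table -AutoSize

if ($Enforce) {
    Set-InternetZoneHigh
    # Re-read so the operator sees the post-change state, not the intent.
    Get-InternetZoneDrift | Format-Table -AutoSize
}
elseif ($drift | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Internet zone is below the recommended hardening; re-run with -Enforce to apply.'
}
```

On a domain-joined machine these values are normally set by the Internet Explorer security zone Group Policy rather than per user, and a policy-managed zone will override what this script writes; the internal application that still needs IE belongs in the Trusted sites zone (Zones\2) rather than in a relaxed Internet zone.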

I’m not naive, I know there are vulnerabilities in Firefox; in fact, when looking at Secunia this morning I found there to be more vulns in Firefox than there are in IE (versions 5.0.1 through 8). However, the one thing I noticed as well is that Firefox vulns were more likely to be patched in a quicker fashion than IE, and that the vulns reported in Firefox collectively were not as severe as the vulns reported in IE. My recommendations are based on the fact that this isn’t the first time a critical vulnerability in IE has been exploited and the only defense was to wait for the patch. This recommendation is purely defensive against a future IE zero day that goes unpatched for a significant length of time after discovery.

Granted, zero day is generally defined as an attack that occurs against a vulnerability that was previously unknown. In defense of Microsoft, it’s pretty tough to patch a zero day vulnerability before an attack occurs. However, this series of attacks occurred last week and the recommendations against exploit are browser settings, not a patch. This isn’t going to work for the consumer or casual user and, very likely, won’t work effectively for the large enterprise.

The reasons are simple:

- Consumers and casual users (non-IT SMBs, etc) don’t understand what these settings really mean and will be very likely to “tune them back down” once their favorite website doesn’t display correctly.
- Large enterprises with thousands of employees can’t absorb the costs of taking calls from the help desk asking “how do I make these changes again?” or trying to explain why some website isn’t working.

It’s quite simple for me to make these changes on the two computers I have in my house and to manage them appropriately. But in actuality, it’s easier for me to have my wife and son run Firefox rather than risk the “next IE zero day.”

I realize that it very well may be Firefox tomorrow if everyone jumps to that browser, but we’ve been here before with IE and we’ll probably experience it again.

Anyhow, I see no issue with the German government advising against the use of Internet Explorer and would not be surprised to see other organizations follow suit.

Again, this is not an indictment against Microsoft, rather this is about taking the necessary steps to protect your critical information and systems. Finally, let me ask you a question. Do you rely on your builder or landlord to tell you how to protect your personal information in your house or do you trust the safe manufacturer instead? For information security, rely on the security professionals.

As a final disclaimer, these views are mine alone and do not reflect the views of my employer.

The recent news surrounding the Google cyberattack, and the fact that web browsers were exploited to facilitate these attacks, comes as no surprise. In fact, I recall in 2006 and 2007 when speaking at various seminars, user groups and large events such as ISACA, NASACT and ASIS, among others, I would lead in with the following question:

If I had a giveaway for you today and gave you the choice, would you rather have $1000 or this brand new 1GB USB thumb drive? Almost unanimously the hands would raise for the $1000 cash because people want the cash.

The whole point of this series of presentations was to point out that security had everything to do with information, and that viruses, worms, Trojans, bots, etc. were simply mechanisms used to enable access to that information. I also pointed out that the web browser would enable these types of attacks simply because of how a web browser functions.

I submit to you today the same thing that I would tell folks 3 years ago and more: that the web browser is the most widely used application in user land and as such will allow and enable quite serious attacks against our infrastructure and critical information in the years to come. We do our banking via the web browser, we order pizza through a web browser, I attend conference calls and presentations via the web browser, people attend college through the web browser. You get my point. It was only a matter of time before we realized a large scale compromise that was PUBLICLY announced that was enabled by flaws in the web browser and the near ubiquitous use of the browser on every computing device a user, consumer or employee of an organization uses to go about their daily business.

I remember the first time I mentioned to an audience that the use of the web browser, when taken into an information security context, was like inviting a thief into your home or place of business and giving them access to your safe. I had to explain that because a web browser and plug-ins like Java, XML, ActiveX, VML and others “just run” once the browser is launched, it’s no different than giving someone free rein to do whatever they want in your home or office when it comes to valuables.

This series of attacks and exploits of Internet Explorer have proven that point more than ever.  The opportunity was there 3 years ago and now the first of many attacks have arrived.  But the one thing that we must absolutely remember is that it’s not just these attacks that are all about access to confidential information, trade secrets and intellectual property; nearly all computer attacks have been about access to confidential information, whether it be credit card information of consumers or a chemical company’s intellectual property.

Security is about protecting information, pure and simple; everything else is just a by-product of that.

For more information on the presentations I mentioned above please check out:

http://bit.ly/8gQfrz

http://bit.ly/74tBEM

There is A LOT of press regarding Google and the Chinese exfiltrating data from many corporations. The Wall Street Journal has a pretty good write up; if you have not had a chance to read it, I would encourage it: http://bit.ly/92Q1CI . Honestly, it does not matter if the attack vector was going through Google or any other medium for that matter. It’s important to understand that any open Internet connection, combined with the financial backing of a state or non-state sponsored cyber hit, has and will continue to exploit any target of value. First, APTs have been around for a long time. Furthermore, the technology required in uncovering these “Subversive Multi-Vector Threats (SMT)”, as my close colleague and friend Will Gragido describes in a recent blog posting: http://bit.ly/8TlP6d , is typically not core infrastructure security devices. What are core infrastructure security devices? FW/UTM/NGFW, IPS, Web & Mail security, A/V, HIPS and some form of DLP, to name a few. These that I listed are great for detecting, stopping and mitigating about 80 – 90% of the attack surface according to an article where the NSA was quoted. Keep in mind that people, process and a select few technologies and vendors bridge that 10 – 20% gap.

APTs, or as we here at Cassandra refer to them, SMTs, are typically a topic that not a lot of security professionals are qualified to speak about, and because the threats are so stealthy it’s not talked about. Will and I recently gave a discussion on APTs at ToorCon this past fall. Our ToorCon presentation can be found here: http://bit.ly/73tuYA . We are passionate and very experienced in dealing with this subject matter, as we’ve had to deal with this specific attack vector for the past 15 years. It’s not surprising that it’s starting to get coverage and unfortunately, it’s probably the best vector for obtaining any type of data almost undetected. Now with that said, the sky is not falling, but corporations are going to have to make investments in key technologies and people if they really want to know what’s going on within their network. Correlated event data from multiple threat feeds is a great thing but it’s not as powerful as having full session based data. SMTs are like bread crumbs that fall through the cracks, and the type of technologies that can catch the breadcrumbs are those that are developed by Netwitness and Palantir, to name a few. Not plugging them, but these types of technologies are needed in uncovering the stealth threats that go bump in the night and in broad daylight. Additionally, the time to protection is constantly shrinking and reactive point products that provide retroactive assurance can’t scale with the current threat landscape. The paradigm from a silo data feed model needs to change. A vendor that’s leading this model is McAfee. Again, at Cassandra we remain technology vendor agnostic; however, when it comes to the severity of the threats, the industry needs to change and follow the example of other vendors that are leading the battle in combating SMTs, or as formerly referred to, APTs. More to come on this topic.

12.12.2009

Introducing… The Subversive Multi-Vector Threat

I had originally intended on submitting this to Wikipedia and Wiktionary for inclusion; however, it was expressed to me that it would be a violation of their Conflict of Interest (COI) policy to publish it there. As a result, I decided to publish here within the friendly confines of the Cassandra Security blog. In doing so, I hope to bring our industry (perhaps a little differently than I had originally intended) a new term to be used with respect to much of what interests me and others in the research community and much of what I spend my time thinking about in addition to researching. Having said that, I’d like to first point out that my purpose is not to promote myself with the introduction of this new term but rather to shed some light on what I feel passionately about and believe warrants exposure in addition to reclassification.

Origins of Subversive Multi-Vector Threats (SMT)

As an information security researcher, practitioner, thinker, and so forth, I deduced, after much time spent researching and examining them, that many of the terms we use in the security industry are neither clear nor comprehensive enough to resonate with larger audiences. This became especially evident to me when I considered the interests of my fellow researchers and peers as we struggle to address the dynamic nature of the threat landscape. As a result, I set out to consider what I believed to be true or common among many of these next generation or advanced threats and came to a wonderfully rich conclusion which you will soon see published as a co-branded work with my friend and colleague John Pirc. I began theorizing that a new term was required (one that addresses the true, diverse nature of these threats while avoiding the pigeon hole effect seen and experienced with less appropriate and accommodating terms), due to the lack of a more appropriate alternative. Adding to my feeling of dissatisfaction with the terminology and the limits it placed on both researchers and analysts was the matter of contextual relevance. Some terms have more limited application, as we have all seen, and due to this and other reasons (this is not to say that they are invalid, which should be noted, but rather that something else, something new, is required to fill the gap I saw), the need to reclassify and create new categories was clear to me.

Definition of Subversive Multi-Vector Threats (SMT)

Subversive Multi-Vector Threats (SMT) are highly sophisticated, well crafted, executed attacks designed to use and exploit as many threat vectors as necessary to accomplish the mission’s milestones. What makes them different than other threats is the willingness to utilize people, process and technology weaknesses in order to meet their ends. Some might argue that this is not unique; however, I believe the context in which these threats are seen and will continue to be seen unequivocally constitutes something new, unique and different. These threats are designed to, in a dynamic fashion, place a greater or lesser amount of effort and emphasis in one area versus another over time as dictated by the mission’s goals and the leadership behind them. Subversive Multi-Vector Threats (SMTs) are complex unions of human intelligence, information security, communications intelligence / signals intelligence (COMINT / SIGINT), and open source intelligence (OSINT), and differ greatly in this sense from other threat classes such as the Advanced Persistent Threat (APT), as a result.

Subversive Multi-Vector Threats (SMT) and Advanced Persistent Threats (APT)

Subversive Multi-Vector Threats (SMTs) differ dramatically from other well-known threat types in a number of ways, as described above. The greatest differences noted between the types of threats I describe as being Subversive Multi-Vector Threats and others lie in the targets of interest and the approaches to exploitation taken by each with respect to their targets. Whether they be targets of opportunity or directed, predesignated targets, exploitation mechanisms will vary in the world of the Subversive Multi-Vector Threat, whereas in the world of the Advanced Persistent Threat (APT), though the avenues for exploitation may change, their overall relevance is entrenched in the realm of the technical. As such, APTs are forced to focus and rely upon technological vulnerabilities present within a system or enterprise in order to meet their goals. Not so with the Subversive Multi-Vector Threat. As I mentioned earlier, these threats are not bound to technology alone as an avenue of exploitation but rather often assess both people and process weakness equally in order to identify the path of least resistance while capitalizing upon the weakness of others.

Additionally, APTs are typically identified within the context of environments that cater in part or in their entirety to the public sector. These organizations include DoD, DIB and Intelligence Agencies (though we and others feel that this will change over time). With respect to SMTs, I believe based on research and experience that they are more criminally motivated and as a result cast a wider net than do the traditional threats associated with APTs; however, this is not to say that one could not easily bleed into another. I believe that SMTs are more sophisticated largely due to their being able to easily identify and exploit weaknesses which have little to nothing to do with technology. SMTs have the ability to compromise and, as a result, take advantage of the weaknesses of character (in addition to their ignorance) demonstrated by people while exploring processes (policies and procedures as well) for deficiencies. I have always traditionally referred to this as the ability of experienced, motivated aggressors to “…knock one of the three legs out from under the three-legged stool upon which all organizations sit.” These legs are: people, process, and technology. To knock one down, any one, creates instability and weakness which can see the organization fall squarely on its bottom. This is paramount in identifying and defining Subversive Multi-Vector Threats (SMTs).

As a result, I argue that Subversive Multi-Vector Threats (SMTs) only further serve to underscore the need for the implementation of soundly constructed, risk-based security programs and frameworks, which address in exhaustive detail the areas requiring the greatest levels of diligence and care possible.

Identifying and Addressing Subversive Multi-Vector Threats (SMT)

I believe that Subversive Multi-Vector Threats (SMTs) can only be truly addressed after an organization has assessed itself and identified its vulnerabilities and deficiencies as part of a thorough risk assessment. My assertion is that in doing so an organization can quickly identify areas where vulnerabilities and deficiencies exist which leave it exposed to potential exploitation of people, process and technology in order to gain. Demonstrating unrelenting diligence as part of an ongoing risk management initiative is, or should be, non-negotiable. Are there technologies which can aid in addressing these threats? Yes, to a degree. Recall that these threats, Subversive Multi-Vector Threats (SMTs), are not always going to involve technological exploitation. As a result, this could mean that a person who is fully credentialed and fully authorized to be where he or she is could effectively compromise a system or environment in order to meet the goals of his or her leaders. This is of course quite bad, however not impossible to address if you are up to the challenge and willing to invest in what is required to mitigate the threats.


The following white paper is the first in a series discussed earlier today by Cassandra Security.   The authors of this piece, Will Gragido and John Pirc, are proud to present it to you and the community:

No Longer Available for Download, see Critical Infrastructure Part I: Trains and Transit Systems Revised Edition 120509!

Seeing Tomorrow Today,

Cassandra Security

Well it is Friday night and I was not going to write anything or post anything for at least 24 hours; I promised myself.   I like me and think it is poor form to break promises to me.   That was before I read this article. 

Upon initial read, I found myself floating quietly in low earth orbit enjoying a panoramic view of the Earth as my oxygen levels depleted slowly. Then came the descent. Hurtling towards the Earth at speeds not intended for man, I again found myself reading this article, debating whether another trip in low earth orbit was in the cards. Thankfully, cooler heads prevailed and I am here, writing this blog entry.

This is colossally embarrassing and scary for a number of different reasons, many of which, as you may imagine, relate directly to the business which goes on at Los Alamos. I am a huge fan of the GAO because they get it; they tell it like it is: good, bad, and often ugly. It is a quality I find endearing and necessary. Now, Los Alamos National Laboratory is not unique in that it has suffered breaches, several in fact, in recent years. They are, in my opinion, less unique than most would like to believe or dreamt was possible.

What is disturbing is the factual nature of the findings. The GAO writes great auditor-friendly reports; they remind me of Sgt. Friday from Dragnet: “Just the facts, ma’am”. I am aghast, and quite honestly shocked, that despite all that has occurred and that we know of (and are permitted to discuss in non-classified environments), they found “significant weaknesses … in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network…” on the Los Alamos Laboratories network. Significant weaknesses at a laboratory whose primary focus is national defense and security. They say so right here on their website; in fact, this is what they say:

“Los Alamos National Laboratory is a premier national security research institution, delivering scientific and engineering solutions for the nation’s most crucial and complex problems. Our primary responsibility is ensuring the safety, security, and reliability of the nation’s nuclear deterrent.”

The assessment demonstrated that the lab has vulnerabilities in several “critical” areas, some of which include deficiencies in identifying and authenticating users, authorizing user access, encrypting classified information and maintaining secure software configurations… how is that possible? As luck would have it, the GAO report tells us just how it is possible, and get this: no amount of ‘Cloud’ or ‘PCI’ voodoo could achieve what is required of the solution! (Ready the ominous risk management music):

“A key reason for the information security weaknesses GAO identified was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained…”

Heaven help us. The lab reportedly has not conducted a comprehensive risk assessment to date (well, there goes my decision to not have a beer tonight), nor has it achieved a proper state of data classification. What does data classification mean? It means that they have not marked the classification level of information stored on its classified network (a very serious problem in environments where one ought never to commingle classified and non-classified data). Additionally, as if all this was not enough, they have failed to implement adequate training for their users with security responsibilities…, which in my humble opinion means ALL USERS! The labs have “lost” assets due to theft; since January of this year approximately 67 computers have simply vanished… again, in a secure environment, I ask you… how is that possible? Over the last several years they have experienced other breaches and losses which resulted in fines for the lab, most notably the one incurred as the result of a contract worker illegally downloading and removing hundreds of pages of data from the lab via USB thumb drives… yes, bartender, I will have another one. Additionally, the lab has taken flak in the past for not leveraging cryptographically sound email to share highly classified information.

According to the folks who broke this story at PC World, a representative for the lab said that in general they agreed with the report, citing that the lab has made progress in its cyber-security efforts. According to Michael Kane, associate administrator for the NNSA, in a letter to the GAO, the lab has addressed a number of key technical issues and is actively implementing policy to address the concerns brought to its attention via the report.
