A little over two weeks ago United States Army Specialist Bradley Manning was arrested and life as he knew it changed forever. Manning, an intelligence analyst stationed at Forward Operating Base Hammer, 40 miles east of Baghdad, had implicated himself as being responsible for the disclosure of in excess of 260,000 classified documents that he harvested from military classified networks (SIPRNET and JWICS). He shared this information with Adrian Lamo, a well-known “reformed” black hat hacker, over encrypted instant messaging sessions, ultimately culminating in Lamo turning to the United States Army’s Criminal Investigation Division (CID). Lamo, who along with Wired.com journalist Kevin Poulsen has been labeled a ‘snitch’ as a result of Lamo’s cooperation with the authorities and Poulsen. The Internet is awash with speculation regarding this story, with parties such as Julian Assange, founder of the Internet whistleblower site WikiLeaks.org (the site to which Specialist Manning allegedly provided these documents and videos), stating that were Specialist Manning responsible for the submissions (which Assange will neither confirm nor deny), he should be regarded as a national hero.
Regardless of your position on free speech, or of what only time, investigation and thorough analysis will reveal pertaining to the Manning case, gross misconduct occurred in what can only be described as a willful manner as it relates to Specialist Manning, his military occupational specialty, his rating, unit, command and brothers in arms the world over. Philosophy, politics and idealism are the wildcards in our space: the black swans which, once identified, must be taken note of, because what motivates them in many respects lies squarely outside of the norms associated with breaches of this type. In most cases of espionage, which is candidly what this is — regardless of your feelings or philosophy — there are common indicators that are noted and tend to be exploited by those seeking to manipulate a party into doing their bidding. This case is different. It is interesting and quite candidly horrifying in that Specialist Manning (to the best of the data we have to date) was not motivated by greed or financial hardship (motivators seen in countless other cases, such as those of Ames, the Walkers, or Hanssen), or by vice (as seen in the case of Lonetree). No, by all accounts (again taking into consideration that these accounts are coming largely via third-party relay, from information disclosed from the communications between Manning and Lamo, and from information provided by friends of Specialist Manning), Specialist Manning was motivated by what we might most easily describe as idealistic or philosophical.
As a result, I am going to refrain from weighing in with an opinion regarding guilt or innocence, as Specialist Manning will no doubt be undergoing investigation and, I would imagine, a Court Martial as a result of the allegations being brought forth against him. Certainly the communications he provided to Lamo will serve to build and strengthen the case against him, and we would all do well to remember that Specialist Manning, like all military personnel, swore an Oath of Enlistment which calls for the party swearing said oath to defend the Constitution of the United States from all enemies, foreign and domestic. The oath itself reads as follows:
“I, (name), do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; and that I will obey the orders of the President of the United States and the orders of the officers appointed over me, according to regulations and the Uniform Code of Military Justice. So help me God.”
It is communicated in an elegant and articulate manner and leaves no room for interpretation. Beyond that, when one enters into a military occupational specialty which requires a security clearance, one’s life and personal opinions must be willingly put aside for the greater good, as the lives of others more often than not depend on a clear, unwavering stance on service, obligation and duty to the nation. Having said that, it should be noted that it is not my place, nor is it my desire, to pass judgment on this young man. That day and duty will come, and justice will be served in a military court of his peers at a time yet to be determined. My real concern stems from the situational awareness of those in charge of the facility in which Specialist Manning worked on a daily basis, and from their procedural and operational effectiveness. Allowing anyone to enter a classified environment with read/writable media is not uncommon; read/writable media is used within these environments. However, allowing them to leave the facility with read/writable media, regardless of how it was labeled (in this case Specialist Manning stated that he labeled a read/writable disc as a ‘Lady Gaga’ CD and proceeded to pretend to lip-sync to her songs while he was scouring secure, classified systems and networks for material which he later downloaded within a split compressed file), is unusual to say the very least. In most cases it does not occur, and it never should.
This no doubt will be investigated by Army CID and others, and will likely see the watch command, Officer in Charge and others investigated in order to properly assess whether Specialist Manning acted alone or in collusion with others. The results? Well, we’ll have to wait for the results to be arrived at; we may never know, as the Department of Defense may choose (and it is their right to do so) not to disclose all that they find. Regardless, I cannot think of a better case to highlight the need for regular and vigilant security awareness and educational training, in addition to a greater degree of cognizance of the existence, potential use and hosting of onion-routed repositories within networks (public or private), which may be used for questionable and, in some cases quite clearly, criminal ends.
The Need for New Taxonomic Views of Malicious Code & Content
Today’s blog post has been kicking around in the recesses of my mind for a while. I have been re-writing it for a while and decided to just get it out there so I can move on to other entries while still doing it justice. It deals with a subject that over time has become much more popularized, though not to the degree that other subjects within our space have: customized, designer malware. Some industries and security practitioners are much more familiar with this particular family of malicious code and content than are others. Certainly key elements within the public sector (DoD, Intelligence Community) and private sector (Defense Industrial Base, High-Tech R&D, Biomedical R&D) are no strangers to this family, but as for the majority I have to believe that it is still largely the stuff of myth and folklore. When one considers the premise of these types of threats and payloads it becomes apparent that they are unique and quite problematic. It’s a simple value proposition for the attacker:
1. Study your target(s)
2. Collect and qualify intelligence while making discretionary decisions on what to discard or retain
3. Study and evaluate targets of opportunity, technical and non-technical
4. Develop a strategy which takes into account tactical and strategic goals and allows for fluid diversion from one path to another should the opportunity cost be deemed too high or unreasonable
5. Engage and begin insertion within the target environment
6. Locate, identify and observe targets of interest, paying special attention to the people, processes and technologies put in place to protect the targets
7. Assess opportunity cost
8. Engage in compromise
9. Secure targeted object of mission
10. Extricate data and/or target (remember the target could be something of a non-digital order, say a next-generation telecommunications handheld, for example)
11. Secure the target
12. Initiate the process to either extort the rightful owners for profit or identify and initiate potential buyers who themselves have been qualified and are ready to engage in a transaction to secure the rights to the target in question
Sounds complex, perhaps even a bit fanciful or fictitious, but rest assured, dear reader, it is anything but fictitious. Methodologies of this sort, and others similarly enacted, are often utilized within operations that focus on the use of customized and designer malware targeted at an organization, or a specific individual within that organization, for the express purpose of illegally acquiring information or assets belonging to that organization which, were they to be sold on the open market or destroyed, would have grave impacts upon the way in which the target or victim organization conducts its affairs.
As an industry we should take these threats and their growing prevalence every bit as seriously as some of the other, more recently noted families of threats which have permeated the cultural zeitgeist. In the same breath, we as an industry need to be quite careful to avoid hysteria and any potential for ushering in an era of cyber-McCarthyism that sees us descend into a chaotic state fraught with implications, finger pointing, blinder-driven views and a lack of the irrefutable.
So how do we begin fighting these threats? We begin very much in the same way we always do: by preparing ourselves and forgoing the tendency to take the path of least resistance. Many of the attacks and compromises seen which fall into the family of customized, designer malware leverage, as a basis, technologies which are well known and documented. Rootkits, backdoors and Trojans, amongst others, have been noted in these scenarios, as have various and sundry examples of ransomware. I believe that new, enhanced taxonomic views are necessary in the modern world of malicious code and content analysis for combating these challenges. These views must be much more comprehensive and at the same time reflect the realities occurring within the Internet threat landscape, which at times are denounced as being fiction (e.g. the claim that if an attack is launched by a nation state or sub-national entity for financial gain it cannot be an APT; this is rubbish). Customized, designer malware may very well be a significant portion of the signal penetrating the noise in an effort to compromise and exploit our businesses, governments and personal lives on a scale much grander than had ever previously been considered.