Recent events have caused the world at large to take note of something which many (certainly not all) information security professionals have been intimately aware of for some time: the dynamic nature of the threat landscape, as demonstrated by the rise to prominence of subversive multi-vector threats (SMTs).  The events surrounding the Google vs. China attacks are exemplary of a subset of SMTs, the advanced persistent threat (APT), a term first brought to our attention as the ‘term du jour’ by the fine folks at the Department of Defense (DoD).  Were there other names for these threats in the years prior to the coining of this term?   Yes; for many years the unexplained or anomalous were referred to as ‘events of interest’ (crafty, no?), as that is exactly what they were when noticed: events of interest.   Today, in a wonderfully thought-provoking guest blog post at ‘Threatpost.com’, Scott Crawford and Nick Selby reiterated that it is the adversaries, not the threats, which are persistent.

This correlates with the model from which I operate and understand these threats, the subversive multi-vector threat model, regardless of their points of origin (nation state or sub-national entity, whether criminal, terrorist, mercenary or otherwise).   Again, this comes as no surprise to those who have an intimate familiarity with what motivates and drives these actors, and with what ultimately emerges as an exploitation resulting in data exfiltration and a weakening of risk postures (literal, figurative and psychological) in public and private sectors the world over.  Experience is the best teacher.  This has been proven to my colleagues and me here at Cassandra Security, and at affiliated organizations such as Trident Risk Management, many times over.  What is old is often vigorously repeated, as people become complacent and forget what led them to take note of an event of interest to begin with.

There is a familiarity to this idea that echoes the sentiment Solomon expressed in his writing of the Book of Ecclesiastes: “…there is nothing new under the sun…”.  We need to ask ourselves why.  Why are we surprised by this?  Why are we taken aback by the emergence and manifestation of activity which is not new, but rather the result of creativity and innovation in thought, action and deed, combined with the willingness of those responsible to accept greater degrees of risk than we ourselves will, in both offense and defense?  And why does our industry slumber like a sleeping giant, as members of this organization suggested last year at Toorcon 11 in San Diego while presenting on this and related topics?   Perhaps even more interesting is the attitude that Crawford and Selby noted on the part of several of the ‘Bigs’ toward this subject matter, which previously was not part of their vocabulary.

Regardless of what you wish to believe, the threats presented by individuals and organizations alike operating on behalf of, in deference to, or outside of nation state sponsored activity are real.  As Tom Clancy put it, there is a “Clear and Present Danger” here.   This is not up for discussion, nor should it become the marketing hammer with which some posit less than enlightening insights regarding just what threats such as those seen in the ‘Aurora’ attacks are targeting, namely data.  In the public sector, with respect to defense and strategic offense, it has always been about the data; data and intelligence are paramount to all things tactical, strategic and economic.   To suggest otherwise is not only demonstrative of one’s own limits and lack of understanding of the subject matter, but also indicative of one of the greater problems present within our industry: sensationalism, and the errant logic some organizations use in capitalizing on a ‘hot’ topic.  This is both foolhardy and ill advised.   It is the information security industry’s equivalent of ambulance chasing and should be looked upon with a cautious, discerning eye and no small amount of skepticism.    Regardless of what you wish to believe or may have heard recently from some rather large entities in our industry, the threats discussed in the case of Google in China and elsewhere (Ghostnet, for example) are far from new.

You may have read articles addressing this topic previously here at Cassandra Security, or elsewhere, perhaps at Taosecurity, Information Warfare Monitor or threatpost.  Regardless of where you read or heard about them, it is important to note that these attacks, and those responsible for them, are neither new nor peerless nor without fault.  True, they are often hiding in plain sight.  That is something those responsible for organizational security and risk posture must address for themselves and take note of, should they wish to stave off current or future attacks.  This fact is apparent in a multitude of historical cases, and will no doubt continue to be the case, as my colleagues here and at affiliated organizations and I have suggested.   Equally important will be the need to develop a deeper, more robust understanding of the psyche of those behind these attacks and their motives.  Agendas drive everything, whether we wish to admit it or not.  Cybercriminal activity in all its flavors, in addition to nation state sponsored and sub-nationally sponsored activity, requires this now more than ever before.   The future is now, and it is up to those who dare to lead to provide the light necessary to illuminate the paths we tread.
