The Evolution of a Sub-national Entity in CyberSpace: The Rise of the Cyber Cell

Rise of the Cyber Cell


In my initial installment on this topic I cast a broad net regarding cybercriminology.  Realizing this, I wanted to make the next few installments more topic centric and focus on key elements within this area of study.   Part II of this entry will focus on the tactics and activities being utilized today on a global basis by cybercriminals and will distinguish in more detail the differences between hobbyists, independent operators, cybergangs & cartels, organized crime entities and state sponsored units.  With respect to that I’d like to ask you to suspend disbelief (if you have any) for a moment and remain open to the realities of the cyber criminal underground.   It is real and it is evolving rapidly; so much so that I would assert to anyone that the innovation and tenacity being demonstrated globally, both independently and collaboratively, is impressive and noteworthy.   It is a non-trivial matter, and like another topic often avoided it is an inconvenient truth that must be addressed in a direct manner.

What’s For Sale

Perhaps the best place to begin is by asking what’s for sale.  My assertion to you is that everything is for sale.  Everything.  Your SSN, your birth certificate, your passport, your driver’s license, your banking information, your credit cards, your address and telephone numbers, your very identity, lock, stock and barrel.  Why?  Because cyber criminals are visionary equal opportunists.   True cyber criminals, those who are organized and approach their craft and trade like any other business, embody the same entrepreneurial spirit which you and I might were we to start our own businesses.  It’s often hinted at but largely not discussed in this manner, yet it warrants this level of discussion.  I realize that is a powerful statement to make, however I believe that their tenacity, agility and ability to adapt suggest that they operate in a manner which is both visionary (with respect to their ability to recognize new revenue generating opportunities) and equality driven, as they are typically not concerned with whom they victimize, nor with whom they conduct transactions, nor with the intent with which their tools and / or services will be used.  A dollar is a dollar to these folks and the consumer is, well, just that: a consumer.  There is no sense of obligation or ownership regarding the wares or services being sought after and secured for nefarious means; after all, to the cyber criminal (many of whom operate in traditional criminal activity simultaneously) it’s simply business, nothing personal.    As this area of study gains momentum and popularity, it becomes more evident that the more we learn and apply the more there is to know.

Historical Record:

It’s difficult to establish with any certainty a specific date or time for the birth of cyber crime in the modern context to which we in the research community have become accustomed to referring.  I tend to believe there are certain events (many of which appear in the papers we’re currently writing) which, when studied over the course of time, aid in building the foundation for the creation of a global subeconomy predicated on ‘cyber’ criminal activity.  Most of these dates would likely be seen as mere ‘blips’ on a historical time line; however, I believe that when taken into consideration alongside other events and the dramatic changes seen in our world over the last 20 years, it becomes less difficult to see the ways in which traditional (non-cyber) criminal entities have managed to shift into the cyber realm, thus changing forever the landscape of threats and subsequently our world en masse. One date that is often overlooked in our industry for its importance and impact with respect to the rise in cyber criminology is June 12, 1987.   If you’re not a historian or someone who studies these things regularly, this date might seem rather pedestrian.  Its significance is hard to dispute when taken in context.   On that sunny afternoon in June a speech was given by the 40th President of the United States of America, Ronald Reagan, in Berlin at the Brandenburg Gate during the celebration of Berlin’s 750th year in existence.  During the speech President Reagan appealed to then General Secretary of the Communist Party of the Union of Soviet Socialist Republics, Mikhail Gorbachev, to “…tear down this wall!”.   Though its immediate significance might still seem vague or elusive, 29 months later that wall came down, and shortly thereafter so too did the USSR and the ‘Iron Curtain’ as we knew it.  As a result much of the old guard, including many well educated computer scientists, military and state intelligence officers, were left without jobs.  
Faced with the rapid (some assert too rapid) adoption of democracy and change within their society, a new dawn was born, one which I believe aided in catapulting traditional criminal enterprises into the cyber realm.

Part III:
In Part III I’ll begin discussing the subeconomy driving cybercriminals, which includes but is not limited to ”crimeware”, “crime as a service” and “hacking as a service”, and the means by which they are influenced by and continue to influence and perpetuate criminal activity in cyberspace.

07.09.2009

Multiple sources are reporting that a massive DDoS attack crippled several US and South Korean Web sites. The reports claim the attacks are coming from North Korea and/or pro North Korean groups. Such an operation, as reported, does not require a high level of sophistication.  I just recently gave a Web cast with SANS on Cyber Terrorism this last Tuesday.  You can check out the archive: https://www.sans.org/webcasts/show.php?webcastid=92489.  I gave a lot of examples of DDoS attacks that made the news and just how easily a cyber actor can tap into what I call HaaS (Hacking as a Service).  The targets that were reported in the news were government sites.  Hence, they did not disrupt critical infrastructure or social networking sites, which probably would have been front page news.  Is this just a sample of the capability that North Korea is flexing, or do they plan to escalate the sophistication?  When the level of sophistication rises, so should the countermeasures we consider.

DDoS attacks are very loud and send a clear message…it’s the silent attacks that require the additional network forensics and data mining tools provided by vendors like Netwitness or Palantir.  Event level data is great, but full session, packet level data provides a much more granular picture of possible attack vectors that fly under the radar.  A great example of that is GhostNet, which I talk about briefly in my SANS Web cast.  The following link provides a great example of the level of detail that went into that investigation: http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network .  As my fellow colleague Will Gragido said, what’s more powerful, a bullet, a bomb or a bit…depending on the criticality of the target, they all can have an impact.
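To make the event level versus session level distinction concrete, here is an added illustration that is not part of the original post and not any vendor’s code. It runs a simple beacon check over a small, constructed set of per-session records of the kind full packet capture yields after session reassembly, alongside a (constructed, empty) IDS event feed for the same window. The hosts, URIs and timings are made up; the point is that a low volume check-in on a fixed cadence never trips a signature, so the event feed shows nothing, while the session data still exposes it through timing regularity.

```python
"""Beacon detection over full-session records versus event-level alerts.

Added illustration (not from the original post): constructed session
records stand in for reassembled full-packet capture; the constructed IDS
event feed for the same window is empty because nothing matched a signature.
All hosts, URIs and timestamps are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    ts: float          # session start, seconds since epoch (constructed)
    src: str           # internal host
    dst: str           # external host
    bytes_out: int     # bytes sent by the internal host
    uri: str


# Constructed session log: 10.0.5.23 checks in every 600 s with tiny uploads,
# while 10.0.5.31 browses a site at irregular intervals with varied sizes.
SESSIONS = [
    *[Session(1_246_000_000 + i * 600, "10.0.5.23", "203.0.113.40", 412, "/status.php")
      for i in range(12)],
    Session(1_246_000_050, "10.0.5.31", "198.51.100.7", 2310, "/"),
    Session(1_246_000_410, "10.0.5.31", "198.51.100.7", 5120, "/news"),
    Session(1_246_001_900, "10.0.5.31", "198.51.100.7", 780, "/img/logo.png"),
    Session(1_246_004_700, "10.0.5.31", "198.51.100.7", 9630, "/search?q=x"),
    Session(1_246_006_100, "10.0.5.31", "198.51.100.7", 1010, "/about"),
]

# Constructed IDS event feed for the same window: no signature fired.
IDS_EVENTS: list = []


def event_level_view(events):
    """What an analyst sees from alerts alone: the set of flagged (src, dst) peers."""
    return {(e["src"], e["dst"]) for e in events}


def find_beacons(sessions, min_count=6, max_cv=0.15, max_bytes=2048):
    """Return (src, dst) pairs whose session start intervals are nearly constant
    (coefficient of variation <= max_cv), with at least min_count sessions and a
    small average upload. Regular cadence plus low volume is the classic shape
    of a command-and-control check-in that signature-based alerting misses."""
    by_pair = defaultdict(list)
    for s in sessions:
        by_pair[(s.src, s.dst)].append(s)

    beacons = {}
    for pair, ss in by_pair.items():
        if len(ss) < min_count:
            continue
        ss.sort(key=lambda s: s.ts)
        gaps = [b.ts - a.ts for a, b in zip(ss, ss[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu else float("inf")
        if cv <= max_cv and mean(s.bytes_out for s in ss) <= max_bytes:
            beacons[pair] = {"interval_s": mu, "cv": cv, "count": len(ss)}
    return beacons


if __name__ == "__main__":
    print("event-level view :", event_level_view(IDS_EVENTS))   # empty
    print("session-level view:", find_beacons(SESSIONS))        # the 600 s beacon
```

The thresholds are illustrative; on real capture the interval jitter, session count and byte budget would be tuned to the environment, and the same session data would also carry the URI, User-Agent and response sizes that let an analyst pivot from the timing anomaly to the infrastructure behind it.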

The above comments are strictly mine and mine only, they in no way reflect the position of my employer, management or any other organization with which I’m associated.

Tradition dictates that when Willie Sutton was arrested and asked why he robbed banks, he paused and answered “Because that’s where the money is”.  Whether or not you believe that Mr. Sutton actually said this (he denied it later in life in his autobiography but suggested that were he asked he would’ve said that and more), it’s important to note the underlying sentiment of the statement.  Why do criminals do what they do? Because ultimately, whether it’s robbing banks or undermining economies via subversive technological activity, there is money (profit) to be made.  In our industry buzz words and pablum are fed to the masses in gross fashion.  Much of this is meant to appease and satisfy in the hopes of causing as little discomfort as possible, as no one (vendor, industry expert etc.) wants to be seen as being anything other than Stepfordesque in both delivery and content messaging.  Ours is a real world.  It is not for the faint of heart.  It is not explicitly good nor is it explicitly bad; it is a mixture of the two, an amalgamation, a world of shades of gray….or is it?

In many respects one can argue that this is the case: that in fact there are really only shades of grey and very rarely, if ever, blacks or whites.  But what about in our world, the world of the Information Security Practitioner?  Does this argument hold true?  I believe it does not.  In fact, I would argue that nothing could be further from the truth and that there is ample historical and recent evidence to support this point.  Furthermore, there is an entire area of study devoted to that which is implicitly ‘black’ within our discipline: the study of cyber-criminology.  Often referenced yet rarely detailed, this area of study is both fascinating and frightening; it is invigorating to researchers and analysts such as my peers and I, while at the same time crippling to others.  It is an area of study which influences research and development, tactics, techniques and tools, while at the same time exposing the darker elements of the Information SuperHighway in ways which many might traditionally believe belong in Hollywood feature films.  Research and study here entails exposure to voluminous amounts of data pertaining to active investigations, closed cases, cold cases, legal arguments, geopolitical amendments, law enforcement tactics, and a myriad of data and scenarios of questionable nature.  It demands an acute sense of good and evil, right and wrong, regardless of the perspective espoused by those elements & subjects which come under scrutiny.  It requires comprehension of the tactics, techniques and lengths to which cyber-criminals and cyber-syndicates are willing to go in order to ensure their business interests remain profitable, consistent and unfettered by security researchers and / or law enforcement.  
Additionally, it requires dedication, strength, vigilance and the courage of one’s convictions to leverage the intelligence gathered and gained for the greater good in the hopes of mitigating the risks posed by cyber-criminals the world over.  It focuses on a fluid, almost intangible focal point: ever changing and dynamic; well established, informed and trained; ready to act singularly or in concert.   It is not for the faint of heart nor the unprepared mind.  This area of Information Security study (which of course is also part of the greater body of knowledge and research dedicated to criminology) deals with subject matter and activity including, yet not limited to, the following:

When taking into consideration the illicit cyber-criminal activities listed previously, it should come as no surprise to anyone that there is a vast amount of money to be made (recent estimates suggest that cyber-crime on a global scale is a $105 billion USD industry, far exceeding the revenues associated with the global drug trade), and that profitability is the key motivator associated with this space.

You might be asking yourself how this will help you secure your enterprise or yourself, and why you should spend more time exploring this topic than, say, those associated with the “compliance = security” motif so popular in today’s security talks.  If so I’m glad you are, as I believe these points underscore the importance clearly:

With respect to these points I have one question to pose before closing: “In the 21st Century, what has the potential to do more harm?  Bombs, bullets or bits?”


Being security professionals, the majority of our work can be summed up by the simple phrase “react faster”.  Information security, at its core, is largely a reactive and oftentimes a forensic function.  Sure, you can put a whole host of products and solutions in place to secure anything and call it “proactive”, but in reality you are merely watching and waiting for something interesting to happen.  No matter how much you spend on marketing, this is clearly a defensive or reactive posture.

I have been doing a lot of thinking about the psychology of IT security professionals, focusing on how they react when something abnormal happens (note I did not say exclusively bad, i.e. false positives, process breakdowns, mis-configurations and mis-communications).  If a customer, user or company is attacked and knows who did it, should they retaliate or fire off a counter-offensive?  What is the thought process that would lead up to such a thing?  Is this even foolish or heretical to propose?

The point of this post is not to justify cyber-vigilantism, but instead to get us thinking about how a counter-offensive security system could benefit the IT security space, if at all.  Why are we as an industry and profession always so reactionary in nature?  What can be done on a macro and micro scale to go on the offensive against threats, exploits, data theft schemes or other issues?  Is there an ethical barrier to launching counter-offensives or counter-attacks against a verified and proven attacker?

I would contend that the Internet (or any critical network) is key infrastructure, or at the least a utility (like water, natural gas, electricity).  If someone were to attack this key infrastructure in any country, the process that followed would probably look something like this:  Chaos, Cleanup, Identification of attacker, Legal Procedure to take offensive action against the attacker, and finally action.  The farthest IT security usually gets in the action department is to block further attacks (via firewall rules, reputation services, inline network protection or similar reactive systems).  Unfortunately, unlike Wake-on-LAN, there is no Magic Packet you can send to an attacker or their infrastructure to shut them down.  If only threats like Conficker or McColo were so simple.

Take another example of one country heavily manipulating another country’s currency or monetary scale/system.  Under international law, such nefarious actions could very quickly escalate and lead to all out war, if documented and proven.  At a minimum, the attacked economy would take some direct action, and I would guess it would be a little harsher than not accepting the responsible country’s currency or simple economic sanctions.

The concern with the counter-offensive mindset is that taking such a vigilante-style approach could do more harm than good.  Very true and valid point.  The situation could escalate to the point of both the attacker and defender depleting each other’s confidentiality, integrity and availability, but not before taking down 20 hops of Internet routers with overloaded bandwidth, and affecting innocent bystanders.

So what can we do?  Like a lot of things, the key is raising the awareness and education.  Digital information is getting to the level of a “natural resource” and ubiquitous availability is expected, if not demanded, by many.  Simple reactive protection is always going to keep security professionals chasing their tails.  I would contend that without at least the possibility of launching a counter-offensive, the security space will stagnate and we will have more of what we see today – threats and attackers winning more and more.

06.05.2009

I will be giving a presentation with the SANS Institute on July 7 @ 1:00 PM EDT (1700 UTC/GMT) on Cyber Terrorism. The following is a brief abstract of the webcast:

The topic of Cyber Terrorism has been the subject of many debates as to the reality of a significant event taking place at the click of a button. In recent media coverage we’ve seen the London & Spain train bombings being triggered remotely using one of the world’s most widely adopted technologies, a cell phone. Who would ever think that someone would use a cell phone as a trigger for detonating a bomb? Additionally, who would ever think that a terrorist organization would realize that all cell phones on the same cellular network receive their time/date from the same network timeserver, so everyone has the correct time? This has allowed them to conduct simultaneous attacks via SMS or speed dial on their phones. In the traditional form of terrorism, these attacks were easily characterized as terrorism: we had a significant event take place and a terrorist organization claiming responsibility…a very clear-cut case. Another example of a terrorist organization exploiting technology were the events that took place in India. This time the terrorist organization was using smart phones as a means to communicate while they were conducting their operation.

These are a few examples that have been covered widely by the media and fit the definition of terrorism, causing fear, disruption, destruction and in some cases total chaos. According to Stratfor, terrorist organizations typically follow a six stage process before they conduct an operation: target selection, planning, deployment, attack, escape and exploitation. Today, all of these steps can be carried out on the Internet. Globalization and the borderless Internet have brought commerce to every corner of the planet, and with that have brought a very dark side of the Internet.

In the webcast I will be covering the threat landscape, the proliferation of cyber weapons, Hacking as a Service (HaaS), critical infrastructure targeting, use cases and mitigation techniques. I look forward to your attendance and Q&A at the end of the session.

Please use the following link to sign-up: https://www.sans.org/webcasts/show.php?webcastid=92489
