Brian Krebs broke the story.

Jim McQuaid adds additional info.

And this week’s IntelFusion FLASH Traffic explores the problem in greater depth (subscription service).

Bottom line, the U.S. needs to emulate China and start forcing bad ISPs to either clean up their act or shut them down. This is getting friggin’ embarassing.

I’m very excited about launching OSINT Hacks on Mining the Russian Internet, which will teach attendees the sources and methods that GreyLogic/Project Grey Goose investigators use to conduct OSINT via the Russian Internet. This two day course will be offered through the IO Institute and will immediately follow InfoWarCon on May 17th and 18th.

Description: Open source intelligence collection on the Russian Internet (Runet) can be challenging at best. U.S. IP addresses are sporadically blocked from accessing certain Russian forums and websites. Google has very limited data indexed on Runet. Machine translation from Russian to English is frequently poor or barely adequate. Personal identifying information is prioritized differently in the Russian Federation than in the United States.There is an entirely new universe of social networking and gaming sites to mine that are exclusive to Runet and which are loaded with valuable information on Russian Ministry of Defense key assets (locations of nuclear bases, submarine schedules, Spetsnatz deployments, etc.).

The OSINT Hacks course will teach you how to maximize your intelligence gathering resources and mine a rich variety of high value data from the closely monitored and tightly controlled Russian Internet through a combination of actual Project Grey Goose case studies and new resources developed by GreyLogic for this course.

Also, if your agency or company would like me to teach this course at your facility, the IO Institute has agreed to extend that option to you as long as you can provide a minimum of six registrants. You can also pick the dates that are most convenient for your group.

I’ve recently posted about the need for a new Cyber Intelligence model here and here. This course will provide you with the essential knowledge you need to implement those changes at your organization or agency. Each attendee will also receive a free copy of Inside Cyber Warfare for preliminary reading before the course begins.

Sandia National Labs, in an ongoing effort to protect U.S. critical infrastructure from physical and network attacks, has developed a Threat Analysis Framework comprised of 5 elements:

1. the identification of an adversary
2. the development of generic threat profiles
3. the identification of generic attack paths
4. the discovery of adversary intent
5. the identification of mitigation strategies

Sandia researcher David Duggan and his colleagues, who are responsible for developing this tool, recognized the limitations of classified threat data (i.e., a very slow process to get it to the people who need it) and chose to develop an unclassified threat analysis framework instead. Duggan’s report “Threat Analysis Framework” is available for public release and should be read if you want a full understanding of this model.

For the purpose of this post, however, I’m only focusing on one very problematic dilemma for everyone in the Threat Assessment business – Is an attack being formulated by a threat seeking to exploit a vulnerability?

Duggan’s approach to answering this question involves breaking it into two separate questions:

1. Are any threats discussing aspects of exploiting a specific vulnerability?
2. Could the threat find enough information about a vulnerability to develop an attack?

He recommends accessing web forum data sets, such as the Dark Web project owned by the University at Arizona AI Lab, Intelligence Community reporting, and other open source data in order to find the answer to both questions.

The following scenario describes Sandia’s approach. Screen captures come from the Threat Analysis workshop presentation (June 24, 2008).

Figure 1: Discover adversary intent from open and closed sources

Figure 2: Are SCADA vulnerabilities discoverable online?

Figure 3: Note that this approach relies on Search capabilities

Figure 4: The 6 steps by which discovery is made

Figure 5: The Results

The results show that the second question “Could the threat find enough information about a vulnerability to develop an attack?” can be answered with a “yes”. In fact, it’s distressingly easy to find detailed SCADA vulnerability information online. However, Sandia’s Threat Analysis model failed to find chatter in public online sources.

The Sandia Threat Analysis Model suffers from the same problem that Deloitte’s model does. It looks for threat data in the wrong places – open forums. Bad actors with the smarts to understand SCADA software vulnerabilities, devise a plan of attack to exploit that vulnerability, and execute on it are not stupid enough to plan it on a publicly accessible forum. It’ll be done in IRC channels or on private, more secure online venues. And that requires different sources and methods than those used even as late as last year.

In yesterday’s post, I outlined a new approach to developing cyber threat intelligence. With today’s post on Sandia’s Threat Analysis for the NSTB, I hope to point out how critical it is that organizations with the responsibility of protecting our most vital assets begin re-evaluating how emerging threats can be detected. My recommendation, obviously, is the adoption of a more aggressive, active intelligence gathering process.

Ask your security vendor what they’re doing about detecting emerging threats. If you’re not satisfied with the answer, ask them to contact GreyLogic. Sandia’s excellent research in this area aptly shows how complex the problem is. No one company has all of the resources needed to provide a complete threat picture. A joint effort is needed, and my company is happy to collaborate with any security vendor currently operating in this space.

Around the same time that Mandiant released M-Trends: Advanced Persistent Threat, Deloitte issued its report “Cyber Crime: A Clear and Present Danger“. It sheds light on the same methodology that Mandiant addresses – “persistent and sustained access” – although it doesn’t use the term APT to do it. What Deloitte does do, however, is dedicate a section to “Developing Actionable Cyber Threat Intelligence“. In it, Deloitte discusses the need for “a cyber risk management process prioritizes threats, analyzes threats, detects a threat before, during, or after actual occurrence, and specifies the proper response.” This diagram shows Deloitte’s “cyber intelligence acquisition and analysis” model. The graphic below is a blow-up of the left side of the diagram which identifies a comprehensive list of open sources for intelligence gathering:

Intelligence is only as good as the raw data an analyst can extract it from. So what’s missing from Deloitte’s model? Quite a bit if you’re concerned about State and Non-State actors getting access to your critical information. Why? Because they won’t be holding strategy sessions on hacker forums that can be accessed by law enforcement or intelligence agencies. And if they were stupid enough to do that, it wouldn’t be in English. Instead, you need a patient, persistent, and sustained effort to find the private forums, IRC channels and other places where these conversations do take place. Think of it as a reverse-APT.

A second major flaw with this collection effort is that it completely ignores State-sponsored R&D projects. If you know what widget a State is interested in (because they are investing in research to develop it), and your company makes that widget, you know where to focus your protection efforts.

This is actionable intelligence, and even better, it has a fast “time on target”; meaning you aren’t collecting a tsunami of data, most of which only results in slowing down your intelligence gathering efforts. You cannot protect everything, therefore, you need to identify your critical data, identify who outside of your agency or company wants that data, and focus your intelligence assets on identifying and researching those potential adversaries.

Contact me for a consultation on how to implement this for your company or agency if you’d like more information. In addition, I’ll be offering a two-day course at the IO Institute called “OSINT Hacks for Mining the Russian Internet” following InfoWarCon on May 17 and 18th. A separate course is in development which focuses on the Chinese Internet. More information will be forthcoming as the date gets closer but feel free to shoot me an email if you’d like to attend.

You sold your soul to the devil when you put on your first pair of Jimmy Choo’s, I saw it.
- Emily (to Andy) “The Devil wears Prada”

You may have heard the term “Fashionista”; i.e., people devoted to the creations of a select group of fashion designers and who only wear their designs. I have adapted the term to reflect what I’m seeing happen in Washington DC as well as in major U.S. corporations. Decision makers are being swayed by whatever novel term, concept, or strategy is popular at the moment. Right now that term is APT (Advanced Persistant Threat). Tomorrow it will be something else. And the politician, policy maker, General, and C-level executive who makes an information security decision based solely on what’s hot at the moment is the cyber equivalent of a slave to fashion – a “Cyberista”.

This is not to say that the concept behind APT is without value. Just the opposite. The concept of an adversary committing time, resources, and money to the long-term exploitation of a valued network is critical for you to understand. But there are endless permutations to that which are just as critical and they’ll be missed if the only reason you’re buying it is because you bought the hype, or because that’s the keyword on everyone’s lips.

How to tell if you’re a Cyberista

• Do you become enraged when you read something critical about APT?
• Do you feel the need to personally attack the critic who wants you to see its flaws?
• Are your buying decisions influenced or determined by the “cool” product de jour?

Why are you picking on Mandiant?

I’m not picking on Mandiant. I was critical of their decision to commission a marketing white paper and release it as a “report”. Words are important. The precise use of words to convey a national security matter is extremely important. That’s why many intelligence analysts use “Words of Estimative Probability” when writing reports for their customers. GreyLogic/Project Grey Goose reports are written that way as well.

Bottom line – when you’re looking to learn about a threat, emulate Joe Friday from Dragnet and ask for “just the facts”. Don’t become a Cyberista. The country cannot afford it.

———

A lot has been written about Mandiant’s report on a method of network attack and exploitation called “Advanced Persistent Threat“, a term coined by the U.S. Air Force in 2006 and recently adapted to network attacks by Mandiant (whose CEO, COO, CFO, and VP of Products are all Air Force veterans).

The first and most important thing to note is that this is not a report at all. It’s a white paper, and a white paper, when its created by a commercial concern,  is a marketing document that delivers information in an easily identifiable way:

1. it describes a problem which its potential customer base is having trouble with
2. it offers a solution that it wants potential customers to believe is best implemented by the commercial concern

Mandiant’s paper does not say who wrote it, which is another characteristic of marketing white papers, particularly when they are contracted out to a specialty white paper house which I suspect was the case with this one.

A further give-away that you should treat this report as a marketing document comes with its excessive use of adjectives like “dramatic increase” and “superbly capable teams of attackers” as well as over-generalizations (“the APT successfully compromises any target it desires”, “conventional defenses are ineffective”). And if that isn’t enough, there’s logical inconsistencies like this one: “Although the U.S. government and defense communities are aware of and countering APT attacks, many victims and targets are unaware and unequipped…. This report outlines trends, techniques, and real details of how the APT successfully compromises any target it desires.” Yeah…. No.

Whoever wrote this paper for Mandiant just expressed a logically impossible scenario. Either Gov and DoD are countering APT attacks, or APT successfully compromises any target it desires. It cannot be both. Furthermore, it’s blatantly untrue. The Department of the Interior’s cyber security is among the worst anywhere according to multiple Inspector General reports. The FAA has had numerous embarrassing incidents as well as the Department of Energy’s National Nuclear Security Administration. So, Mandiant, are you telling me that the DoI, FAA, and DoE can’t handle the most mundane of cyber threats but they are aware of and successfully countering sophisticated APT attacks?

All of the above is just from page 2 – the Executive Summary. Since the Executive Summary is supposed to deliver the key findings to the reader, here’s the message that it delivered to me and, I bet, to many other InfoSec and Intelligence professionals:

Mandiant’s goal in this report is to increase its customer base by over-stating a threat while promoting its services as the sole or best solution to that threat.

And speaking of promotion of services, that’s done twice. At the end of the Executive Summary, and at the end of the report.

Moving on to the body of the report, you’ll find this diagram of Mandiant’s APT lifecycle:

Now compare that to the diagram from the Chinese IW report and the model described in chapter 10 of my book which I outlined here. They all describe the same methodology because this is, generally speaking, how espionage has been conducted for thousands of years, albeit recast in the technology of the moment – the Internet. It is NOT because APT is some new kind of super-threat that “successfully compromises any target it desires“.

Shame on Mandiant for promoting this piece of marketing hype as a “report”. If I were a customer of their’s and read this paper, I’d have serious reservations about continuing with them on any scale whatsoever.

Conflicts and espionage in cyberspace is a rapidly evolving domain. It’s impossible to fully scope out something that is morphing so quickly, and even worse, is being described so imprecisely. Because of that, I decided to create a book that provided a multi-tiered framework upon which readers can continue to build their understanding of how cyberspace is used to further geopolitical Will by State and Non-State actors.

I purposefully did not explore examples of the U.S. engaging in cyber conflicts or espionage not because they don’t exist, but because it doesn’t fit the scope of my book. Inside Cyber Warfare is about how States are using Non-State actors to further there geopolitical goals while maintaining plausible deniability. The U.S. doesn’t do that, nor do many other Western nations. Instead, I focused on those States that do. Granted, there is much more information about Russian activities then anyone else, but that’s because the Kremlin and its supporters among various Russian youth organizations are so happy to oblige intelligence analysts like myself with rich examples of such actions. However, I do cover many other nations besides the Russian Federation with as much detail as I could find in the time available to me. Again, use it as a framework to build upon.

A couple of reviewers suggested a sequel. Honestly, I don’t know if I’m up to writing another book, but I’m proud of the one I wrote and I hope it will help those responsible for making decisions in this arena to do so with a broader understanding of its intricacies.

1) It’s a survey, and not a scientific one at that. Be sure to read footnote #1 before you read the entire report.

2) I was struck by how secure China’s networks are considering that they are one of the leading countries in the world engaging in cyber espionage. I’m not a psychologist, but I’m wondering if governments can suffer from “projection” like people do – sort of like how homophobes think everyone is gay, or liars think they are always being lied to.

3) Kimberly Zenz didn’t accurately or adequately convey the relationship between the Kremlin and Russia’s ISPs in this quote from the report:

Although there is no national cyber exercise plan and little institutional provision for information sharing or partnership, govern ment officials “have very close relationships with the ISPs… and within the ISPs there are people who have real-time network awareness” and keep them informed, she said.

In fact, ISPs must agree to be monitored by the FSB or they don’t go online.

Then there was this quote, also by Zenz:

While it’s certainly true that Russia, like the U.S., retains the right to go to war for whatever reason it deems appropriate, I cannot find evidence of any “proposed Russian law” which defines an act of cyber war. I’d love to see it though so Kimberly, if you’re reading this, would you please send me a copy of that draft law?

4) The report underscored how executives hate regulation, particularly U.S. executives. What it didn’t address (but we did) was the machinations that they go through to avoid having to abide by those regulations; specifically “reasonable business judgment”, “acceptance of risk”, and “technical exceptions”. When you consider how much of our national security relies on critical infrastructure and juxtapose that with the convoluted legal hoops that NERC has created to avoid complying with FERC requirements to protect that infrastructure, it’s almost inconceivable that executives could be this irresponsible.

5) According to this report, over 30% of U.S. executives from CI sectors reported experiencing DDoS attacks ranging from daily to monthly. Where are those reports? Why aren’t they made public? Not only are they not made public, but for the few that slip through the cracks, it seems like the cause is modified to reflect a non-cyber security issue. For example, in August 2006, Unit 3 of the TVA’s Browns Ferry nuclear plant went into a shutdown after two water recirculation pumps failed. An investigation found that the controllers for the pumps locked up due to a flood of computer data traffic on the plant’s internal control system network. This sounds like a DDoS attack, right? When the Nuclear Regulatory Commission issued their report on the incident, they cited a “possible” cause being a device failure and never mentioned the term “DDoS”.

McAfee and CSIS are well-known and well-respected organizations with good, hard-working people at both. I wish that at least one of those organizations would join me in pushing for more transparency on the cyber attacks that we are experiencing against our critical infrastructure. This is a critical issue because it is up to the American public to force politicians to address these problems, and there’s only one thing that generates action on the part of the electorate – pain. Unfortunately, this is such an entrenched problem and there’s so much industry resistance that I shudder to think how much pain it’s going to take to make us treat cyber security as a serious vulnerability with imminent negative consequences.

Project Grey Goose report on Critical Infrastructure:

State and/or Non-state actors from the Peoples Republic of China, the Russian Federation/Commonwealth of Independent States, and Turkey are almost certainly targeting and penetrating the networks of energy providers and other critical infrastructures in the U.S., Brazil, the Russian Federation, and the European Union.

Overall, 71% of respondents in the oil-and-gas industry reported stealthy-infiltration, compared with 54% of respondents in other sectors. The CSIS survey also found distributed DoS attacks were “particularly severe” in the energy/power and water/sewage sectors, where attacks were usually aimed at computer-based operational control systems, like SCADA.

Unfortunately, the CSIS report hasn’t been released publicly yet. It’s going to be presented at the World Economic Forum in Davos, Switzerland. McAfee commissioned CSIS to do the research which, according to the CSIS website, is “based on data from a survey of 600 IT and security executives in enterprises that own and/or operate critical infrastructure in 14 countries across the world. The survey data gathered for the report paints for the first time a detailed picture of the way those charged with the defense of critical IT networks are responding to cyber-attacks, attempting to secure their systems and working with governments.”

What’s even more interesting to me is that we came to similar conclusions in spite of the fact that our access to resources was drastically different.

• CSIS spoke with 600 executives in CI-related industries. The number of executives we were able to speak with: 0.
• CSIS had a budget to work with ( I wonder how much McAfee paid for this report?). Our budget: 0.
• CSIS had a former General Counsel for the NSA heading the project (Stewart Baker). I’m an ex-Microsoftie and intelligence blogger.

On the other hand, while CSIS utilized a paid team of researchers, I had the benefit of 8 highly skilled and motivated professionals who worked nights and weekends for free out of their love for the work. And there’s really nothing better than being a part of that kind of dedication.

Although a trip to Davos would have been nice.

That’s right. I said it. I’m invoking the P word – “Patriotism”. If getting your networks pwned and your sensitive data stolen, and not knowing who’s responsible is beginning to piss you off, there’s a simple solution. Put the interests of your country ahead of yourself; ahead of your shareholders; ahead of your manager, your VP, and your CEO; and acknowledge your breach (and everything that that entails).

I’m talking to all 30+ companies hit by the same parties responsible for the Google – China attack and who have chosen not to admit it. I’m talking to all of the energy companies who have been subject to successful network breaches or given in to extortion threats and are keeping quiet about it because acknowledging it may result in financial losses. Put your fear and self-interest aside, and announce that you’ve been attacked, share what’s been stolen, and make your logs and other facts related to your incident available to the organizations that need it to determine attribution.

This must be done if you expect us to identify the threats out there and protect you from them. The key to determining attribution is, in the words of Jeff Jonas, “data finding data“. Keeping your network breaches and data losses a secret only serves your attacker and makes you more of a target.  Put your country first for a change. Let’s get a little patriotism up in this bitch.