In light of APT, a new Cyber Intelligence model is called for
Last Updated on Monday, 1 February 2010 03:43 Written by Jeffreycarr Monday, 1 February 2010 03:43
The Computer Network Exploitation (CNE) process which Mandiant has identified as “Advanced Persistent Threat” has helped open more than a few eyes in Government and private industry. This is both distressing and heartening. It’s distressing because there is nothing new in APT except awareness on the part of the organizations who didn’t know it was happening to them. It’s heartening because that awareness is freeing up time and resources to address the problem in a serious way, which brings me to the point of this post.
Around the same time that Mandiant released M-Trends: Advanced Persistent Threat, Deloitte issued its report “Cyber Crime: A Clear and Present Danger”. It sheds light on the same methodology that Mandiant addresses – “persistent and sustained access” – although it doesn’t use the term APT to do it. What Deloitte does do, however, is dedicate a section to “Developing Actionable Cyber Threat Intelligence”. In it, Deloitte discusses the need for “a cyber risk management process [that] prioritizes threats, analyzes threats, detects a threat before, during, or after actual occurrence, and specifies the proper response.”
This diagram shows Deloitte’s “cyber intelligence acquisition and analysis” model. The graphic below is a blow-up of the left side of the diagram which identifies a comprehensive list of open sources for intelligence gathering:
Intelligence is only as good as the raw data an analyst can extract it from. So what’s missing from Deloitte’s model? Quite a bit if you’re concerned about State and Non-State actors getting access to your critical information. Why? Because they won’t be holding strategy sessions on hacker forums that can be accessed by law enforcement or intelligence agencies. And if they were stupid enough to do that, it wouldn’t be in English. Instead, you need a patient, persistent, and sustained effort to find the private forums, IRC channels and other places where these conversations do take place. Think of it as a reverse-APT.
A second major flaw with this collection effort is that it completely ignores State-sponsored R&D projects. If you know what widget a State is interested in (because they are investing in research to develop it), and your company makes that widget, you know where to focus your protection efforts.
This is actionable intelligence, and even better, it has a fast “time on target”; meaning you aren’t collecting a tsunami of data, most of which only results in slowing down your intelligence gathering efforts. You cannot protect everything, therefore, you need to identify your critical data, identify who outside of your agency or company wants that data, and focus your intelligence assets on identifying and researching those potential adversaries.
Contact me for a consultation on how to implement this for your company or agency if you’d like more information. In addition, I’ll be offering a two-day course at the IO Institute called “OSINT Hacks for Mining the Russian Internet” following InfoWarCon on May 17 and 18. A separate course is in development which focuses on the Chinese Internet. More information will be forthcoming as the date gets closer, but feel free to shoot me an email if you’d like to attend.
Remarks on the Mandiant Report on Advanced Persistent Threat (APT)
Last Updated on Tuesday, 2 February 2010 04:59 Written by admin Saturday, 30 January 2010 11:23
UPDATE (02 Feb 2010): I was contacted by Rob Lee, a Director at Mandiant, who informed me that their report was written by Mandiant employees (including himself) and, contrary to my suspicion, was not farmed out to a White Paper vendor. I appreciate Rob making the effort to contact me and provide correct data and I have lined out the offending sentence to reflect the change. I also edited out my closing sentence. Re-reading it, I may have been a bit too harsh, particularly since Rob made the effort to contact me when he didn’t have to.
———
A lot has been written about Mandiant’s report on a method of network attack and exploitation called “Advanced Persistent Threat“, a term coined by the U.S. Air Force in 2006 and recently adapted to network attacks by Mandiant (whose CEO, COO, CFO, and VP of Products are all Air Force veterans).
The first and most important thing to note is that this is not a report at all. It’s a white paper, and a white paper, when it’s created by a commercial concern, is a marketing document that delivers information in an easily identifiable way:
- it describes a problem which its potential customer base is having trouble with
- it offers a solution that it wants potential customers to believe is best implemented by the commercial concern
Mandiant’s paper does not say who wrote it, which is another characteristic of marketing white papers, particularly when they are contracted out to a specialty white paper house which I suspect was the case with this one.
A further give-away that you should treat this report as a marketing document comes with its excessive use of adjectives like “dramatic increase” and “superbly capable teams of attackers” as well as over-generalizations (“the APT successfully compromises any target it desires”, “conventional defenses are ineffective”). And if that isn’t enough, there are logical inconsistencies like this one: “Although the U.S. government and defense communities are aware of and countering APT attacks, many victims and targets are unaware and unequipped…. This report outlines trends, techniques, and real details of how the APT successfully compromises any target it desires.” Yeah…. No.
Whoever wrote this paper for Mandiant just expressed a logically impossible scenario. Either Gov and DoD are countering APT attacks, or APT successfully compromises any target it desires. It cannot be both. Furthermore, it’s blatantly untrue. The Department of the Interior’s cyber security is among the worst anywhere according to multiple Inspector General reports. The FAA has had numerous embarrassing incidents as well as the Department of Energy’s National Nuclear Security Administration. So, Mandiant, are you telling me that the DoI, FAA, and DoE can’t handle the most mundane of cyber threats but they are aware of and successfully countering sophisticated APT attacks?
All of the above is just from page 2 – the Executive Summary. Since the Executive Summary is supposed to deliver the key findings to the reader, here’s the message that it delivered to me and, I bet, to many other InfoSec and Intelligence professionals:
Mandiant’s goal in this report is to increase its customer base by over-stating a threat while promoting its services as the sole or best solution to that threat.
And speaking of promotion of services, that’s done twice. At the end of the Executive Summary, and at the end of the report.
Moving on to the body of the report, you’ll find this diagram of Mandiant’s APT lifecycle:
Now compare that to the diagram from the Chinese IW report and the model described in chapter 10 of my book which I outlined here. They all describe the same methodology because this is, generally speaking, how espionage has been conducted for thousands of years, albeit recast in the technology of the moment – the Internet. It is NOT because APT is some new kind of super-threat that “successfully compromises any target it desires“.
Shame on Mandiant for promoting this piece of marketing hype as a “report”. If I were a customer of theirs and read this paper, I’d have serious reservations about continuing with them on any scale whatsoever.
Recommendation for Tactical Cyber Operations against Radical Muslim Websites
Last Updated on Monday, 4 January 2010 12:58 Written by Jeffreycarr Monday, 4 January 2010 12:58
John Arquilla and Kevin Coleman have both recently advocated preemptive cyber strikes against radical Muslim Websites involved in recruiting, indoctrinating, and training new followers to engage in attacks against Western targets. With all due respect to both gentlemen, I believe that their respective articles convey a hopelessly flawed approach to dealing with this problem. Not only would a preemptive strike fail to achieve its goal of shutting down adversary websites, it would galvanize the opposition; fueling their recruitment efforts with a new urgency that will attract thousands of new Internet-savvy, well-educated, religiously-motivated Muslims eager to get involved in cyber-based and/or physical attacks against “the Great Satan”. Here’s why:
- A pre-emptive attack, to be successful, must either incapacitate the enemy or take away his will to fight. Launching a cyber attack against enemy websites will accomplish neither objective. It will, however, waste our time and resources in yet another game of Whack-a-Mole.
- Before the U.S. can launch a cyber attack against ANY opponent, it must harden its critical infrastructure against the counterstrike that is sure to follow. As of today, you pick the Critical Infrastructure (CI) and a GAO report exists identifying its ongoing vulnerabilities. Take air travel, for example, since that seems to be a favorite target of terrorists world-wide. One would think that the FAA would have hardened its networks in the more than eight years since 9/11, but no. FAA networks contain multiple vulnerabilities up to and including those which support national Air Traffic Control operations. Other CI vulnerable to attack include nuclear power plants, electric and hydroelectric generating stations, water treatment facilities, and so on.
Three tactically-sound Cyber Operations that we should initiate today
- Apply what worked in Iraq to cyberspace. Enlist and engage (with pay) the assistance of moderate Muslims who are opposed to the mis-representation of their religious beliefs by radical zealots. Their job will be to post to these online forums what they already believe to be true, that Islam is a religion of peace and that the extremists are misrepresenting the true nature of “Jihad”.
- Run a domain registration search against the domains of every terrorist website and identify those domain names issued by U.S. companies. Run a second search to identify U.S. companies providing hosting services to those domains. Have a federal judge issue an order forcing these U.S. companies to require proof of valid WHOIS and registration data from their customers (something that the law requires them to do anyway). In many cases, such registration data for terrorist or criminal websites is either false or stolen, which would result in a rapid lockdown of all the sites which do not comply as well as their domain names. While it’s easy to find another hosting provider, it’s much more difficult to recover from the loss of a domain name.
- Conduct aggressive counterintelligence operations against tier 1 and tier 2 Muslim hackers who have demonstrated the expertise and the intent to go after CI targets. This is something that GreyLogic has been doing for the past 12 months. Information collected can be acted upon by the appropriate national and international agencies. By targeting the elite of the terrorists talent pool, we effectively reduce the chances of a successful attack against our own critical networks.
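The second recommendation above (registrar search, hosting search, then a check of the registrant data) is a mechanical triage that can be scripted. The block below is an added example written for this page, not code from the author or from GreyLogic. It works entirely on constructed sample data: the WHOIS text, the IP-allocation records, the DNS answers, the registrar names and the list of “U.S. registrars” are all invented for illustration, and in practice they would come from the `whois` command (or RDAP), a `dig` for the A record, and a current list of registrars and their jurisdictions. The registrant checks are heuristics for the obviously-false data the post describes (placeholders, repeated-digit phone numbers, non-addresses in the email field); they cannot detect stolen but well-formed identities.

```python
"""Triage a list of domains: which ones have a U.S. registrar or U.S. host,
and which ones carry registrant data that is obviously invalid.
All sample data below is constructed for this example."""
import ipaddress
import re

# Constructed registrar-style WHOIS output (key: value lines), one per domain.
WHOIS_SAMPLES = {
    "site-a.example": """\
Domain Name: SITE-A.EXAMPLE
Registrar: Liberty Domains Inc.
Registrant Name: asdf asdf
Registrant Organization:
Registrant Street: 123 Main
Registrant City: Springfield
Registrant Country: US
Registrant Phone: +1.5555555555
Registrant Email: none
Name Server: NS1.BARGAINHOST.EXAMPLE
Name Server: NS2.BARGAINHOST.EXAMPLE
""",
    "site-b.example": """\
Domain Name: SITE-B.EXAMPLE
Registrar: Nordic Registry AB
Registrant Name: Anna Lind
Registrant Organization: Legit News AB
Registrant Street: Storgatan 1
Registrant City: Stockholm
Registrant Country: SE
Registrant Phone: +46.812345678
Registrant Email: hostmaster@site-b.example
Name Server: NS1.NORDICHOST.EXAMPLE
""",
}
# Constructed A-record answers (documentation address ranges) and
# constructed RIR-style allocation records for the hosting lookup.
DNS_A = {"site-a.example": "203.0.113.10", "site-b.example": "198.51.100.7"}
IP_WHOIS_SAMPLES = [
    "NetRange: 203.0.113.0 - 203.0.113.255\nOrgName: Bargain Hosting LLC\nCountry: US\n",
    "NetRange: 198.51.100.0 - 198.51.100.255\nOrgName: Nordic Hosting AB\nCountry: SE\n",
]
# Assumed, illustrative list of registrars incorporated in the U.S.
US_REGISTRARS = {"liberty domains inc."}
REQUIRED = ("registrant name", "registrant street", "registrant city",
            "registrant country", "registrant phone", "registrant email")
PLACEHOLDERS = {"", "none", "n/a", "na", "null", "unknown", "asdf", "test", "xxx"}


def parse_whois(text):
    """Parse 'Key: value' WHOIS text; keys lowercased, first value wins,
    repeated 'Name Server' lines collected into a list."""
    rec = {"name servers": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name server":
            rec["name servers"].append(value.lower())
        elif key not in rec:
            rec[key] = value
    return rec


def looks_fake(value):
    """Empty, placeholder word, or a single character repeated (e.g. 'aaaa')."""
    words = value.strip().lower().split()
    return (not words or any(w in PLACEHOLDERS for w in words)
            or re.fullmatch(r"(.)\1{2,}", " ".join(words)) is not None)


def registrant_problems(rec):
    """Return human-readable findings for registrant fields that are missing,
    placeholders, or syntactically implausible."""
    problems = [f"{f}: missing or placeholder ({rec.get(f, '')!r})"
                for f in REQUIRED if looks_fake(rec.get(f, ""))]
    phone = rec.get("registrant phone", "")
    if not looks_fake(phone):  # ICANN-style +CC.subscriber; reject 5555555555-type fillers
        m = re.fullmatch(r"\+\d{1,3}\.(\d{6,14})", phone)
        if not m or len(set(m.group(1))) == 1:
            problems.append(f"registrant phone: malformed or repeated digits ({phone!r})")
    email = rec.get("registrant email", "")
    if not looks_fake(email) and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append(f"registrant email: not an address ({email!r})")
    return problems


def hosting_org(ip, netblocks):
    """Find the allocation record whose NetRange contains ip; return (org, country)."""
    addr = int(ipaddress.ip_address(ip))
    for text in netblocks:
        rec = parse_whois(text)
        lo, _, hi = rec["netrange"].partition("-")
        if int(ipaddress.ip_address(lo.strip())) <= addr <= int(ipaddress.ip_address(hi.strip())):
            return rec.get("orgname", ""), rec.get("country", "")
    return "", ""


def triage(domain):
    """Combine registrar jurisdiction, hosting jurisdiction and registrant checks."""
    rec = parse_whois(WHOIS_SAMPLES[domain])
    registrar = rec.get("registrar", "")
    org, cc = hosting_org(DNS_A[domain], IP_WHOIS_SAMPLES)
    problems = registrant_problems(rec)
    registrar_us, hosting_us = registrar.lower() in US_REGISTRARS, cc == "US"
    return {"domain": domain, "registrar": registrar, "registrar_us": registrar_us,
            "hosting_org": org, "hosting_us": hosting_us, "problems": problems,
            # A U.S. order only bites where a U.S. company holds the domain or the host.
            "actionable": (registrar_us or hosting_us) and bool(problems)}


if __name__ == "__main__":
    for d in WHOIS_SAMPLES:
        print(triage(d))
```

The output marks `site-a.example` as actionable (U.S. registrar, U.S. host, placeholder name and email, filler phone number) and `site-b.example` as not. Note that since 2018 most gTLD registrars redact registrant fields in public WHOIS, so the registrant checks now have to run on data obtained from the registrar through the legal process the post describes rather than on the public record.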
Clearly something must be done. Let’s think carefully about means, methods, and outcomes and remember that, unlike the physical battlefield where the U.S. clearly dominates, no nation controls the domain of cyberspace.
