Tag Archives: Advanced Persistent Threat

Comments on Comment Crew

Everyone paying any attention to security this week noted Mandiant’s report on the Comment Crew. If you haven’t, go read it first. I’ll wait.

Why You Make Groundless Accusations?

Although I work for a competitor[1], I believe Mandiant did the right thing here. Some may disagree to an extent for good reasons, while others simply went too far in their assumptions and criticisms. (And some folks just need to take off the tinfoil hats.) I don’t really care that much about what makes the sekrit skwirl cabal happy, and in fact it tickles me when they get frustrated by “outsiders” (inasmuch as Mandiant is one, anyway) not playing by their rules. In any case, healthy skepticism regarding someone else’s conclusions keeps them honest, but don’t miss the big picture out of myopia. The prevalence of espionage and APT activity relative to ordinary criminal activity remains an open research question and a valid area of debate, but I’ve seen some really smart people this week falling into the cliché of missing the forest for the trees.

Instead, this means the adversary can’t dictate the pace and terms of the conflict, whether or not they completely retool. By driving up the cost to the attacker over time, you start to make headway. That works both ways, of course, and at the moment that balance leans decidedly in their favor. Releasing the IOCs will also allow defenders to discover additional compromises. Remember that opponents make mistakes, and so we can capitalize on the opportunity for ongoing intel gathering as they transition to new infrastructure (assuming they even bother).
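The sweep the paragraph describes, as an added example that is not code from the original post or from Mandiant’s report: it takes a shared indicator set (single IPs, CIDR blocks and domains, all constructed here from documentation ranges and example names, none of them real Comment Crew indicators) and matches it against constructed proxy and DNS log lines, then records per-client hits and when each indicator was last seen. A last-seen timestamp that stops advancing after the report goes public is exactly the kind of signal that tells you the adversary has moved to new infrastructure.

```python
"""Sweep constructed proxy and DNS logs against a shared indicator set.

Added example (not code from the original post or from Mandiant's report).
Indicators and log lines are constructed; the addresses and domains are
documentation/test ranges and example names, not real indicators.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed indicator set in the shape a shared report might provide:
# single addresses, CIDR blocks and domains. A domain indicator also
# covers its subdomains, which is how CDN-style attacker hostnames
# surface in proxy logs.
INDICATORS = [
    ("ip", "203.0.113.7"),
    ("cidr", "198.51.100.0/24"),
    ("domain", "update.example.net"),
]

# Constructed proxy log. Format: epoch client status method url.
PROXY_LOG = """\
1361234567 10.0.0.5 TCP_MISS/200 GET http://cdn.update.example.net/a.gif
1361234580 10.0.0.9 TCP_MISS/200 GET http://www.example.com/index.html
1361234590 10.0.0.5 TCP_MISS/200 POST http://198.51.100.77/upload.php
"""
# Constructed DNS log. Format: epoch client query type name.
DNS_LOG = """\
1361234560 10.0.0.5 query A mail.example.com
1361234565 10.0.0.12 query A update.example.net.
1361234570 10.0.0.12 query A notupdate.example.net
"""

PROXY_RE = re.compile(r"^(\d+) (\S+) \S+ \S+ (\S+)$")
DNS_RE = re.compile(r"^(\d+) (\S+) query \S+ (\S+)$")


def compile_indicators(indicators):
    """Split the indicator list into network objects and a domain set."""
    nets, domains = [], set()
    for kind, value in indicators:
        if kind in ("ip", "cidr"):
            nets.append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            domains.add(value.lower().rstrip("."))
        else:
            raise ValueError(f"unsupported indicator type: {kind}")
    return nets, domains


def match_host(host, nets, domains):
    """Return the indicator a host matches, or None.

    IP literals are checked against the network list; names match exactly
    or as a subdomain, so notupdate.example.net does NOT match
    update.example.net (a plain substring test would get that wrong).
    """
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return next((str(n) for n in nets if addr in n), None)
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(proxy_log, dns_log, indicators=INDICATORS):
    """Return the list of indicator hits across both log sources."""
    nets, domains = compile_indicators(indicators)
    hits = []
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        ts, client, url = m.groups()
        host = urlsplit(url).hostname or ""
        ind = match_host(host, nets, domains)
        if ind:
            hits.append({"source": "proxy", "ts": int(ts), "client": client,
                         "host": host, "indicator": ind})
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client, name = m.groups()
        ind = match_host(name, nets, domains)
        if ind:
            hits.append({"source": "dns", "ts": int(ts), "client": client,
                         "host": name.rstrip("."), "indicator": ind})
    return hits


def summarize(hits):
    """Group hits by internal client and record each indicator's last-seen
    time. Re-run the sweep on fresh logs: an indicator whose last-seen time
    stops moving is one the adversary has probably abandoned."""
    by_client = defaultdict(set)
    last_seen = {}
    for h in hits:
        by_client[h["client"]].add(h["indicator"])
        last_seen[h["indicator"]] = max(last_seen.get(h["indicator"], 0), h["ts"])
    return {c: sorted(v) for c, v in by_client.items()}, last_seen


if __name__ == "__main__":
    clients, seen = summarize(sweep(PROXY_LOG, DNS_LOG))
    for client, inds in sorted(clients.items()):
        print(f"{client}: {', '.join(inds)}")
    for ind, ts in sorted(seen.items()):
        print(f"{ind} last seen at {ts}")
```

Running it reports two hits for 10.0.0.5 (the CIDR block and the domain) and one for 10.0.0.12; the trailing-dot DNS name and the look-alike notupdate.example.net are the edge cases the matcher has to get right before you start paging people.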

Sharing information has more than just tactical value. In my view (obviously not one shared by Congress), this points out that we don’t need the government to get in the way with CISPA or other information-sharing that stays behind walls of overclassification or possibly creates additional privacy and civil rights issues. We can do this the right way and improve things. Partisan politics lies way outside the scope of this blog, but I certainly see this as “we’re from the government and we’re here to help” territory.

[1]: As usual, these represent my opinions only. And that’s only good for today anyway because I may change my mind as new facts come to light or I think about topics more thoroughly.

Chinese government attacking American journalism?

What a week: disclosure of compromises at the New York Times, Wall Street Journal, and Washington Post. A Java update released on a Friday evening 18 days early due to active exploitation. Twitter compromised affecting 250k users, including me. I may have more to say about the Twitter compromise later.

Journalists in China

If they don’t respect them there, they won’t respect them here.

I’ve assumed for some time that state-sponsored attackers have long targeted major media outlets, especially those who regularly report on national security issues. While we don’t need to start putting on tinfoil hats, the ill-fated Wikileaks partnership with the NYT should have provided a pretty obvious starting point for people to think about these issues. Even more obviously, at least to me, journalists have had to take OPSEC seriously for a very long time, whether due to drug cartels or US presidents unhappy with political and legal revelations. I wouldn’t characterize these incidents as an assault on our way of life, exactly, because the Fourth Estate has always had conflicts with power. We should become far more suspicious when governments don’t concern themselves with the press, because that says something about their relationships with it or, perhaps, their views of popular opinion.

An extraordinary claim requires extraordinary proof.

Others have criticized the reporting and the completeness of the stories. For what it’s worth, as noted above, I certainly don’t think claiming that governments have tried to attack journalists really presents an extraordinary claim. And I have seen enough evidence first-hand to believe that Chinese-based actors actively exploit networks around the world. Combining the two, we know how the Chinese government regards free speech and a free press.

But if you want us to believe that this represents the greatest transfer of wealth in history and all the other hyperbole that surrounds discussion of “the APT” and “China” and “cyberwar”, you need to present evidence. Declassify it, make it public, show it to the American people. If you’re a news outlet dedicated to informing the public, give us the facts. When the government wants to make a case for war, it discusses specific incidents and presents intelligence. If we face such a great threat, don’t just assert the threat, prove it. (Note: I don’t actually expect any of this to happen.)

Whether the intelligence will amount to proof, however, remains to be seen.

Terrible Presentation Stress Disorder: “Finding APT with Big Data”

Yesterday, I attended the North Texas ISSA Meeting with my friends Michelle and Ryker. The talk carried the fascinating title Threatscape 2012: Finding Advanced Persistent Threats with ‘Big Data’ Analysis and Correlation, presented by A.N. Ananth, CEO of Prism Microsystems, and one of the leaders of Global DataGuard. (I think the actual presenter was not the person listed, though I might have missed that.) Among the lessons I “learned”:
Condescending Wonka wants to hear all about Big Data and the APT

  • Doing recon on a target is what makes the APT “advanced”, especially if you use LinkedIn to figure out more about a company.
  • “0 day” attacks are the Ebola and bird flu of information security.
  • 100 Gb (sic) of data is Big Data.
  • All the traffic to your web site is Big Data. But we’ve been dealing with Big Data like that since the 1970s, so we know how to handle it.
  • Log data from 25 servers is Big Data, because Big Data doesn’t really have anything to do with how much data you have. (This theme came up a lot.)
  • Attackers only care about customer records, so clearly the talk focused heavily on real-world experience with the APT.
  • The Verizon DBIR[1] mostly only covers North America.
  • Log analysis is advanced behavior correlation analytics.
  • You must do regression testing on your network behavior adaptive learning modeling.
  • Comparing one million points of data is big data but you can use metadata for higher level indicators.
  • Detecting Stuxnet would have been obvious because it’s a new process.
  • Databases suck for analyzing security data.

I swear I’m not winking at you. That’s an eye twitch from TPSD (Terrible Presentation Stress Disorder). Because lunchtime has arrived and I feel a little frisky now that I’ve had my Dr Pepper, let’s take just a few examples to demonstrate the already-obvious cluelessness of this presentation.

First, do a bit of basic research before you cite anything. The Verizon DBIR states in the Executive Summary on page 2:

We also welcome the Australian Federal Police (AFP), the Irish Reporting & Information Security Service (IRISS), and the Police Central eCrimes Unit (PCeU) of the London Metropolitan Police. These organizations have broadened the scope of the DBIR tremendously with regard to data breaches around the globe.

In addition, Verizon performs data breach investigations around the world, not just domestically. Page 12 shows the countries in which confirmed breaches occurred as part of the analyzed caseload. I don’t believe we published data showing the specific geographic distribution of cases, but the statement that the DBIR mostly covers only North America has no support.

Second, I’ve written a good bit here about the APT, and others have done so far more extensively. The APT – nation-state threat actors with significant cyber capabilities, usually meaning “China” or similar when used cluefully – doesn’t care so much about customer records. After all, if you own a significant chunk of the national debt of the United States, credit card numbers are small fry. When you start talking about research plans, sensitive business documents, source code, and the like, now you’ve started to address the target assets. That’s not to say that nobody cares about customer data, of course. Look at the tremendous amount of fraud coming from all over the world, largely but not exclusively centered in Russia and Eastern Europe, not to mention the “hacktivism” related breaches in 2011.

Third, while basic security measures would certainly prevent most common breaches, this doesn’t hold true for truly advanced attacks (by definition). If you think that any system that simply monitors for new processes would detect Stuxnet in an obvious manner, either you don’t really know much about enterprise monitoring or malware, or you are lying. I will charitably assume the former and recommend that you sit down and buy a beer for an actual incident responder or malware analyst to get the real story.

Finally, Big Data absolutely does have something to do with the volume of your data, though that’s not the only factor involved. The presenters correctly stated in the midst of their chaotic confusion that Big Data means data for which traditional RDBMS and similar systems just don’t work. That doesn’t mean 100 data points or even 100 gigabytes (again, charitably assuming a typo here). It means that you have so much data arriving so quickly and in such different forms (schemas) that you can’t simply stream it into a traditional database. This differs significantly from data science and analytics in which we try to find patterns and anomalies in the data, sometimes with advanced methods like machine learning and distributed computation. These two concepts aren’t identical, they’re orthogonal: you may perform analytics on smaller data sets, or you may have a very large data set that maps to well-understood models. The phrase “regression testing on your network behavior adaptive learning modeling” is gobbledygook.

I could go on, but really, the only other thing I want to say to the gentlemen who presented this useless waste of an hour is:
Zoidberg: Your presentation is bad and you should feel bad!


[1]: Disclosure: I work for the Verizon RISK team that produces the DBIR, though I joined after the publication of the 2012 edition and had no hand in it.

China as a threat: a bit of perspective

Gentleman panda

I got a bit of friendly feedback after recently stating on Twitter that I get tired of all the constant drum-beating about China. That includes some notes from friends and colleagues whom I respect but who do not entirely agree with me. I thought I’d clarify my thoughts on the original APT as a result.

First, anybody who doesn’t recognize that China is engaged in a long-term (and heretofore incredibly successful) campaign of information operations against the West just hasn’t paid attention. We have the evidence, and even the PRC’s protestations to the contrary seem carefully constructed simply to parse meanings and split hairs. They engage in normal diplomatic cover speak, and I can’t fault them for that, but we should still recognize it for what it is. Denials of this reality ring as hollow as denials of the immense volume of fraud and related cyber crimes sourced from Eastern Europe and Russia.

That said, however, I believe some of the reaction in recent months has gone overboard. A number of high-profile individuals have had a significant presence in the press lately, and some of them seem to have the impression that the US should treat this as the most significant issue in its relations with the PRC. Given the range of issues that involve two of the most powerful nations in human history, I find this shortsighted. Climate change, energy policy, human rights, and macroeconomic issues all represent legitimate areas of discussion. Information operations (“warfare” if you like, but I don’t) comprise an important part of those issues but should not overshadow things like nuclear weaponry, for example.

At the same time, they indicate that only the “APT” matters and that professional incident responders only think in terms of campaigns (rather than intrusions). I disagree: other significant issues do exist within our domains of threat intelligence, information security, and incident response, as well as within the separate scope of Pacific Rim foreign policy. When your rhetoric reaches the point where your professional colleagues start to openly wonder if you’ve become completely Sinophobic, then you should take a step back and ponder whether to dial it down slightly.

Yes, China’s IO campaigns certainly present a significant challenge in a number of ways, including the need for public awareness in the West, but that challenge exists within the context of many other important topics. Let’s not get so zoomed into one adversary and one issue that we lose focus on the rest.

Uninformed thoughts on Iran as a cyber threat

Carrot bomb

Understanding the reality of a threat matters.

Last week, a number of organizations reported that Iranian oil infrastructure had gone offline in response to malware of some sort. The Iranian Oil Ministry claims the attack only affected user data, not actual production equipment, and others have indicated that the malware did not target industrial control systems. So while the whole incident might seem reminiscent of Stuxnet, the reality doesn’t quite match up to that prior incident. In fact, we don’t know at this time whether they simply had to deal with commodity malware of some sort (though that seems like a stretch), or a reconnaissance attack gathering user data, as the Iranians claimed, or some other scenario.

Side note: this reminds me of the lack of utility of the term “advanced persistent threat”. If we don’t use it as a euphemism for a particular nation-state actor, then clearly we can consider the United States and Israel as APT-type adversaries for Iran, among other potential targets. While Israel continues to talk about a possible kinetic strike on Iranian nuclear facilities despite internal controversy, disabling those same facilities via attacks in the cyber domain has lots of benefits: drastically reduced collateral damage, deniability of a covert operation, and reduced risk of generating empathy for the regime among the Iranian populace.

Recent Congressional hearings convened to discuss whether Iran’s cyber abilities constitute a significant threat to the US. Personally, I consider it highly unlikely that any serious assessments would be unclassified, so these public hearings strike me as a sort of political Kabuki theater as follow-up to previous assessments including Iran as a cyber threat, though those had more meat to them. We have to consider the possibility that this gets so much play due to interest in conflict with Iran by hawkish elements in government and related commercial power structures. The nature of power leads to its active use. Uncharitably, we might say that power is no fun if not wielded, but more realistically that dormant power leads to atrophy.

That doesn’t mean we shouldn’t consider the range of Iranian cyber capability. I don’t have sufficient data or background on Iran to take a real stab at analyzing that[1], but we can ask reasonable questions. Can a small isolated nation develop the mindset in personnel required (cf. DPRK)? (Probably so, though it might take more effort and broad collaboration with friendly organizations to get there.)

Consider, too, the nature and value of threat intelligence. The risk reduction for most private organizations stems from potentially attributing attacks to Iran and mapping out indicators of compromise, whether technical, methodological, or otherwise. Preventive controls likely would not change appreciably due to an Iranian threat: we in the US and much of the West in general have all sorts of commercial sanctions against Iran, so we rarely have to consider how to secure transactions and partner networks like we do in the case of Russia, Eastern Europe, China, and similar states. Appropriate governmental groups can also track units or other sponsored actors for possible counter strikes (CNA/CNE), although at this point I’ve ventured out of the scope of speculation where I feel knowledgeable enough to ask good questions.

[1]: However, you might follow Ali-Reza Anghaie (@packetknife) for a far more informed perspective.

Semantic change: APT, Cyberwar, and Hacking

“It’s just semantics!”

I hate that phrase. Words mean things – and “semantics” is the study of those meanings. Most words can push emotional buttons for us, even when we really just use different words to describe the same thing. Think about the range of words that all essentially mean “fecal matter”, running the entire way from baby talk to medical terminology to vulgarity.

And, over time, the meaning of a word can evolve through semantic change. I’d suppose this happens even more frequently with jargon. So I’ve started to change my tune on a few specific bits of jargon that I encounter daily.

First, one of the most common (and controversial) phrases in 2011: “advanced persistent threat” (APT). From my understanding, this term originated with the US Air Force in 2006 to refer to either “any sophisticated adversary engaged in information warfare in support of long-term strategic goals” or, well, China. I do not like this term at all, because we have much better terms now when discussing general classes of attackers. And now that the US government has publicly discussed the ongoing campaign of intrusions from China, rather than just in classified environments, we no longer need to treat the subject so gingerly. My stance has evolved to the point of eschewing the term completely. If you mean “nation-state actors” in general, say that. If you mean China (or Russia, or Israel, or the US), then say that. If you mean adversaries with significant capability, I suppose “APT” is the marketing buzzword these days, but this usually leads to so much FUD that I’d prefer other terms that don’t carry the same baggage.

This year, I still hear “cyberwar” – maybe with even more frequency than in 2011. In my view, individuals and organizations with specific agendas have fanned the flames here to suit their own purposes. I don’t really like this term, because I believe that we should reserve the term “war” for the sort of large-scale “kinetic” conflict traditionally associated with it. General Robert E. Lee said at the Battle of Fredericksburg that “it is well that war is so terrible, otherwise we should grow too fond of it”. By using the word “war” for something that doesn’t result in the broken lives and bodies we see in places like Afghanistan, Somalia, and Uganda, we desensitize ourselves to that harsh reality. (I speak here in general terms: certainly, some individuals who use terms like “cyberwar” have an all-too-horrible familiarity with the reality of war in a way I do not.) With all that said, I’ve come to accept this term grudgingly. Certainly, conflict exists between nations and other organizations, and some of those conflicts extend to networks and other digital systems. At one time, this primarily took the form of a secret war, and the vast majority of the public knew nothing about it beyond what they saw in movies. Nobody denies that these conflicts exist now; we just disagree on who does what, what we should call what they do, and of course what will happen in the future. But if I see this term, I will assume you mean the type of serious conflict that leads to things like Titan Rain and Stuxnet – and that you know a thing or two about it, rather than parroting what you heard in a vendor webinar.

Finally: I refuse to give up the word “hacker”. My last CSO once said in a security meeting that “we don’t hire hackers” – only to have several of us cough politely and catch his eye. (“Well, you know what I mean.”) The term certainly has considerable nuance, but I will almost always use it to refer to a particular subculture of geeks and programmers: Linus Torvalds, Richard Stallman, Grace Hopper, Steve Wozniak – not Albert Gonzalez and Kevin Mitnick. Portmanteaus like “hacktivism” grate on me, but at the moment I don’t know of better alternate terms.

I’d like for us to think of something, though.

Threat intelligence evolution

When I got started in network security many years ago, I principally dealt with assets. As time went on, I dealt more with vulnerabilities because, hey, that’s sexy. But that’s old and busted: the new hotness is threat.

Semantics: words mean things

If one thing makes me crazy about security vendors – and far more than one thing does, to tell the truth – it’s the imprecise use of language. Depending on who you ask, a piece of malware is a “risk” and unpatched software is a “threat”. Please don’t ask me what I say when an antivirus program classifies netcat as a “trojan.” Communication reflects thought, and so when you use words in fuzzy, ill-defined ways, you also think in fuzzy, ill-defined ways. So when we talk about “threats”, let’s be clear: “a threat is what we’re trying to protect against”.

I often fall into my own trap by conflating the terms “threat” and “threat actor”, usually distinguishing only via context. In reality, though, we need to understand the difference between the components of “threat”, which CERT rolls up into “an indication of a potential undesirable event”. We can break down the threat further into the actor, the exploit (method), and the motive. Generally, threat intelligence, as most private-sector organizations use it today, centers around methods. This usually means malware indicators, network addresses, and traffic signatures. We also sometimes talk about motive: espionage, ‘hacktivism’, organized crime, and so on. These things matter. We can’t lose sight of them, but we can’t stay content with them, either.

illuminati

This would be a terrible way to deter threat actors.

With some notable exceptions, we rarely talk about intelligence based on specific threat actors. Even then, those lead to controversy because the indicators remain classified, and so we fall back on IP addresses when attribution can encompass so much more.

Crowdstrike

Today, the firm Crowdstrike announced its “stealth-mode launch”:

CrowdStrike is a security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information. Utilizing Big-Data technologies, CrowdStrike is developing a new and innovative approach to solving today’s most demanding cyber-security challenges. CrowdStrike’s core mission is to fundamentally change how organizations implement and manage security in their environment.

I don’t quite understand what they’ll offer, which I suppose explains the stealth mode bit. They give proper attention to the concept of attribution and TTP (tactics, techniques, and procedures), and throw out a little red meat about patriots defending against nation-state adversaries.

By identifying the adversary and revealing their unique TTPs (i.e. modus operandi), we can hit them where it counts – at the human-dependent and not easily scalable parts of their operations.

This tends to put me in mind to agree with Saso Virag, who saw three components:

That is, Crowdstrike clearly has a militia mindset, a possible focus on tracking down the humans behind the screens, and trying to find the adversary who has already penetrated the network. I don’t know whether they intend to try to conduct attacks against the attackers or simply try to defend against the non-automated portions of the kill chain. Certainly, they want to go further than sitting back while attackers simply out-maneuver defenders. The concept incurs a lot of operational risk, and I personally would quibble with some parts of it (e.g. nationalistic motivations). At the same time, though, I also agree with the general concept that the status quo can only have negative outcomes for us today, and maybe their approach will work.

Quis custodiet ipsos custodes?

Richard Bejtlich has written about this before, and he tends to lean towards striking back in various ways too. At one time, I would not have conceived that private-sector organizations could get into this role. But the trend toward private military contractors and the like over the last decade might indicate otherwise. The US has already started to outsource critical “cyber” operations to firms like General Dynamics, such as domestic monitoring of dissident elements on the Internet. The conspiracy theorist in me wants to call this “megacorp martial law”. And while the NSA and the US intelligence community won’t confirm publicly that they have undertaken CNA/CNE, that has to be the worst-kept secret in intelligence since Israel got nuclear weapons.

So could you do this under a government contract? What about organizations based outside of the US, particularly if they do not employ US persons? On the one hand, the government might look the other way as it has with many existing “cyber militia” operators. On the other hand, when private organizations interfere with ongoing intelligence operations (e.g. bringing down a jihadist forum that the CIA has already infiltrated), then they’ll draw the attention and ire of men in dark suits with guns and badges.

I’ll look forward to seeing how we all continue to evolve in our understanding and practice of threat intelligence.

3 reasons why big data matters for SIEM

"Nesting Dolls" by Andy Ihnatko

“Big data” isn’t just a buzzword, and it doesn’t just mean “big piles o’ bits”. It’s jargon, but it has a particular meaning:

Big data is data that exceeds the processing capacity of conventional database systems. The data is too big, moves too fast, or doesn’t fit the strictures of your database architectures. To gain value from this data, you must choose an alternative way to process it.

Alternatively, “big data” refers to data of such volume that storage, management, processing, and analysis present engineering challenges beyond traditional IT solutions. If it fits in, say, a traditional RDBMS setup like MySQL or Oracle, then it may be a lot of data, but it’s not “big data”.

This new tech has lots of useful applications in social policy, business intelligence, science, and IT, among others. In the SIEM world, we’ve got to start looking at applying some of this tech where it makes sense, for at least a few specific reasons:

  1. Traditional SQL databases don’t fit the data model. We don’t necessarily care in most SIEM implementations about meeting the ACID standard. Shoehorning our needs into what exists holds us back.
  2. Big data tech (specifically, NoSQL database design) allows us to focus on the area of CAP that really matters to us: Partition Tolerance. Of the remaining two, we can usually settle for Availability and eventual Consistency.
  3. IT organizations consistently experience significant budget pressure as organizations focus on reducing expenses. This applies even more to security, where we provide loss avoidance rather than growing top line revenues. We need architecture that allows us to use cheaper, commodity hardware while still enabling us to maintain appropriate performance.

We haven’t reached the point yet where we need to focus too strongly on particular aspects of “big data”. Do you need Hadoop? What analysis tasks fit map-reduce algorithms? Should you try to leverage Amazon EC2 or another cloud provider? As Jon Oltsik writes:

While “big data” will intersect with security intelligence, the actual “big data” technology aspects are irrelevant. CISOs need the analytics capabilities but really don’t care what’s under the hood. Let’s focus on data analysis and situational awareness and avoid a debate about OLAP, Massively-Parallel Processing (MPP), and Hadoop.

Those things will matter when building an implementation (e.g. to a vendor). SIEM users, though, should generally focus on what capabilities they actually want, such as data sources and analysis methods.

Oltsik’s piece makes another cogent point about security intelligence:

Security intelligence demands more data. Early SIEMs collected event and log data then steadily added other data sources like NetFlow, packet capture, Database Activity Monitoring (DAM), Identity and Access Management (IAM), etc. Large enterprises now regularly collect gigabytes or even terabytes of data for security intelligence, investigations, and forensics. Many existing tools can’t meet these scalability needs.

Users will see this as the real driving force: to do the job effectively, the SIEM has to do more than just bring in firewall, IDS, and operating system logs. And it needs to support better exploratory data analysis, rather than just reporting and notifications.

I don’t know of many vendors that currently have products built on this approach, though I don’t doubt we’ll see a lot of them hurriedly slapping the label on their material even when it doesn’t fit: witness the APT debacle.

Third world cyberalliances

NB: Due to the nature of the story, some of the links below go to Spanish-language articles. If you don’t read Spanish, you may wish to use Google Translate. I haven’t reviewed any translation so I don’t vouch for its accuracy.

I don’t always agree with Krypteia, but I always appreciate reading and considering his thoughts on things. And given my personal and professional connections to Mexico, I particularly appreciated his latest piece on La Amenaza de Iraní (sic). He analyzes in detail the recent reports from Univision regarding the now-former Iranian ambassador to Mexico planning “cyberwar” with Mexican university students.

I don’t have much to add to his analysis at the moment, except to take exception with another analyst whom I respect, Jeffrey Carr, who rejects the idea that Iran would bother with “Mexican hackers”.

While I certainly recognize the efforts to which the Chinese have gone in their economic and military espionage (even if some folks dispute some of the specifics), that doesn’t mean that they cover every initiative from every ally. Nor does it mean that the Iranians wouldn’t attempt to grow their network, not least for the reasons Krypteia mentioned in his piece. This fits together well with today’s report on links between Los Zetas and Hizbollah, the latter of which has close ties with Iran.

Whatever the reality of this specific situation, the world has changed over the last two years. We will always have debates about who and why, and even more on what to do about it, but the threat landscape shifts daily.

Michael Chertoff: Addressing APT at MIRcon 2011

NB: The below are my notes from Michael Chertoff’s keynote speech at MIRcon 2011. They do not necessarily represent my views, and in some cases are completely opposed to my views.

The Internet was not built with security in mind, and net culture today believes that security is inimical to how the Internet works. But we need rules of the road, just like the actual roads. We’ve seen credit card numbers stolen from Wifi networks, and plans stolen from US companies to reproduce our stuff. DDOS attacks on Estonia and Georgia go hand-in-hand with hacktivism against organizations whose politics the attackers don’t like. Most disturbing is the possibility of a disruptive or destructive attack on an industrial control system or key piece of infrastructure. Stuxnet provides a good example, though he’s basing his comments on what’s been reported in the newspapers, which he’ll accept as accurate for the sake of argument. If that can be done to Iran, what can be done to the US or its allies?

So everyone’s at risk: not just the above-mentioned groups, but anyone who does business anywhere in the world. Mining companies negotiating with the Chinese found that they had been “peeking into” their systems for additional leverage. This concept can be used to attack trading or financial platforms in order to gain market advantage. If there’s a widespread belief that some folks have that advantage, it will have an overall negative impact on the performance of the entire market. The challenge is that it seems complicated and expensive to those running mom and pop businesses, who don’t think of themselves as targets of “cyber criminals” even though they are. Identifying steps they can take to reduce their risk and deal with this type of fraud is highly valuable.

There isn’t one problem; there are a whole set of problems. There’s not one piece of software or a Maginot line that will fix things, but focusing on those things to the exclusion of all else ignores other key parts of a possible solution set. Layered defense, not a single point of defense, matters, and he doesn’t just mean hardware and software. Airline security has improved tremendously despite the fact that no one part is perfect (screening, airplanes, customs, etc.).

We’re facing threats from different actors: fraud, IP theft, DDoS attacks, destructive attacks. Different groups of people pursue different sorts of objectives. Our approach to criminals centers around prosecution, although this fails somewhat for overseas attackers. Others are trying to “rob us of the birthright of our intellectual property”. So part of the solution set isn’t just arresting people (you can’t arrest nation states). You have to implement deterrence to prevent them, unlike with ordinary criminals. Nation states may have to respond at that level, rather than how we deal with criminals.

The vectors for these attacks are in three categories: over the network (the most imagined); the hardware and software in devices and systems (from fabrication of chips all the way to assembly); and the human factor (negligence or malice). Get away from the proposition that there’s a simple fix; there will never be perfect security. Concentrate on risk mitigation and risk management. You have to array all your tools against all your attackers, recognizing that not every tool works against every attack.

This requires a doctrine of cybersecurity. It has to map the landscape, the attackers, and the toolset (across all possible actors, including technical, legislative, etc.). These must exist within the boundaries of the Constitution, but Congress can change specific laws subordinate to that. You won’t stop everything, so your best way of mitigating these threats is to live on the network, being aware of what’s going on and knowing what’s problematic. Information sharing also matters, particularly as we get more sophisticated about understanding our attackers. They have “tells”, including simple indicators like IP addresses and more complex indicators like particular techniques. The collection of information about these things is a critical part of building that series of layered defenses. We need to share within and among enterprises.

What role should the government play in this? Americans don’t want the government to have the same sort of control that the Chinese government has. But there are certain tools that the government has. How do we share this information in ways that don’t compromise intelligence sources and methods? There’s a unique relationship between the defense contractors and the government. Sharing exists there, but it needs to get better. In other areas, that particular relationship doesn’t exist: power grid, water grid, transportation, financial services, etc. Chertoff advocates a “private party function” for firms who understand what’s going on in many clients and can then provide information. This could include not just addresses and signatures, but techniques. It’s about people, not just bits, and it’s really a counter-intelligence problem.

How do we train people and build the architecture so it’s easier for people to comply with the rules (and find the people who aren’t)? Social engineering defeats some of the verification questions used when passwords are forgotten. Golden questions allow the user to pre-define the questions and answers themselves. Chertoff sees this as an elegant solution, and therefore a good part of the overall solution set along with the things we already do (firewalls, secure software, etc.). Leaving laptops in hotel rooms needs just as much attention, but it requires another set of solutions.

So take a counter-intel approach and focus on the human domain, not just the tech domain. The threats won’t go away, because the value is online now. The notion of destructive and disruptive tools embedded in our control systems will be an important part of warfighting in the decades to come. Intelligence – knowledge about things and people – and sharing of that intel is the key tool in mitigating the risk.

Addressing my question on responding to civil liberties and intelligence failures for national defense in the cyber domain: an Internet kill switch for the President would probably not work, cause more damage, and be unacceptable. The harder issue is what the private sector can do in the area of civil liberties. Some advocate a series of different networks (like .secure that has no anonymity versus .wildwest with plenty of anonymity and no financial transactions). Are privacy and security opposite to each other? Security is an indefensible civil liberty. If the government is unable to secure our tax records, the promise of privacy there is worthless. People need to understand that, without security, they won’t have privacy. Understand that there will be a government on your network: will it be ours or a foreign government?

Naming and shaming can be counterproductive to information sharing. DHS could create a set of standards or metrics, and critical infrastructure organizations that don’t achieve them would suffer some form of disclosure. This has to be crafted in a way not to disclose that a company has had a breach but that they’ve not addressed underlying issues. Don’t penalize somebody for failure but for not trying or taking reasonable steps.

The rules are different for multinational enterprises, because their rules of the road are very different. So the entry point of a compromise can strongly affect how an investigation proceeds. In Europe, this is a challenge because protecting the privacy of one employee may put the privacy of all the other employees at risk. Europeans are historically fixated on data protection against the government and big institutions, not networks or criminals or terrorists, and they need to change.

We can’t take the offensive: you can’t follow a burglar back to his house, break in, and take your stuff back. On the Internet, the attribution problem makes this particularly difficult, as the hops from which you see the attacker could themselves be victims. This leads to problems with deterrence policies, since you can’t go to war every time you find a spy. But if you suffer an actual attack (disabling the power grid), you might want to respond, but against whom? This requires more discussion leading to public policy. You tend to get wars when you misread the other side, like Saddam Hussein misreading the US when he invaded Kuwait. Developing doctrine and policy in advance helps with that issue.