
Comments on Comment Crew

Everyone paying any attention to security this week noted Mandiant’s report on the Comment Crew. If you haven’t, go read it first. I’ll wait.

Although I work for a competitor[1], I believe Mandiant did the right thing here. Others may disagree to an extent for good reasons, while others simply went too far in their assumptions and criticisms. (And some folks just need to take off the tinfoil hats.) I don’t really care that much about what makes the sekrit skwirl cabal happy, and in fact it tickles me when they get frustrated by “outsiders” (inasmuch as Mandiant is one, anyway) not playing by their rules. In any case, healthy skepticism regarding someone else’s conclusions keeps them honest, but don’t miss the big picture out of myopia. The prevalence of espionage and APT activity relative to ordinary criminal activity remains an open research question and a valid area of debate, but I’ve seen some really smart people this week falling into the cliché of missing the forest for the trees.

Instead, this means the adversary can’t dictate the pace and terms of the conflict, whether or not they completely retool. By driving up the cost to the attacker over time, you start to make headway. That works both ways, of course, and at the moment that balance leans decidedly in their favor. Releasing the IOCs will also allow defenders to discover additional compromises. Remember that opponents make mistakes, and so we can capitalize on the opportunity for ongoing intel gathering as they transition to new infrastructure (assuming they even bother).

Sharing information has more than just tactical value. In my view (obviously not one shared by Congress), this points out that we don’t need the government to get in the way with CISPA or other information-sharing that stays behind walls of overclassification or possibly creates additional privacy and civil rights issues. We can do this the right way and improve things. Partisan politics lies way outside the scope of this blog, but I certainly see this as “we’re from the government and we’re here to help” territory.

[1]: As usual, these represent my opinions only. And that’s only good for today anyway because I may change my mind as new facts come to light or I think about topics more thoroughly.

Chinese government attacking American journalism?

What a week: disclosure of compromises at the New York Times, Wall Street Journal, and Washington Post. A Java update released on a Friday evening 18 days early due to active exploitation. A Twitter compromise affecting 250k users, including me. I may have more to say about the Twitter compromise later.

[Image: Journalists in China] If they don’t respect them there, they won’t respect them here.

I’ve assumed for some time that state-sponsored attackers have long targeted major media outlets, especially those who regularly report on national security issues. While we don’t need to start putting on tinfoil hats, the ill-fated Wikileaks partnership with the NYT should have provided a pretty obvious starting point for people to think about these issues. Even more obviously, at least to me, journalists have had to take OPSEC seriously for a very long time, whether due to drug cartels or US presidents unhappy with political and legal revelations. I wouldn’t characterize these incidents as an assault on our way of life, exactly, because the Fourth Estate has always had conflicts with power. We should become far more suspicious when governments don’t concern themselves with the press, because that says something about their relationships with it or, perhaps, their views of popular opinion.

An extraordinary claim requires extraordinary proof.

Others have criticized the reporting and the completeness of the stories. For what it’s worth, as noted above, I certainly don’t think claiming that governments have tried to attack journalists really presents an extraordinary claim. And I have seen enough evidence first-hand to believe that Chinese-based actors actively exploit networks around the world. Combining the two, we know how the Chinese government regards free speech and a free press.

But if you want us to believe that this represents the greatest transfer of wealth in history and all the other hyperbole that surrounds discussion of “the APT” and “China” and “cyberwar”, you need to present evidence. Declassify it, make it public, show it to the American people. If you’re a news outlet dedicated to informing the public, give us the facts. When the government wants to make a case for war, it discusses specific incidents and presents intelligence. If we face such a great threat, don’t just assert the threat, prove it. (Note: I don’t actually expect any of this to happen.)

Whether the intelligence will amount to proof, however, remains to be seen.

Cyberwords on cyberwar


Few things frustrate me as much as muddled thinking, depending on logical fallacies, or misinterpreting data. To my (long) list of examples of some of these things, I can add Dennis Fisher‘s post U.S. Cyberwar Doctrine Would Not Matter Without International Agreement. To be fair, you should read his article first before my critique of it.

China as a threat: a bit of perspective

I got a bit of friendly feedback after recently stating on Twitter that I get tired of all the constant drum-beating about China. That includes some notes from friends and colleagues whom I respect but who do not entirely agree with me. I thought I’d clarify my thoughts on the original APT as a result.

First, anybody who doesn’t recognize that China is engaged in a long-term (and heretofore incredibly successful) campaign of information operations against the West just hasn’t paid attention. We have the evidence, and even the PRC’s protestations to the contrary seem carefully constructed simply to parse meanings and split hairs. They engage in normal diplomatic cover speak, and I can’t fault them for that, but we should still recognize it for what it is. Denials of this reality ring as hollow as denials of the immense volume of fraud and related cyber crimes sourced from Eastern Europe and Russia.

That said, however, I believe some of the reaction in recent months has gone overboard. A number of high-profile individuals have had a significant presence in the press lately, and some of them seem to have the impression that the US should treat this as the most significant issue in its relations with the PRC. Given the range of issues that involve two of the most powerful nations in human history, I find this shortsighted. Climate change, energy policy, human rights, and macroeconomic issues all represent legitimate areas of discussion. Information operations (“warfare” if you like, but I don’t) comprise an important part of those issues but should not overshadow things like nuclear weaponry, for example.

At the same time, these commentators indicate that only the “APT” matters and that professional incident responders only think in terms of campaigns (rather than intrusions). I disagree: other significant issues do exist within our domains of threat intelligence, information security, and incident response, as well as within the separate scope of Pacific Rim foreign policy. When your rhetoric reaches the point where your professional colleagues start to openly wonder if you’ve become completely Sinophobic, then you should take a step back and ponder whether to dial it down slightly.

Yes, China’s IO campaigns certainly present a significant challenge in a number of ways, including the need for public awareness in the West, but that challenge exists within the context of many other important topics. Let’s not get so zoomed into one adversary and one issue that we lose focus on the rest.

Threat intelligence evolution

When I got started in network security many years ago, I principally dealt with assets. As time went on, I dealt more with vulnerabilities because, hey, that’s sexy. But that’s old and busted: the new hotness is threat.

Semantics: words mean things

If one thing makes me crazy about security vendors – and far more than one thing does, to tell the truth – it’s the imprecise use of language. Depending on who you ask, a piece of malware is a “risk” and unpatched software is a “threat”. Please don’t ask me what I say when an antivirus program classifies netcat as a “trojan.” Communication reflects thought, and so when you use words in fuzzy, ill-defined ways, you also think in fuzzy, ill-defined ways. So when we talk about “threats”, let’s be clear: “a threat is what we’re trying to protect against”.

I often fall into my own trap by conflating the terms “threat” and “threat actor”, usually distinguishing only via context. In reality, though, we need to understand the difference between the components of “threat”, which CERT rolls up into “an indication of a potential undesirable event”. We can break the threat down further into the actor, the exploit (method), and the motive. Generally, threat intelligence, as most private-sector organizations use it today, centers around methods. This usually means malware indicators, network addresses, and traffic signatures. We also sometimes talk about motive: espionage, ‘hacktivism’, organized crime, and so on. These things matter. We can’t lose sight of them, but we can’t stay content with them, either.

[Image: illuminati] This would be a terrible way to deter threat actors.

With some notable exceptions, we rarely talk about intelligence based on specific threat actors. Even then, those lead to controversy because the indicators remain classified, and so we fall back on IP addresses when attribution can encompass so much more.
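As an added illustration (my own example code, not anything from this post, from CERT, or from any vendor mentioned here), the following Python models a threat as actor, method and motive and runs a set of released indicators over constructed proxy log lines. It shows the point made here and in the Comment Crew post above: atomic indicators such as IP addresses, domains and file hashes stop firing the moment the adversary retools, while a behavioural traffic signature still catches the same beacon on new infrastructure. Every actor name, indicator value, log format and log line below is invented for the example; the hash is the MD5 of an empty string, used purely as a placeholder.

```python
"""Indicator matching over constructed proxy logs (example, not from the post).

A "threat" is modelled as actor + method + motive. Method-level indicators
come in two flavours: atomic (IP, domain, hash), which an adversary can
change cheaply, and behavioural (a traffic signature), which survives a
change of infrastructure. All values here are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Threat:
    actor: str                                   # who (attribution label)
    motive: str                                  # why
    ips: set = field(default_factory=set)        # method: atomic indicators
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    traffic_sig: str = ""                        # method: regex on the request path

# Constructed "report" for a hypothetical actor; every value is invented.
REPORT = Threat(
    actor="EXAMPLE-ACTOR-1",
    motive="espionage",
    ips={"203.0.113.42"},
    domains={"update.example-c2.invalid"},
    hashes={"d41d8cd98f00b204e9800998ecf8427e"},  # placeholder (MD5 of "")
    traffic_sig=r"/[a-z]{4}\.asp\?[0-9a-f]{16}$",  # beacon shape, not an address
)

# Constructed log format: ts src_ip dst_ip host path download_hash_or_dash
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<path>\S+) (?P<hash>\S+)$"
)

SAMPLE_LOGS = [
    "2013-02-20T10:01:05Z 10.0.0.7 203.0.113.42 update.example-c2.invalid /beac.asp?0123456789abcdef -",
    "2013-02-20T10:02:11Z 10.0.0.9 198.51.100.5 www.example.com /index.html -",
    "2013-02-20T10:03:47Z 10.0.0.7 198.51.100.77 cdn.example.net /setup.exe d41d8cd98f00b204e9800998ecf8427e",
    # Same actor after retooling: new IP and domain, same beacon pattern.
    "2013-02-27T09:14:02Z 10.0.0.12 192.0.2.200 news.example-c2b.invalid /kqzt.asp?fedcba9876543210 -",
]

def match_line(line: str, threat: Threat) -> List[str]:
    """Return the indicator types from `threat` that fire on one log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []                       # unparseable line: no verdict, not an error
    hits = []
    if m["dst"] in threat.ips:
        hits.append("ip")
    if m["host"] in threat.domains:
        hits.append("domain")
    if m["hash"] in threat.hashes:
        hits.append("hash")
    if threat.traffic_sig and re.search(threat.traffic_sig, m["path"]):
        hits.append("traffic_sig")
    return hits

def scan(lines, threat: Threat) -> Dict[int, List[str]]:
    """Map line index -> indicator types that matched; lines with no hit are omitted."""
    return {i: h for i, l in enumerate(lines) if (h := match_line(l, threat))}

def atomic_only(threat: Threat) -> Threat:
    """The same report with the behavioural signature dropped: IP/domain/hash only."""
    return Threat(threat.actor, threat.motive, threat.ips, threat.domains, threat.hashes, "")

if __name__ == "__main__":
    print("with traffic signature:", scan(SAMPLE_LOGS, REPORT))
    print("atomic indicators only:", scan(SAMPLE_LOGS, atomic_only(REPORT)))
```

Run as a script, the full report flags the original beacon, the download and the retooled beacon on the new infrastructure, while the atomic-only report misses the last one entirely. That gap is the cost to the defender of intelligence that stops at addresses; the traffic signature is one small step toward the actor- and TTP-level picture the post argues for.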

Crowdstrike

Today, the firm Crowdstrike announced its “stealth-mode launch”:

CrowdStrike is a security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information. Utilizing Big-Data technologies, CrowdStrike is developing a new and innovative approach to solving today’s most demanding cyber-security challenges. CrowdStrike’s core mission is to fundamentally change how organizations implement and manage security in their environment.

I don’t quite understand what they’ll offer, which I suppose explains the stealth mode bit. They give proper attention to the concept of attribution and TTP (tactics, techniques, and procedures), and throw out a little red meat about patriots defending against nation-state adversaries.

By identifying the adversary and revealing their unique TTPs (i.e. modus operandi), we can hit them where it counts – at the human-dependent and not easily scalable parts of their operations.

This tends to put me in mind to agree with Saso Virag, who saw three components:

That is, Crowdstrike clearly has a militia mindset, a possible focus on tracking down the humans behind the screens, and trying to find the adversary who has already penetrated the network. I don’t know whether they intend to try to conduct attacks against the attackers or simply try to defend against the non-automated portions of the kill chain. Certainly, they want to go further than sitting back while attackers simply out-maneuver defenders. The concept incurs a lot of operational risk, and I personally would quibble with some parts of it (e.g. nationalistic motivations). At the same time, though, I also agree with the general concept that the status quo can only have negative outcomes for us today, and maybe their approach will work.

Quis custodiet ipsos custodes?

Richard Bejtlich has written about this before, and he tends to lean towards striking back in various ways too. At one time, I would not have conceived that private-sector organizations could get into this role. But the trend toward private military contractors and the like over the last decade might indicate otherwise. The US has already started to outsource critical “cyber” operations to firms like General Dynamics, such as domestic monitoring of dissident elements on the Internet. The conspiracy theorist in me wants to call this “megacorp martial law”. And while the NSA and the US intelligence community won’t confirm publicly that they have undertaken CNA/CNE, that has to be the worst-kept secret in intelligence since Israel got nuclear weapons.

So could you do this under a government contract? What about organizations based outside of the US, particularly if they do not employ US persons? On the one hand, the government might look the other way as it has with many existing “cyber militia” operators. On the other hand, when private organizations interfere with ongoing intelligence operations (e.g. bringing down a jihadist forum that the CIA has already infiltrated), then they’ll draw the attention and ire of men in dark suits with guns and badges.

I’ll look forward to seeing how we all continue to evolve in our understanding and practice of threat intelligence.

Analysis of DNI annual Worldwide Threat Assessment

The US Director of National Intelligence, James Clapper, provided his annual Worldwide Threat Assessment to the Senate yesterday (followed by a classified session with, we can surmise, greater detail).

The unclassified portion discusses cybersecurity several times. In fact, the introduction states:

Counterterrorism, counterproliferation, cybersecurity, and counterintelligence are at the immediate forefront of our security concerns.

Notwithstanding the idea that we should consider cybersecurity as a domain and not only a specific activity, I found it useful to see where the policymakers within the US intelligence community see specific concerns. The entire document runs about thirty pages, but over two-thirds of it addresses specific region-by-region and country-by-country concerns. Two pages cover cyber threats and counterintelligence, which for our purposes cover largely similar ground.

The assessment correctly notes that “neither the public nor private sector has been successful at fully implementing best practices.” I’d go a step further, because best practices evolve on both the attack and defense fronts. We don’t even fully implement standard practices: the things we know how to do efficiently and relatively easily. Standard practices, in my mind, constitute a reasonable bar to clear: if practitioners in a given area generally all accept some technology or process as “the way it’s done”, then we shouldn’t excuse anyone doing less than that.

Interestingly, the document first singles out China and Russia as state actors, but then refers to the 2011 NCIX report to specifically blame “entities within these countries”. This means that, although the DNI does not provide specific reasons for attribution in the unclassified report, he does claim that the entities have state sponsorship. The NCIX only said on page 5 of its report that the intelligence community has “not been able to attribute many of these private sector data breaches to a state sponsor.”

The DNI report also notes that governments cannot keep up with tech development and illustrates this by “failed efforts at censoring social media” in the Arab Spring. This should provide an object lesson to US policymakers, though the recent controversies over SOPA, PIPA, and now ACTA indicate that they might not have fully connected the dots.

As a community, we’ve talked for years about addressing the vulnerability problems (including across the entire supply chain), but the DNI also talks about threat in the context of problems regarding warning, detection, and attribution. He recommends greater “US Government engagement” with the private sector. This presents other challenges, though, because we have concerns about transparency versus legitimate secrecy needs (just for starters).

In the section on counterintelligence, the report also links cybersecurity to foreign intelligence service activity. I physically laughed out loud at the assessment that “many intrusions into US networks are not being detected”: understatement of the year. The report here adds Iran to the list of countries undertaking cybersecurity operations against the US. The private sector infosec community, outside of the defense industrial base and Stuxnet, hasn’t really paid much attention to Iran. That could change in 2012, particularly if geopolitical tensions continue to increase there.

I didn’t expect any specific data in this document, given its purpose and classification level. But it could point the way to at least some of the areas that could involve many of us in the next few years, and it certainly is useful in validating the idea that we need to improve our abilities in sharing threat intelligence and incident detection & response.

Third world cyberalliances

NB: Due to the nature of the story, some of the links below go to Spanish-language articles. If you don’t read Spanish, you may wish to use Google Translate. I haven’t reviewed any translation so I don’t vouch for its accuracy.

I don’t always agree with Krypteia, but I always appreciate reading and considering his thoughts on things. And given my personal and professional connections to Mexico, I particularly appreciated his latest piece on La Amenaza de Iraní (sic). He analyzes in detail the recent reports from Univision regarding the now-former Iranian ambassador to Mexico planning “cyberwar” with Mexican university students.

I don’t have much to add to his analysis at the moment, except to take exception with another analyst whom I respect, Jeffrey Carr, who rejects the idea that Iran would bother with “Mexican hackers”.

While I certainly recognize the efforts to which the Chinese have gone in their economic and military espionage (even if some folks dispute some of the specifics), that doesn’t mean that they cover every initiative from every ally. Nor does it mean that the Iranians wouldn’t attempt to grow their network, not least for the reasons Krypteia mentioned in his piece. This fits together well with today’s report on links between Los Zetas and Hizbollah, the latter of which has close ties with Iran.

Whatever the reality of this specific situation, the world has changed over the last two years. We will always have debates about who and why, and even more on what to do about it, but the threat landscape shifts daily.

Michael Chertoff: Addressing APT at MIRcon 2011

NB: The below are my notes from Michael Chertoff’s keynote speech at MIRcon 2011. They do not necessarily represent my views, and in some cases are completely opposed to my views.

The Internet was not built with security in mind, and net culture today believes that it’s inimical to how the Internet works. But we need rules of the road, just like the actual roads. We’ve seen credit card numbers stolen from Wifi networks, and plans stolen from US companies to reproduce our stuff. DDOS attacks on Estonia and Georgia go hand-in-hand with hacktivism against organizations whose politics the attackers don’t like. Most disturbing is the possibility of a disruptive or destructive attack on an industrial control system or key piece of infrastructure. Stuxnet provides a good example, though he’s basing his comments on what’s been reported in the newspapers, which he’ll accept as accurate for the sake of argument. If that can be done to Iran, what can be done to the US or its allies?

So everyone’s at risk: not just the above-mentioned groups, but anyone who does business anywhere in the world. Mine companies negotiating with the Chinese found that they had been “peeking into” their systems for additional leverage. This concept can be used to attack trading or financial platforms in order to gain market advantage. If there’s a widespread belief that some folks have that advantage, it will have an overall negative impact on the performance of the entire market. The challenge is that it seems complicated and expensive to those running mom and pop businesses, who don’t think of themselves as targets of “cyber criminals” even though they are. Identifying steps they can take to reduce their risk and deal with this type of fraud is highly valuable.

There isn’t one problem; there are a whole set of problems. There’s not one piece of software or a Maginot line that will fix things, but focusing on those things to the exclusion of all else ignores other key parts of a possible solution set. Layered defense, not a single point of defense, matters, and he doesn’t just mean hardware and software. Airline security has improved tremendously despite the fact that no one part is perfect (screening, airplanes, customs, etc.).

We’re facing threats from different actors: fraud, IP theft, DDOS attacks, destructive attacks. Different groups of people pursue different sorts of objective. Our approach to criminals centers around prosecution, although this fails somewhat for overseas attackers. Others are trying to “rob us of the birthright of our intellectual property”. So part of the solution set isn’t just arresting people (you can’t arrest nation states). You have to implement deterrence to prevent them, unlike with ordinary criminals. Nation states may have to respond at that level, rather than how we deal with criminals.

The vectors for these attacks are in three categories: over the network (the most imagined); the hardware and software in devices and systems (from fabrication of chips all the way to assembly); and the human factor (negligence or malice). Get away from the proposition that there’s a simple fix; there will never be perfect security. Concentrate on risk mitigation and risk management. You have to array all your tools against all your attackers, recognizing that not every tool works against every attack.

This requires a doctrine of cybersecurity. It has to map the landscape, the attackers, the toolset (across all possible actors, including technical, legislative, etc.). These must exist within the boundaries of the Constitution, but Congress can change specific laws subordinate to that. You won’t stop everything, so your best way of mitigating these threats is to live on the network, being aware of what’s going on and knowing what’s problematic. Information sharing also matters, particularly as we get more sophisticated about understanding our attackers. They have “tells”, including simple indicators like IP addresses and more complex indicators like particular techniques. The collection of information about these things is a critical part of building that series of layered defenses. We need to share within and among enterprises.

What role should the government play in this? Americans don’t want the government to have the same sort of control that the Chinese government has. But there are certain tools that the government has. How do we share this information in ways that don’t compromise intelligence sources and methods? There’s a unique relationship between the defense contractors and the government. Sharing exists there, but it needs to get better. In other areas, that particular relationship doesn’t exist: power grid, water grid, transportation, financial services, etc. Chertoff advocates a “private party function” for firms who understand what’s going on in many clients and can then provide information. This could include not just addresses and signatures, but techniques. It’s about people, not just bits, and it’s really a counter-intelligence problem.

How do we train people and build the architecture so it’s easier for people to comply with the rules (and find the people who aren’t)? Social engineering defeats some of the verification questions used when passwords are forgotten. Golden questions allow the user to pre-define the questions and answers themselves. Chertoff sees this as an elegant solution, and therefore a good part of the overall solution set along with the things we already do (firewalls, secure software, etc.). Leaving laptops in hotel rooms needs just as much attention, but it requires another set of solutions.

So take a counter-intel approach and focus on the human domain, not just the tech domain. The threats won’t go away, because the value is online now. The notion of destructive and disruptive tools embedded in our control systems will be an important part of warfighting in the decades to come. Intelligence – knowledge about things and people – and sharing of that intel is the key tool in mitigating the risk.

Addressing my question on responding to civil liberties and intelligence failures for national defense in the cyber domain: an Internet kill switch for the President would probably not work, cause more damage, and be unacceptable. The harder issue is what the private sector can do in the area of civil liberties. Some advocate a series of different networks (like .secure that has no anonymity versus .wildwest with plenty of anonymity and no financial transactions). Are privacy and security opposite to each other? Security is an indefensible civil liberty. If the government is unable to secure our tax records, the promise of privacy there is worthless. People need to understand that, without security, they won’t have privacy. Understand that there will be a government on your network: will it be ours or a foreign government?

Naming and shaming can be counterproductive to information sharing. DHS could create a set of standards or metrics, and critical infrastructure organizations that don’t achieve them would suffer some form of disclosure. This has to be crafted in a way not to disclose that a company has had a breach but that they’ve not addressed underlying issues. Don’t penalize somebody for failure but for not trying or taking reasonable steps.

The rules are different for multinational enterprises, because their rules of the road are very different. So the entry point of a compromise can strongly affect how an investigation proceeds. In Europe, this is a challenge because protecting the privacy of one employee may put the privacy of all the other employees at risk. Europeans are historically fixated on data protection against the government and big institutions, not networks or criminals or terrorists, and they need to change.

We can’t take offense: you can’t go follow a burglar back to his house, break in, and take your stuff back. On the Internet, the attribution problem makes this particularly difficult as the hops from which you see the attacker could be a victim itself. This leads to problems with deterrence policies, since you can’t go to war every time you find a spy. But if you suffer an actual attack (disabling the power grid), you might want to respond, but against whom? This requires more discussion leading to public policy. You tend to get wars when you misread the other side, like Saddam Hussein misreading the US when he invaded Kuwait. Developing doctrine and policy in advance helps with that issue.

Richard Clarke: The Year of the Hack

NB: These are my notes of Richard Clarke‘s talk at MIRcon 2011 and don’t necessarily represent my own views.

People are beginning to call this the “Year of the Hack”. No need to go into the details, but he believes that we should look separately at the various attackers’ identities and policy solutions. He uses the abbreviation CHEW.

1: Crime

“Cybergang” money rivals some drug cartels, billions of USD. Foreign law enforcement (e.g. eastern Europe) frequently on the take, so that the real ‘bad guys’ operate from “cybersanctuaries”. We can get the mules sometimes, but that doesn’t solve the issue. Policy solution looks like what’s been done about money laundering, so that the crime doesn’t pay. Grow the Budapest Convention into an organization with teeth, otherwise the costs will increase for banks. And while it’s fine for the banks to get screwed, they pass on the costs to us anyway.

2: Hacktivism

Personified by Wikileaks and other similar groups. Hacking because they believe in cybersecurity is like shooting people because you believe in gun control.

The other group believes that there should be no secrets (unless it’s their own secrets). Overclassification is a real problem, but the Foreign Service has done a good job. The cables aren’t revealing nefarious stuff like if this had happened in the 1970s. The cables should never have been revealed, and the Army should never have allowed a private with a questionable background to have access to these data. The DoD facility where he sat had technology to detect and prevent this stuff but it wasn’t installed and operational.

3: Espionage

A cancer that is destroying our economy. We do it, too, but against foreign governments to protect ourselves. The US doesn’t spy on private corporations and research labs to steal proprietary information for competitive business advantage. The WTO should have written rules about what can and cannot be done via espionage. There are rules about intellectual property, albeit often disregarded. China (primarily) has hacked its way into every corporation it can find in the US, Asia, and Europe, sucking out petabytes of data. Even if data isn’t secret research stuff, they will auction off the data (e.g. transactional data and business plans to international competitors).

The attacks are frequently successful and not noticed, so companies believe they haven’t been hit. In the meantime, a factory in China looks just like theirs and produces stuff just like theirs. And the Predator drone plans were stolen years ago, so the Chinese have the “Flying Dragon” drone that is just like it. In a nation with high labor costs, the only way to compete is through knowledge and innovation. Take that away and we can’t compete.

The technology and systems need to catch up. We need a plan to deal with the “cyber-rape” of our time. The Chinese will never stop until we penalize them somehow, either overtly (sanctions, etc.) or covertly. We’re not doing either.

4: War (cyberwar)

Something we’ve never had yet. It’s not hype; if it weren’t real, we wouldn’t have a 4-star general running Cyber Command and the Navy’s 10th Fleet that has no ships.

We’re talking about blowing up the same things in society that we traditionally blow up with missiles: telco facilities, power generators, all communications. We can also do it from data centers in Nevada and Maryland, like the Russians DDOSing Estonia or Georgia.

Then there’s Stuxnet. (China’s not the only country stealing digital certificates.) It looked for very specific sorts of SCADA operating systems, and when it found one, it looked very closely at which particular version and deployment it had found. 1000 of the Iranian nuclear centrifuges were physically damaged so badly that they had to be removed and replaced, but without using B2 bombers.

The code is available now, as it didn’t actually wipe itself. People can modify and redeploy it to attack other SCADA systems, including inside the US. Someday, someone will attack us this way. It doesn’t even have to be a nation state like Iran. It could be some “nutcase group” that gets its hands on attack software. Cyber Command defends .mil and .gov but not .com. DHS can offer assistance, but companies have to defend themselves.

This is like asking every company in the Cold War to mount their own anti-air defenses against Soviet bombers. But Washington thinks any new government regulation of any sort is a bad thing. Until regulations require ISPs to filter packets and SCADA systems to disconnect from the Internet, none of these things will happen.