Saturday, February 6, 2010

We just don't get it

Given all the talk about APT lately, I'm still shocked. Shocked that there are those out there on the 'good guy' side who can do nothing but criticize. One recent discussion that's been heavily debated is how "new" Advanced Persistent Threats are. My question to everyone out there:

"Does it really matter ?"

Every day these enemy combatants are lifting data. Lifting data from organizations they're not supposed to be lifting data from. These data are then being used against us to gain political, economic and military advantages. I've watched the data pass through systems for months and it turns my stomach to think that it's being done with such ease. Especially considering where the data is from. That these attacks occur is nothing new. That these attacks are taking place on such a broad scope is entirely new. That the enemy elements are moving against so many targets at the same time and in such different industries is alarming.

For years I've investigated cybercrime and done malware analysis and intrusion investigations. I can say with relative ease that while the tactics used in these attacks are not necessarily new, there is a certain 'newness' to this type of enemy. The majority of cybercrime that occurs today is automated. Malware has reached a point of templatization such that these toolkits are sold so others can perpetrate more crimes. While certain high profile attacks are definitely not automated and require a crew of clever individuals, many cybercrime incidents are automated.

These attacks are not very automated. Like a skilled tradesman, the attackers reduce overhead by automating only the simple things. When the enemy gains access to your networks, reads your email, browses the internet on your computer, pretends to be you to garner more information from your colleagues, ignores your bank statements but takes schematics, ignores your customer credit card database but steals your organization's futures documents and pilfers from your R&D group, there's a difference. When the same group penetrates military systems and networks, there's a difference. The difference is due to the global scale; the difference is in our ability to remain a competitive nation. The difference is in our military's ability to remain effective. The difference is that this is not just about money.

Regarding their malware:
Is it any wonder that the malware used by this enemy shares common traits with other malware? There are a finite number of methods to accomplish a goal in a given programming language. Is there a reason not to re-use code if it works? Is it any wonder we can look at multiple samples of malware and draw comparisons? Give a fool a katana and he'll cut off his nose. Give a Samurai a katana and he'll cut you in half before you can blink. Malware is a tool of the enemy, not the enemy himself. The right malware in the hands of a skilled opponent is a force multiplier for a real threat, while malware in the hands of a lesser opponent is a nuisance. This enemy is more than their malware.

There is no data breach notification when this enemy penetrates a network and steals data. The notification comes when we have another financial crisis and a foreign government is bailing us out. The notification comes when we have another gas shortage like in the '70s. The notification comes when power grids fail. The notification comes when more of our commerce is outsourced and jobs are lost. The notification comes when our companies are being bought by foreign companies because they can no longer compete. The notification comes when our military cannot protect our interests. This problem is bigger than the security industry. This problem is bigger than IT. The security and IT industries are impotent in this situation. This problem will take governments to solve.

The people who call it hype have not seen this enemy work. They have not seen the contents of the stolen files. The businesses that have recently started doing "Anti-APT audits" are missing the point and trying to capitalize on the situation to further their own business.

What should matter is how successful they have been. What should matter is defending ourselves. What should matter is how and where we share this information. What should matter is taking this information to those with the ability to do something about it. What should matter is taking the fight to the enemy.

So I ask again, does it matter if this threat is new?


Alex said...

It actually matters very much.

1.) If the APT is a new marketing term only to describe what the advanced nation-state threat is or does, then APT-based marketing saying that "the APT is *everyone's* problem" is bullshit. Bullshit that will keep real people from defending from the threats they currently face (the vast majority of which are not the Chinese).

2.) If the APT simply describes a fundamental shift in the capability of the overall population of threats, then this needs to be something that should be studied and understood.

I think of the population of targets and the population of threat agents as gaussian distributions (we don't know the real shape, but that doesn't really matter for the thought exercise).

What isn't clear is if there is a shift in the population of targets that the APT is interested in (the Mandiant report seems to suggest "no", given their case studies). If this is not the case, see #1, above. APT for most people isn't relevant.

However, looking at the Verizon data, you see a lot of incidents caused by customized malware, but very little nation-state activity represented. Given that VZ isn't usually called out to do IR for the Defense Industrial Base, we can't be sure if the dramatic increase in custom malware is an indicator of a threat capability change or not (the DIB's IP theft incidents don't commonly get reported). So there *was* a change in '08 - but *is* this a sustained change we will see in '09? Is this just a blip based on a couple of isolated particular agents? Or is this the APT slowly becoming "everyone's problem" (see #2)?

So yes. If you're the CISO at a Level 1 merchant, the CISO at a large hospital, someone who isn't a target of the Chinese but still needs to balance budget and time defending against the current threat population, vs pulling the "emergency stop" chain, it matters a hell of a lot.

Keydet89 said...

This "APT" discussion is becoming way too polarized. I'm not a critic...I'm an observer who's trying to understand. I've been looking at what's said, and based on my own experience, I'm not seeing the "A" so much, and I've been seeing the "P" for quite a while already, so that's not new to me.

Part of the polarization is leading to identifying some folks who are just asking questions as "critics", and what that's doing is preventing further discussion...which I really think is necessary, and beneficial overall. Some major players in this space are unwilling to engage because they're seeing questions being responded to with ad hominem "attacks". This isn't in every case, of course, but enough that those with something to contribute don't, because they don't want that negative light to be cast, however unjustly, on their team and on their brand.

"That these attacks are taking place on such a broad scope is entirely new."

Is that really the case, or is it that new levels of visibility into networks and infrastructures are what's really new? Like many responders, I've gone on-site for malware issues that occurred a week before my arrival, only to find indications of compromise going back 6 months, and in some cases, as long as 2 yrs.

Based on what's being said, I'm not sure that much of this is really that "new" or in some cases all that "advanced". Some of the examples described are similar to things I, and others, had seen as long as 2 or 3 yrs ago.

Again, I'm not criticizing. I'm trying to understand the overall issue, regardless of what it's called. Breaking into networks and stealing data isn't new. Getting one piece of malware on a system and having it shovel off a shell so that the bad guy can take over manually is nothing new. Gaining access to an infrastructure by subverting misconfigured technology, guessing an admin password, or tricking a user to click on something is nothing new. The genesis from "noisy" malware to quieter, targeted attacks is nothing new.

Perhaps the apparent breadth of victims is new...but again, having responded to a wide variety of environments, a lack of visibility is a common factor, so is the realization of the breadth of victims "new"?

hogfly said...

Great comments. I think it's inevitable that APT attacks will become a marketing buzzword. It already has. The Mandiant Report did a lot of that whether or not it was intentional.

Is there a shift in targets? I would like to think the answer is both yes and no. There are targets that have always been targets for these kinds of attacks. There are new targets however and that I believe to be the result of what the attacks are attempting to accomplish. I do not believe this is a threat capability change, it was changed a few years ago, we're just now seeing it. There will be cases where it is new and cases where these attacks are a daily occurrence. Which was why I was asking whether or not it truly matters.

In a global economy where a country is industrializing at such a rapid rate, the scope of targets grows exponentially. I would readily contend that any CISO worth their salt at any corporation or organization had better be paying attention to this with the realization that they could be a target at any time. The realization needs to occur that though you are not directly a target, one of your employees could be, or more importantly the companies you deal with are, and therefore you are a peripheral target, or a means to an end. These attacks, while advanced in some cases, can often be defeated by practicing 'good IT'.

hogfly said...

Great comments as always. I do not believe you to be a critic either. I honestly have to wonder if we are all a little too focused on what to call this or the title being used to identify these attacks and the attackers. It's not anyone's fault that there is focus on this so I have to ask you, in your opinion, what is 'Advanced'? Keeping in mind that not all of these attacks are truly advanced. There are different classes and tiers of these 'bad guys'.

I also have to wonder again, why does it matter if this is new? The question of 'newness' will always be a matter of perspective and I think it's an irrelevant part of the discussion. I too think it is vital that this issue and these attacks be discussed. It's unfortunate that it's not being discussed outside of closed circles and that very little in the way of true details is able to come to light, and it's also unfortunate that those who could contribute aren't, to the degree that they are able to. Is there a place you know of where discussions are truly happening? I don't think there needs to be any attacking going on and I'd certainly apologize to anyone who thought I or others insulted them. That's not my goal.

I don't think there's been much increase in visibility into networks and infrastructures. It's always been poor at best. That there have been embedded enemies for so long in these infrastructures would support that.

In my opinion what truly separates these from other attacks or attack classes is that it is a dedicated group(s) that is state-sponsored, well funded, with so many motivating factors attacking so many different industries with the goal being the same. Again, I don't think the focus needs to be on whether or not it's new, or even advanced, but rather that this is happening and is wildly successful, no one is or has done anything about it, and that there is truly nothing any of us can do to stop it except on a localized scale.

I think you're right and that if we study an individual attack it will be easy to say this is not new. Tactics are tactics and I would certainly agree that the techniques are not necessarily new. It's a matter of perspective. Attacks will always share common characteristics. Yes, attacks such as this have been occurring for years.

Again, I don't think this matters. I believe the focus needs to be elsewhere. Such as, if you(not you directly, but anyone) believe you saw this two years ago, do you have records of the incident that would allow for comparison to current incidents believed to be the same thing? Such as, if you believe you saw this two years ago, would you be willing or even able to compare notes? If not, that's a problem we need to solve in order to be even remotely effective as an industry.

diocyde said...

APT, I fight it every day, IN the US Government. Which is completely owned/Pwnd. I do malware analysis / forensics and can agree much is simple malware. Some elements are advanced. Compromise is constant.

In my opinion US Gov will never get its act together until it is literally too late. CIOs with no authority, no power, no ability to control budgets, no power to fire/fine people, penalize them for weak security, apathy, overwhelmed by scope, decentralized organizations. Cluelessness to patching, not monitoring logs, not logging, and sheer incompetence. Useless C&A efforts, not enough code reviews and penetration testing. Non-compliance with FDCC. Not locking down RDP. And inability for A/V to keep up or detect right.

Do a Google search for Chinese people doing World of Warcraft Gold Farming. Now imagine that times 10. In your networks, being given targeted information to steal by trained intel officers.

That's the reality. Our weak dickless inability to apply penalties to these actors, who we refuse to OUT, is inexcusable. We know who are behind these attacks.

-it's high time we start waging counter actions and start making them incur costs before it's too late. Surely our military / intel are not doing it because they are so scared of creating a cyberwar. They cybertools like nuclear weapons that need presidential authority.

Better do something quick or the 20 year R&D edge they have on us will be gone and never come back.

Chinese population 1.3 billion, willing to work for peanuts, willing to steal and put us out of business for good.

USA 300 million people, generally not valuing advanced education, spiraling budgets, sort of lacking work ethic and have a sense of privilege and entitlement. Graduating very very few advanced degrees in math, computers and science in comparison to the two major emerging markets India/China.

Do the comparison, see the future. Do something about it or it will be too late.