Thursday, March 18, 2010

The Tiger and the Ghost

Companies like Mandiant have placed themselves in the lead of the counter-APT fight in a lot of people's eyes. I respect this, and they certainly have teams with great skill and experience. They have done a great job of stirring up a lot of discussion, and have caused a lot of debate. An unfortunate side effect of this is that a lot of people have put on their firefighter hats, and are chasing ghosts. No, not ghosts that pop out of closets and say "boo!". I mean ghosts as in invisible warriors. Unfortunately, this effect is precisely what is expected, and possibly even wanted by our enemies.

A quick word about Mandiant's claims about our adversaries' tactics. They are spot on.

Yes, this post is about the APT. However, it is not about their specific tactical assaults. I would submit that though this is important, the most important aspect of countering the APT is understanding him. I've asked before if it really matters how new this threat is. I still contend it does not. Walking that path is wasted effort. It's time to step up our game to understand the enemy.

For several years there have been warnings and warning signs that this adversary was up to something. Several allied countries were penetrated by the ghosts. The U.S. was hit hard during this time as well. While all of this is going on, officials are disavowing and claiming no knowledge of these attacks. Meanwhile, the military general standing behind said official is trying hard to keep his lip from curling into a tiger's smile.

Stratagem 1:
Deceive the heaven to cross the sea.

For years, we have invited the tiger in for dinner. And why not? He knocked at the door and asked nicely. Only he didn't outright kill us. He learned about us, in the open, and with our invitation. It was accomplished through foreign exchange studies, open trade agreements, imports & exports, business mergers, the legal system, and watching us fight in Kosovo, Iraq, and Afghanistan. They watched us unleash our strike packages, and watched others defend against it. This was done until he felt he could learn no more. He took all he learned and used it for further study.

Stratagem 3:
Kill with a borrowed knife.

Our enemy is no doubt using the works of others to strengthen himself while wearing us down. If your army is not strong enough for attack, let the works of others weaken the enemy. They let our industries get worn down by the daily barrage of malware infections, lesser intrusions, and perhaps some more skilled adversaries. While all of this is going on, they conserve strength.

Stratagem 4:
Wait at ease for the enemy.

Our networks are under constant barrages by lesser opponents, or skilled opponents using simple techniques and tactics to wear down defenses and tie down huge numbers of opponents. Exhaust his will to fight before the real fight comes. This enemy clearly practices this strategy. These ghosts do not step up their game until they have to, they do not reveal the full breadth and depth of their plans until we match them.

What does our enemy want?
To establish the links between political, economic and military installations. To exploit ways to control and disable our ability to maintain C2 or C4I. To identify key systems and perform what Mr. Tim Thomas calls "acupuncture warfare" with precision strikes. The adversary is aiming to close market gaps and gain the information advantage. This allows him to control and predict our responses and behaviors. Based on the study of "three-three", this adversary focuses on obtaining, transmitting, handling, and protecting information. He defends himself while controlling our actions, or attempting to control our actions, with the incursions we are seeing. He seeks to level the playing field through the use of information.

Too much reliance on technology to do the work has led us to a situation where many don't know how to begin fighting this adversary. He has been honing his skills in this space for nearly two decades. If you don't know yourself you will lose. That is, what are your key systems, what relationships do you have with other organizations and who maintains these relationships? What are your true capabilities? Do they match your requirements? These are just some of the questions that need to be answered.

This has nothing to do with what technology you can buy. This has everything to do with how you think, how your boss thinks, how their boss thinks and so on, and how your enemy thinks. If you're just joining, welcome to the fight.
