Thursday, March 18, 2010

The Tiger and the Ghost

Companies like Mandiant have placed themselves in the lead of the counter-APT fight in a lot of people's eyes. I respect this, and they certainly have teams with great skill and experience. They have done a great job of stirring up a lot of discussion, and have caused a lot of debate. An unfortunate side effect of this is that a lot of people have put on their firefighter hats, and are chasing ghosts. No, not ghosts that pop out of closets and say "boo!". I mean ghosts as in invisible warriors. Unfortunately, this effect is precisely what is expected, and possibly even wanted by our enemies.

A quick word about Mandiant's claims about our adversaries' tactics: they are spot on.

Yes, this post is about the APT. However, it is not about their specific tactical assaults. I would submit that though this is important, the most important aspect of countering the APT is understanding him. I've asked before if it really matters how new this threat is. I still contend it does not. Walking that path is wasted effort. It's time to step up our game to understand the enemy.

For several years there have been warnings and warning signs that this adversary was up to something. Several allied countries were penetrated by the ghosts. The U.S. was hit hard during this time as well. While all of this is going on, officials are disavowing and claiming no knowledge of these attacks. Meanwhile, the military general standing behind said official is trying hard to keep his lip from curling into a tiger's smile.

Stratagem 1:
Deceive the heaven to cross the sea.

For years, we have invited the tiger in for dinner. And why not? He knocked at the door and asked nicely. Only he didn't outright kill us. He learned about us, in the open, and with our invitation. It was accomplished through foreign exchange studies, open trade agreements, imports & exports, business mergers, the legal system, and watching us fight in Kosovo, Iraq, and Afghanistan. They watched us unleash our strike packages, and watched others defend against them. This was done until he felt he could learn no more. He took all he learned and used it for further study.

Stratagem 3:
Kill with a borrowed knife.

Our enemy is no doubt using the works of others to strengthen himself while wearing us down. If your army is not strong enough for attack, let the works of others weaken the enemy. They let our industries get worn down by the daily barrage of malware infections, lesser intrusions, and perhaps some more skilled adversaries. While all of this is going on, they conserve strength.

Stratagem 4:
Wait at ease for the enemy.

Our networks are under constant barrages by lesser opponents, or skilled opponents using simple techniques and tactics to wear down defenses and tie down huge numbers of defenders. Exhaust his will to fight before the real fight comes. This enemy clearly practices this strategy. These ghosts do not step up their game until they have to; they do not reveal the full breadth and depth of their plans until we match them.

What does our enemy want?
To establish the links between political, economic and military installations. To exploit ways to control & disable our ability to maintain C2 or C4I. To identify key systems and perform what Mr. Tim Thomas calls "acupuncture warfare" with precision strikes. The adversary is aiming to close market gaps and gain the information advantage. This allows him to control and predict our responses and behaviors. Based on the study of "three-three", this adversary focuses on obtaining, transmitting, handling, and protecting information. He defends himself while controlling our actions, or attempting to control our actions, with the incursions we are seeing. He seeks to level the playing field through the use of information.

Too much reliance on technology to do the work has led us to a situation where many don't know how to begin fighting this adversary. He has been honing his skills in this space for nearly two decades. If you don't know yourself, you will lose. That is: what are your key systems, what relationships do you have with other organizations, and who maintains these relationships? What are your true capabilities? Do they match your requirements? These are just some of the questions that need to be answered.

This has nothing to do with what technology you can buy. This has everything to do with how you think, how your boss thinks, how their boss thinks and so on, and how your enemy thinks. If you're just joining, welcome to the fight.


bob said...

Excellent analysis, it's very true.
In the past the primary way to weaken another country's economy was to use direct military force.
Indirect methods, with spies for example, were high risk with less effect.

Hostile countries (not necessarily overtly) don't need to invade another country; they can directly control the other country's economy, purchase companies and resources, as well as use their own resources to weaken another country's economy.
1. USA's manufacturing base has been weakened by cheap manufacturing in Communist China and the IP stealing which ensues with this exported manufacturing.
(The companies don't need to worry about pollution mitigation costs and paying staff proper wages)
2. Rare earths market takeover
3. Exchange rate manipulation

Also fits with some of the ideas in the following link.
Cyberwar/APT ... etc is an extension on this. To steal information or damage infrastructure one previously needed spies, now with APT attacks someone can directly access and manipulate sensitive information from across the world.

Russia & China are very good at using their own hackers like Privateers.
From Wikipedia: "A privateer is a private person or ship authorized by a government by letters of marque to attack foreign shipping during wartime."
This is what is happening now, deniable hacking assets.
Don't know if the US should do this but it is a concern. (issues with the two edged sword)

The United States needs to realise that war has broadened from just direct military force to attacks in other avenues.
Just because they were not directly attackable in the past doesn't mean they can't be attacked now.

Businesses should probably see themselves as being on the frontier and able to be directly attacked.
It's back to the wild west all over again but most haven't noticed.