FireStarter: APT—It’s Called “Espionage”, not “Information Warfare”By Rich
There’s been a lot of talk on the Interwebs recently about the whole Google/China thing. While there are a few bright spots (like anything from the keyboard of Richard Bejtlich), most of it’s pretty bad.
Rather than rehashing the potential attack details, I want to step back and start talking about the bigger picture and its potential implications. The Google hack – Aurora or whatever you want to call it – isn’t the end (or the beginning) of the Advanced Persistent Threat, and it’s important for us to evaluate these incidents in context and use them to prepare for the future.
- As usual, instead of banding together, parts of the industry turned on each other to fight over the bones. On one side are pundits claiming how incredibly new and sophisticated the attack was. The other side insisted it was a stupid basic attack of no technical complexity, and that they had way better zero days which wouldn’t have ever been caught. Few realize that those two statements are not mutually exclusive – some organizations experience these kinds of attacks on a continuing basis (that’s why they’re called “persistent”). For other organizations (most of them) the combination of a zero-day with encrypted channels is way more advanced than what they’re used to or prepared for. It’s all a matter of perspective, and your ability to detect this stuff in the first place.
- The research community pounced on this, with many expressing disdain at the lack of sophistication of the attack. Guess what, folks, the attack was only as sophisticated as it needed to be. Why burn your IE8/Win7 zero day if you don’t have to? I don’t care if an attack isn’t elegant – if it works, it’s something to worry about.
- Do not think, for one instant, that the latest wave of attacks represents the total offensive capacity of our opponents.
- This is espionage, not ‘warfare’ and it is the logical extension of how countries have been spying on each other since the dawn of human history. You do not get to use the word ‘war’ if there aren’t bodies, bombs, and blood involved. You don’t get to tack ‘cyber’ onto something just because someone used a computer.
- There are few to no consequences if you’re caught. When you need a passport to spy you can be sent home or killed. When all you need is an IP address, the worst that can happen is your wife gets pissed because she thinks you’re browsing porn all night.
- There is no motivation for China to stop. They own major portions of our national debt and most of our manufacturing capacity, and are perceived as an essential market for US economic growth. We (the US and much of Europe) are in no position to apply any serious economic sanctions. China knows this, and it allows them great latitude to operate.
- Ever vendor who tells me they can ‘solve’ APT instantly ends up on my snake oil list. There isn’t a tool on the market, or even a collection of tools, that can eliminate these attacks. It’s like the TSA – trying to apply new technologies to stop yesterday’s threats. We can make it a lot harder for the attacker, but when they have all the time in the world and the resources of a country behind them, it’s impossible to build insurmountable walls.
As I said in Yes Virginia, China Is Spying and Stealing Our Stuff, advanced attacks from a patient, persistent, dangerous actor have been going on for a few years, and will only increase over time. As Richard noted, we’ve seen these attacks move from targeting only military systems, to general government, to defense contractors and infrastructure, and now to general enterprise.
Essentially, any organization that produces intellectual property (including trade secrets and processes) is a potential target. Any widely adopted technology services with private information (hello, ISPs, email services, and social networks), any manufacturing (especially chemical/pharma), any infrastructure provider, and any provider of goods to infrastructure providers are on the list.
The vast majority of our security tools and defenses are designed to prevent crimes of opportunity. We’ve been saying for years that you don’t have to outrun the bear, just a fellow hiker. This round of attacks, and the dramatic rise of financial breaches over the past few years, tells us those days are over. More organizations are being deliberately targeted and need to adjust their thinking. On the upside, even our well-resourced opponents are still far from having infinite resources.
Since this is the FireStarter I’ll put my recommendations into a separate post. But to spur discussion, I’ll ask what you would do to defend against a motivated, funded, and trained opponent?
I hate to be the voice of doom but there isn’t a way to keep out a skilled, patient, and motivated opponent because the most vulnerable attack vector is the human being, not the network. That’s why client-side attacks are so much more effective than server-side attacks.
Having said that, I still support “Segregate and Simplify” as a good starting point. Equally important though is identifying your critical assets. Then you can begin to narrow the list of potential adversaries based on who’s interested in those assets and mount an informed defense.
Yep- I went ahead and did another post on strategies for APT late yesterday. To be honest they are a bit trite, and are mostly about setting yourself up for stronger security controls in general. COmpartmentalization, monitoring, and trying to keep things at least somewhat up to date.
As David has pointed out the best method is IMO to simplify and segregate. This is easier said than done in existing enterprise configurations.. For new ones it’s simple enough. At certain gov agencies they have terminals where say the developers/coders do their work on their machines that have no physical access for CD’s, usb’s, anything. These machines also have complete segregation and routing to the internet. Then when the employee wants to get on the internet they have to go to a centralized area that has the terminals that do route to the internet. The real problems created are when we blend the two configurations in workplaces while trying to enforce the rules and at the same time pleasing the customer. No-win battle..I know Captain Obvious to the rescue…
By Ben K
Thought provoking post. Thank you.
To answer your question: I think the answer isn’t a technological one. It’s simply vigilance/minimizing the risks, being prepared for the event and having a Plan B.
By James Tay
In my little corner, I haven’t seen CISOs overreact. The only thing that’s changed is a bit more evidence to support your existing risk assessment.
When you have the conversation with the business owners re: the latest, present them with the same options on the cost/convenience spectrum and your recommendation of control changes. Empower them to chose what’s best and move on until the next learning event.
With every disclosed breach we move farther away from being victims toward accepting the risk in order to do business efficiently. Nothing wrong with <risky practices> if expectations are set.
The only thing you can do is reduce, simplify and segregate. Reduce access and exposure. Simplify the ways-in and ways-out. Segregate high risk assets.
There are too many screen doors protecting the goods - it literally only takes minutes to skim resources that afford one a list of thousands of launching points. From then it’s just a matter of statistics. The more opportunities the higher likelihood that one will work. That’s all you need - one.
I still don’t understand why most organizations have workstations / laptops anymore. You don’t need them. And if you do, it should be special purpose that’s highly restricted.
I hear “Protect our intellectual property!” quite often. But there is nothing done to actually reflect this. You can’t win in this scenario unless you actually address it. And that means convenience is going to go straight back out the screen door. That’s how it is.
By David J. Meier