
The Industrialization of Hacking – A New Era in IT Security


An article on securityweek.com (http://www.securityweek.com/industrialization-hacking-new-era-it-security) examines what author Marc Solomon calls the “Industrialization of Hacking”, likening it to the rise of the Industrial Revolution. He also offers advice on how best to protect systems from these increasingly sophisticated attacks.

According to Mr. Solomon, in order to properly defend your network you have to understand it. You also have to build flexibility into your protection in order to respond to changing security needs. If you can add and change protection to evolve with your environment, you won’t have to start over as new threats develop.

Hacking has grown from a hobby to an organized system. Much like in the Industrial Revolution, innovation has led to easier ways for hackers to attack systems. As hacking has become increasingly profitable, new methods are developed to make it more efficient.

Much as transportation improvements in the Industrial Revolution led to a more connected world, new advances in networks, devices and technologies have made it easier to transport malware and conduct attacks anywhere in the world. Communications innovations such as mobile devices allow widespread connections for users, exposing new security threats. It is increasingly easy for hackers to gather personal information from unwitting users and to upload malware through the wide variety of platforms used to access the internet. It is difficult for IT administrators to control and keep up with the new threats posed by the variety of devices used to connect to the network.

Hackers used to be motivated simply by the ability to break into a system. Now hackers are motivated by financial gain. Hackers are becoming more secretive about their methods and have more incentive to launch new and increasingly sophisticated attacks. Security technologies need to stay ahead of hackers while staying within an organization’s budget constraints. Mr. Solomon suggests methods that provide the ability to detect malware and quarantine files, as well as to analyze and evolve threat detection based on information gathered from attempted attacks.

The best investment, hands down, seems to be training: advanced training that covers the leading advanced persistent threat techniques that are new and cutting edge (here is my Advanced Persistent Threat training class).

I’m doing Hacker’s Breakfast. 3-hr Workshops in MD and VA. Check it out: http://ow.ly/9bRnG

CyberWar…CyberWar…CyberWar

I don’t know how I hadn’t seen this before, but I have to admit that I thought General Hayden gave a really thought provoking speech that touched a lot of important areas. I strongly encourage you to watch the video.

Here are some thoughts I had while I was watching it:

  • Cyber is a DOMAIN (e.g. Land, Sea, Air, Space – now Cyber)
  • Shaping military thinking (Global, Strategic, etc)
  • My thought is – how feasible/scalable is this? It’s not kinetic/measurable!

He makes an analogy of how we (IT people) make the IT world like the north German plain (flat). Then we bitch about getting invaded.

  • In terms of military strategy, how would you deal with this?
  • There is no high ground to seek.
  • There is no real front or rear.
  • From a military standpoint I think your advantage would be visibility, and you would focus on ensuring that you are not flanked or overrun.
  • Immediate tasks to execute are:
    • Set up extended observation posts to know when the enemy is approaching
    • Dig in (trenches, foxholes, etc), focus on communication and the ability to move
    • Set up strategic firing positions
  • I guess the question is how do you replicate this in the Cyber world – which seems to be his point as well.


The General made a statement that was very powerful (MARTIN C. LIBICKI: CounterDeterrance & CyberWar)


I would sum all of this up with what I hear from a lot of the military people I work with.

  • The problem with selling CyberWar is that it is NOT kinetic.
  • Attribution is nearly impossible

In the “Cyber” world I see a lot of the functional equivalent of Explosive Ordnance Disposal (EOD) – analyzing malware and trying to collect Intel on it, like an EOD guy examines bombs to learn about the enemy. I think there are just too many rules placed on the guys doing that kind of work. The General references it (in my opinion) by talking about the relationship between CND/CNE/CNA.

  1. Interesting paradigm:
    • CND = DHS money and rules
    • CNE = Intel community – Title 50 (secret squirrel stuff – people stuck in a SCIF)
    • CNA = DoD – Title 10, laws of armed conflict
  2. Chinese Espionage Effort (23 minute point)
    • Build/Buy/Steal whatever it is they need to make things equal
  3. Cyber Domain Difference:
    • Intel precedes Ops in the physical world
    • Ops precede Intel in the Cyber world
    • This is profoundly important – way to go on articulating this, sir.

I don’t know if it is just because the military is so near and dear to my heart, or if I’m just a freak for CyberWar stuff, or what. I thought this was a really good presentation.

To wrap up the subject of CyberWar for this blog post I want to add one other tidbit of info. It’s part of a blog post that I started writing a few weeks ago and of course didn’t finish, but I think it will wrap up this post here fairly well.

It all started a few weeks ago. I was talking to a good friend of mine, Marco, about CyberWar and APT. We were talking specifically about naysayers – people that don’t believe in APT and CyberWar.

I did some Googling and found a pretty interesting debate about whether the CyberWar threat is grossly exaggerated or not.

It’s not deeply technical, but it does have some good speakers, or debaters if you will.

Arguing that the Cyber War Threat is grossly exaggerated are Bruce Schneier and Marc Rotenberg.

Arguing against, that the Cyber War Threat is not exaggerated, are Mike McConnell and Jonathan Zittrain.

Bruce Schneier is..well…umm..he’s Bruce. There are no words to describe Bruce.

http://en.wikipedia.org/wiki/Bruce_Schneier

Marc Rotenberg is an Internet Privacy rights type.

http://en.wikipedia.org/wiki/Marc_Rotenberg

Mike McConnell was a Vice Admiral in the Navy, former Director of the NSA, and Director of National Intelligence (2007 – 2009), and is now Executive Vice President at Booz Allen Hamilton.

http://en.wikipedia.org/wiki/John_Michael_McConnell

Jonathan Zittrain is an Internet Law professor at Harvard.

http://en.wikipedia.org/wiki/Jonathan_Zittrain

I thought the debate was good (for the most part) – there were a few times that I thought Marc Rotenberg was pushing the Internet privacy agenda a bit too much, but overall I thought it was a good debate.

Take a look for yourself and let me know what you think.

Intelligence Squared US: Cyber War Debate

Help Advanced Persistent Threat

I Need Help!!!!

My goal is for this site to become the top resource on the internet for Advanced Persistent Threat related information, and more importantly have everything on the site be free. I don’t want the site to be about FUD (Fear Uncertainty and Doubt), hype, or vendor BS.

Anyone that deals with APT is tired of the hype, and even more tired of vendors trying to scare us into buying their products only to find out that they don’t work for identifying and stopping APT.

I’m looking for help with developing relevant content for this site. I’m hoping to get the community involved in the following areas:


Intel (you can be completely anonymous – we won’t leak who you are or where you work):

  • Providing information about state sponsored hackers (Targets, tactics, techniques, etc)
  • Providing information about cyber crime hackers (Targets, tactics, techniques, etc)
  • Providing information about zero-day exploits, highly specialized back doors


Tool Development:

  • Providing tools that can be used to emulate APT tools/tactics
  • Providing tools that can be used to identify APT attacks


Signatures:

  • Providing signatures that can be used in helping organizations identify APT attacks


Please contact me at: joe {no spam} strategicsec.com. If you need to encrypt emails to me, you can use my public key.

State Sponsored Hackers and The Above Ground Exploit Market

I just finished reading a pretty good article from Kaspersky’s ThreatPost.com website. The article was about how Nation State Attackers target Adobe products (PDF reader, Flash, Shockwave, etc). I especially liked the part of the article where Dennis Fisher, the article’s author, describes the evolution of a zero-day working its way down to crimeware attack packs (note – where Arkin is mentioned below, the author is referring to Brad Arkin, the senior director of product security and privacy at Adobe):

=-=-=-=-=-=-=-=-=-=-=-=-=-
“..when a new attack involving a zero-day bug in one of Adobe’s products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. Once the security teams at those organizations find and analyze the threat, Arkin said his team will begin getting a flurry of calls within an hour or two as the campaign hits.

From there, the attack will often then move down the ladder to other large enterprises and then smaller ones as the new exploit shows up in crimeware packs and automated attack tools. By that time, it’s likely an entirely different set of attackers using the exploit. But it’s the well-funded and highly skilled attackers who are doing the real heavy lifting in terms of finding new bugs and designing methods to exploit them.

“These samples trickle downhill really quickly and show up in crime packs,” Arkin said. “The actual exploits it turns out are very, very expensive and difficult to build. Finding the flaw is a lot easier than writing the exploit.”

=-=-=-=-=-=-=-=-=-=-=-=-=-

This is really good, and it is something that isn’t very well understood in my opinion. I do however think that there is another wrinkle here, and that is the actual sale of zero-day exploits. A good PDF zero-day exploit, for example, can be worth over $50,000.

Charlie Miller wrote a good whitepaper about the legitimate buying and selling of exploits while he was working at Independent Security Evaluators. In one of Charlie’s presentations, at the AusCERT 2008 security conference, he showed a chart with a price breakdown for the various exploit types commonly sold. Although the presentation was given in 2008, the pricing still holds fairly well today as a reference. Note: everywhere in the chart that you see Vista, just mentally replace it with Windows 7.


Security.StackExchange.com has an answered question, “Which companies facilitate payment in return for vulnerability disclosure?”, that provides a very good list of companies that actually purchase zero-day exploits from security researchers and exploit developers.

Certain companies like Mozilla and Google have established bug bounty programs – they buy vulnerabilities in their own software themselves. These bug bounty programs generally pay anywhere from a few hundred to a few thousand dollars.

A ripple in the pond of exploits for sale is the buying and selling of non-zero-day exploits. Now offhand you’d probably think these types of exploits don’t have any real value because there is already a known fix for them, but au contraire mon frere, check out ExploitHub. They’ve even gotten some decent press as well:


Technical details about the RSA hack

I really like this blog post about the RSA attack by F-Secure. Take a look at this – I think you’ll really like it:

http://www.f-secure.com/weblog/archives/00002226.html

Here are a few more references you can take a look at:

I know this video is an overly simplified explanation of the attack, but hey man you gotta start somewhere.


Here is a little more of a technical walk-through about the RSA attack:


Analysis of Stuxnet

Quite frankly I’m tired of talking about Stuxnet, but I have to admit that, as tired as I am of it, I really don’t like it when people get their facts wrong about it. I decided to put together a list of resources for Stuxnet-related info.

News articles:

Security Researcher Presentations:

http://media.blackhat.com/bh-dc-11/Parker/BlackHat_DC_2011_Parker_Finger%20Pointing-Slides.pdf

Whitepapers:

http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

http://abterra.ca/papers/How-Stuxnet-Spreads.pdf

http://www.aisec.fraunhofer.de/content/dam/sitmuc/en/pdf/studien/studie_stuxnet.pdf

http://www.fas.org/sgp/crs/natsec/R41524.pdf

http://www.xmco.fr/actu-secu/XMCO-ActuSecu-27-STUXNET_EN.pdf

Videos:



More technical information:

LNK vulnerabilities/Stuxnet
