According to Mr. Solomon, in order to properly defend your network you have to understand it. You also have to build in flexibility to your protection in order to respond to changing security needs. If you can add and change protection to evolve with your environment, you won’t have to start over as new threats develop.

Hacking has grown from a hobby to an organized system. Much like in the Industrial Revolution, innovation has led to easier ways for hackers to attack systems. As hacking has become increasingly profitable, new methods are developed to make it more efficient.

Much as transportation improvements in the Industrial Revolution led to a more connected world, so have new advances in networks, devices and technologies have made it easier to transport malware and conduct attacks anywhere in the world. Communications innovations such as mobile devices allow for widespread connections for users, exposing new security threats. It is increasingly easier for hackers to gather personal information from unwitting users and to upload malware from the wide variety of platforms used to access the internet. It is difficult for IT administrators to control and keep up with new threats posed by the variety of devices used to connect to the network.

Hackers used to be motivated simply by the ability to break into a system. Now hackers are motivated by financial gains. Hackers are becoming more secretive about their methods and have more incentive to launch new and increasingly sophisticated attacks. Security technologies need to stay ahead of hackers while staying within an organization’s budget constraints. Mr. Solomon suggest methods that provide the ability to detect malware and quarantine files, as well as analyze and evolve threat detection based on information gathered from attempted attacks.

The best investment seems to be hands-down, training. Advanced training that covers the leading advanced persistent threat (here is my Advanced Persistent Threat training class) techniques that are new and cutting edge.

Here are some thoughts I had while I was watching it:

• Cyber is a DOMAIN (eg: Land, Sea, Air, Space – now Cyber)
• Shaping military thinking (Global, Strategic, etc)
• My thought is – how feasible/scalable is this? It’s not kinetic/measurable!

He makes an analogy of how we (IT people) make the IT world like the north German plain (flat). Then we bitch about getting invaded.

• In terms of military strategy how would you deal with this.
• There is no high ground to seek.
• There is no real front or rear.
• From a military standpoint I think your advantage would be visibility, and you would focus on ensuring that you are not flanked or overrun.
• Immediate tasks to execute are:
• Set up extended observation posts to know when the enemy is approaching
• Dig in (trenches, foxholes, etc), focus on communication and the ability to move
• Set up strategic firing positions
• I guess the question is how do you replicate this in the Cyber world – which seems to be his point as well.

The General made a statement that was very powerful (MARTIN C. LIBICKI: CounterDeterrance & CyberWar)

• I think this is the reference from RAND (I could be wrong): Cyberdeterrence and Cyberwar
• I think this is his book: http://www.amazon.com/Cyberdeterrence-Cyberwar-Martin-C-Libicki/dp/0833047345

I would sum all of this up with what I hear from a lot of the military people I work with.

• The problem with selling CyberWar is that it is NOT kinetic.
• Attribution is nearly impossible

In the “Cyber” world I see a lot of the functional equivalent of Explosive Ordinance Disposal (EOD) – analyzing malware and trying to collect Intel on it like an EOD guy examines bombs to learn about the enemy. I think there are just too many rules placed on those guys doing that kind of work. The General references it (in my opinion) by talking about the relationship between CND/CNE/CNA.

1. Interesting paradigm:
   • CND = DHS money and rules
   • CNE = Intel community – title 50 (secret squirrel stuff – people stuck in a SCIF)
   • CNA = DoD – title 10 laws of armed conflict

1. Chinese Espionage Effort (23 minute point)
   • Build/Buy/Steal whatever it is they need to make things equal

1. Cyber Domain Difference:
   • Intel precedes OPs in the physical world
   • OPs preceeds intel in the Cyber world
   • This is profoundly important – way to go on articulating this sir.

I don’t know if it is just because the military is so near and dear to my heart, or if I’m just a freak for CyberWar stuff, or what. I thought this was a really good presendation.

To wrap up the subject of CyberWar for this blog post I want to add one other tidbit of info. It’s part of a blog post that I started writing a few weeks ago and of course didn’t finish, but I think it will wrap up this post here fairly well.

It all started a few weeks ago. I was talking to a good friend of mine Marco about CyberWar, and APT. We were talking specifically about ney sayers – people that don’t believe in APT and CyberWar.

I did some Googling and found a pretty interesting debate about whether the CyberWar threat is grossly exagerated or not.

It’s not deeply technical, but it does have some good speakers or debators if you will.

Arguing for the Cyber War Threat being grossly exagerated are Bruce Schneier, and Marc Rotenberg.

Arguing against the Cyber War Threat not being exagerated Mike McConnell, and Jonathan Zitrain.

Bruce Schneier is..well…umm..he’s Bruce. There are no words to describe Bruce.

http://en.wikipedia.org/wiki/Bruce_Schneier

Marc Rotenberg is an Internet Privacy rights type.

http://en.wikipedia.org/wiki/Marc_Rotenberg

Mike McConnel was a Vice Admiral in the Navy, former Director of the NSA, and Director of National Intelligence (2007 – 2009), and now Executive Vice President at Booz Allen Hamilton.

http://en.wikipedia.org/wiki/John_Michael_McConnell

Jonathon Zitrain is an Internet Law professor at Harvard

http://en.wikipedia.org/wiki/Jonathan_Zittrain

I thought the debate was good (for the most part) – there were a few times that I thought Marc Rotenberg was pushing the Internet privacy agenda a bit too much, but overall I thought it was a good debate.

Take a look for yourself and let me know what you think.

Intelligence Squared US: Cyber War Debate

My goal is for this site to become the top resource on the internet for Advanced Persistent Threat related information, and more importantly have everything on the site be free. I don’t want the site to be about FUD (Fear Uncertainty and Doubt), hype, or vendor BS.

Anyone that deals with APT is tired of the hype, and even more tired of vendors trying to scare us into buying their products only to find out that they don’t work for identifying and stopping APT.

I’m looking for help with developing relevant content for this site. I’m hoping to get the community involved in the following areas:

Intel (you can be completely anonymous – we won’t leak who you are or where you work):

• Providing information about state sponsored hackers (Targets, tactics, techniques, etc)
• Providing information about cyber crime hackers (Targets, tactics, techniques, etc)
• Providing information about zero-day exploits, highly specialized back doors

Tool Development:

• Providing tools that can be used to either emulate APT tools/tactics
• Providing tools that can be used to identify APT attacks

Signatures:

• Providing signatures that can be used in helping organizations identify APT attacks

Please contact me at: joe {no spam} strategicsec.com. If you need to encrypt emails to me, you can you use my public key.

=-=-=-=-=-=-=-=-=-=-=-=-=-
“..when a new attack involving a zero-day bug in one of Adobe’s products starts, it typically will begin with attacks against a select group of high-profile organizations. That usually means defense contractors, government agencies or large financial services companies. Once the security teams at those organizations find and analyze the threat, Arkin said his team will begin getting a flurry of calls within an hour or two as the campaign hits.

From there, the attack will often then move down the ladder to other large enterprises and then smaller ones as the new exploit shows up in crimeware packs and automated attack tools. By that time, it’s likely an entirely different set of attackers using the exploit. But it’s the well-funded and highly skilled attackers who are doing the real heavy lifting in terms of finding new bugs and designing methods to exploit them.

“These samples trickle downhill really quickly and show up in crime packs,” Arkin said. “The actual exploits it turns out are very, very expensive and difficult to build. Finding the flaw is a lot easier than writing the exploit.

=-=-=-=-=-=-=-=-=-=-=-=-=-

This is really good, and it is something that isn’t very well understood in my opinion. I do however think that there is another wrinkle here and that is the actual sale of zero-day exploits. A good PDF zero-day exploit for example can be worth over $50,000 dollars.

Charlie Miller wrote a good whitepaper about the legitimate buying and selling of exploits while he was working at Independent Security Evaluators.In one of Charlie’s presentations at AuCert2008 security conference his presentation had a chart with a price breakdown for the various exploit types commonly sold. Although the presentation was given in 2008, the pricing still holds fairly well today as a reference. Note everywhere in the chart that you see Vista, just mentally replaace it with Windows 7.

Security.StackExchange.com has the question “Which companies facilitate payment in return for vulnerability disclosure?” answered and they provide a very good list of companies that actually purchase zero-day exploits from security researchers and exploit developers.

• Zero Day Initiative (ZDI) by TippingPoint
• iDefense
• iSight
• SecuriTeam
• Netragard
• COSEINC
• Immunity

Certain companies like Mozilla and Google have established bug bounty programs – they buy vulnerabilities of their software themselves. These bug bounty programs are generally paying anywhere from few hundred to a few thousand dollars.

A ripple in the pond of exploits for sale is the buying and selling of non-zero day exploits. Now off hand you’d probably think these types of exploits don’t have any real value because there is already a known fix for them, but au contraire mon frere, check out ExploitHub. They’ve even gotten some decent press as well:

• Forbes
• eWeek
• Dark Reading
• Softpedia

http://www.f-secure.com/weblog/archives/00002226.html

Here are a few more references you can take a look at:

I know this video is an overly simplified explanation of the attack, but hey man you gotta start somewhere.

Here is a little more of a technical walk-through about the RSA attack:

News articles:

Security Researcher Presentations:

http://media.blackhat.com/bh-dc-11/Parker/BlackHat_DC_2011_Parker_Finger%20Pointing-Slides.pdf

Whitepapers:

http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

http://abterra.ca/papers/How-Stuxnet-Spreads.pdf

http://www.aisec.fraunhofer.de/content/dam/sitmuc/en/pdf/studien/studie_stuxnet.pdf

http://www.fas.org/sgp/crs/natsec/R41524.pdf

http://www.xmco.fr/actu-secu/XMCO-ActuSecu-27-STUXNET_EN.pdf

Videos:

More technical information:

LNK vulnerabilities/Stuxnet

There are very few public details about how bad this attack really was. Those of us that work in or with the DoD have an idea of how critical the attack must have been because of the defensive measures that have been put in place since the attack.

http://cnettv.cnet.com/av/video/cbsnews/atlantis2/cbsnews_player_embed.swf

Here is opening quote from the blog post:

“China is often blamed for launching online attacks, but the evidence is almost always circumstantial. Many of the targeted espionage trojans seem to come from China, but we can’t actually prove it.

However, some new evidence has just surfaced.”

Source:

http://www.f-secure.com/weblog/archives/00002221.html

The follow-on blog post shows how the video proof was removed:

http://www.f-secure.com/weblog/archives/00002224.html

It’s hard to have a real conversation about CyberWar that’s not FUD, and I think this 60 minutes special is pretty good, but it’s a little on the FUD side in my opinion.

I do love the point made that we (meaning the USA) do this stuff too.

http://cnettv.cnet.com/av/video/cbsnews/atlantis2/cbsnews_player_embed.swf