Enterprise Security vs. Nation State Threat Actors

The recently published Snowden/NSA/GCHQ slides regarding the Gemalto hack have caused quite a stir amongst security practitioners, board members and politicians alike. But the uproar is minor when considering that it is now more than clear that not only non-allied nations such as China, Russia and Iran are attacking commercial entities. Nation states that we are on good terms with are apparently equally willing and able to attack their allies, just to get ahead in the Intelligence and Battlefield Preparation game. Good friend and excellent analyst Richard Stiennon already acknowledged (allied) nation states as a threat actor for the commercial industry in his article “NSA Surveillance Extends the Threat” in 2013. He asserted that the NSA was leading the threat hierarchy and was advocating a global re-evaluation of one’s security stance. From what has been unveiled recently this is due for a revision yet again, as it is clear that British GCHQ is following the same playbook. Given both their membership in the “Five Eyes” community (of which all nations in the Five Eyes are core participants) it is increasingly safe to assume that Australia, Canada and New Zealand follow the same methodology, but that is beside the point of this article.

What does this mean?

When comparing the slides and modus operandi concerning Gemalto with what was disclosed about the Belgacom hack, useful observations can be made regarding the tactics employed by GCHQ and the NSA. And that MO demonstrates quite clearly what the real problems for commercial entities are when faced with a nation state as an adversary.

First off, they are difficult to expect. That’s right: Expect, not Detect (although that is probably equally true). Nation states have considerably different motives and these may not always be obvious. Gemalto and Belgacom were targeted because they were gatekeepers to communication networks; in this case telecommunications. They in turn contained what the NSA and GCHQ were actually after: the communications (potentially) running over those networks. It seems like arguing semantics when we differentiate between targeting the communications networks and targeting the communications themselves, but it is quite relevant: Both the NSA and GCHQ have other legal recourses to obtain the communications they are looking for, but are actively and purposely choosing other avenues. In short, it is not usually obvious what governments are interested in, and even if they have other (legal) means to obtain their target, they might still attack you if that proves to be more useful or less of a hassle.

Second, they are nearly impossible to deter. Cyber criminals generally tend to pick the low-hanging fruit. This will probably remain true as long as there remains so much of it available. The other major category popular with cyber criminals is the ‘big score’, where the spoils of a successful heist are so high that attackers consider their time and resources a good investment. Naturally this last group has more staying power than the first group, but both will eventually bug out if the operation is found to be too difficult or risky. Corporate espionage can potentially stay in the game where a cyber-criminal would have given up, but that is very dependent on the level of resources and risk that a firm is willing to commit. You can deter them by securing your infrastructure to such a degree that the reward of breaking in is not worth the effort. Governments have deeper pockets and thus far seem to be more-or-less immune to criminal prosecution. This significantly alters the equation for such parties. The local social environment of the attacker also plays a role. Corporate spies or criminals basically get told[1] “Get in there if you can”, while soldiers get told “Get in there [period]”. Government operatives don’t get deterred by tedious work or lack of funds. To keep them out it has to be made impossible to break in and, provided it can be done, the task will be Herculean and costly.

It should also be pointed out that governmental espionage is not solely about national security. Many intelligence services are tasked not only with security, but also so-called ‘Economic Intelligence’. To put it bluntly, they are also looking for anything that might give their national corporations an edge against foreign competitors. The reason is simple: successful corporations are a boon to any nation. Not just for the additional tax income they generate, but also for the additional jobs and innovation power they bring. Some intelligence agencies focus more on this than the others, but most do it to some degree. We have seen evidence of this before, during the Echelon program. Several high stake deals were won by American firms due to the intelligence provided to them by the American intelligence apparatus. We can only guess at what intelligence the NSA is currently feeding to American firms. Perhaps the tech firms that are under the NSA yoke are being rewarded sub-rosa as compensation for the multi-billion dollar loss they have incurred (or will incur) over lost trust.

Third, they have capabilities unique to this category of attacker. When looking at the Belgacom and Gemalto hacks, it is clear that one major new factor in their approach is Intelligence. Highly trained government intelligence agents are tasked with scoping out the target. They will find key target personnel in short order. It is their job to do so, and even in small nations these operatives are trained and experienced to a degree that will never be matched by a corporate entity. This might be the most effective tool in their arsenal, and next to impossible to defend against. The average person working for a corporate entity will be completely unarmed against people professionally trained in disciplines such as surveillance and interrogation. Would they spot a tail when walking or driving? Would they realize they are being interrogated during a seemingly innocuous conversation with a stranger? Would their family? What is worse is that nothing private is off-limits when gathering intelligence. Private emails, browsing history, social media, cellphone conversations and text messages are all scrutinized in the hopes of finding a way inside the target organization. They are not above infecting a staff member with a piece of custom-made malware if it furthers their goal. The more staff a company has, the bigger this attack vector is. The problem is exacerbated when dealing with technologically advanced nations, due to higher degrees of technological refinement in their attacks.

Fourth, that we know of their operations does not mean they have stopped. It sounds strange, but for some reason many people seem to think the threat is over now that we are aware of it. It is stating the obvious, but that is not the case. All that has really changed is that we now have some measure of tangible proof of something that was strongly suspected for a long time. The repeated wake-up calls are working to force a long overdue focus on security, but it still has to be acted upon and followed through on. The security industry finally has the clout to address the serious issues, and it can be done without overhyping the matter. Throw away old disparaging sayings such as “if they want to get in, they’ll get in” and do what can be done.

 

Naturally there is more to this issue than the points described above. What is clear is that the corporate world is faced with a potential adversarial class that it is not equipped to deal with. In this regard the world is not that different from the Dutch Golden Age in the 17th century. The Dutch VOC company had a large fleet of merchant ships that were regularly attacked by foreign ships of war belonging to nations that the Netherlands was at war with at the time. The naval frigates outclassed the often cumbersome trading vessels, and defending themselves to a sufficient degree simply wasn’t economically feasible. This problem grew to such an extent that valuable VOC convoys eventually received Dutch naval escorts for protection, even though they did have to help pay for them. What is worth wondering about, is whether we can find a similar common ground with Government and truly co-defend in a meaningful manner.

 

[1] Or conceive the notion themselves, naturally.

The Chilling State of Cyber Affairs

With all the attention pointed towards PRISM, another interesting publication was virtually overlooked. Earlier last month, a taskforce belonging to the US DoD’s Defense Science Board (DSB) released a final report titled “Resilient Military Systems and the Advanced Cyber Threat” [PDF], that reports on the findings of an 18-month research project. The DSB is a committee of civilian experts that is to advise the US DoD on scientific and technical matters. I just threw that line in here to point out that this committee is staffed by individual civilians and not representatives of the military-industrial complex. This is worth mentioning, because a good portion of the report is absolutely riveting in its description of how bad they think the situation is, and this is automatically bound to become a target for those people who still don’t believe in Cyber Warfare. The report starts off with a sentiment many of us will find reasonable, and applying to cyber security as a whole (as opposed to cyber warfare specifically):

“Cyber is a complicated domain. There is no silver bullet that will eliminate the threats inherent to leveraging cyber as a force multiplier, and it is impossible to completely defend against the most sophisticated cyber attacks. However, solving this problem is analogous to complex national security and military strategy challenges of the past, such as the counter U-boat strategy in WWII and nuclear deterrence in the Cold War. The risks involved with these challenges were never driven to zero, but through broad systems engineering of a spectrum of techniques, the challenges were successfully contained and managed.” – Mr. James R. Gosler & Mr. Lewis Von Thaer – Resilient Military Systems and the Advanced Cyber Threat.

In this same opening letter, some fairly damning statements are made. One of the most significant observations was that DoD Red Teams were defeating defending teams in exercises ‘with relative ease’ by hammering them with exploits and tools found on the internet. It also mentions that the DoD networks and systems have a weak cyber hygiene position, and even the Classified networks have experienced “staggering losses” in compromised data due to successful breaches (full quote to follow).

As an aside it is mentioned that in general, security practices have not kept up with adversarial tactics and capabilities. This statement is significant because of the context it is placed in. You see, the DoD security practices are fairly solid and, in general, followed quite well. These are the same (though possibly more stringent) security practices they teach infosec practitioners in certifications such as CISSP and apparently they don’t work anymore.

The report has a long list of very interesting little factoids, but the following list of bullet points is a direct quote from the report:

  • “The cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War
  • The cyber threat is also insidious, enabling adversaries to access vast new channels of intelligence about critical U.S. enablers (operational and technical; military and industrial) that can threaten our national and economic security
  • Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat
  • DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems
  • U.S. networks are built on inherently insecure architectures with increasing use of foreign-built components
  • U.S. intelligence against peer threats targeting DoD systems is inadequate
  • With present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks
  • It will take years for the Department to build an effective response to the cyber threat to include elements of deterrence, mission assurance and offensive cyber capabilities.” – Resilient Military Systems and the Advanced Cyber Threat.

One has to wonder how many of these observations are grounded in actual fact, and what is part of the disinformation operation that is almost certainly running in the background somewhere. Regardless, there has been sharp criticism about this level of public disclosure. Should the US be publishing this information so openly? Why and to what end? Truth be told, it is hard to argue that the experience of publication is purely a positive one. You can be certain that every other nation on the planet is carefully poring over every word, analyzing if weaknesses can be discovered. If the following quote is to be believed, the US found plenty on their own:

“The DoD, and its contractor base are high priority targets that have sustained staggering losses of system design information incorporating years of combat knowledge and experience. <…> Perhaps even more significant, they gained insight to operational concepts and system use (e.g., which processes are automated and which are person controlled) developed from decades of U.S. operational and developmental experience—the type of information that cannot simply be recreated in a laboratory or factory environment. Such information provides tremendous benefit to an adversary, shortening time for development of countermeasures by years.” – Resilient Military Systems and the Advanced Cyber Threat.

And of course, the US faces challenges in the Cyber arena that few other players will ever encounter because of the high costs associated with it. I am speaking, of course, of Supply Chain Security – also known as Hardware Hacking. In 2010, the 2nd International Conference on Information Engineering and Computer Science (ICIECS), published an article titled “Towards Hardware Trojan: Problem Analysis and Trojan Simulation” authored by members of the Zhengzhou Institute of Information Science and Technology in China, which outlined the technical approach elements for developing covertly modified hardware.

A successful corruption in an enemy’s supply chain which manages to insert malicious chips onto, say, a desktop or server, would evade all security measures installed on said device. Only a particularly well tuned (and carefully looked at) network monitor would have a chance at picking up the phone-home signal or, in case of a successful intrusion, the data exfiltration itself. Given the costs associated with supply chain corruption, it would be a very safe bet that the utmost effort is made to hide any outbound traffic or to make it seem innocuous enough that you miss it when investigating. You would need a really excellent understanding of your network traffic to spot traffic that wants to stay hidden.

The entire DSB report contains so much interesting information that I couldn’t possibly put all of it in one article. One last tidbit that I would like to include here, is a quote that contains some of the ideas I wrote about in my very first article on Cyber Warfare (emphasis below is mine).

“The benefits to an attacker using cyber exploits are potentially spectacular. Should the United States find itself in a full-scale conflict with a peer adversary, attacks would be expected to include denial of service, data corruption, supply chain corruption, traitorous insiders, kinetic and related non-kinetic attacks at all altitudes from underwater to space. U.S. guns, missiles, and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition, and fuel may not arrive when or where needed. Military Commanders may rapidly lose trust in the information and ability to control U.S. systems and forces. Once lost, that trust is very difficult to regain.

“The impact of a destructive cyber attack on the civilian population would be even greater with no electricity, money, communications, TV, radio, or fuel (electrically pumped). In a short time, food and medicine distribution systems would be ineffective; transportation would fail or become so chaotic as to be useless. Law enforcement, medical staff, and emergency personnel capabilities could be expected to be barely functional in the short term and dysfunctional over sustained periods. If the attack’s effects were reversible, damage could be limited to an impact equivalent to a power outage lasting a few days. If an attack’s effects cause physical damage to control systems, pumps, engines, generators, controllers, etc., the unavailability of parts and manufacturing capacity could mean months to years are required to rebuild and reestablish basic infrastructure operation.” – Resilient Military Systems and the Advanced Cyber Threat.

There really isn’t more I could add to this. I have no doubt that development on offensive cyber capabilities will continue and the next decade will bring about possibilities we can only dream of now. With this build-up of virtual arms between the world’s largest nations, a comparison with the Cold War is hard to avoid. Let’s just hope cooler heads will prevail again.

On Iran and Pre-Emptive Cyber Attacks

Early in February of 2013, many news outlets came out with articles about the US Government having a ‘secret legal review’ on the use of its cyber-arsenal. This legal review concluded that the US government could launch a cyber attack against a threatening nation if the country needed to defend itself. Essentially it boils down to ‘legitimately’ having the power to order a pre-emptive cyber attack, even though only the President himself can authorise such an attack. As many nations are developing their own Cyber program, and some nations are very actively using cyber attacks to get a definite leg up, nobody really expected any other outcome. A very damning report by Mandiant on “APT1” recently emphasised yet again how professional and broad-scoped China’s cyber espionage apparatus has become, and the United States finds itself a major target in these operations. Even though this same report is heavily criticized by experts for having critical analytical faults, it is hard to deny that Cyber is still increasing in overall popularity on the world’s geopolitical stage.

Some say that this ‘right to strike pre-emptively’ is a warning shot across the bow of China, but it cannot be said that it is a timely revelation in any respect. After all, not having formally asserted this right to strike pre-emptively did not deter the cyber attack against Iran’s nuclear enrichment facilities in Natanz, which was devised during the Bush Jr. administration but was executed under Obama. A cynical view might take that to mean that not one, but two separate administrations had already asserted that right years before. Also, even though it was never confirmed officially, the Washington Post published an article in 2012 that claimed Flame, a piece of malware dubbed the successor to Stuxnet, was also developed by the US government years before, and launched against Iran in roughly the same period of time, also with the intent of slowing down Iran’s nuclear enrichment program.

What makes this all especially interesting is the recent publication of the Tallinn Manual on the International Law Applicable to Cyber Warfare, as commissioned by NATO’s Cooperative Cyber Defence Center of Excellence in Estonia. Its lead author, Michael D. Schmitt, is also a professor of international law at the US Naval War College in Newport. In a recent interview with the Washington Times professor Schmitt revealed that the collective of authors who worked on the Tallinn Manual were of the opinion that the Stuxnet attack was indeed an Act of Force. These are “Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force”. This is significant because it means that by the opinion of the world’s leading legal minds on Cyber Law (led by an American, no less), Iran has a legitimate legal reason to declare war against the United States. I should point out that the reverse is not the case, even if Iran is actively seeking nuclear weapons (which does seem likely, seeing as how it would level the geopolitical playing field for them).

Given the already volatile nature of the Middle East as a whole, you’d have to wonder if cyber weapons are a blessing or a curse. The threshold to their use seems to be significantly lower than kinetic means, but this, in turn, may quickly give legitimate claim to escalate matters into the kinetic spectrum. Whatever else may happen, on this front it will be a most interesting decade.