Enterprise Security vs. Nation State Threat Actors

The recently published Snowden/NSA/GCHQ slides regarding the Gemalto hack have caused quite a stir amongst security practitioners, board members and politicians alike. But the uproar is minor when considering that it is now more than clear that it is not only non-allied nations such as China, Russia and Iran that are attacking commercial entities. Nation states that we are on good terms with are apparently equally willing and able to attack their allies, just to get ahead in the Intelligence and Battlefield Preparation game. Good friend and excellent analyst Richard Stiennon already acknowledged (allied) nation states as a threat actor for the commercial industry in his article “NSA Surveillance Extends the Threat” in 2013. He asserted that the NSA was leading the threat hierarchy and advocated a global re-evaluation of one’s security stance. From what has been unveiled recently this is due for a revision yet again, as it is clear that British GCHQ is following the same playbook. Given that both are core members of the “Five Eyes” community, it is increasingly safe to assume that Australia, Canada and New Zealand follow the same methodology, but that is beside the point of this article.

What does this mean?

When comparing the slides and modus operandi concerning Gemalto with what was disclosed about the Belgacom hack, useful observations can be made regarding the tactics employed by GCHQ and the NSA. And that MO demonstrates quite clearly what the real problems for commercial entities are when faced with a nation state as an adversary.

First off, they are difficult to expect. That’s right: expect, not detect (although that is probably equally true). Nation states have considerably different motives and these may not always be obvious. Gemalto and Belgacom were targeted because they were gatekeepers to communication networks, in this case telecommunications. Those networks in turn carried what the NSA and GCHQ were actually after: the communications (potentially) running over them. It seems like arguing semantics to differentiate between targeting the communications networks and targeting the communications themselves, but it is quite relevant: both the NSA and GCHQ have other legal recourses to obtain the communications they are looking for, but are actively and purposely choosing other avenues. In short, it is not usually obvious what governments are interested in, and even if they have other (legal) means to obtain their target, they might still attack you if that proves to be more useful or less of a hassle.

Second, they are nearly impossible to deter. Cyber criminals generally tend to pick the low-hanging fruit. This will probably remain true as long as there remains so much of it available. The other major category popular with cyber criminals is the ‘big score’, where the spoils of a successful heist are so rich that attackers consider their time and resources a good investment. Naturally this last group has more staying power than the first group, but both will eventually bug out if the operation is found to be too difficult or risky. Corporate espionage can potentially stay in the game where a cyber-criminal would have given up, but that is very dependent on the level of resources and risk that a firm is willing to commit. You can deter them by securing your infrastructure to such a degree that the reward of breaking in is not worth the effort. Governments have deeper pockets and thus far seem to be more-or-less immune to criminal prosecution. This significantly alters the equation for such parties. The local social environment of the attacker also plays a role. Corporate spies or criminals basically get told[1] “Get in there if you can”, while soldiers get told “Get in there [period]”. Government operatives don’t get deterred by tedious work or lack of funds. To keep them out it has to be made impossible to break in and, provided it can be done at all, the task will be Herculean and costly.

It should also be pointed out that governmental espionage is not solely about national security. Many intelligence services are tasked not only with security, but also with so-called ‘Economic Intelligence’. To put it bluntly, they are also looking for anything that might give their national corporations an edge against foreign competitors. The reason is simple: successful corporations are a boon to any nation. Not just for the additional tax income they generate, but also for the additional jobs and innovation power they bring. Some intelligence agencies focus more on this than others, but most do it to some degree. We have seen evidence of this before, during the Echelon program. Several high-stakes deals were won by American firms due to the intelligence provided to them by the American intelligence apparatus. We can only guess at what intelligence the NSA is currently feeding to American firms. Perhaps the tech firms that are under the NSA yoke are being rewarded sub rosa as compensation for the multi-billion dollar loss they have incurred (or will incur) over lost trust.

Third, they have capabilities unique to this category of attacker. When looking at the Belgacom and Gemalto hacks, it is clear that one major new factor in their approach is Intelligence. Highly trained government intelligence agents are tasked with scoping out the target. They will find key target personnel in short order. It is their job to do so, and even in small nations these operatives are trained and experienced to a degree that will never be matched by a corporate entity. This might be the most effective tool in their arsenal, and next to impossible to defend against. The average person working for a corporate entity will be completely unarmed against people professionally trained in disciplines such as surveillance and interrogation. Would they spot a tail when walking or driving? Would they realize they are being interrogated during a seemingly innocuous conversation with a stranger? Would their family? What is worse is that nothing private is off-limits when gathering intelligence. Private emails, browsing history, social media, cellphone conversations and text messages are all scrutinized in the hopes of finding a way inside the target organization. They are not above infecting a staff member with a piece of custom-made malware if it furthers their goal. The more staff a company has, the bigger this attack vector is. The problem is exacerbated when dealing with technologically advanced nations, due to the higher degree of technological refinement in their attacks.

Fourth, that we know of their operations does not mean they have stopped. It sounds strange, but for some reason many people seem to think the threat is over now that we are aware of it. It is stating the obvious, but that is not the case. All that has really changed is that we now have some measure of tangible proof to something that was strongly suspected for a long time. The repeated wake-up calls are working to force a long overdue focus on security, but it still has to be acted upon and followed through on. The security industry finally has the clout to address the serious issues, and it can be done without overhyping the matter. Throw away old disparaging sayings such as “if they want to get in, they’ll get in” and do what can be done.


Naturally there is more to this issue than the points described above. What is clear is that the corporate world is faced with a potential adversarial class that it is not equipped to deal with. In this regard the world is not that different from the Dutch Golden Age in the 17th century. The Dutch VOC company had a large fleet of merchant ships that were regularly attacked by foreign ships of war belonging to nations that the Netherlands was at war with at the time. The naval frigates outclassed the often cumbersome trading vessels, and defending themselves to a sufficient degree simply wasn’t economically feasible. This problem grew to such an extent that valuable VOC convoys eventually received Dutch naval escorts for protection, even though they did have to help pay for them. What is worth wondering about is whether we can find a similar common ground with Government and truly co-defend in a meaningful manner.


[1] Or conceive the notion themselves, naturally.

The Dutch, the Yanks, the Cloud and YOU

Recently a research project by the Amsterdam University [PDF Alert] revealed that US law allows the US government to access information stored in the Cloud, by (ab)using the PATRIOT Act. Multiple Dutch politicians have started asking questions of state secretary Teeven of the Justice department as to whether he knew about this before the research project, and whether he did anything to prevent this or to warn Dutch citizens about this potential breach of privacy. He has since sent in an official answer. Unsurprisingly, he confirms that the issue is real, but does not answer the question about whether he knew about this beforehand. He goes on to say that it is up to each individual to be careful with any information they publish online, be it to a cloud-based service or anywhere else.

What surprises me is that people still don’t seem to understand what the Cloud is, what it does and how it works. The effects of the PATRIOT Act have long been known and have been hotly debated for years. How is this any surprise to anyone?

Please follow this logic:

The Cloud is the Internet. It really is that simple. Cloud Services are simply applications that run on clustered computer systems. Maybe on two, ten, a hundred or a thousand systems at a time, it doesn’t matter. Users (and data) are replicated to every system in this cloud regardless of where they are. There could be ten in your own country, twenty in the US and another fifty in Russia. This is (most often) invisible to the end user, and very often special effort is made to keep this invisible to the end user, and to make it one big system regardless of what server you are connecting to, or from where. To be on the safe side, you should assume that regardless of where you are located when you upload data, it is uploaded to the entire grid, not just the part in your country.

And it matters where these systems are located geographically, because that is the only factor in the question as to which country’s laws this system (and more importantly the data on that system) is subject to. For example: Google has servers dedicated to Google Docs in a lot of countries such as the Netherlands, Germany, Britain, the US and probably several countries in Asia. You upload a document to Google Docs while in the Netherlands. As soon as you do, it is replicated to either all the systems all over the globe, or replicated between central data storages all over the globe. It is generally safe to assume that your data will be everywhere, regardless of where you are. ANY country that has Google servers for Google Docs within its borders can in theory (this depends on what laws exist in said country) demand access to this data. The US is almost certainly not the only government that can do this, but even if no other country has such laws, you can rest assured that if the need ever arises (from a national security standpoint) to access your data, things tend to get very ‘flexible’ on very short notice in most countries. Therefore you should assume that you cannot trust any online service with your data, regardless of its classification or nature.

As has always been the case, in the end you, and only you, remain the only person responsible for what happens to your data. If you absolutely do not want it leaked, don’t put it on the internet.

Improving the IT & Security Industry – A Top-Down Effort

The ever ongoing debate about quality IT staff once again received a nudge, this time by an article of J. Oquendo. In his article he takes another brutally honest stab at the Industry by pointing out that the new Shady RAT attacks aren’t that new and would have been easily caught by capable personnel. I agree with that view very strongly and would also like to point out that Shady RAT is really no different from Night Dragon in that both attack waves used techniques that have been known for a decade or more. Obviously someone is asleep at the wheel, but who?

In several articles I’ve seen about this topic, I have seen in-depth descriptions of the observed failures of the staff itself as well as of the certifications that should have tested their skills. These seem to me to be symptoms rather than a cause, and a pattern I don’t see in many other industries. Most industries have some kind of self-correcting function built in. In the Medical profession there is a Medical Board that reviews its members and is able to punish shoddy work. Lawyers can be disbarred by the Bar Association in their district. A bad carpenter may well find himself nailed upside-down to a wall if he doesn’t pull his weight during a large construction project. All of these are examples of Peer Review. What makes the IT industry so different?

Two major differences immediately came to mind:

  • Costs of mistakes are hard to quantify (or even detect) in IT; and
  • Line and Project management are much less skilled in IT than other industries’ managers are in theirs.

Costs of mistakes are hard to detect and quantify
Compared to other industries, mistakes made by IT personnel aren’t always obvious. Systems may keep on working and may even appear to work properly when they are poorly configured. If a system does crash, it’s often very hard to quantify exactly how much damage there is and what it has cost the company. If a surgeon makes a mistake, the effect is often immediate (e.g. a patient keels over). If a construction worker makes a mistake, a building may collapse. In either case the problem is usually clearly and visibly detectable, and peer review takes place. Lack of visibility and immediate effects inhibits such peer review in the IT industry.

Line and Project Management personnel are not sufficiently skilled in IT to manage its staff
The fact that IT is still somewhat of an ethereal topic to most people is reflected in the poor choices made when hiring management personnel. You wouldn’t believe how often I’ve heard it said that ‘IT managers don’t need to know IT, they just need to manage the people’. This is just plain wrong. Yes, they need to be skilled in managing people, but they also have to make regular professional judgements about the quality of the work provided by the staff they are managing. Virtually every other profession does this better than we do in the IT industry.

I believe this has a lot to do with the fact that there are fewer IT-savvy managers to begin with, and so management accepts second-best as its de facto standard. There also seems to be less promotion from the ranks than in other industries. Maybe the stigma of IT personnel having fewer social skills (think Geek or Nerd) plays its part in this problem; I don’t know and wouldn’t care to judge its veracity. What is evident is that there aren’t nearly as many well-educated (in IT!) CIOs as we should have. We need those proper CIOs to hire proper IT managers, who in turn hire proper personnel instead of the pseudo-specialists that are so often the topic of negative discussion.

Of course you could say that it’s up to the IT professionals to get themselves skilled, but we’ve tried that and it doesn’t work. And why would they? Many of them skate by excellently with a minimum of effort because of that ‘people manager’ with the bachelor’s degree in napkin folding you thought would do just fine (and wasn’t he cheap!). As an organization, try the following:

  • Stop assuming that ‘any bachelor/master degree’ will suffice for an IT position. The higher up the manager is going to be, the more skill you can ask for the position. That includes the CIO position! Although their knowledge has to be scoped broader, it must still be present and relevant.
  • Promote from the ranks where possible. The pecking order in an IT department is established fairly quickly and it’s almost always based on skill and knowledge. Leverage that information in getting the right people promoted. If you choose right, they’ll be perfectly capable of hiring their own replacement.
  • When hiring technical personnel, have each applicant vetted by your best tech(s), even if it is a contractor. Listen to their advice.
  • Don’t let certifications dazzle you. Many certifications don’t mean much anyway. Look to match certifications with practical experience and you’ll fare better.
  • Remember: If you pay peanuts, you’ll get monkeys. If you don’t have money, find other ways to entice new personnel such as exciting projects or nice perks.
  • Recruiting agencies often play it fast and loose with matching your needs to their staff. Don’t assume their personnel are any better: verify! Remember: you’re paying a premium and deserve quality. Ask them about the training their staff receives. If they’re any good, it should be at least a periodically recurring thing. I know companies that demand a set amount of study a year per employee.

Monetary Value per System Owned – The Evolution of Endpoint Attacks

Recently some people working for a client of mine expressed the sentiment that they felt their business wasn’t a target for an actual hacker (as opposed to automated attacks). This despite the fact that they had been attacked on two different occasions in a manner that indicated it was the same (thankfully clueless) attacker. Also, the company in question is doing business in a field that seems especially ripe for the proverbial plucking: a lot of money is being made by virtually every player there. One would think that security would be a bigger issue for these folks, but apparently the message hasn’t fully landed everywhere.

This got me thinking about endpoint security and how incredibly understated (and often underestimated) the need for security is on these machines. In many companies it is the largest group of machines in the network, owned and operated by the least technically skilled and security-ignorant users in the company, yet most companies consider the protection of these systems as an afterthought. “Just install AV, Jimmy. That’ll do!” they say, and turn back to tweaking their firewalls (if you’re lucky).

At the same time, an attacker simply lures the gullible users to a specially crafted malicious website or sends out a mass mailing of an infected PDF. Despite having been told thousands of times before not to open attachments from people you don’t know (or that you don’t expect), you just know that someone will do it anyway. And really, all it takes is a single user to take leave of their senses to create a backdoor into your network. I would also like to point out, because this thought seems to float around a lot, that no amount of Group Policy settings will change the outcome. What you need is user sensibility and proper endpoint protection.

Considering the above point and observing the evolution of the purpose behind botnet malware, it becomes clear that the shift is financially motivated. A few years ago botnets were used mostly for DDoS purposes, but since then there has been a change towards monetary gain. From basic DDoS, the botnets were deployed to make money through click-advertisement programs and surfing behaviour studies. After that came the stealing of financial information, often leading to credit card fraud and identity theft. Currently we’re seeing the re-emergence of ransomware, where user data is held hostage until the user pays a certain amount before a deadline. If they don’t pay, their data is lost forever.

The criminals involved (often organized crime) seem to be refining their strategy. Where they once made relatively small amounts with a large number of systems they now aim to make a larger amount per system. Essentially they realized that there is a Monetary Value per Owned System, and by becoming more efficient they are raising that value per system to maximize profits.

This idea swam around in my head for a while. What would I do to make the most money? If the idea is to squeeze the most cash out of each system, then we should be looking for the systems that have the most potential cash to be stolen. For me, this ruled out the average internet user. You’d have to be very lucky to stumble onto a rich and clueless target; there just aren’t that many around. Also, how would you know that your target is actually wealthy?

The answer was simple: companies. Companies usually have deeper pockets than the average internet user and the ways to exploit them are myriad: extortion, data theft, corporate espionage, credit card fraud; you name it. There’s another upside to this approach: most companies deploy their workstations through imaging. That often means that if one workstation is vulnerable to a certain attack, chances are good that the other workstations in the network are too. More targets mean more potential access to the information I’d want. Also, in most cases the users of said workstations are a lot less motivated to be secure; it’s not their workstation and it’s not their money.

Following this logic, the future of corporate security looks grim. Workstations are a hell of a lot more tempting a target than any server; they are easier to crack and there’s a lot more of them. Administrators need to realize that attackers (both real and automated) won’t attack the shield you hold up, but rather go after the target behind the shield in any way possible. This means that the hard-shell/soft-interior methodology in securing a network is dead, and actually has been so for quite some time.

Endpoint protection will remain the name of the game, and what software vendors are doing right now isn’t working. It’s a failing approach, something that’s becoming increasingly obvious with each new report of a major breach. A change needs to be made before Organized Crime realizes its full potential.