Further Discussion of Chinese Cyber Threat

As a follow-up to this post, I found this forum transcript to be a mildly informative overview of the Chinese cyber threat. This question is really troubling, if true:

Joe in Groton, CT: I am an administrator of a DoD network. Why haven't I heard anything from up above about what types of attacks they are using, and whether or not Sysadmins need to take any extra steps to secure our networks? As a matter of fact, I haven't even heard anything from the DoD that there was a compromise at all. There was not even a post at the infosec web site about any compromise. If it wasn't for the SANS newsletter, I wouldn't have even found the GCN website. I feel that we need to share information within our community so we can all be more proactive in protecting our networks and our data. I get the impression that without this cohesion, we are sitting ducks.

That is sad. DoD is being owned and the people in one of the best positions to resist, and potentially detect and respond, are not aware of what's happening!

Comments

Unknown said…
Big Bureaucracy...

Likewise, the opposite is sad. What if this all didn't really happen as we infer and is just leverage? Argh!
4:28 PM
Anonymous said…
Just a comment aimed at Joe in CT and others that are in DoD that claim "non-awareness" - since he is a sysadmin on a DoD Network, he should have at least a SECRET clearance*. That being said, getting access to SIPRNET might require going to another building or organization if he doesn't have his own SIPRNET connectivity. This stuff has been going on awhile and reported in the press. So is Joe taking care of his network and patching his boxes, looking at his logs, implemented the IA/CND software that has been purchased by DISA for the DoD Enterprise (eEye Retina, Hercules, etc)?

Bottom line: It isn't hard to do a search on Intellink on Titan Rain once the hit the press, I mean was he under a "rock" last year at this time? Maybe he should be asking his G2/J2/x2 for a cyber intel threat brief, maybe he's part of a civilian DoD Agency that doesn't have an intel section - use the briefs available on SIPRNET that are produced by the Services CERT/CIRT/NOSC/etc. Common on, there is even a Wikipedia entry for Titan Rain. Again a little initative to stay informed shows that he cares about his network. This type of lack of interest on the part of sysadmins is probably why this problem is there in the first place. `Nuff said!

* OK, he could be a foreign national sysadmin working for DoD in an overseas location, but he's in CONUS so it's 99% bet that he is a US citizen with a background investigation and clearance.
9:51 PM
Anonymous said…
I worked on the investigation for Titan Rain (hell, I'm one of the guys who figured it out), notice that I have made my self anonymous for that reason.

How 'they' broke in, is still classified. The exact details. I know how how they did it, because I was one of the ones that found it, but I was read off of that program when i left DoD, the secret dies with me.

However, I agree with the previous anonymous posting, go to your servicing CERT site (I know ACERT used to have a good sipr site), and read their slides. If you don't keep up with your Intel on at least a weekly basis, you won't know how they are coming at you
3:45 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more