The Best Cyber-Defense...

I've previously posted Taking the Fight to the Enemy and Taking the Fight to the Enemy, Revisited. I agreed with sentiments like the following, quoted in my posts:

The best defense against cyberattacks on U.S. military, civil and commercial networks is to go on the offensive, Marine Gen. James Cartwright, commander of the Strategic Command (Stratcom), said March 21 in testimony to the House Armed Services Committee.

“History teaches us that a purely defensive posture poses significant risks,” Cartwright told the committee. He added that if “we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests...”

I found this idea echoed in the book Enemies: How America's Foes Steal Our Vital Secrets--and How We Let It Happen by Bill Gertz which I mentioned in Counterintelligence: Worse Than Security?. The author argues that the best way to protect a nation's intelligence from enemies is to attack the adversary's intelligence services. In other words, conduct aggressive counterintelligence to find out what the enemy knows about you. When you know what the enemy knows about you, you fight a more informed battle. You may even be able to alter his perception of you, and avoid a fight altogether.

I think Joe Stewart's latest post, Tracking Gimmiv, illustrates this point very well. Joe isn't a .mil or .gov operative, so he can't bomb anyone or put them in jail. He can conduct research operations, however, to learn the truth about the enemy's capabilities. Joe writes:

On October 23, 2008, Microsoft released an out-of-cycle emergency patch for a flaw in the Windows RPC code. The reason for this unusual occurrence was the discovery of a “zero-day” exploit being used in the wild by a worm (or trojan, depending on how you look at it). The announcement of a new remote exploit for unpatched Windows systems always raises tension levels among network administrators. The fact that this one was already being used by a worm evoked flashbacks of Blaster and Sasser and other previous threats that severely impacted the networked world.

But, unlike these past worms, Gimmiv turned out to have infected scarcely any networks at all...

Because of some mistakes made by the author(s) of Gimmiv, third parties were able to download the logfiles of the Gimmiv control server. Although most of the data in the logs is AES-encrypted, we were able to find the key hardcoded in the Gimmiv binary and decrypt the data.

Although it has been reported that Gimmiv is a credential-stealing trojan, this functionality is actually not used - the gathered data is never sent. What is sent is simply basic system information, such as the Windows version, IP and MAC address, Windows install date/time and the default system locale. Using this data we were able to track exactly how many computers had been infected prior to October 23rd (after this time infection counts are somewhat skewed due to malware researchers all over the world investigating Gimmiv). As it turns out, only around 200 computers were infected since the time Gimmiv was actively deployed on September 29, 2008...

Additionally, a zip file left behind on one of the control servers contained Korean characters in the compressed folder name. For these two reasons, we believe Gimmiv’s author is probably from South Korea.
(emphasis added)

Joe took the fight to the enemy. This is what most malware researchers do; they get inside the adversary's infrastructure, here a control server whose logs the operators left exposed, to figure out what is actually happening. This isn't a task for novices, but it does yield excellent results.

Joe's work isn't strictly counterintelligence, since he is probably not opposing a foreign intelligence service. Speaking of counterintelligence, I noticed this August article New Unit of DIA Will Take the Offensive On Counterintelligence about the Defense Counterintelligence and Human Intelligence Center:

The Defense Intelligence Agency's newly created Defense Counterintelligence and Human Intelligence Center is going to have an office authorized for the first time to carry out "strategic offensive counterintelligence operations," according to Mike Pick, who will direct the program...

In strategic offensive counterintelligence operations, a foreign intelligence officer is the target, and the main goals most often are "to gather information, to make something happen . . . to thwart what the opposition is trying to do to us and to learn more about what they're trying to get from us," [Toby] Sullivan [director of counterintelligence for James R. Clapper Jr., the Undersecretary of Defense for Intelligence] said.
(emphasis added)

I found the transcript of the news conference contained this section mentioning cyber:

Q: Could you talk about the threats that you guys are sort of arrayed against? I’m thinking China has got to be high on your list. They seem to be in the news a lot for particularly defense technology, espionage. And I’m wondering where you fit into the whole cyber initiative that seems to be – so could you just talk about those and other things that you’re particularly focused on?

MR. SULLIVAN: The cyber initiative – there are other parts of the department that are responsible for protecting the IT systems of the department. The counterintelligence role in that – and we do have a role – is to provide some analysis and then, quite frankly, from an offensive capability, it provides us another venue to perhaps engage the enemy. But we don’t have a role in protecting the systems, if you will. There are other folks in the department that do that. As far as the threats, we had the Cold War threats and we have the today threats. There hadn’t been a whole lot of change over the last 20 or 30 years.

It will be interesting to (not) see how this new organization develops.


apolicastro said…
This is just what is needed in light of the looming cyber threats that are no longer limited to hackers breaking into databases. Based on my years of research into hacker activities, I have written a book where a well-funded group of hackers take control of the US power grid and the cell phone network and hold the US hostage. My book, Dark End of the Spectrum, is based on real events. Take a look at
I'm offering it as free download during November.
Anonymous said…
I recently spoke at length with someone who heads up a team at a private company that does cointel. It was a very interesting conversation. This is not something to be entered into lightly. There are legal and personal safety issues. Members of this organization's team go to great lengths to conceal their real life identities due to threats of violence.
