Two Dimensional Thinking and APT
I expect many readers will recognize the image at left as representing part of the final space battle in Star Trek II: The Wrath of Khan. During this battle, Kirk and Spock realize Khan's tactics are limited. Khan is treating the battle like it is occurring on the open seas, not in space. Spock says:
He is intelligent, but not experienced. His pattern indicates two-dimensional thinking.
I thought this quote could describe many of the advanced persistent threat critics, particularly those who claim "it's just espionage" or "there's nothing new about this." Consider this one last argument to change your mind. (Ha, like that will happen. For everyone else, this is how I arrive at my conclusions.)
I think the problem is APT critics are thinking in one or two dimensions at most, when really this issue has at least five. When you only consider one or two dimensions, of course the problem looks like nothing new. When you take a more complete look, it's new.
- Offender. We know who the attacker is, and like many of you, I know this is not their first activity against foreign targets. I visited the country as an active duty Air Force intelligence officer in 1999. I got all the briefings, etc. etc. This is not the first time I've seen network activity from them. Wonderful.
- Defender. We know the offender has targeted national governments and militaries, like any nation-state might. What's different about APT is the breadth of their target base. Some criticize the Mandiant report for saying:
The APT isn't just a government problem; it isn't just a defense contractor problem. The APT is everyone's problem. No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It's not spy-versus-spy espionage. It's spy-versus-everyone.
The phrasing here may be misleading (i.e., APT is not attacking my dry cleaner) but the point is valid. Looking over the APT target list, the victims cover a broad sweep of organizations. This is certainly new.
- Means. Let's talk espionage for a moment. Not everyone has the means to be a spy. You probably heard how effective the idiots who tried bugging Senator Landrieu's office were. With computer network exploitation (at the very least), those with sufficient knowledge and connectivity can operate at nearly the same level as a professional spy. You don't have to spend nearly as much time teaching tradecraft for CNE, compared to spycraft. You can often hire someone with private experience as a red teamer/pen tester and then just introduce them to your SOPs. Try hiring someone who has privately learned national-level spycraft.
- Motive. Besides "offender," this is the second of the two dimensions that APT critics tend to fixate upon. Yes, bad people have tried to spy on other people for thousands of years. However, in some respects even this is new, because the offender has his hands in so many aspects of the victim's centers of power. APT doesn't only want military secrets; it wants diplomatic, AND economic, AND cultural, AND...
- Opportunity. Connectivity creates opportunity in the digital realm. Again, contrast the digital world with the analog world of espionage. It takes a decent amount of work to prepare, insert, handle, and remove human spies. The digital equivalent is unfortunately still trivial in comparison.
To summarize, I think a lot of APT critics are focused on offender and motive, and ignore defender, means, and opportunity. When you expand beyond two-dimensional thinking, you'll see that APT is indeed new, without even considering technical aspects.
Comments
That said, I still take issue with: "Looking over the APT target list, the victims cover a broad sweep of organizations. This is certainly new."
Reading the Mandiant Report, we see:
1.) Government
2.) Defense Contractors
3.) Fortune XXX acquiring a Chinese company
4.) A Law Firm involved in a Chinese civil litigation case
5.) A non-profit trying to spread "democracy and free enterprise in China" (maybe they could also do that in the USA).
Look, it doesn't take Arthur Conan Doyle to piece together the storyline here. This clearly isn't "everyone's problem". It's a problem for those that are seen as an enemy of certain nation-states.
Mandiant's technical staff has always done great work. By itself and without the hype, the M-Trends document is great. But how can you possibly maintain that there is a new threat profile here?
On the defender side of things...
The phrasing is not at all misleading. Mandiant is absolutely correct in what they are saying. One thing to remember is that the victim organization is not always the target. They use staging servers, jump points and establish C2 at sites not mentioned by Mandiant. Which is to say, not DIB, Finance, etc. The mom and pop shops are just as involved in this, especially with all the sleeper nodes out there.
I agree and disagree with that statement. I agree that "everyone's problem" is one of many gross exaggerations made by whoever authored that report. However the idea that only "enemies" are targeted is equally mistaken. For one thing, the PRC doesn't view the U.S. as its enemy. They are as dependent on our economic engine as we are on their buying dollars, and hiring their rapidly growing pool of intellectual talent. Neither the RF nor the PRC targets "enemies" for cyber espionage. They target assets from which they can extract the technical knowledge they need to accelerate their respective nations' development in everything from weapons to critical infrastructure.
Anyway, in all your foreign policy blogging I am surprised you have not mentioned that the Chinese bailed us out of the financial crisis.
http://www.ft.com/cms/s/0/ffd950c4-0d0a-11df-a2dc-00144feabdc0.html
It ain't just 5 dimensions, it's six; you need to factor economics into your analysis for it to be relevant. Economics trumps political/military every time, you can look it up.
Offender: Agreed, enough said.
Defender: If you're suddenly on the APT list of the Offender, that doesn't mean you're under a new breed of attack. It might be new to you, but the Offender is exercising their techniques, tactics and procedures (TTP) on a new target; your systems. Just because Google, Adobe, et al are targets, not the Army and Navy, doesn't mean it's a new breed of attacks. I admit the coordination involved is impressive. But I wonder to myself if this is new TTP, or just their TTP turned to (please forgive the Spinal Tap reference) 11.
Means: Computer network exploitation (CNE) is, in relative terms, cheap. This opens the opportunity for non-state actors to get in the business and attempt to sell information to interested parties (which doesn't always go so well [1] [2]).
Motive: Again with the Spinal Tap reference. Just because we're seeing pervasive attacks, is it something new, or just "something" cranked up to 11? I agree the pervasiveness creates the need for new solutions to old problems, (sarcasm)but hey, that's what vendors are for, right?(/sarcasm) ;)
Opportunity: If you have the means to run Metasploit, you're now a small fish in a big pond, but you have the opportunity to be in the pond. Or if you're an insider ([1] [2]), you're just looking for the buyer...
In my opinion, the persistence of the Offender can't be overstated. It's not one big flood that made the Grand Canyon, but many smaller persistent ones.
All that said: Are we seeing something new or is it just the same as it ever was? I, for one, am still chewing the fat...
Good post, Richard. It's great dialogue.
[1] http://www.darkreading.com/insiderthreat/security/government/showArticle.jhtml?articleID=212902962
[2] http://www.msnbc.msn.com/id/16038691/%5Benter%20URL%5D
Bill, Chinese hackers were inside the California Independent System Operator's network for at least 3 weeks, maybe longer, before they were discovered and that was back in April-May, 2001. China decided to switch to a netcentric model of warfare in the early 90's. In my opinion, and with all due respect to Richard, this is not a new method of conducting network exploitation.
I have yet to see the detailed analysis on the "Aurora Attacks", so until then I reserve definitive statements. Could it be "Attack B" turned up to 11? Or a new TTP named "Attack C"? I'm very interested to find out. . .
http://www.damballa.com/solutions/advanced-persistent-threats.php
Or if that's too touchy to say in public, why not just say "nation-states"?
Really, my issue with "APT" is that it's a euphemism, in the grand tradition of obfuscated military jargon. It's like "entrenching tool" (shovel) and "high/low boundary" (firewall). It's better to say what you mean. Otherwise, civilians are going to project whatever they want onto it.
The bottom line is that there are going to be some tactics that have worked against "classic" espionage that are also applicable to CNE, and some that are not. In a tactical sense, effective CND needs to be built from the ground up, but informed by knowledge of traditional espionage. If we accept this, then the old/new argument is immaterial.
If anyone was at the recent DoD Cybercrime Convention, we spoke about this at some length on Thursday afternoon. If anyone reading was unable to make it, and is interested in the material, most of it is available on the SANS 4n6 & IR blog (1, 2, 3). The rest will be posted soon. Richard's MMO above corresponds to our "IOC" (intent, opportunity, capability) with a little different lens. Nevertheless, I think thought leadership on the subject by those who've been involved the past number of years is beginning to converge. Exactly how we can reach true consensus I have yet to see, however.
Orthogonally, I want to briefly state that CND is bigger than incident response. Many have talked about responding to incidents involving APT, but I see few discussing how to defend against it. Proper APT CND is, in my opinion, encompassing of IR but balances focus with preventing incidents in the first place through leveraging intelligence; something incompatible with classic IR approaches. Mandiant's much-discussed report, to give but one example, is good but neglects this point.
Finance, oil, and telecommunications fit the interest of any espionage-related attacks, while universities make a great place to test attack code. Very small organizations are pivot points and card merchants are good for organized crime.
A multifaceted equation would help you understand how likely you are to face an APT vs. the run-of-the-mill attacks.