Thursday, February 19, 2015

Boards Not Briefed on Strategy?

I'd like to make a quick note on strategy, after reading After high-profile hacks, many companies still nonchalant about cybersecurity in the Christian Science Monitor today. The article says:

In a survey commissioned by defense contractor Raytheon of 1,006 chief information officers, chief information security officers, and other technology executives, 78 percent said their boards had not been briefed even once on their organization’s cybersecurity strategy over the past 12 months...

The findings are similar to those reported by PricewaterhouseCoopers in its Global State of Information Security Survey last year in which fewer that 42 percent of respondents said their board actively participates in overall security strategy.

Does this worry you? Do you want to introduce strategic thinking into your board discussion? If the answer is yes, consider these resources.

1. Check out my earlier blog posts on strategy, especially the first two articles.

2. Watch the keynote I delivered at ArchC0n last year. My section starts around 8:30.

3. For those who want to apply strategic thought to network security monitoring, I addressed that in a Webcast for O'Reilly last year.

At the end of the day, we need to be talking in strategic terms with business leaders, not technical terms. They are not having the conversations they need, and too few of us know how to speak a language that aligns with their interests and goals.

We need to convince boards and CxOs that we are understand their goals, and that security teams are implementing the correct strategy and running the right campaigns to achieve business objectives. We should not be talking to them about the tactics and tools to support the strategy and campaigns. Sell executives on your strategy, not your technical knowledge.

Elevating the Discussion on Security Incidents

I am not a fan of the way many media sources cite "statistics" on digital security incidents. I've noted before that any "statistic" using the terms "millions" or "billions" to describe "attacks" is probably worthless.

This week, two articles on security incidents caught my attention. First, I'd like to discuss the story at left, published 17 February in The Japan Times, titled Cyberattacks detected in Japan doubled to 25.7 billion in 2014. It included the following:

The number of computer attacks on government and other organizations detected in Japan doubled in 2014 from the previous year to a record 25.66 billion, a government agency said Tuesday.

The National Institute of Information and Communications Technology used around 240,000 sensors to detect cyberattacks...

Among countries to which perpetrators’ Internet Protocol addresses were traced, China accounted for the largest share at 40 percent, while South Korea, Russia and the United States also ranked high.

NICT launched a survey on cyberattacks in Japan in 2005, when the number of such incidents stood at around 310 million. The number rose to about 5.65 billion in 2010 and to 7.79 billion in 2012.

25.66 billion "computer attacks"? That seems ridiculous at first glance. Based on observations from "around 240,000 sensors," that's over 100,000 "attacks" per sensor per year, or nearly 300 per sensor per day. That still seems excessive, although getting closer to an order of magnitude that might make sense.

You might find the trend line more interesting, i.e., 310 million to 5.65 billion to 7.79 billion to 25.66 billion. However, it is important to adjust for increased visibility at each point. I doubt that 240,000 sensors were operating prior to 2014.

(On a secondary note, I'm not thrilled by the section saying that Chinese IP addresses accounted for 40% of the "attacks." While that may be a "fact," it doesn't say anything by itself that helps with attribution.)

Nevertheless, talking about individual "attacks," especially when counting them discretely, is outmoded thinking, in my opinion. "Attacks" could include anything from transmitting a TCP segment to a specific port, to attempting SQL injection on a Web site, to sending a phishing email.

If properly defined, "attacks" become somewhat interesting, but their value as indicators should extend beyond being simple atomic events.

I was much more encouraged by the second article, at right, published 18 February by Reuters, titled Lockheed sees double-digit growth in cyber business. It included the following:

[Chief Executive Officer Marillyn] Hewson told the company's annual media day that Lockheed had faced 50 "coordinated, sophisticated campaign" attacks by hackers in 2014 alone, and she expected those threats to continue growing.

The use of the term "campaign" is significant here. Campaign aligns with the operational level of war, between Tactics and Strategy. (Tactics are employed as actions at the individual battle or skirmish level, while Strategy describes matching ways and means to achieve specific ends. See my posts on strategy for more.)

Campaigns are sets of activities pursued over days, weeks, months, and even years to accomplish strategic and policy goals. The term campaign indicates purpose, applied over an extended period of time. When the LM CEO speaks in these terms, she shows that her security team is thinking at an advanced level, likely aligning campaigns with specific threat actors and motives.

When a CEO talks about 50 campaigns, she can have a more meaningful discussion with the executives and board. She can talk about threat actors behind the campaigns, what happened during each campaign, and how the team detected and responded to them. The term Campaign also matches well with business operations; think of "marketing campaigns," "sales campaigns," etc.

I would very much like to see security teams, officials, and others think and talk about campaigns in the future, and place statistics on "attacks" in proper context. Note that some threat researchers talk about campaigns when they write reports on adversary activity, so that is a good sign already.

Saturday, February 14, 2015

Five Reasons Digital Security Is Like American Football

Butler's Interception (left) Made Brady's Touchdowns (right) Count
In Kara Swisher's interview on cyber security with President Obama, he makes the following comment:

"As I mentioned in the CEO roundtable, a comment that was made by one of my national security team — this is more like basketball than football in the sense that there’s no clear line between offense and defense. Things are going back and forth all the time,” he said.

I understand why someone on the President's national security team would use a basketball analogy; we all know the President is a big hoops fan. In this post I will take exception with the President's view, although I am glad he is involved in this topic.

The following are five reasons why digital security is like American football, not basketball.

1. Different groups of athletes play offense, defense, and special teams in football. It is rare to see a single player appear on more than one squad. (It does happen, though. Julian Edelman is a punt returner and wide receiver. JJ Watt has caught touchdowns a few times. And so on...) In basketball, five players are on the court, and they play both offense and defense. In digital security, it is exceptionally rare to find professionals who routinely work offensive and defensive operations. I recommend that they do, but daily life is generally not a mix of these disciplines. Digital security pros are more like American football players due to these groupings of expertise.

2. Digital security is highly specialized. There are simply too many areas of expertise to expect any single person to master more than one aspect. This is true within American football. It is rare for a player to routinely fill multiple positions, whether on the offense or defense. A few athletes come to mind, like Kordell Stewart, but they are exceptions. Basketball has positions and specialties as well, but they are not as distinct as football.

3. Lines and direction of activity in digital security are more like American football than basketball. It is rare for defenders to "score points," compared to the points scored by the offense. This is true for digital security and American football. Basketball, like ice hockey, is much more fluid, with the flow of play going back and forth. Now, some players in basketball and hockey are more offensive-minded than defensive minded, and vice-versa, but the idea of the "defense" scoring points against the "offense" doesn't really make sense in those sports.

Sources: Business Insider, Arizona Cardinals
4. Digital security is really complicated. Similarly, American football is extremely complicated compared to basketball. There are 22 players on the field compared to 10, for starters. I found examples of real NFL plays from an old copy of the Arizona Cardinals playbook. It reminds me of the gyrations an intruder might have execute in order to accomplish his mission. Obviously basketball has plays, but they are not as intricate as those in football.

5. Digital security involves progression across territory, in a manner more like football than basketball. Most of the action in a basketball game occurs in either team's half-court. In football, teams spend time across most of the field. This reminds me more of the progression of actions that must take place for an intruder to accomplish his mission.

Now, those of you with long memories of this blog may remember my 2006 post Digital Security Lessons from Ice Hockey. In that story I emphasized the benefits of "being well-rounded..." having "knowledge and capability in offense and defense." I still advocate that position, but I recognize that it is really tough to achieve it.

Those with slightly longer memories may remember my 2005 post Soccer-Goal Security, showing a player kicking the ball into a goal, while the goalie looks elsewhere. The point of that post was to focus one's defense on actual attacks, not theoretical concerns.

Bejtlich's Mandiant Helmet
My hope with this post is to offer a counter-example to the views of the President and some of his staff. As with all analogies, they are open to interpretation, and some fail more quickly and spectacularly than others. Please try not to get too twisted out of shape or take offense. It's only a game, and this is only a blog post.

Given that we used to get football helmets at Mandiant, you might have predicted this post...

Learning the Tufte Way to Present Information

Source: The Economist, 31 Jan 2015

TaoSecurity Blog readers know I am a fan of Edward Tufte. When I see a diagram that I believe captures the tenets of his philosophy of presenting information, I try to share it with readers.

Two weeks ago in its 31 January 2015 edition, The Economist newspaper published Saudi Arabia: Keeping It in the Family. The article discussed the ascension of King Salman to the Saudi crown. The author emphasized the advanced age of Saudi kings since the founding of the monarchy in 1932.

To make the point graphically, the article included the graphic at left. It captured the start and end of the reigns of the monarchs, their ages at the beginning and end of their reigns, and the median age of the population.

Readers are able to quickly compare the duration of each monarch's reign, the monarch's ages, and the trend toward older monarchs. Readers can see the traditional widening gap in ages of rulers compared to the population, as well as the recent closing of that gap as the population becomes slightly older.

I would have preferred to have seen King Abdel Aziz, founder of Saudi Arabia, included beyond the abbreviated line and asterisk. Perhaps the sources for the image didn't include median population age prior to 1950?

Nevertheless, this is an excellent example of a Tufte-esque graphic, in my opinion.

I strongly recommend attending Tufte's one-day class, which will occur in the DC area at the end of March.

Thursday, February 12, 2015

Focus on the Threat: Bank Heists

Thief Retrieves Cash, from Bloomberg Businessweek
The February 2nd issue of Bloomberg Businessweek featured a story titled Boom: Inside a British Bank-Bombing Spree. The article describes how "five men, dressed all in black" used "crowbars, power tools, coils of flexible tubing, and two large tanks of explosive gas" to blow apart ATMs in the UK, then retrieve cash inside.

The story opens by describing a raid that netted "almost £250,000, or about $375,000" and

was the group’s biggest score in a single night yet. Their MO, using cheap, common, and legal gas, was nearly impossible to trace, and they left precious little forensic evidence for the police. To stop the rampage, there was little Britain’s banks could do.

What is the history of this sort of attack? The article states:

Bank security experts think the first ATM gas attack may have been in Italy in 2001. Early statistics are shaky, but by 2005 there were almost 200 across the continent, according to EAST, or the European ATM Security Team. (Their figures include physical explosives, but gas dominates.) In 2013 there was a 31 percent increase from the year before, to 696 attacks in eight countries. Gas bomb gangs have struck in Australia (2008), Brazil (2010), and Chile (2014), but they’re primarily a European phenomenon. 

Now, I know how many of my readers think. They jump immediately to consider technical approaches for countering this attack pattern. Indeed, the Bloomberg article includes the following:

The rise in gas attacks has created a market opportunity for the companies that construct ATM components. Several manufacturers now make various anti-gas-attack modules: Some absorb shock waves, some detect gas and render it harmless, and some emit sound, fog, or dye to discourage thieves in the act.

This is the standard reaction from the tech community: treat every problem as an engineering challenge, preferably to be solved by a start-up!

Thinking in terms of the risk equation (R = V x T x A), the engineers want to reduce the Vulnerability, or V, and consequently reduce Risk, or R.

(It might also be possible to reduce A, or Asset value, by having less money in ATMs. As we move to a cash-deficient society, that's possible. However, it doesn't address the immediate problem -- dozens of crime scenes, with more expected.)

Suspects and Convicts: Bloomberg Businessweek
However, despite the friendly engineer's desire to refactor the environment, the article spends only the three sentences cited earlier on technical solutions. Instead, and appropriately here, the article explains how law enforcement worked on identifying and arresting the threat actors (T), eliminating them from the risk equation.

Now, it's entirely possible that other threat actors could take on the ATM-exploding mantle, replacing those who have been arrested. However, the police have demonstrated that they have the capability to perform threat attribution and containment. We will have to see if this sort of crime continues in the UK, or if it shifts elsewhere.

Incidentally, it may have been the introduction of better digital security that resulted in a rise of physical crime. The article says:

It’s a low-tech, low-investment, more immediate alternative to modern thievery involving card skimmers, PIN–capturing cameras, and malware. ATM fraud is declining steeply in Europe, EAST says, down 42 percent in the first half of 2014 compared with the same period in 2013, while physical attacks—explosions, plus crowbar jobs, “ram raids,” etc.—are up 3 percent.

What does this mean for the US?

As far as anyone knows, there has never been a gas attack on an American ATM. The leading theory points to the country’s primitive ATM cards. Along with Mongolia, Papua New Guinea, and not many other countries, the U.S. doesn’t require its plastic to contain an encryption chip, so stealing cards remains an effective, nonviolent way to get at the cash in an ATM. 

Encryption chip requirements are coming to the U.S. later this year, though. And given the gas raid’s many advantages, it may be only a matter of time until the back of an American ATM comes rocketing off.

The bottom line for me is this: it's entirely appropriate for engineers to develop more secure products to reduce vulnerabilities. However, it's also entirely appropriate for law enforcement to identify, arrest, and prosecute threat actors. That requires attribution and forensics. In other words, identifying the threat is a necessary and critical aspect of security, as it has been in the physical world and is finally being recognized as such in the digital world.

And for the record, I still like engineers and start-ups, including engineers who work at start-ups.

Sunday, February 08, 2015

Where Russia and North Korea Meet

Last week the Christian Science Monitor published a story titled How North Korea built up a cadre of code warriors prepared for cyberwar. It contained the following section:

North Korea is faced with tremendous limitations. All of its Internet connections go through servers in China, for example. But it soon may find other ways to connect to the outside world. North Korean leader Kim Jong-Un is expected to meet with Russian President Vladimir Putin later this year in a bid to, among other things, begin running networks through Russia, too.

This caught my attention. Years ago I bought a giant map of Asia for my office at Mandiant. I was fascinated by the small part of the world where Russia and North Korea share a border, shown below.

If you zoom into that area, you see the following.

China, Russia, and North Korea share a common border near the Russian town of Khasan. From that location, Russia and North Korea share a border dividing the Tumen River, approximately 19 km southeast to the Sea of Japan.

There is a bridge across the Tumen River near Khasan, shown in the next image.

The blog "English Russia" published a December 2014 post titled This Is Where Russia Borders with China and North Korea. It features some amazing aerial photography of the area. The blog notes the bridge over the Tumen river is called "The Railway Bridge of Friendship."

Returning to the origin for this post, namely North Korea "running networks through Russia," it's possible this is the place where it could happen. What sort of connectivity is nearby?

A search for information on the geography of the Russian Internet noted a "Transit Europe – Asia" line with connectivity to places like Stockholm and Frankfurt, from the Russia city of Khabarovsk. The city of Khabarovsk is also mentioned for a "Khabarovsk – Nakhodka – Tokyo" line. Where are Khabarovsk and Nakhodka? The next image shows the answer.

As you can see, Nakhodka (B) is about 100 miles northeast of Khasan (A). Khabarovsk (C), the terminus for the major lines to Europe mentioned earlier, is several hundred miles to the northeast, along the border with China.

Given the investment in connectivity to Nakhodka, I suggest that, if the Russians are serious about providing physical Internet connectivity to the North Koreas, we should see activity between Nakhodka and Khasan. I am not sure if the Russians would want to lay cable along the A188/A189 highway between the two cities, or if they would install a submerged cable. Given that Vladivostok, home of the Russian Pacific Fleet, lies between the two cities, I don't think the Russians would want to deploy an undersea cable there. It might be a risky location for such a high-traffic waterway.

If anyone has satellite or stealthy drone to spare, you may want to watch for cable installation along the A188/A189 highways between Nakhodka and Khasan, and along the "The Railway Bridge of Friendship" to North Korea.

Thank you to Google Maps and English Russia blog for these images.

Monday, February 02, 2015

A Word of Caution on Fraudulent Routing

If you've read TaoSecurity Blog for a while, you remember me being a fan of companies like Renesys (now part of Dyn Research) and BGPmon. These organizations monitor Internet-wide routing by scrutinizing BGP announcements, plus other techniques. (I first posted on the topic almost 12 years ago.)

I am well aware that an organization, from its own Internet viewpoint, cannot be absolutely sure that the other end of a conversation truly represents the IP address that it seems to be. The counterparty may be suffering a BPG hijack.

An attacker may have temporarily positioned itself in BGP routing tables such that the legitimate IP address owner is not the preferred route. There have been many examples of this, and on Thursday Dyn Research posted a great new blog titled The Vast World of Fraudulent Routing that describes six recent examples.

A Tweet by Space Rogue about Dyn's post caught my attention. He said:

You really want to tell me that an IP Address is enough for attribution?

Then he linked to the Dyn blog post.

There are several problems with this statement.

First, no one in their right mind says "an IP address is enough for attribution." If you want to comfort yourself by standing up a straw man that's easy to knock down, have fun with that.

I fear Tweets like this are swipes against the Update on Sony Investigation FBI statement, which includes this section:

The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

The straw-man-building critics neglect the qualifier that precedes this statement:

While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following...

For those who can't decode this statement, or aren't familiar with the phrasing, the text means:

"We have other information that isn't worth disclosing in order to convince critics. Our ability to detect and respond to future attacks, thanks to the sources and methods we preserve by keeping them our of the spotlight, is more important than publicizing sensitive intelligence."

Furthermore, the FBI statement includes other reasons for attribution, which you can read in the original document.

Second, and most importantly, the Dyn post demonstrates that it is possible, and routine, to identify when IP addresses are being hijacked.

Let me say that again. Once you step outside your organization's view of the Internet, by using a service like Dyn/Renesys, you can tell when IP addresses are being abused by BGP hijackers.

Services such as Dyn/Renesys and BGPmon provide alerts when they detect hijacking of an organization's IP address space. I know commercial customers who pay attention to these notifications, as well as other sources, to identify when odd activity is happening on the Internet.

Third, and finally, there is a difference between seeing an IP address in the logs of a victim organization, and having direct observation of intruder infrastructure. You can read the excellent New York Times piece N.S.A. Breached North Korean Networks Before Sony Attack for details on that angle.

Some critics, at least those with history in the field, should know better. It would be more productive to talk about serious issues, rather than straw men and incomplete arguments.

Update: I amended the post to make it clear that law enforcement is not a customer of Dyn/Renesys.