
Monday, 18 March 2013

Mandiant's APT1 "Mission" problem

Mandiant's APT1 report summarized its case in a table of six categories of characteristics that Mandiant deduced tie APT1 to PLA Unit 61398. The first, which Mandiant called the Mission area, claims that PLA Unit 61398 "targets strategic emerging industries in China's 12th Five Year Plan" (see Table 12, p. 59). Earlier in the report the authors claimed that "APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan" (p. 24).

The Mission evidence is of particular interest to me because I've been mining adversary state R&D since 2009, and while knowing what a potential adversary state is after is important, it cannot be done at the 50,000-foot view, which is what China's Five Year Plans provide. Taia Global published a white paper almost a year ago (a copy of which was requested by one of Mandiant's executives) which provided a similar high-level look at 13 nation states' R&D priorities, and it too was not sufficiently granular to be of much use in an attribution effort; however, it does make clear that certain technologies are of value to at least a half dozen threat actors (see below). And frankly, this is a very valid approach, if done properly, to help a company understand which files may be at risk. In fact, that's precisely what Taia Global's new product Chimera is being developed to do. However, it's not enough to just say that because "energy" is part of China's FYP, it must be China whenever an energy company is attacked. France, Germany, and Russia are also spending money on energy-related research, and all three of those states have engaged in industrial espionage. But even that's not sufficient evidence to blame a state actor. What's more likely, in my opinion, is that a professional hacker group is making money by stealing valuable IP and selling it to competitors, state-run companies, and/or the states themselves.

Here are the seven new strategic industries identified in China's 12th FYP. The report didn't disclose which four of the seven were targeted:
  • Energy conservation and environmental protection industries
  • New-generation IT industry
  • Biological industry
  • High-end equipment manufacturing industry
  • New energy industry
  • New material industry
  • New-energy automobile industry
Below are some of the R&D priorities for six other nation states that have engaged in industrial and cyber espionage. The list is not exhaustive, but it illustrates how little deviation there is at the broadest level of international R&D. We can safely say that companies in these industry segments are being targeted for their IP. We can't say that only China is doing the targeting.

France:
  • Energy
  • Biotechnology
  • IT (Information Technology)
  • Space
  • Transportation
Germany:
  • Energy
  • IT and Telecommunications
  • Manufacturing
  • Biotechnology
  • Medicine
  • Climate research
Israel:
  • Telecommunications
  • Medicine
  • Chemistry
  • Information Technology
  • Biotechnology
  • Nanotechnology
Pakistan:
  • Telecommunications
  • Agriculture
  • Medicine
  • Education
Russia:
  • Energy
  • Robotics
  • Information and Telecommunications
  • Nanotechnology
  • Life sciences
  • Environment
South Korea:
  • Manufacturing
  • Nanotechnology
  • Semiconductors
  • Transportation
  • Chemicals

Tuesday, 19 February 2013

Mandiant APT1 Report Has Critical Analytic Flaws

Mandiant's APT1 report is the latest infosec company document to accuse the Chinese government of running cyber espionage operations. In fact, according to Mandiant, if a company experiences an APT attack, then it is a victim of the Chinese government because in Mandiant-speak, APT equals China.

"We tend to perceive what we expect to perceive"
- Richard J. Heuer, "The Psychology of Intelligence Analysis"

The fact that Mandiant refuses to acknowledge that other nation states engage in cyber espionage when the facts show otherwise demonstrates what Heuer calls an "expectation bias", but it's much worse than that.

Mandiant's alleged proof is summarized in Table 12 (pp. 59-60), "Matching characteristics between APT1 and Unit 61398". Mandiant's entire premise that APT1 is PLA Unit 61398 rests on the connections made in that table and on the assertion that no other conclusion is possible:
"Combining our direct observations with carefully researched and correlated findings; we believe the facts dictate only two possibilities: Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission or APT1 is Unit 61398." (APT1, p. 60)
If this report were written by a professional intelligence analyst at the CIA, it would most likely undergo a vetting process known as ACH (Analysis of Competing Hypotheses):
"Analysis of competing hypotheses, sometimes abbreviated ACH, is a tool to aid judgment on important issues requiring careful weighing of alternative explanations or conclusions. It helps an analyst overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult to achieve."
In other words, ACH forces the intelligence analyst to look for all alternative hypotheses and assess them one at a time to see which best fits the data collected. This is rarely if ever done by information security companies, and it's the single biggest objection that I have when it comes to individuals making claims of attribution to nation states. Heuer's iconic "Psychology of Intelligence Analysis" explains why ACH is so important:

"The way most analysts go about their business is to pick out what they suspect intuitively is the most likely answer, then look at the available information from the point of view of whether or not it supports this answer. If the evidence seems to support the favorite hypothesis, analysts pat themselves on the back ("See, I knew it all along!") and look no further. If it does not, they either reject the evidence as misleading or develop another hypothesis and go through the same procedure again. Decision analysts call this a satisficing strategy. (See Chapter 4, Strategies for Analytical Judgment.) Satisficing means picking the first solution that seems satisfactory, rather than going through all the possibilities to identify the very best solution. There may be several seemingly satisfactory solutions, but there is only one best solution." 
"Chapter 4 discussed the weaknesses in this approach. The principal concern is that if analysts focus mainly on trying to confirm one hypothesis they think is probably true, they can easily be led astray by the fact that there is so much evidence to support their point of view. They fail to recognize that most of this evidence is also consistent with other explanations or conclusions, and that these other alternatives have not been refuted."

If Mandiant or another organization were to use ACH on this evidence, here's how Heuer recommends it be done. It's an 8-step process:

1. Identify the possible hypotheses to be considered. Use a group of analysts with different perspectives to brainstorm the possibilities.
2. Make a list of significant evidence and arguments for and against each hypothesis.
3. Prepare a matrix with hypotheses across the top and evidence down the side. Analyze the "diagnosticity" of the evidence and arguments--that is, identify which items are most helpful in judging the relative likelihood of the hypotheses.
4. Refine the matrix. Reconsider the hypotheses and delete evidence and arguments that have no diagnostic value.
5. Draw tentative conclusions about the relative likelihood of each hypothesis. Proceed by trying to disprove the hypotheses rather than prove them.
6. Analyze how sensitive your conclusion is to a few critical items of evidence. Consider the consequences for your analysis if that evidence were wrong, misleading, or subject to a different interpretation.
7. Report conclusions. Discuss the relative likelihood of all the hypotheses, not just the most likely one.
8. Identify milestones for future observation that may indicate events are taking a different course than expected.
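Heuer's steps 3 to 6 above, reduced to a small consistency matrix. This is an added illustration, not code from the original post, from Heuer, or from Mandiant. The hypotheses, the evidence labels and every C/I/N/A rating are constructed placeholders chosen to show the mechanics, not an assessment of APT1: an item that is consistent with every hypothesis (such as "targets industries in the 12th Five Year Plan", the "Mission" objection raised in the post above) drops out as non-diagnostic, a tie between two hypotheses means the evidence does not discriminate between them, and the sensitivity step names the single items whose reinterpretation would change the result.

```python
"""Heuer's Analysis of Competing Hypotheses (ACH), steps 3 to 6, as a small
consistency matrix.

Added illustration only: the hypotheses, evidence labels and C/I/N/A
ratings below are constructed placeholders for the demo. They are NOT
Mandiant's Table 12 and not anyone's actual assessment of APT1.
"""
from dataclasses import dataclass

C, I, NA = "C", "I", "N/A"   # consistent, inconsistent, not applicable


@dataclass(frozen=True)
class ACHMatrix:
    hypotheses: tuple   # step 1: competing hypotheses, including the unpopular ones
    evidence: dict      # steps 2-3: label -> ratings, one per hypothesis, in order

    def is_diagnostic(self, label):
        """Step 3: an item helps only if it rates the hypotheses differently.
        Something consistent with every hypothesis tells you nothing."""
        return len({r for r in self.evidence[label] if r != NA}) > 1

    def refine(self):
        """Step 4: drop evidence with no diagnostic value."""
        kept = {k: v for k, v in self.evidence.items() if self.is_diagnostic(k)}
        return ACHMatrix(self.hypotheses, kept)

    def inconsistencies(self):
        """Step 5: try to disprove, not confirm. Count the evidence AGAINST each
        hypothesis; the one with the fewest 'I' ratings is the survivor."""
        return {h: sum(1 for ratings in self.evidence.values() if ratings[i] == I)
                for i, h in enumerate(self.hypotheses)}

    def leaders(self):
        """Hypotheses tied for the fewest inconsistencies. A tie is itself the
        finding: the evidence does not discriminate between them."""
        scores = self.inconsistencies()
        best = min(scores.values())
        return frozenset(h for h, s in scores.items() if s == best)

    def critical_evidence(self):
        """Step 6: which single items, if wrong or misread, would change the
        set of leading hypotheses. Those are the ones to re-verify first."""
        base = self.leaders()
        critical = []
        for label in self.evidence:
            rest = {k: v for k, v in self.evidence.items() if k != label}
            if ACHMatrix(self.hypotheses, rest).leaders() != base:
                critical.append(label)
        return critical


HYPOTHESES = (
    "H1 APT1 is PLA Unit 61398",
    "H2 APT1 is another PRC state entity operating from Shanghai",
    "H3 APT1 is a Chinese-speaking criminal crew selling stolen IP",
    "H4 APT1 is a non-Chinese actor routing through Chinese infrastructure",
)

# Constructed ratings (assumptions for this demo), one per hypothesis in order.
EVIDENCE = {
    "E1 targets industries listed in China's 12th Five Year Plan": [C, C, C, C],
    "E2 operates from Shanghai-based telecom infrastructure":       [C, C, C, I],
    "E3 operators' language artifacts are mainland Chinese":       [C, C, C, I],
    "E4 multi-year, enterprise-scale resourcing":                   [C, C, I, C],
    "E5 tasking resembles Unit 61398's stated mission":            [C, C, NA, NA],
}


def run_ach(hypotheses=HYPOTHESES, evidence=EVIDENCE):
    """Steps 4 to 6 end to end. Step 7 is reporting ALL of this, not just
    the top hypothesis."""
    matrix = ACHMatrix(hypotheses, evidence).refine()
    return {
        "kept_evidence": sorted(matrix.evidence),
        "inconsistencies": matrix.inconsistencies(),
        "leaders": matrix.leaders(),
        "critical_evidence": matrix.critical_evidence(),
    }


if __name__ == "__main__":
    for key, value in run_ach().items():
        print(f"{key}: {value}")
```

With these placeholder ratings E1 and E5 are discarded as non-diagnostic, H1 and H2 tie with zero inconsistencies (so nothing in the matrix separates "Unit 61398" from "some other Shanghai-based state entity"), and E4 is the only item whose removal changes the leading set, which is exactly the item an analyst would have to go back and re-examine.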

I don't have the time to run Mandiant's evidence through an ACH process but I'd like to propose that a volunteer group of intelligence students at Mercyhurst Institute of Intelligence Studies do that very thing. My friend Professor Kris Wheaton who teaches there and writes the outstanding Sources and Methods blog is an expert in this area and I'm hopeful that he'll pick up the challenge.

In the meantime, the following table has four columns. The first three are from Mandiant's Table 12. The "Other" column contains a partial group of alternatives that I've provided for each of Mandiant's "characteristics". These alternatives need to be analyzed and ruled out using a rigorous analytic process like ACH before Mandiant or anyone else can claim that APT1 is a part of China's People's Liberation Army.




In summary, my problem with this report is not that I don't believe that China engages in massive amounts of cyber espionage. I know that they do - especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room.

My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges - that there are multiple states engaging in this activity; not just China. And that if you're going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.

UPDATE (22 FEB 2013): I've published a follow up to this article: "More on Mandiant's APT1 Report: Guilt by Proximity and Wright-Patterson AFB"

Saturday, 25 August 2012

Lessons for CEOs from the Saudi Aramco Breach

Figure source: Joint Intelligence Preparation of the Operational Environment (JP 2-01.3)
It's doubtful that Saudi Aramco will issue any substantive statements about the scope of the network attack that it suffered last week. However the information that's been privately shared with me by people with inside knowledge as well as by the attackers themselves reveals enough about the incident to draw certain lessons that CEOs from multi-national corporations (MNC) need to pay attention to. Here are my top 3 recommendations:

1. The Conventional Cyber Threat Landscape Is Too Narrowly Viewed
Most if not all companies' security operations centers are monitoring for the now-conventional Advanced Persistent Threat style of attack, and their defensive tactics are geared towards interrupting that attack by use of an "intrusion kill chain". The attack suffered by Saudi Aramco didn't fit this model, and hence would have been completely missed by most of the world's largest companies. A multinational corporation must perform a comprehensive review of its entire threat landscape prior to designing its security framework. This includes evaluating its network exposure through its offices in foreign nations; its vendors (including U.S. vendors) and their relationships with the governments of potential adversary states; compromise of its senior executives while traveling; legal access to its intellectual property (e.g., source code) by foreign intelligence services (FIS) if the company conducts business in those same states; and so on. None of these potential attack vectors relies on spear phishing, social engineering, or other commonly watched-for schemes, nor would any of them be caught by the vast array of security software being sold by vendors today. While MNCs are busy sticking their fingers into the APT holes in their dike, state FIS are quietly re-routing the entire river behind the dike.

2. Companies Need To Pay Closer Attention to the Insider Threat
It's my understanding from a confidential source that the initial infection vector wasn't through a spear phishing attack but instead was via a Shamoon-infected USB stick which was inserted into a workstation in one of Aramco's foreign offices. This required the cooperation of an insider which, in fact, has been a serious and growing threat vector for a number of years. It's also one that conventional defenses like anti-virus, firewalls, and IPS/IDS cannot stop and that more sophisticated defenses like encryption and virtualization are not entirely effective against. This threat vector requires a more specific and potentially intrusive security posture which monitors for early signals that an insider typically presents prior to his malicious act.

3. Companies Cannot Keep a Dedicated Adversary Out of their Network
Saudi Aramco's attackers have threatened another attack today, the 25th, at 2100 GMT to prove their ability to cause harm to the company. And the fact is, they can. This is a David and Goliath scenario if there ever was one. The world's wealthiest company cannot stop a small group from successfully performing an attack. No one can. Therefore, the correct course of action for not only Aramco's CEO but every CEO is to focus on being able to absorb an attack without having it affect critical operations. This requires making choices between what's critical and what isn't. Keeping your website up 24/7 in the face of a DDoS attack isn't critical. Keeping your oil production from being interrupted is. Keeping your intellectual property from being stolen is. An MNC's CEO and Board of Directors need to perform a difficult but necessary inventory of their corporation's assets and divide them into critical and non-critical groups. Different security protocols and controls then need to be applied based upon criticality and resiliency.

While I haven't had the privilege of consulting with Aramco's leadership on their breach, my team and I have provided counsel for other MNCs and the above guidance is a very high level overview of our recommendations in those cases. Obviously, the devil is in the details and specifics on how to implement the above guidance will vary on a company by company basis. The bottom line is that if a company's board still believes that their company is safe from being breached, they have their heads up their collective asses.

RELATED:
Was Iran Responsible for Saudi Aramco's Network Attack?
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.

Tuesday, 1 November 2011

Words Matter: Dump APT for APA

I've written about my objections to the term Advanced Persistent Threat before, and explained why the term is both inaccurate and illogical, but I didn't propose an alternative term and clearly journalists need one. Therefore, I'd like to propose that we put this abused, over-used, and ill-fitting term to a well-deserved retirement and use in its place "Adaptive Persistent Attack" or APA.

ADAPTIVE
Adaptive should replace "advanced" because advanced malware costs time and money to develop, and an adversary crew won't use something expensive and sophisticated if a mundane spear phishing attack crafted with a little social engineering will do the trick. In other words, the bad guy's attack profile is adaptive, not advanced.

PERSISTENT
Persistent is exactly the right word. Once they're in, you aren't getting them out. The Fortress defense paradigm needs to die the same death as "APT".

ATTACK
As I pointed out in my post "The APT Logical Fallacy", APT is an oxymoron. A threat is not an attack. You've been attacked. Call it an attack.

But APT is a Who, not a What
Almost everyone who makes this statement believes that APT is a code word for the People's Republic of China. Period. Only China. I refuted this argument in my above-referenced post with detailed examples of the same attacks coming from the Russian Federation. Frankly speaking, it's stupid to keep using a code word when the meaning of the code word is widely known. Back in 2006, only other Air Force insiders knew what was meant by the term APT, so it fulfilled its purpose back then. Now the secret is out. There's no reason to keep referring to China as APT when we all know what you're talking about, including China. So either name the State that you're accusing or don't name it, but don't call China APT, APA, or any other code word. It's silly and it doesn't fool anyone.

Conclusion
Today, the Advanced Persistent Threat (APT) has become a huge FAIL, both as a "who" and as a "what" so please, let's all stop using it. I think that APA fits the bill rather nicely. If you've got a better idea, by all means suggest it as a comment. Words matter, and the world of information security has lots of horrible ones. This will be the first of a series of Words Matter posts that I hope to write in the near future with the hope of stimulating discussion and arriving at a more precise terminology for this emerging threat environment. Please contact me in the comments or via email if you have suggestions for a future Words Matter post (like "cyberwar").

Tuesday, 5 July 2011

The APT Logical Fallacy: More Harm Than Good

A preferred attack vector in 2011 is the precisely targeted spear phishing email which delivers a malicious payload to the victim's computer and soon compromises the company's network for the purpose of finding and extracting valuable intellectual property (IP). This attack vector has compromised numerous high-profile organizations in 2011, including EMC's RSA SecurID division (March), the International Monetary Fund (June), and Battelle Memorial Institute (July). McAfee's "Night Dragon" report identified five energy companies that were attacked in the same way. In fact, a July 1st report by Cisco [1] announced that spam is decreasing in favor of this attack vector because it's more efficient and the return on investment is greater for the actors who engage in it.

The problem arises when a decision is made by company executives or government officials to label such an attack an "Advanced Persistent Threat". First, the name itself is an oxymoron if it's used to describe what happened. Once an attack occurs, you can't call it a "threat". Someone "acted" against you. They didn't "threaten" to act. And a spear phishing attack isn't "advanced". It's rather mundane, albeit effective. Granted, the payload may be advanced, but it doesn't have to be.


If you belong to the "APT is a Who" school, like my friends at Mandiant and the U.S. Air Force (who use my book in their cyber certification courses, by the way), then APT is a code word meaning "China". No such code word exists for other countries who use targeted spear phishing attacks, which is where the logical fallacy in the title of this post comes into play. Its proponents say that's because no other country engages in this type of attack. Simply put, Eastern European hackers rob banks, Chinese hackers steal IP. End of story. So when an incident occurs that involves a non-financial organization like Battelle, the IMF, or an energy company, and the attack vector is a targeted email with a malicious payload, the culprit must be China. Why? Because it fits the modus operandi of the APT.

When you diagram that belief as a logical syllogism, it might look like this:

Major Premise: A targeted spear phishing attack against ABC company (a non-financial target) is an APT.
Minor Premise: All APT attacks originate from China.
Conclusion: China attacked ABC company.

Unfortunately for APT advocates, the evidence presented often doesn't support this logic when it relies on IP addresses based in China. See my earlier post on the fallacy of Chinese IP addresses. It also ignores the fact that Ukrainian, Romanian, Russian, and other Eastern European hackers have moved from financial crime to IP-related attacks utilizing the spear phishing model and the Zeus (aka Zbot) trojan, as far back as January 2010 and continuing to the present day. NetWitness [2] released an excellent report on the Kneber botnet, which is responsible for compromising data from about 2,500 corporate and government organizations world-wide. Chinese IP addresses figure prominently in these attacks, yet the responsible parties are Eastern European hacker crews who would find a receptive audience among the Russian Federation security services for at least some of the exfiltrated data.

Figure: Domains registered to Hilary Kneber
One of several times that my name has been used by this crew was in a spear phishing attack aimed at military employees in mid-June 2010. It happened to be launched 24 hours before a briefing that I was scheduled to give to Maj. Gen. Abraham Turner (COS USSTRATCOM) on June 16. Fortunately, I was able to include it as a real-time example in my briefing by way of this slide:

Figure: Part of an UNCLASS briefing to COS USSTRATCOM, 16 JUN 10
The APT logical fallacy does more harm than good because it overstates the threat from one nation while denying the activities of others that are equally widespread and possibly more effective operationally. This may not make much difference to the corporate executive whose defensive strategies would be the same regardless of where the attack originates from but it makes a huge amount of difference to policy makers, military leaders, and politicians who, because of bad conclusions stemming from faulty evidence assessment may influence national policy in ways that can harm the interests of the U.S. while aiding its adversaries. Is China engaging in widespread theft of IP? Yes, of course, but so are other nations. We used to call it industrial espionage or just plain spying. Unless you've got code names for every developed and developing nation on earth, blaming everything on APT/China is the equivalent of running a disinformation campaign for the Russian Federation. After all, it can't be the Russians, they only do financial crime, right?

References:
[1] Cisco White Paper, "Email Attacks: This Time It's Personal", June 2011
[2] NetWitness White Paper "The Kneber Botnet: A Zeus Discovery and Analysis", released January 2010

Friday, 10 June 2011

EMC's Anti-Security Culture: Business First, Security Second

(Updated with additional copy and links - 1920 EST 10 Jun 2011): NetWitness' Chief Security Officer Eddie Schwartz has apparently become the first CSO that EMC's RSA Security division has ever had, which I thought was pretty amazing for a world leader in security technology. In the course of looking into who holds the position at RSA's parent company, EMC, I ran across an EMC Leadership and Innovation article written by former EMC CSO Roland Cloutier that expressed a corporate philosophy which, in my opinion, contributed to the success of the RSA attack earlier this year:
Security must be a business enabler 
Cloutier is adamant that security must be deployed in the service of business goals, enabling the innovation and responsiveness that create competitive advantage. "As security practitioners, our aim is to create an environment for our executives, engineers, and sales folks to build, deliver, and service the absolute best technologies without any impedance or concern about security in our environment," he says. "We want them to understand that security is not a business inhibitor."
One of the recommendations that Cloutier makes in order to keep security from becoming a "business inhibitor" is contained in a special 2009 EMC report, "Top Global Security Officers Reveal Strategies for Driving Business Advantage in an Economic Crisis", in which he apparently shrank EMC's security department by 25% in order to create more "efficiency":
"In a tough economy, it's tempting for enterprises to rein in business innovation," said RSA President Art Coviello. "However, strategic initiatives that enable revenue growth and operational transformation are more critical than ever. Security practitioners can help business leaders safely pursue the most lucrative business opportunities by understanding the risk picture and identifying the right trade-offs. At the same time, security teams must find ways to squeeze the most out of every dollar. For example, EMC's Chief Security Officer and council member Roland Cloutier recently freed 25% of EMC's monitoring and response operational resources and achieved a four-fold improvement in alert performance by consolidating device, application and technology monitoring into a centralized SIEM solution."
EMC's commitment to automation as a "sound" security practice continued right up to February 2011 with the release of their latest RSA security paper, "Mobilizing Intelligent Security Operations for Advanced Persistent Threats" (.pdf). No wonder the marketing buzzword "APT" showed up in Art Coviello's and Uri Rivner's statements about the March attack. The entire EMC technology and security leadership had just finished writing a white paper on it! Here's one of the authors' three recommendations for defending against an APT attack:
3. Focus on developing capabilities that enable the analysis of security information in real time and the automatic adaptation of IT-based defenses. Automation will be essential in minimizing reaction times to attacks: the faster organizations can adapt and stay ahead of the attack, the less time the APT has to cause damage. 
The common theme underscoring all three reports is that, in EMC's view, automation is both an efficiency measure AND a security necessity. It may be a necessity for enabling profitability in a down economy, but automated defenses are a poor bet for any company that wants to protect its crown jewels from a dedicated and well-funded adversary. Here's why:

An automated solution will never stop a customized attack because the attack was designed to circumvent it!

I'm giving the keynote speech at Basis Technology's Government Users Conference next week on the lack of Cloud security and how Cloud services are becoming sophisticated attackers' preferred targets. Finding economies of scale works for an adversary. It almost never works for the defender. This is a lesson that EMC should have learned by now - the hard way.

Monday, 4 April 2011

What the RSA and NASDAQ Directors Desk Attacks Have In Common

When I first wrote about the NASDAQ Directors Desk attack on Feb 6 and Feb 8, I pointed out the core problem with an electronic boardroom application:
Your company’s critical data along with identifying information for your key executives joins hundreds of other companies’ critical data in a private “Cloud” that is no better secured than your own home network. In fact, you’re now worse off than before because your company is part of a larger, more target rich environment that gives an adversary the efficiency of scale. Instead of just one company’s “crown jewels”, he can have access to hundreds without increasing his risk. 
There are a growing number of "electronic boardroom" service providers besides Directors Desk. A 2008 article at the National Association of Corporate Directors mentions Boardbooks by Diligent, Directors Desk by NASDAQ, BoardLink by Thompson, BoardVantage, Leaders4 Board Information Management by 80-20, as well as smaller players like BoardWorks, BoardEffect, IntraLinks, Info-Street, and Endexx.

There are always pros and cons to making the details of an attack public. The NASDAQ Directors Desk attack has been in the news since early February and has just had a resurgence of interest with the announcement that the NSA has joined the FBI in their investigation. Personally, I had never known about the existence of an electronic boardroom prior to writing about this attack. Now that I do, I've been advising client companies to either not use them or to drastically reduce the amount of exploitable data that they contain before another attack takes place.

After the RSA attack was announced on March 17th, and with EMC (RSA's parent company) doing a poor job of providing information about it publicly (not to mention their disgraceful job of not sharing details with their own customer base privately), I wondered how many electronic boardroom services use RSA technology as part of their security. After a little bit of searching, I found four:

BoardBooks by Diligent
BoardLink by Thompson
BoardWorks
IntraLinks

I highly recommend that the above companies either contact EMC and demand answers regarding the extent of the RSA breach, so that they can determine their own exposure, or drop EMC as a security provider altogether. EMC's conduct in disclosing details about their attack has been pathetic. Their SEC filing was word-for-word identical to their press release, and the latest blog post, "Anatomy of an Attack", written by a marketing executive and not an engineer (which is telling in and of itself), only made matters worse by indulging in folksy descriptors and mixed metaphors as a substitute for providing hard facts on the state of the breach and offering specific guidance to its customers. I wouldn't be surprised if a class action lawsuit were filed against EMC's Board of Directors by their corporate customers for negligence. EMC, like many InfoSec companies, is charging small fortunes for products and services while assuming no responsibility for keeping their customers' data safe. A backlash is sure to follow.
