Who's Spear-Phishing the CEO of Mandiant?

According to this Foreign Policy article, someone spear-phished Kevin Mandia, CEO of the information security firm Mandiant, using one or more fake invoices from the company which provides his limo service. According to Mandia the name of his limousine service has never been publicly announced so the question is, how did the attacker know it?

One possibility according to Kevin Mandia is that Chinese foreign nationals have followed him to speaking engagements and observed which car service he used. Personally, I've never seen a limo with a billboard mounted to it or the name painted on the side. When I use Uber, for example, I'm given the license plate number of the driver so that I can tell which black town car is the one I'm waiting for. Usually limos and SUVs that belong to private transportation services are pretty discrete, unlike taxi cabs.

Another possibility is that the someone is targeting CEOs at companies based in MD/DC/VA metroplex with a spear phishing attack that assumes they use a particular high end car service. There's probably not more than a few dozen reputable car services, if that.

Yet another possibility is that the attack came from a disgruntled former employee or competitor with inside knowledge of the Mandiant CEO's travel preferences. I've heard that thanks to Mandiant's rapid growth, it's been actively recruiting security engineers from other companies. That's probably left a bad taste in more than one person's mouth and this might be someone's idea of getting a small measure of revenge.

Or it could be that despite Mandiant's best efforts, an attacker was able to access inside information on the company's network and he sent the email just to stir the pot.

Mandiant's security team believes that they've identified the attacker as an "advanced hacking group back in China". Such groups focus on stealing intellectual property. China, like many states, is investing money in information security research and development. Would Mandiant's intellectual property match and/or accelerate China's own InfoSec R&D priorities? If so, that would be yet another explanation for this attack.

The bottom line is that no one is immune from a motivated attacker; not even a leading information security company.

UPDATE (10/15/13): A reader reminded me of this article which described a Chinese group engaged in espionage-as-a-service via a significant foothold in the travel and tourism industry.

Add to Cart View detail

APT1, Shanghai Jiao Tong university, and Xenophobia

A few things have caught my attention recently which I'd like to share with you all in a somewhat abbreviated manner (meaning I'm swamped but this is important):

A Security Engineer's Forensic Review of Mandiant's APT1 report

Please read this security engineer's forensic review of the evidence contained in Mandiant's Appendix. He's discovered a lot more evidence which casts doubt on Mandiant's conclusions.

Shanghai Jiao Tong University's Collaboration with U.S. InfoSec Companies

Shanghai Jiao Tong University School of Information Security Engineering is just that - one of many Chinese universities that teaches information security. It is not a PLA school nor does it engage in hacking attacks. If it did, then I doubt that BreakingPoint Systems, a company that conducts "cyber warrior training" and does "cyber range deployments" for the U.S. government would have signed a "strategic cooperation agreement" with them.

Mandiant CSO Richard Bejtlich's view on Hiring Foreign Nationals

While I've disagreed often with Mandiant and Richard Bejtlich's views on China, I never heard him say anything remotely as awful as this quote from the Washington Examiner. I hope he was misquoted:

Bejtlich said he opposed placement of any foreign citizen of a suspect country like China in any sensitive government position.
"If you're considering them for a job at a national lab or a government agency, I think we're at the point now where it's recognized that's probably not a good idea," he said.

If that's an accurate quote, I can only hope that U.S. companies will ignore that incredibly poor advice. I think that most intelligent people in today's globalized economy have experienced working side by side with honest, talented, and skillful "foreigners" in many high technology settings including national labs and other environments. In fact, the U.S. would be hard-pressed to continue to innovate without them. The above quote is an example of xenophobia that's not far removed from McCarthyism and other witch-hunts and it has no place in the U.S. in 2013.

Add to Cart View detail

Mandiant's APT1 "Mission" problem

Mandiant's APT1 report's table of proof listed six categories that Mandiant deduced tied APT1 to PLA Unit 61398. The first, which Mandiant called the Mission area, made the claim that PLA Unit 61398 "targets strategic emerging industries in China's 12th Five year Plan" (see table 12 on p.59). Earlier in the report the authors claimed that "APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan" (p.24).

The Mission evidence is particularly of interest to me because I've been mining adversary state R&D since 2009 and while knowing what a potential adversary state is after is important, it cannot be done at the 50,000 foot view which is what China's Five Year Plans do. Taia Global published a white paper almost a year ago (a copy of which was requested by one of Mandiant's executives) which provided a similar high level look at 13 nation state R&D priorities and it too was not sufficiently granular to be of much use in an attribution effort however it does make clear that certain technologies are of value to at least a half dozen threat actors (see below). And frankly, this is a very valid approach, if done properly, to help a company understand which files may be at risk. In fact, that's precisely what Taia Global's new product Chimera is being developed to do. However, it's not enough to just say that because "energy" is part of China's FYP, then it must be China whenever an energy company is attacked. France, Germany, and Russia are also spending money on Energy related research and all three of those states have engaged in industrial espionage. But even that's not sufficient evidence to blame a state actor. What's more likely in my opinion is that a professional hacker group is making money by stealing valuable IP and selling it to competitors, state-run companies, and/or the states themselves.

Here are the seven new strategic industries identified in China's 12th FYP. The report didn't disclose which 4 of 7 were targeted:

• Energy conservation and environmental protection industries
• New-generation IT industry
• Biological industry
• High-end equipment manufacturing industry
• New energy industry
• New material industry
• New-energy automobile industry

Below are some of the R&D priorities for six other nation states who have engaged in industrial and cyber espionage. It's not exhaustive but it illustrates how little deviation there is at the broadest level of international R&D. We can safely say that companies in these industry segments are being targeted for their IP. We can't say that only China is doing the targeting.

France:

• Energy
• Biotechnology
• IT (Information Technology)
• Space
• Transportation

Germany:

• Energy
• IT and Telecommunications
• Manufacturing
• Biotechnology
• Medicine
• Climate research

Israel:

• Telecommunications
• Medicine
• Chemistry
• Information Technology
• Biotechnology
• Nanotechnology

Pakistan:

• Telecommunications
• Agriculture
• Medicine
• Education

Russia:

• Energy
• Robotics
• Information and Telecommunications
• Nanotechnology
• Life sciences
• Environment

South Korea

• Manufacturing
• Nanotechnology
• Semiconductors
• Transportation
• Chemicals

Add to Cart View detail

Who Are The Players in China's Targeting of Foreign Technology IP?

The release of Mandiant's APT1 report claimed that the PLA's Third Directorate (3PLA) is the responsible State organization behind Comment Crew (aka APT1). One of the things that the report's authors didn't do was demonstrate how the other State agencies who engage in this type of activity were excluded in their analysis. For future reference, here's a more complete list of the possible organizations who conduct intelligence activities (including cyber) to consider or rule out in terms of possible Chinese attribution.

Traditional Channels

Civilian

• The Ministry of State Security (MSS) - Counterespionage and Counterintelligence; Foreign Intelligence; Domestic Intelligence
• Ministry of Public Security (MPS) - National Police; Domestic Intelligence

Military

• Second Department of the People's Liberation Army (PLA) General Staff Department (2PLA): engages in foreign intelligence, imagery intelligence, and tactical reconnaissance
• Third Department of the PLA General Staff Department (3PLA); engages in signals intelligence
• Fourth Department of the PLA General Staff Department (4PLA); engages in computer network operations
• Liaison Office of the PLA General Political Department
• Intelligence departments of the PLA Navy, PLA Air Force, and Second Artillery
• State Secrecy Bureau

Non-Traditional Channels

• Commission of Science, Technology and Industry for National Defense (COSTIND)
• Research Institutes
• PRC Military-Industrial Companies
• Organized Chinese hacker groups

Guidelines:

Failed operations. In Amy Elizabeth Brown's paper "Directed or diffuse?: Chinese human intelligence targeting of US defense technology", she makes the same point that I have made multiple times; e.g., that much of the information we have about Chinese espionage cases (cyber and otherwise) comes solely from failed operations - meaning covert operations that have been discovered. Therefore, we have to acknowledge the possibility that China also runs successful covert operations using more effective tradecraft but we don't know the scope or scale.
3PLA's distributed offices. It's important to note that 3PLA, which was identified in the Mandiant APT1 report has, according to Mattis, offices and technical reconnaissance bureaus in each of China’s seven military regions and several major cities (not only Shanghai).
OSINT is insufficient. Another important statement in Mattis' conclusions is that open sources are insufficient to understand the inner workings of these various intelligence agencies.
Lack of sound tradecraft. "One of the defining characteristics of China’s non-traditional techniques for obtaining technology, as observed in many of the cases noted here, is the lack of clandestine tradecraft, or even the most basic elements of operational security, involved in obtaining the information.  In general, it appears that little or no care is used to ensure that the operation goes undetected." - Amy Brown's "Directed or Diffuse" paper as referenced below.
Giving amateur operatives too much credit. "A belief that the Chinese rely on amateur operatives risks leading CI professionals to dismiss or be inattentive to the threat posed by China’s professional services." - Peter Mattis "The Analytic Challenge" paper as referenced below.
Distinguishing economic espionage from Chinese intelligence. "When economic espionage with no connection to the Chinese intelligence services is interpreted as “Chinese intelligence,” less attention will be paid to what those organizations actually do. The Chinese intelligence services and the Chinese defense industries are distinct entities, although they may sometimes work for mutual benefit." - Peter Mattis (Ibid)

Readers of the Mandiant report or any report that purports to reveal the inner workings of Chinese cyber espionage cases are encouraged to familiarize themselves with the papers referenced below as well as the above guidelines that I've extracted from them. 

For example, the lack of tradecraft by the three individuals mentioned in the Mandiant report is palpable, and was pointed out by the report's authors: "These actors have made poor operational security choices, facilitating our research and allowing us to track their activities. They are some of the authors of APT1's digital weapons and the registrants of APT1 FQDNs and email accounts. These actors have expressed interest in China's cyber warfare efforts, disclosed their locations to be the Pudong New Area of Shanghai, and have even used a Shanghai mobile phone number to register email accounts used in spear phishing campaigns." - Mandiant APT1 report, p. 51

Even if one assumes that the Chinese government is the customer for APT1's cyber espionage activities, it's important to consider all of the options before attempting to assign attribution. Such a lack of tradecraft involved deserves at least a mention in the report that non-traditional channels as defined above were considered. As this article points out, those options are plentiful within China, but also include other foreign intelligence services and professional hacker crews who run their operations from China and/or from Chinese servers in order to confound any efforts at attribution.

Reference Material:

The Analytic Challenge of Understanding Chinese Intelligence Services

Directed or diffuse?: Chinese human intelligence targeting of US defense technology

PRC Intelligence Apparatus - Implications for Foreign Firms

Related Posts:

"Mandiant APT1 Report has critical analytic flaws"

Add to Cart View detail

More on Mandiant's APT1 Report: Guilt by Proximity and Wright Patterson AFB

The blog post that I wrote earlier in the week "Mandiant Report APT1 Has Some Critical Analytic Flaws" was based upon my history of interacting with some Mandiant folks online and in person as well as my interpretation of the facts as they were presented in the report. Thanks to some feedback that I received from readers as well as a teleconference that I had with three Mandiant executives yesterday, I've learned some new things that color my earlier article.

1. Mandiant has expanded their original definition of APT

Yesterday, I spoke with three Mandiant executives and learned that their meaning of the term has evolved with the times and it no longer represents a Who, but a What; or more precisely, a well-documented multi-staged process that attackers from multiple nation states have adopted. Mandiant has not formally announced this change (although they probably will later this year) so when I wrote my article on their APT1 report, I was referencing their former definition which I know now is no longer in use. While Mandiant often sees Chinese hackers at work stealing trade secrets and intellectual property, they also acknowledge that other countries may be doing the same thing. I'm happy to report this change because it's been a point of contention between myself and some folks at Mandiant ever since 2010. I'm glad that we're closer to being on the same page.

2. Mandiant did some negative analysis before publishing their report

Another thing I learned from that phone meeting was that there was an effort made to look at alternative  scenarios that might explain the facts that Mandiant had before them. Mandiant isn't a part of the Intelligence Community (even though they have some ex-IC folks working there) and they don't have the time, resources, or manpower to do the same type of analysis that is performed at Langley. It's also not their mission to do nation state attribution so I want to give them at least some credit for the counter-analysis that they did do, even though the significance of their conclusion demanded a more rigorous methodology in my opinion.

Thanks to input from my readers, I've also learned some additional negatives about the report.

1. Mandiant's reliance on proximity to prove its claim that PLA Unit 61398 is Comment Crew aka APT1 is harmed by simple geographical mistakes such as:

• p.10 of Mandiant's report refers to Hebei as a borough in Shanghai. Hebei is actually a province about 600 miles and 3 provinces away from Shanghai.
• NEC and Intel along with many other high tech companies operate less than 8 miles from PLA Unit 61398 and all would be served by the same fiber optics cable provided by China Unicom.
• There are more free proxy servers in China than anywhere else in the world and some of those proxy servers overlap with the IP blocks identified in the Mandiant report. 
• An IP registration for UglyGorilla was described by Mandiant as being "across the river" from Unit 61398. In fact, it was 33 kilometers away.

2. Speaking of guilt by proximity, one of the "obviously false" IP address registrations according to Mandiant was for an address in Yellow Spring, Ohio. It should have been spelled "Yellow Springs". However, a cursory check shows that the address is real except for that one missing "s". Even more interesting is that it is located 13 miles from Wright-Patterson Air Force Base which is the Air Force's "boot camp for cyber warriors".

Directions via Google Maps

Either this is a bizarre coincidence or someone on the Comment Crew has a wicked sense of humor. As it turns out, Michael Murphy is a real person who lives in Yellow Springs, Ohio and who used to be the director of admissions at Antioch College whose office is located at 795 Livermore St., Yellow Springs, OH - the address that Mandiant assumed was fake.

3. (UPDATED 23 FEB 13)  On page 11 of the report, under "Size and Location of Unit 61398's Personnel and Facilities", Mandiant wrote "public sources confirm that in early 2007, Jiangsu Longhai Construction Engineering Group completed work on a new building for Unit 61398 located at Datong Road 208 within the Pudong New Area of Shanghai. At 12 stories in height and offering 130,663 square feet of space, we estimate that this building houses offices for approximately 2,000 people." In reality, it's the Unit's pre-school:

English translation via Google Translate

And this isn't all of the errors. It's just a fraction. While each may seem minor, collectively they call into question Mandiant's final conclusion and, at the very least, should serve as a lesson to policy makers not to rush to judgment on matters of attribution. There's plenty of evidence that China engages in cyber espionage without upping the ante by trying to claim the Peoples Liberation Army is involved. 

At the end of the day it's important to remember that Mandiant isn't a U.S. government agency nor are they trained to do intelligence collection and analysis at the same level that it's done at Langley. They're a group of highly skilled professionals who serve their customers as incident responders and have a well-deserved reputation for excellence. 

Add to Cart View detail

Mandiant APT1 Report Has Critical Analytic Flaws

Mandiant's APT1 report is the latest infosec company document to accuse the Chinese government of running cyber espionage operations. In fact, according to Mandiant, if a company experiences an APT attack, then it is a victim of the Chinese government because in Mandiant-speak, APT equals China.

"We tend to perceive what we expect to perceive" 

- Richard J. Heuer, "The Psychology of Intelligence Analysis

The fact that Mandiant refuses to acknowledge that other nation states engage in cyber espionage when the facts show otherwise demonstrates what Heuer calls an "expectation bias", but it's much worse than that.

Mandiant's alleged proof is summarized in Table 12 (pp. 59-60): "Matching characteristics between APT1 and Unit 61398". Mandiant's entire premise that APT1 is PLA Unit 61398 rests on the connections made in that table and that no other conclusion is possible:

"Combining our direct observations with carefully researched and correlated findings; we believe the facts dictate only two possibilities: Either a secret, resourced organization full of mainland Chinese speakers with direct access to Shanghai-based telecommunications infrastructure is engaged in a multi-year, enterprise scale computer espionage campaign right outside of Unit 61398’s gates, performing tasks similar to Unit 61398’s known mission or APT1 is Unit 61398." (APT1, p. 60)

If this report were written by a professional intelligence analyst at CIA, it would most likely undergo a vetting process known as ACH (Analysis of Competing Hypotheses):

"Analysis of competing hypotheses, sometimes abbreviated ACH, is a tool to aid judgment on important issues requiring careful weighing of alternative explanations or conclusions. It helps an analyst overcome, or at least minimize, some of the cognitive limitations that make prescient intelligence analysis so difficult to achieve."

In other words, ACH forces the intelligence analyst to look for all alternative hypotheses and assess them one at a time to see which best fits the data collected. This is rarely if ever done by information security companies, and it's the single biggest objection that I have when it comes to individuals making claims of attribution to nation states. Heuer's iconic "Psychology of Intelligence Analysis" explains why ACH is so important:

"The way most analysts go about their business is to pick out what they suspect intuitively is the most likely answer, then look at the available information from the point of view of whether or not it supports this answer. If the evidence seems to support the favorite hypothesis, analysts pat themselves on the back ("See, I knew it all along!") and look no further. If it does not, they either reject the evidence as misleading or develop another hypothesis and go through the same procedure again. Decision analysts call this a satisficing strategy. (See Chapter 4, Strategies for Analytical Judgment.) Satisficing means picking the first solution that seems satisfactory, rather than going through all the possibilities to identify the very best solution. There may be several seemingly satisfactory solutions, but there is only one best solution." 

"Chapter 4 discussed the weaknesses in this approach. The principal concern is that if analysts focus mainly on trying to confirm one hypothesis they think is probably true, they can easily be led astray by the fact that there is so much evidence to support their point of view. They fail to recognize that most of this evidence is also consistent with other explanations or conclusions, and that these other alternatives have not been refuted."

If Mandiant or another organization were to use ACH on this evidence, here's how Heuer recommends it be done. It's an 8-step process:

1. Identify the possible hypotheses to be considered. Use a group of analysts with different perspectives to brainstorm the possibilities.
2. Make a list of significant evidence and arguments for and against each hypothesis.
3. Prepare a matrix with hypotheses across the top and evidence down the side. Analyze the "diagnosticity" of the evidence and arguments--that is, identify which items are most helpful in judging the relative likelihood of the hypotheses.
4. Refine the matrix. Reconsider the hypotheses and delete evidence and arguments that have no diagnostic value.
5. Draw tentative conclusions about the relative likelihood of each hypothesis. Proceed by trying to disprove the hypotheses rather than prove them.
6. Analyze how sensitive your conclusion is to a few critical items of evidence. Consider the consequences for your analysis if that evidence were wrong, misleading, or subject to a different interpretation.
7. Report conclusions. Discuss the relative likelihood of all the hypotheses, not just the most likely one.
8. Identify milestones for future observation that may indicate events are taking a different course than expected.

I don't have the time to run Mandiant's evidence through an ACH process but I'd like to propose that a volunteer group of intelligence students at Mercyhurst Institute of Intelligence Studies do that very thing. My friend Professor Kris Wheaton who teaches there and writes the outstanding Sources and Methods blog is an expert in this area and I'm hopeful that he'll pick up the challenge.

In the meantime, the following table has four columns. The first three are from Mandiant's table 12. The "Other" column contains a partial group of alternatives that I've provided for each of Mandiant's "characteristics". These alternatives need to be analyzed and ruled out using a rigorous analytic process like ACH before Mandiant or anyone else can claim that APT1 is a part of China's Peoples Liberation Army.

In summary, my problem with this report is not that I don't believe that China engages in massive amounts of cyber espionage. I know that they do - especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room.

My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges - that there are multiple states engaging in this activity; not just China. And that if you're going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.

UPDATE (22 FEB 2013): I've published a follow up to this article: "More on Mandiant's APT1 Report: Guilt by Proximity and Wright-Patterson AFB"

Add to Cart View detail

The New York Times / China Hack: What Really Happened and Who Really Did It?

The New York Times reported that it has been fending off a persistent attack by hackers which coincided with its publication on October 25, 2012 of an article on the wealth of the family of China's prime minister Wen JiaBao. However that appears to be an assumption because according to Jill Abramson, nothing was taken:

“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, executive editor of The Times.

What did the hackers actually do?

• They first accessed the network around September 13
• Installed malware that wasn't detected by Symantec's anti-virus
• They installed backdoors.
• Obtained passwords for 53 Times employees who didn't work in the Times' newsroom
• They "created custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server" but that conflicts with Ms. Abramson's above statement.

So no customer data was stolen, and nothing about the Wen family was accessed, downloaded or copied. That's not really much of a story so far. Better add everyone's favorite bad guy - China.

Why blame China?

“If you look at each attack in isolation, you can’t say, ‘This is the Chinese military,’ ” said Richard Bejtlich, Mandiant’s chief security officer.
But when the techniques and patterns of the hackers are similar, it is a sign that the hackers are the same or affiliated.
“When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction,” he said.
Mandiant has been tracking about 20 groups that are spying on organizations inside the United States and around the globe. Its investigators said that based on the evidence — the malware used, the command and control centers compromised and the hackers’ techniques — The Times was attacked by a group of Chinese hackers that Mandiant refers to internally as “A.P.T. Number 12.”

What's Wrong With This Picture?
This article appears to be nothing more than an acknowledgment by the New York Times that they found hackers in their network (that's not really news); that China was to blame (that's Mandiant's go-to culprit), and that no customer data was lost (i.e., the Times isn't liable for a lawsuit).

I think that Mandiant does good incident response work and I know Richard Bejtlich and some other Mandiant folks to be honest, hard-working professionals however their China-centric view of the hacker world isn't always justified in my opinion. Here are a few of the reasons mentioned in the New York Times article for why Mandiant believes that China was responsible. None of them hold water.

The Beijing Workday Argument. The hackers could have been from anywhere in the world. The timezone that Mandiant imagines as a Beijing workday could easily apply to a workday in Bangkok, Singapore, Taiwan, Tibet, Seoul, and even Tallinn - all of whom have active hacker populations.

The Lanxiang Vocational School Argument. The article mentioned that the hackers were traced back to the "same universities used by the Chinese military to attack U.S. military contractors in the past." If memory serves, one of those was the Lanxiang Vocational School in Jinan, the capital of Shandong province and home to a PLA regional command center. Actually, Jinan is an industrial city of six million people and more than a dozen universities. IP Geolocation to one school means absolutely nothing.

Furthermore, even if the Chinese government was involved in cyber espionage against the New York Times, it wouldn't use its military for that. It would use its Ministry of State Security (China's equivalent of the CIA). And they wouldn't be stupid enough to run the attack from their own offices, which if you're interested in checking IP addresses, is in Beijing - 274 miles from Jinan.

The Hackers' Techniques. The article mentioned the hackers use of a Remote Access Tool (RAT). One such widely used tool is called GhostRAT. The fact that it was used in an attack against the Dalai Lama in 2008 (GhostNet) doesn't mean that all of the later attacks which used this tool originated with the same group. In fact, even the GhostNet researchers refrained from attributing this attack to China's government.

Another tool whose use is often blamed on Chinese hackers is the "xKungFoo script". Like GhostRAT, the xKungFoo script is widely available for anyone to use so even if it was originally created by a Chinese hacker, it doesn't mean that it is used by Chinese hackers in all instances. I personally know Russian, English, and Indian hackers who write and speak Chinese.

The Wen JaiBao Argument. Mandiant believes that the hackers gained access to the New York Times network around September 15, 2012, during the time that the Wen story was being researched. We also know that the hackers gained access to the emails of the Times Shanghai Bureau Chief David Barboza and it's South Asia Bureau Chief in India Jim Yardley. Does this mean that China was responsible? Maybe it does, but the Wen story could have been a coincidence. Check out how many stories Mr. Barboza and Mr. Yardley worked between August and December, 2012 - several dozen between the two of them. And Yardley's name isn't associated with the Wen story at all.

Asian politics and economics are pivotal in some way to every developed and developing nation in the world. And the New York Times has its finger on the pulse of that region. The list of potential culprits who could have breached the Times network for information on Asia is far longer than just China. 

Add to Cart View detail

Debate: "Private Companies Should Be Authorized To Take Measured Offensive Action Against Attackers"

On Feb. 8-9, 2013, up to 100 people including some of the world's leading experts in law, incident response, reverse-engineering and intelligence will meet in Washington DC to debate the topic: "Private Companies should be Authorized to take Measured Offensive Actions against Attackers". The list of speakers includes CrowdStrike's Dmitri Alperovich, Mandiant's Richard Bejtlich, Microsoft's Dave Aucsmith, Dambala Labs' Gunter Ollmann, CrySys Labs' Boldi Bencsath, ReVuln's Donato Ferrante, INTERPOL's new Digital Crime Center's director, the ITU's Marco Obiso, The Grugq, The Jester, and many more.

The Agenda of Suits and Spooks DC will feature the most intriguing panel discussions every held on the highly controversial issue of "striking back" at those responsible for cyber attacks as well as how offensive markets for malware are changing the world of vulnerability exploits. The second day will include breakout sessions as well as an afternoon debate between two teams consisting of 12 volunteers from our attendees along with time for research and strategizing over a working lunch.

Friday, February 8, 2013 - Waterview Conference Center

9:00am - Registration and Continental Breakfast

9:45am - Welcome and Briefing on the Day's Activities

10:00am - 12:00pm: Panel Discussion - Offensive Tactics and Takedowns by Security Vendors

Featuring Mr. Dmitri Alperovich (CTO and Co-Founder, Crowdstrike), Mr. Richard Bejtlich (CSO, Mandiant), Mr. David Aucsmith (Sr. Director, Microsoft Institute of Advanced Technologies for Governments), and Mr. Nick Selby (Police Officer, DFW Area Department of Public Safety; Partner, Enterprise Security at N4Struct, Inc.).

12:00pm - 1:00pm: How Duqu, Flame, Gauss, and Shamoon can be reconfigured and reused against different victims

Featuring Dr. Boldizsár “Boldi” Bencsáth (Associate Professor, Laboratory of Cryptography and Systems Security (CrySyS), Department of Telecommunications, Budapest University of Technology and Economics)

1:00pm - 1:45pm LUNCH (provided on-site)

1:45pm - 3:45pm: Panel Discussion - Finding Exploitable Loopholes in the Computer Fraud and Abuse Act and International Law for Offensive Actions in Cyberspace

Featuring Dr. Catherine Lotrionte (Director of the Institute for Law, Science + Global Security, Georgetown University),  Mr. Stewart A. Baker (Partner, Steptoe & Johnson), Mr. Frank J. Cilluffo, Director, Homeland Security Policy Institute at George Washington University, and Mr. Marco Obiso (Cybersecurity Coordinator, International Telecommunications Union (ITU)

3:45pm - 4:00pm BREAK

4:00pm-6:00pm: Panel Discussion - Offensive Markets for Vulnerability Research - Pros and Cons

Featuring Mr. Donato Ferrante (Co-Founder and Security Researcher, ReVuln), The Grugq (a security engineer who specializes in reverse-engineering and anti-forensics), Mr. Gunter Ollmann (Chief Technology Officer, Damballa Labs)

Saturday, February 9, 2013 - Waterview Conference Center

9:00am Continental Breakfast

9:30am Welcome and Briefing on the Day's Activities

9:45am - 10:45am (Classroom A): Calculating The Adversary's Return-On-Investment and How That Can Inform Defense

Featuring Mr. Josh Corman (Director of Security Intelligence, Akamai)  and Mr. David Etue (Vice President, Corporate Development Strategy at SafeNet)

9:45am - 10:45am: (Classroom B): (topic to be announced)

Featuring Mr. Spencer Wilcox (Lead Security Strategist and Special Assistant to the Vice President of Corporate and Information Security Services for Exelon Corporation)

9:45am - 10:45am: (Classroom C): Q&A with The Jester via IRC "Is Offense The Best Defense, and Who Should Conduct It?"

This will be a moderated discussion with The Jester via IRC chat. Attendees will be able to pass their questions to the moderator and The Jester will respond in real-time.

 10:45am - 12:45pm: What's the Downside of Private Sector Offensive Engagement?

Featuring Dr. Anup Ghosh (Founder and CEO at Invincea), Mr. Jeffrey Carr (Founder and CEO, Taia Global, Inc.), Mr. Gunter Ollmann (Chief Technology Officer, Damballa Labs), and Mr. Josh Corman (Director of Security Intelligence, Akamai)

12:45pm-2:00pm: Working Lunch

12 attendees will volunteer to debate the proposition (6 per team). The working lunch will be spent dividing into teams and assisting the debaters in preparing research and debate strategies.

2:00pm - 3:30pm: Debate the Proposition "Private Companies Should be Authorized to Take Measured Offensive Actions Against Attackers"

The debate will be judged by a panel of 5 of our speakers

3:30pm - Closing Remarks

The Waterview Conference Center is one of Washington D.C.'s most beautiful and exclusive facilities but it has a capacity of only 100 people so don't miss out. Register today and be a part of one of 2013's most important events.

We are also still looking for companies to join Basis Technology in sponsoring this important event. Please contact me for more information.

Add to Cart View detail

China: Our Incompetent Master Adversary?

According to an article in today's Guardian, State Department and Pentagon officials with their Chinese counterparts have engaged in at least two cyber war games in 2011 and have another planned for next month. These war games are coordinated by two think tanks: Center for Strategic and International Studies for the U.S. and the China Institute of Contemporary International Relations. The goal is to try to manage escalating hostilities between the two nations over China's perceived massive cyber espionage campaign against U.S. companies.

It's distressing to see that the tensions have risen to this point because its based on a seriously flawed evaluation of the facts by well-known companies plus former and present U.S. government officials. For example:

U.S. information security companies like RSA, McAfee, Mandiant, and others routinely issue reports blaming China and ONLY China for intrusions that they've encountered. It's incredible to me that in spite of the 30+ countries actively engaging in acts of cyber espionage, these security giants have only caught China in the act.

Secretary of State Hilary Clinton has been quick to blame China for cyber attacks that targeted Google but for no other reason then because Google said so. And the Secretary has never once warned other countries to cease their cyber attacks against the U.S.

The U.S. China Economic and Security Review Commission routinely puts out alarmist reports about China's military cyber buildup while deliberately refusing to hear testimony by experts who have contrary views to the commission's anti-China agenda.

Richard Clarke's sinophobic, alarmist op-eds routinely get published in the Wall Street Journal and elsewhere even though Mr. Clarke has no standing as a cyber security expert.

No wonder that the Chinese government's irritation with the U.S. has risen to the point where we need CSIS and its Chinese counterpart to conduct a mediation. Beijing is getting tired of being blamed for every attack against every company everywhere in the world, and they're right to be mad. As I've said many times before, it's not that China doesn't do it; they absolutely do, but so do many other countries and just as frequently yet we almost never hear about a major breach being blamed on any country other than China. Either China is the greatest and dumbest adversary that we've ever had, or the real dummies are those in the InfoSec industry who can't be bothered to question the obvious when doing incident response, or who choose to cater to the rising tide of Sinophobia in the U.S. in order to boost their sales; or to politicians and journalists who parrot back the faulty claims of those same companies thereby perpetuating a bad cycle that has resulted in real-world tensions that could have been handled in a more constructive way all along.

While the marketing of anti-China sentiment by some in the InfoSec industry is clearly one part of this disaster in foreign relations, Media deserves its share for opting to print stories that cater to China FUD because it results in higher readership which means more advertising revenue. Since the American public is generally naive about cyber operations by nation states, they believe what they hear about China in the media and cast their votes for the politician who will save them from the menacing red dragon who's sopping up their brain waves and living inside their electric wires. Politicians being what they are cater to that fear and make pronouncements and threats accordingly in order to win votes.

The solution to this problem is simple. As a nation, we need to ask more questions. Accept nothing at face value no matter which "authority" tells it to you, including me. Good intelligence analysts uses negative analysis to test their findings before sending it on to their customers. A little more negative analysis by all parties involved may be what's needed to reduce U.S.-China tensions and improve U.S. security. And it doesn't cost any money to do it. 

Add to Cart View detail

Why I Oppose The 12 Chinese Hacker Groups Claim

The claim that I'm referring to was reported by Associated Press to a variety of news outlets and essentially stated that "as few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts."

My view is that this claim is bullshit. Here's why:

ONE. It's self-serving. The cybersecurity analysts and experts quoted in the article from Mandiant and Dell SecureWorks have 1) a vested interest in painting China as the bad guy since the bulk of their marketing is APT-centric (APT being a code word for China) and 2) SecureWorks has a less than stellar track record in analysis (Stuxnet and Duqu 2011) and attribution (Kyrgyrzstan 2009) - they've made highly questionable claims in both cases.

TWO. The 12 hacker groups have not been named which prevents independent analysis being performed by individuals who don't have a vested interest in the outcome.

THREE. There's been no proven reliable way to assign attribution. Digital DNA is a marketing ploy, not a fact.

FOUR. It conflicts with our own research on State and non-State actors involved in cyber espionage.

FIVE. It conflicts with our confidential work in incident response and protection for Taia Global clients including members of the Defense Industrial Base.

SIX. It lacks rigor. For example, I highly doubt that either Mandiant or Dell SecureWorks applied negative analysis to their findings before making their claims (i.e., looked for reasons why their findings could be wrong - a standard analytic technique).

The companies behind this claim should make their case publicly and present their evidence for peer review or not make it at all. This type of sensationalist reporting, besides trolling for government contracts, feeds anti-China paranoia while minimizing the role of many other State actors engaging in the same activity as China. Senators and Congressmen unfortunately don't have enough knowledge about cybersecurity to discern truth from fiction so what starts off as highly questionable analysis soon becomes terrible U.S. government policies; especially when it is advocating for permission for civilian U.S. companies to counterattack a specific nation's network. There has never been a worse idea in the history of bad ideas than that one.

Add to Cart View detail

Words Matter: Dump APT for APA

I've written about my objections to the term Advanced Persistent Threat before, and explained why the term is both inaccurate and illogical, but I didn't propose an alternative term and clearly journalists need one. Therefore, I'd like to propose that we put this abused, over-used, and ill-fitting term to a well-deserved retirement and use in its place "Adaptive Persistent Attack" or APA.

ADAPTIVE
Adaptive should replace "advanced" because advanced malware costs time and money to develop and an adversary crew won't use something expensive and sophisticated if a mundane spear phishing attack crafted by some social engineering will do the trick. In other words, the bad guy's attack profile is adaptive, not advanced.

PERSISTENT
Persistent is exactly the right word. Once they're in, you aren't getting them out. The Fortress defense paradigm needs to die the same death as "APT".

ATTACK
As I pointed out in my post "The APT Logical Fallacy", APT is an oxymoron. A threat is not an attack. You've been attacked. Call it an attack.

But APT is a Who, not a What
Almost everyone who makes this statement believes that APT is a code word for the Peoples Republic of China. Period. Only China. I refuted this argument in my above-referenced post with detailed examples of the same attacks coming from the Russian Federation. Frankly speaking, it's stupid to keep using a code word when the meaning of the code word is widely known. Back in 2006, only other Air Force insiders knew what was mean't by the term APT so it fulfilled its purpose back then. Now the secret is out. There's no reason to keep referring to China as APT when we all now what you're talking about, including China. So either name the State that you're accusing or don't name it, but don't call China APT, APA, or any other code word. It's silly and it doesn't fool anyone.

Conclusion
Today, the Advanced Persistent Threat (APT) has become a huge FAIL, both as a "who" and as a "what" so please, let's all stop using it. I think that APA fits the bill rather nicely. If you've got a better idea, by all means suggest it as a comment. Words matter, and the world of information security has lots of horrible ones. This will be the first of a series of Words Matter posts that I hope to write in the near future with the hope of stimulating discussion and arriving at a more precise terminology for this emerging threat environment. Please contact me in the comments or via email if you have suggestions for a future Words Matter post (like "cyberwar").

Add to Cart View detail