In a revealing discussion on cyber security at the National Policy Centre in Washington DC, Good Harbor Chief of Staff Emilian Papadopoulos and Mandiant Chief Security Officer Richard Bejtlich discussed the technical and organisational challenges of defining and meeting threats to national and corporate security.
Merely developing consistent definitions across the broad spectrum of networks has yet to be achieved. It is a work in progress, more or less.
Three levels of cyber security threat, with a brief description of each:
- Basic Denial of Service attacks that almost anyone with a grudge or an agenda can hit a target with, smothering it under a deluge of traffic that can slow operations to a crawl. This is a fairly common event and tools to accomplish this are available to almost anyone.
- Level two is a step up and includes defacing web sites and sending disinformation out in another party’s name. Usually this amounts to vandalism. The threat here (often not exercised) is that the intruder did in fact gain access to a server or network and might have dug deeper if so inclined, even erasing or downloading files, passwords, etc.
- Level three is what poses the deepest threat to government and corporate networks: embedding a persistent Trojan that can collect and process activity on an infected system and send the information to a remote host. The information can be files, login activity, or usage logs (enabling deeper, focused penetration), and these implants are virtually undetectable by users. They can persist for years and can manifest as a permanent leak of national security information and intellectual property, and as a loss of system control over municipal utilities, air traffic, and other infrastructure.
Of course, much of the talk today focused on a level three infection attributed to the Chinese People’s Liberation Army’s (PLA) Unit 61398 and a building located in Shanghai. In February 2012 Mandiant revealed that it had been tracking this source since about 2006, exposing a persistent pattern of massive thefts of internal emails and technical information, notable for the outrageous network infection of both the New York Times and the Washington Post (disclaimer: that’s my local paper!). After that uproar, activity quieted down some. In recent days, however, the number of attacks sourced to 61398 has been ramping up again.
The attacks were (and are) focused mainly on English language sites and servers. The Chinese are in deep denial of this information and are ignoring multiple protests from around the globe about their failure to pull back from the activity. Even Russia is responsive when other nations object to activity originating in the Russian Federation. It is impossible to deny it is happening, though. In fact the construction billing for the PLA building and the posts of disgruntled soldier-hackers have all been uncovered, in addition to masses of IP address logs and “breadcrumbs” leading to a faceless 12-story building, its roof covered with satellite dishes and its sidewalks patrolled by strolling guards who strongly discourage photography.
Meeting these threats onshore here in the US requires more than simple installation of anti-virus software. For an individual user this may be adequate. But for corporate organisations, it is much more fraught, something firms such as Good Harbor are prepared to deal with. A sure metric of an organisation’s preparedness is the answer to the question…
“Was the threat detected in 1 day and steps initiated to deal with it?”
For all too many organizations the reply is “no, it wasn’t.”
CEOs are often reluctant to initiate an immediate response and do not want to reveal attacks: stock market values can be affected almost instantly by news (or rumours/disinformation) of proprietary information thefts or confidentiality breaches. Best practice for acquisition and business-partnership calculations must include network security verification, or the cost of security upgrades, before deals are closed and operations begin.
This collateral effect on a company’s “value” from reported security leaks means that companies are reluctant to be open about the details. And the murky and inconsistent regulatory turmoil emanating from Washington’s agencies and Congress, let alone from national security and military agendas, shows few signs of fostering a confident and reasonably transparent system for accurate, consistent threat reporting and analysis. This must be resolved.
For soon a new threat is sure to arise in the Mideast and South Asia as thousands of unemployed and skilled network-savvy youth take on tasks, legitimate or unsavoury, within the next ten years. More sophisticated players in the region such as Iran, Israel, Saudi Arabia and a few other parties in dispersed pockets are already playing a sophisticated cat-and-mouse game that has wrecked 30,000 Saudi computers in the oil-production networks. The Stuxnet attack on Iran’s nuclear enrichment centrifuges is another example of a very lethal network attack. And recently Iran is suspected of a monster hit on Western banking systems.
As the major players in “the great game” of the Internet today deal with security, cyber spying, and governance, the new threat may be arising from workers schooled in the rough-and-tumble school of hard knocks and in experiential knowledge of political unrest and oppressive regimes. Who knows where a new open-source Arabic language compiler will lead? It behooves the large entities managing and exploiting the Internet right now to look beyond utter self-interest and to develop robust metrics and consistent governance. Cooperation among present rivals and the future’s players will lift all users; unbridled rivalry may not.