Showing posts with label attribution.

Monday, 21 June 2010

Mike Cloppert on Defining APT Campaigns

Please stop what you're doing and read Mike Cloppert's latest post Security Intelligence: Defining APT Campaigns. Besides very clearly and concisely explaining how to think about APT activity, Mike includes some original Tufte-esque figures to demonstrate APT attribution and moving up the kill chain.

Thursday, 04 February 2010

Answering APT Misconceptions

There's finally some good reporting on advanced persistent threat appearing in various news sources. A new Christian Science Monitor story, one by Federal Computer Week, and one by Wired are making progress in raising awareness. Unfortunately, there's plenty of Tweeting and blogging by people who refuse to understand what is happening or are not capable of understanding what is happening. From now on, rather than repeat myself trying to answer these misconceptions, I decided to consolidate them here.

  1. Myth 1. APT is a "new term," invented by Mandiant. Reality: Mandiant did not invent the term. The Air Force did in 2006. More info: What Is APT and What Does It Want?

  2. Myth 2. APT is "not new." Reality: APT is only new to people who have not been involved with the problem. If you look solely at offender and motive, and exclude defender, means, and opportunity, you're likely to think APT is not new; you'd be wrong. Just performing an Attribution Using 20 Characteristics exercise helps demonstrate that APT is not like organized crime or other structured attackers. More info: Two-Dimensional Thinking and APT

  3. Myth 3. APT is "marketing hype." Some companies with little to no experience with APT are clearly jumping on the counter-APT bandwagon, even registering domain names related to APT. That is sad but not unexpected. However, companies like Mandiant are not suddenly releasing reports because of Google v China. Mandiant offered a public Webcast (which I attended) in March 2009 called State of the Hack - Addressing the Advanced Persistent Threat. They and certain other companies have been public about APT for a while, but a lot of people were ignoring them. More info: You Down With APT?

  4. Myth 4. APT is a "class of attacker." Reality: Most of the counter-APT community uses APT to refer to specific threats or "threat agents" if you prefer that term. Those threats are associated with a certain country. In some cases, certain counter-APT community members prefer to include other countries with similar capabilities. If required to differentiate during discussions, I prefer to prefix APT with the named country.

  5. Myth 5. APT is "FUD." Reality: Fear can be healthy if it helps reallocate resources away from wasteful and ineffective compliance regimes like FISMA. No one I know who fights APT sleeps very well. Regarding uncertainty and doubt, what more do you need to know? Read my post Is APT After You? to get a better sense if you should worry. It's better to prepare your defenses now than to start once a Federal agent comes knocking. More info: DNI Blair Leads with APT as a "Wake-Up Call"


I may add more myths as they appear, but for now those five seem sufficient.

By the way, I appreciate the private communication and public comments from people genuinely interested in learning about this issue. It helps focus my attention away from the critics who refuse to align with reality. It's also clear that many of you understand why I use certain phrases or address this subject in the manner that I do. I am glad those of us with similar backgrounds can at least share in that sense of solidarity. Thank you.

Friday, 22 January 2010

Attribution Using 20 Characteristics

My post Attribution Is Not Just Malware Analysis raised some questions that I will try to address here. I'd like to cite Mike Cloppert as inspiration for some of this post.

Attribution means identifying the threat, meaning the party perpetrating the attack. Attribution is not just malware analysis. There are multiple factors that can be evaluated to try to attribute an attack.

  1. Timing. What is the timing of the attack, i.e., fast, slow, in groups, isolated, etc.?

  2. Victims or targets. Who is being attacked?

  3. Attack source. What is the technical source of the attack, i.e., source IP addresses, etc.?

  4. Delivery mechanism. How is the attack delivered?

  5. Vulnerability or exposure. What service, application, or other aspect of business is attacked?

  6. Exploit or payload. What exploit is used to attack the vulnerability or exposure?

  7. Weaponization technique. How was the exploit created?

  8. Post-exploitation activity. What does the intruder do next?

  9. Command and control method. How does the intruder establish command and control?

  10. Command and control servers. To what systems does the intruder connect to conduct command and control?

  11. Tools. What tools does the intruder use post-exploitation?

  12. Persistence mechanism. How does the intruder maintain persistence?

  13. Propagation method. How does the intruder expand control?

  14. Data target. What data does the intruder target?

  15. Data packaging. How does the intruder package data for exfiltration?

  16. Exfiltration method. How does the intruder exfiltrate data?

  17. External attribution. Did an external agency share attribution data based on their own capabilities?

  18. Professionalism. How professional is the execution, e.g., does keystroke monitoring show frequent mistakes, is scripting used, etc.?

  19. Variety of techniques. Does the intruder have many ways to accomplish its goals, or are they limited?

  20. Scope. What is the scope of the attack? Does it affect only a few systems, many systems?


As you can see, there are many characteristics that can be assessed in order to determine if an incident is likely caused by a certain party. Mature security shops use profiles like this to make their own intelligence assessments, often confidentially collaborating with others sharing the same problems.
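To show how a profile built on these 20 characteristics can be used in practice, here is an added example (not code from the original post or from any of the parties it mentions). It compares an incident against a set of intrusion-set profiles, weights characteristics that an adversary can vary cheaply lower than those that are harder to fake, and skips characteristics that are unknown on either side rather than counting them as mismatches. The profiles, the incident, the weights and the actor names are all constructed sample data.

```python
"""Score an incident against intrusion-set profiles built on the 20
attribution characteristics. Added example with constructed sample data;
the profiles and weights below are illustrative, not real intelligence."""
from dataclasses import dataclass

# The 20 characteristics from the post, in the same order.
CHARACTERISTICS = (
    "timing", "victims", "attack_source", "delivery", "vulnerability",
    "exploit", "weaponization", "post_exploitation", "c2_method",
    "c2_servers", "tools", "persistence", "propagation", "data_target",
    "data_packaging", "exfiltration", "external_attribution",
    "professionalism", "variety", "scope",
)

# Constructed weights: infrastructure and exploits are easy to rotate (or to
# plant, as in the "rifle analysis" caution), so they move the score less;
# corroboration from an external agency moves it more.
DEFAULT_WEIGHTS = {c: 1.0 for c in CHARACTERISTICS}
DEFAULT_WEIGHTS.update({"attack_source": 0.5, "c2_servers": 0.5,
                        "exploit": 0.5, "external_attribution": 2.0})


@dataclass
class Profile:
    name: str
    traits: dict  # characteristic -> set of values previously seen for this actor


def score(incident, profile, weights=DEFAULT_WEIGHTS):
    """Return (matched_weight, compared_weight) for one incident/profile pair.

    incident maps characteristic -> observed value, or None when unknown.
    A characteristic is only compared when the incident has an observation
    AND the profile has prior data for it; otherwise it is neither a match
    nor a mismatch, so missing evidence cannot drag a score either way.
    """
    matched = compared = 0.0
    for c in CHARACTERISTICS:
        observed = incident.get(c)
        known = profile.traits.get(c)
        if observed is None or not known:
            continue
        w = weights.get(c, 1.0)
        compared += w
        if observed in known:
            matched += w
    return matched, compared


def assess(incident, profiles, min_compared=5.0):
    """Rank profiles by weighted match fraction.

    Returns a list of (name, fraction, compared_weight), best first.
    Profiles with too little overlapping evidence are dropped rather than
    reported with a misleadingly high or low fraction.
    """
    results = []
    for p in profiles:
        matched, compared = score(incident, p)
        if compared < min_compared:
            continue
        results.append((p.name, round(matched / compared, 3), compared))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


# Constructed profiles: a patient, targeted actor and a commodity crimeware operation.
PROFILE_A = Profile("Actor-A (constructed)", {
    "timing": {"business-hours UTC+8"}, "victims": {"defense industrial base", "government"},
    "attack_source": {"hops through compromised university hosts"},
    "delivery": {"spearphishing attachment"}, "vulnerability": {"document reader"},
    "post_exploitation": {"interactive recon"}, "c2_method": {"HTTP beacon"},
    "tools": {"custom RAT"}, "persistence": {"service"}, "propagation": {"pass-the-hash"},
    "data_target": {"engineering documents"}, "data_packaging": {"rar, encrypted"},
    "exfiltration": {"HTTP POST to C2"}, "professionalism": {"high"},
    "variety": {"many"}, "scope": {"few systems"},
})
PROFILE_B = Profile("Crimeware-B (constructed)", {
    "timing": {"continuous"}, "victims": {"retail", "banking customers"},
    "delivery": {"drive-by download"}, "post_exploitation": {"automated"},
    "c2_method": {"IRC"}, "tools": {"commodity bot"}, "persistence": {"run key"},
    "propagation": {"worm"}, "data_target": {"credentials"},
    "data_packaging": {"plaintext"}, "exfiltration": {"FTP"},
    "professionalism": {"low"}, "variety": {"limited"}, "scope": {"many systems"},
})

# Constructed incident: several characteristics are still unknown (None or
# absent), and persistence deliberately disagrees with Actor-A's profile.
SAMPLE_INCIDENT = {
    "timing": "business-hours UTC+8", "victims": "defense industrial base",
    "attack_source": None, "delivery": "spearphishing attachment",
    "vulnerability": "document reader", "exploit": None,
    "post_exploitation": "interactive recon", "c2_method": "HTTP beacon",
    "c2_servers": None, "tools": "custom RAT", "persistence": "run key",
    "data_target": "engineering documents", "data_packaging": "rar, encrypted",
    "exfiltration": "HTTP POST to C2", "professionalism": "high",
    "variety": "many", "scope": "few systems",
}

if __name__ == "__main__":
    for name, fraction, compared in assess(SAMPLE_INCIDENT, [PROFILE_A, PROFILE_B]):
        print(f"{name}: {fraction:.3f} of {compared} weighted characteristics match")
```

The single disagreeing characteristic (persistence) lowers Actor-A's fraction without flipping the assessment, which is the point of comparing across all twenty rather than stopping at one artifact; the `min_compared` floor keeps a profile with only a couple of overlapping data points from being ranked at all.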

Thursday, 21 January 2010

Attribution Is Not Just Malware Analysis

In a recent Tweet I recommended reading Joe Stewart's insightful analysis of malware involved in Google v China. Joe's work is stellar as always, but I am reading more and more commentary that shows many people don't have the right frame of reference to understand this problem.

In brief, too many people are focusing on the malware alone. This is probably due to the fact that the people making these comments have little to no experience with the broader problems caused by advanced persistent threat. It's enough for them to look at the malware and then move to the next sample, or devise their next exploit, and so on. Those of us responsible for defending an enterprise can't just look at the problem from a malware, or even a technical, perspective.

I was reminded of this imperative when I read Waziristan: The Last Frontier in a recent Economist magazine.

[I]t is tempting to think Waziristan has hardly changed since those colonial days... Mostly, [the Pakistani Frontier Corps] discuss their belief that India is behind the current troubles on the frontier. Lieutenant-Colonel Tabraiz Abbas, just in from fighting the Mehsud militants, describes finding Indian-made arms on the battlefield. Substitute “Russian” for “Indian” and you have the standard British Great-Game gripe. As late as 1930, a senior British official, in dispatches stored in India’s national archives, reported that a clutch of Russian guns had been found in Waziristan: “Of these 36 are stamped with the ‘Hammer and Sickle’ emblem of the Soviet government, while one is an English rifle bearing the Czarist crest.”

Imagine if policy decisions were made on "rifle analysis" alone. Think of the havoc that an interloper could introduce by scattering weapons from other armies where a target of psychological operations would find them.

In summary, malware analysis is definitely an important part of attribution, but it's not the only part. Malware analysis is also not the only relevant aspect of Google v China. If you address the malware you won't solve the problem. The same goes for any vulnerabilities discovered during this event.

For some related thoughts on profiling an adversary using indicators and not just malware, see Mike Cloppert's post Security Intelligence: Attacking the Kill Chain.