Reverse Deception: Organized Cyber Threat Counter-Exploitation (108 page)

I
n the previous chapters, you have read about the varying levels of threats to your enterprise, ranging from the curious novice to the SSCT. In this chapter, we will dive into the actual threats from the perspective of an attacker. We will explain the nature, motives, and preamble of advanced and organized persistent threats, and how they operate at a level that is understandable to you and your immediate chain of management.

Most of us (possibly even you) have poked around networks or systems at some point in our life, usually for personal or professional education purposes, with one tool or another. However, when trying to understand an advanced or organized persistent threat, you need to weigh all of the observables to understand the level of effort required to push the threat either into an area where you can track and engage the threat or simply identify what is needed to expunge the threat out of your enterprise. The bottom line is that when dealing with a threat, you always want to gain the upper hand and operate from a perspective of power.

Espionage

Spying goes back centuries, as information is considered more valuable than currency and can be used to advance attackers’ initiatives or against the victims. Espionage is generally a term reserved for world governments, but it is also applicable to the private sector, where it is called “industrial espionage.”

The most effective way to execute espionage in a cyber environment is to exploit, infiltrate, and embed yourself into your target’s network undetected for as long as possible. This enables remote control and listening points for the attacker’s objectives.

Along with direct exploitation of an enterprise via a targeted e-mail or client-based exploit, there is also the
human
factor. A threat could identify someone within your organization who is unhappy with his role, work, rank, or pay, or dissatisfied for any number of reasons. This employee could be exploited by an adversary and be used as the injection point into your enterprise. One of the most recent examples of this is Bradley Manning, who did not agree with some of the US policies and decided to leak classified information to the ever-so-popular WikiLeaks. This isn’t direct state-sponsored espionage, but rather an example of how humans can exploit their own access to systems and use it against their own organization.

By infiltrating an organization’s enterprise network, you are able to monitor and record traffic, extract sensitive or proprietary information, modify system settings, and perform many other actions if you have control of one or more systems. The other actions can be summed up as D5, for degrade, deny, disrupt, deceive, and destroy, which is an extension of the traditional D3 (degrade, deny, and disrupt), an old term that has been used for years in military-based organizations. In the cyber realm, infiltration is much easier to achieve for a number of reasons than in traditional kinetic military actions. This is one of the primary reasons the abuse of the Internet and services has evolved over the past two decades for purposes of espionage (both state-sponsored and industrial).

The core objective of any government is the acquisition of intelligence (information) about or from any country that is considered a competitive government—economically, technologically, or militarily. Almost every person with some level of access to the Internet is aware of all of the news articles surrounding purported SSCTs and industrial espionage between rival or competitive nations. Some of the more prominent examples are articles accusing a handful of powerful nations of exacting cyber espionage against each other for competitive advantages.

Costs of Cyber Espionage

Cisco Systems, Inc., reported that in the second quarter of 2011, targeted attacks were five times as expensive to pull off, but would yield as much as ten times the profit. Cisco also reported that large-scale campaigns helped cyber criminals rake in more than $1 billion in 2010 and $500 million by June 2011. Consider that massive attacks across any single organization, or multiple organizations at the same time, can include subscribers of an ISP. Such massive intrusions can cost billions of dollars, and often they do (
www.cisco.com/en/US/prod/collateral/vpndevc/cisco_global_threat_report_2q2011.pdf
).

Targeted attacks can cost even more. An example is what happened in March 2011 to RSA Corp, which lost an unknown volume of customer and corporate data. The company needed to reissue hundreds of thousands of SecurIDs (keychain-like devices that, based on a specific algorithm, encryption seed, and time-based combination, provide two-factor authentication for remote users’ secure access to corporate networks). RSA also stated an interesting measurement for remediation after an intrusion. The cost for every dollar lost by the victim organization also cost RSA dearly in remediation (the cleanup effort, investigations, forensics, and mitigation) and reputation repair. The cost to EMC (RSA’s parent corporation) exceeded $66M with RSA offering to reissue new tokens to the 1/3 of their customers and the remaining customers were offered additional monitoring services (
www.informationweek.com/news/security/attacks/231002833
).

Cisco reported that targeted attacks worldwide alone cost an average of more than $1.2 billion. This is simply from large-scale crimeware campaigns by organized and unorganized (perhaps solo) cyber criminals whose simple desire is to make money. This is what keeps most organizations in reactive mode and prevents security professionals from going into the details of an intrusion and also from engaging active threats. The overall costs have not afforded executive and financial officers much financial wiggle room to enable the security team to move past reactive mode into proactive mode. Setting up the infrastructure to run a large-scale campaign on a targeted attack requires additional skills and resources. According to the Cisco report, the estimated cost for a large-scale campaign averages $2,000, and a targeted campaign averages about $10,000 (
www.cisco.com/en/US/prod/collateral/vpndevc/cisco_global_threat_report_2q2011.pdf
).

Value Network Analysis

Value networks are “any set of roles, interactions, and relationships that generate specific types of business, economic, and social value” (“Verna Allee describes Value Networks,” YouTube). This definition implies a conceptual framework where two or more actors (people, social groups, and formal organizations) engage in exchanges (intangible as well as material).

Value Network Analysis (VNA) extends this conceptual framework through a formal discipline. The value network is represented using a link-node graph, where the directional and labeled links represent value exchanges between the nodes, and each node carries a dynamic score that represents the total value to the node of the exchanges in which it participates (“Value Networks,” Internet Time Blog, Jay Cross, January 2010).

The general increasing trend of technology and social integration increases the number of value exchanges using Internet technologies. Additionally, new types of value
and
value exchanges have emerged in the intertwining technical and social changes of global, standardized computer networking. New types of value include wholly digital services and “assets” like lucrative DNS names (for example,
movies.com
) and wholly digital goods such as virtual land in Second Life or virtual currencies like Bitcoin. New types of value exchanges include the act of “following” someone on Twitter, “liking” a Facebook post, and content sharing by uploading a self-produced video to YouTube.

In traditional economic theory, social cues such as trust and popularity are considered intangibles. While general VNA recognizes the contribution and importance of incorporating intangibles into the collective value of a network, Internet-enabled social media has shifted these exchanges clearly into the tangible realm, especially from a business perspective.

Advertisers can now access with predictive reliability the cash value of influence, derived from metrics of both trust and popularity calculated across social networks and interactions that are facilitated and quantified by software. User-generated content (UGC) has become a direct generator of revenue (typically via advertising). In particular, creative, innovative, and otherwise popular content acts as a generative “meme,” with original but derivative follow-on content acting along Long Tail principles (which are that statistically, a larger share of the population rests within the tail of a probability distribution than seen under Gaussian distribution).

There are many stated reasons for computer exploitation; none of them are mutually exclusive, and all of them reinforce each other. Some hack for personal pride, others want to prove themselves to their peer groups, and quite a few (such as Anonymous and LulzSec) appear to act primarily out of spite. Hacktivists form a powerful group. Collectively, they wreak havoc on their victims with every engagement, and in many cases, the mere threat of action sends chills down the spine of potential victims. But the most common and prevalent of all reasons is financial gain. As a result, we believe that to effectively understand, predict, and interdict computer exploitation, a framework such as VNA (that includes intangibles on equal footing with tangible financial rewards) is a requirement.

As with any conflict between unethical criminals and the rest of society, innovations on both sides ensure that adversaries are always creating new ways to take something of value for their own profit. Even if they are unsuccessful, the consequences of (and responses to) financially driven computer-enabled crime decrease the value of the Internet for everyone.

Hacking, economic espionage, exploitation—it is all big business, and has a business culture similar to that of the legitimate corporate world. Within the elicit world of computer crime, there are ethics, rules, and tort guidelines. Just as the corporate world strives to achieve a profit, even more so does the hacker world, without much consideration for human life. State-sponsored hackers are looking forward to a payday, just like the hackers employed by organized crime. And just like the traditional economy, the hacking economy has benefited from adopting a free market approach.