Reverse Deception: Organized Cyber Threat Counter-Exploitation (109 page)

APTs and Value Networks

Our security products have always protected against advanced threats, and all threats are persistent, which is why we continue to push LOVELETTER virus definitions to our clients’ desktops. By including the buzzword “APT” in our marketing materials and webcasts, we are now able to educate our clients on why they should give us more money for the same products we’ve been selling them for years. In 2011, we will continue to enhance our customers’ experiences by adding an APT Gauge to all our product dashboards, for a minimal price increase
.

—Joe Smith, President, CEO, and CMO of BigFictionSecurity

In legal and illicit businesses alike, the quest for profits guides their respective markets. That implies that not all APTs are created equal. Those entities with more investment capital and resources are typically in a better position to appropriate higher quality tools. As an example, consider LOVELETTER. Although it is true that LOVELETTER is still out there and functions, it is in a substantially different category than a “designer tool” like an APT. LOVELETTER is an Internet worm that has been around for quite a while. It is coded in VBScript, so it is dependent on Windows Script Host.

Once activated, LOVELETTER mapped the afflicted systems and attempted to download a password-cracking file named WIN-BUGSFIX.exe. After that, it packaged up the login information and shipped that data back to the adversary. Although a multifunctional tool, it was not very specialized.

LOVELETTER took advantage of a common vulnerability at that time, and attempted to propagate to as many boxes as possible. It did not have a vetted target list of specific targets based on the relationships and sensitive information. This is like a mugger who attempts to steal from everyone walking down a sidewalk.

The more advanced APTs are selective. An APT is like a thief who breaks into a high-end automobile with the goal of using the garage door opener to later break into the car owner’s mansion. APTs target systems because of their relationship with other potential targets or the target contains sensitive information that is of genuine value.

An APT is just a fancy way of categorizing a long-term threat that is activated at a date and time known only to God and the adversary. Adversaries may choose to lie in wait for a long time for a trigger, or they may choose to act immediately if the situation is favorable. The posture for network defenders is not favorable. It is entirely up to the adversaries to decide when they will execute the exploitation or attack, so the playing field is definitely not level.

Businesses have struggled to keep the upper hand in the cyber realm for years, but find themselves in the precarious position of being caught with their proverbial knickers around their ankles on more than one occasion (as a matter of fact, it is more the norm than the exception). Resources are limited, and qualified, knowledgeable people are scarce and expensive. With high-quality resources so limited, business leaders must innovate to secure their data and remain competitive in their industry.

Who can blame the adversary? If you were attempting to extract data from a network, wouldn’t you develop or acquire tools that support your desired objectives—the crown jewels of a company with its hands in hundreds of other companies and countless governments around the world? How would you do it?

Would you limit your options or increase your options? Increasing options and not closing any doors of opportunity is an obvious choice. Additionally, you would want to keep access as long as possible. Who knows when you might want to pop back in and see what new technologies are available or what new information can be used to influence your adversary?

Now we will look at some examples of major breaches that were in the news, focusing on the values involved.

The RSA Case

RSA recently posted a letter on its website stating that it had been the target of an attack. In that attack, proprietary data was stolen that compromised the security of RSA’s SecurID tokens. The adversary now has the ability to create the string to successfully authenticate without the need for a user ID and PIN. The RSA attack is an example of a stealthy maneuver that requires the adversary’s utmost patience and importunate focus. APT attacks are performed by skillful adversaries with sufficient funds to stay the course. RSA recognized that the attack was an APT (
www.rsa.com/node.aspx?id=3872
).

APTs are often associated with a vulnerability being exploited via social engineering efforts and social networking sites. Often, people use the term “APT” to describe a state-sponsored act of espionage. However, it is not the identification of a particular sponsor, but the tools and techniques used in executing the action. The SecurID theft was performed in a professional manner, and the worst can be expected. What of RSA’s two-factor authentication? It is the preferred method to improve security over a username and password alone.

RSA is known throughout the industry as the standard in the computer security market. It has held this position for years, so can we assume that RSA uses its own products to defend its enclave? It would be quite a statement if RSA didn’t use its own products, but the fact that the security products that RSA is pushing out to industry were not good enough to protect the company from an attack is even more of a statement. How can that be? Why would the company continue to push products that did not work for its systems?

RSA recently admitted in an open letter to customers that the compromise in its SecurID tokens led to the security breach at Lockheed Martin, but that did “not reflect a new threat or vulnerability in RSA SecurID technology.” That admission adds to the question, “Is RSA the target of the adversary, or is it something bigger?” The compromise at Lockheed Martin has far-reaching implications because Lockheed is a global security company that depends on research and development to bolster its bargaining position to gain contracts (
www.rsa.com/node.aspx?id=3872
).

On June 21, 2011—just days after Lockheed’s compromise announcement—someone claiming to represent the hacking group LulzSec posted an announcement claiming the group had successfully hacked and acquired the UK 2011 Census data. For two days, this claim received significant media attention, in part because Lockheed Martin was rumored to be the prime contractor for the UK Census information systems, leading to the suspicion that the hackers had used their earlier access to Lockheed to obtain the data.

On June 23, the UK Office of National Statistics confirmed that the data had not been stolen (“Census data attack claim was hoax, says government,” David Meyer, ZDNet UK, June 2011). To make the matter even more interesting, LulzSec notified the press that the hoax did not originate with LulzSec, and reminded them that only notices posted on the LulzSec Twitter feed were “official.”

At a basic level of analysis, this case raises questions with disturbing implications. Are the Lockheed research programs secure? What is secure? How do we measure it? How can the IT security staff at Lockheed really be sure? Lockheed services dozens and dozens of sensitive government research and development programs, so what does a compromise mean there? What about General Dynamics or any number of other big contracting companies around the globe? What does that mean to a country’s national security? And here’s a better question: What does that mean to international security? As we have seen over and over again, all it takes is a thumb drive to go from one enclave to another to compromise security. Once security is compromised in the event of an APT, it is dubious that the adversary is ever really expunged from the infected systems.

Through the lens of VNA, however, this case opens up even more disturbing implications. What is the impact to the loss of trust in organizations who are clients of both RSA and Lockheed? How many UK citizens heard the original story of the Census data breach but didn’t hear that it was a hoax? And the most ironic question of all: What are the potential threats to the value of public trust if even the hackers themselves lack effective security to protect against attacks of “public relations”?

It appears that these types of attacks and the resulting nonobvious and multidimensional value network effects might be just the tip of the iceberg. The adversary now has the ability to circumvent the security. RSA seems to be the launching point from which the intruders have improved their access to many systems and programs that use the RSA SecurID authentication. Art Coviello additionally stated in his open letter, “RSA’s technologies, including RSA SecurID authentication, help protect much of the world’s most critical information and infrastructure” (
www.rsa.com/node.aspx?id=3872
).

The RSA breach is exceptionally disturbing for many reasons. An adversary with the skill to bypass all network security for an IT security giant and the patience to wait for the right opportunity with the tools that enabled the activity are worrisome. However, the most disturbing part is that with the stolen two-factor authentication keys, the adversary now has the ability to access any network secured by RSA SecurID as a trusted user. Even with RSA accelerating the process of replacing the SecurID hardware tokens for all clients, this is an expensive process that requires months, not hours, to complete.

As a result of violating secure authentication mechanisms at the source, it will be very difficult (nearly impossible) for industry-standard hardware and software to identify these sessions as actual exploitations unless they have specifically been configured to request or look for additional authentication parameters and/or suspicious behavior. Automated scripts and tools are useless for restricting access, because there is no way to distinguish between a legitimate and malicious login.

With this type of access, there might be no way of knowing who, where, or how the exploit is being conducted if the computer defense and insider threat disciplines do not have an open line of communication. The adversaries know an organization’s operational limitations and procedures as well as best business practices. This knowledge allows them to use it against the corporate organization.

The Operation Aurora Case

In January 2010, Google made public an exploit that emerged in mid-2009, which involved a well-funded and sophisticated activity that was consistent with an APT. Google claimed that the Gmail accounts of Chinese dissidents were accessed. That was the just surface level. Additionally, there were several well-known businesses targeted with this exploit. All the victims may never be known, but among them were the likes of Morgan Stanley, Symantec, Juniper, Adobe, Dow Chemical, Rackspace, and Northrop Grumman.

At first glance, this group of victims appears to be random. It is true that all the aforementioned companies have an international presence, but what else makes this group so desirable to adversaries that they invest resources to ensure they gain access and exploit these companies? By mapping the value networks in which these companies participate, some interesting facts emerge. All these companies invest an extraordinary amount of intellectual property into their products, which support and run processes inside dozens and dozens of customers’ systems.

From an adversary perspective, it’s as if they were following a typical business plan, which we will go through step by step.

Step 1: Obtain a Financial Stream (Victim: Morgan Stanley)

Morgan Stanley is a huge financial company that focuses on investment banking. With assets totaling nearly $800 billion, Morgan Stanley is a wildly successful and very popular corporation. Great name recognition translates into billions of dollars in transactions each year.

Why would the adversaries use their own resources to develop these APTs and recruit the right people to get the job done? Continued access into a major financial firm would allow skimming and could lead to huge financial theft, which could possibly fund many more APT operations.

Additionally, manipulation of transactions and other exchanges could give the perspective of impropriety in numerous forms. Manipulation of activity could cause distrust in a large fund manager, other influential person, or system—like the Dow Jones itself! Such manipulation was seen in the suspicious number of stock trades immediately before 9/11 that “shorted” the airline industry.

Few things can unnerve a society as much as a collapse in its financial institutions. How bad will it be when the next financial crisis occurs not because of structural issues (like the subprime mortgage crisis), but simply an activated APT that cascades destructively across the value network? The APT activity in Morgan Stanley may have ceased, but is the threat really gone?

Step 2: Customer Lock-in for Recurring Revenue (Victim: Symantec)

This is not the first time Symantec has been targeted, and because of what the company does, it won’t be the last. Symantec and the other big antivirus companies are the perfect targets to ensure an APT remains a viable APT. Breaking the code at Symantec could lead to a modification and omission in the signature database that is designed to detect the APT, thereby ensuring safe passage to all Symantec customers.

With consistent and frequent updates and well-known protocols and ports for its antivirus software, Symantec has a steep hill to climb to break free from APT activity and remain in the clear. It is probable that APTs will be developed in the future to specifically target companies that rely on the public trust for services. History shows that Symantec and companies like it are sure to remain at the top of the target list for sophisticated adversaries and organizations with a vested interest. Of course, nefarious actors recruited by various sponsors will be empowered and resourced to achieve specific goals and will be in a better posture than the network defenders who don’t know what is coming their way.

Step 3: Expand into New Markets (Victim: Juniper Networks)