Reverse Deception: Organized Cyber Threat Counter-Exploitation (62 page)

Operational Deception

Today’s computer network security industry operates like this: They go up into the observatory and look at the stars. They look into the night skies and see the stars and refuse to accept what they are looking at happened billions of years ago, not just a few moments ago. Computer security “experts” today sit and look at the activities that have happened on their network and refuse to accept that the damage is done and the event is over. Once they see it, it is too late. They look at defending their networks all wrong
.

—Angelo Bencivenga, Chief of the Army Research Lab Computer Incident Response Team

B
y now you have come to understand how counterintelligence and deception have been used in traditional military and corporate life. You have even learned about some of the tools and methods you can use to engage an active threat within your or your customer’s enterprise. Now we need to switch gears a little and give you some tales that were interpreted by two individuals based on professional experiences.

There are ways for you to construe a perfectly perceptually consistent deception plan for the enterprise you are defending, and as long as it is written on paper offline, cyber threats would almost never have access to that information until they have moved into your deception (or if someone spills the beans in an e-mail—executives and line managers are infamous for these type of ego trips among peers).

Deception can come in the form of a single e-mail from a compromised system all the way up to the creation of an entire program that cost billions of dollars to build just to deceive adversaries into backing down or expending their resources in the wrong ways. Misdirection, diversion, and engaging of a threat are essential when working with deception.

In this chapter, we are going to talk lightly about some recent events where misdirection, diversion, or engaging a cyber threat would have resulted in success instead of epic failure, waste, and abuse. OPSEC is also a factor in whether threats can walk into your organization unquestioned, social engineer their way in, or simply dive through your trash looking for anything of interest.

NOTE

The ideas, conclusions, and opinions expressed in this chapter are those of the author. They do not reflect the official position of the US government or the Department of Defense. You also need to be aware that the tales that are included in this chapter are true stories that have been rewritten to protect the names of the innocent and guilty (even though we know who both of you are).

Deception Is Essential

The computer security business in both the public and private sectors is led by an important and influential group of people who know so little about so much. Vendors and governments worldwide parade such terms as
governance
,
enterprise solutions
, and
compliance
, pushing products, solutions, and regulations to try to protect us from all manner of viruses, spyware, hackers, and APTs. We are courted and married off into long-term commitments with antivirus and spyware companies promising the best protection against every kind of known and unknown threat you could find on the Internet today and tomorrow. The problem is that all these computer network defense tools are lagging and responsive defense products, meaning that they operate on what has already occurred. Something must have occurred in order for the company to build a signature or identify an IP address and label it as “bad,” or the detection engine must have enough anomalous information for the heuristics to compute a solution.

Companies do not have premonitions regarding the next exploit that is going to wreak havoc on the multitude of devices connected to the digital world compassionately called the Internet. There is no soothsayer on staff at McAfee or Kaspersky Lab, and no fortune-tellers at Symantec to warn the industry about the next logic bomb or zero-day attack. The truth is that reactive defense can offer only so much protection. Is it important? The answer is unequivocally yes. Does any antivirus company guarantee that you will not get infected? Does any company promise that if you use its product, you will not get hacked? Is there a money-back guarantee if a virus destroys your computer, router, network, product line, or corporation? What guarantees are given at all, and what good would a guarantee be if you got one from these folks anyway?

More often than not, the computer defense and IT security industry offer a “feel good” product line of solutions. Most nations around the world spend billions of dollars on security each year, only to be repeatedly hacked and exploited. Private corporations who offer solutions and are industry leaders in computer security are not exempt either. HBGary suffered a big loss when the company’s system was hacked and had thousands of internal proprietary e-mail messages posted on the Internet. In 2009, both Kaspersky and Symantec had their secure sites penetrated by a SQL injection attack. These are some of the international leaders in computer security succumbing to fairly rudimentary attacks. How secure are they? How secure can they make you? Who really knows?

In September 2007, the US Department of Homeland Security (DHS) made headlines when hackers compromised its unclassified systems. In 2008, DHS made headlines again when a hacker broke into its Voice over IP (VoIP) phones and made more than 400 calls using the Federal Emergency Management Agency (FEMA) PBX. And what was the response from the agency with the charter to protect our digital homeland? It was the same as the rest of the US federal government and every other government out there. They will agree that it is an issue, allocate more money, and pat each other on the back for solving the problem once again. The end result is diminished resources and no reduction in exploitation of vulnerabilities. When was the last time a CEO or CIO was fired because a company lost significant proprietary information? Most don’t think they have ever seen that, but the day is long overdue to really get serious and stop throwing money at a problem that is very difficult to fix with our current network defense mindset.

There’s no such thing as “secure” any more… The most sophisticated adversaries are going to go unnoticed on our networks… We have to build our systems on the assumption that adversaries will get in…

—Deborah Plunkett, Director of the National Security Agency’s Information Assurance Directorate (in comments at a Cyber Security Forum held by The Atlantic and Government Executive)

In January 2002, Bill Gates, the then CEO of Microsoft, declared that Microsoft would secure all its products and services, and initiated a massive training and quality control program. Just seven short years later, the Conficker virus infiltrated and devastated millions of Microsoft PCs around the world.

Here is a network defender at his best—imagine a town in the Wild West, the streets are empty and two lone gunmen face off. The first is the net defender, the second is the adversary. As the clock strikes high noon, the adversary draws his revolver, the net defender waits for something to happen. Once the adversary fires the first six shots, he reloads and shoots six more shots, the net defender is mortally wounded but is now ready to draw. He raises his revolver with great speed and loads his arrows. With blurred vision and eyesight failing, he takes aim and wildly fires off a round or two before collapsing
.

—Angelo Bencivenga, Chief of the Army Research Lab Computer Incident Response Team

Over the past few decades, as society strives to push the bar ever higher for connectivity and accessibility, computers and other components of information technology are further interconnected into a global network we call cyberspace. In doing so, computers are able to reach and access more information in more corners of the world than was thought possible a generation ago. Someone from Berlin can research and discover the lives of the Betsilego (indigenous peoples of Madagascar), just as easily as they can walk to the kitchen to get a drink of water. Our vast digital world has much to offer the casual participant, but it is also a playground for those who have other nefarious designs. The magnitude of threats from random attacks is eye-opening; the threat from targeted attacks is alarming. To counter the known and unknown threats, many different technologies and concepts have been employed, with billions spent each year by private companies and governments around the world.

Everyone should and must have an identification, or internet passport … The Internet was designed not for public use, but for American scientists and the US military. Then it was introduced to the public and it was wrong … to introduce it in the same way
.

—Yevgeniy Valentinovich Kasperskiy (Eugene Kaspersky),
The Register
article (October 2009)

Inherently, the overall design of how hardware and software are integrated is flawed because of the origins of the Internet. The intent was never to bring it to the public. It was designed for government use to facilitate collaboration among scientists. The designers of the ARPANET could not have foreseen how it would evolve over 40 years later into what it has become today. When the first message was sent in 1969, security was not a discernable blip on the radar. How things have changed so drastically over the years.

The bottom line is that the playing field is not level. Computers and the Internet operate in such a way that they are easily exploited. Everything from the configuration of a desktop CPU to the connections that link our computers with those in Pakistan or Brazil fosters an environment that is uncontrollable. Is that not obvious? Tracking someone who has infiltrated your home computer is akin to putting on a blindfold and chasing someone in the snow when its 95 degrees outside. Let’s face it: unless we think differently, network defenders will keep reading the newspaper articles and blogs in which smart people pontificate, opine, and admire the adversary. They are amazed at the adversary’s exploits and stand in awe of what has been accomplished, imagining what will come next with a haughty, strange, disgusted, doomsday-ish astonishment. Network defenders ogle at the techniques, and discuss, analyze, and digest the components of an attack as if they were living vicariously through the adversary. Why is this? Why don’t we unleash hell on our aggressors and do to them what they are doing to us?