Reverse Deception: Organized Cyber Threat Counter-Exploitation (64 page)

Authors: Sean Bodmer

Tags: #General, #security, #Computers

It seems all the luck had gone from SOUP to NUTS, and that proposal was going to be made after all. Bob was going to get a good talking to about information security, but it was to be a happy day in the Peach State.

Postmortem

Security is not a single facet of protection. When implementing a security plan for a corporation, due diligence must go into vetting people (personnel security), IT systems (computer security), and all the data (information security). Of course, every aspect of how a company operates, including program management (operations security) must be scrutinized. Too often, leadership and management do not realize that all it takes is a single person—perhaps a contracted cleaning person or maintenance person—to introduce media like a thumb drive to do keylogging in a very simple way. Something like this can bring down a company. Vetting of individuals is an ongoing process and cannot be taken lightly. NUTS security team members might have done all they could, but everyone needs to be involved. Bob should have been more aware and not ignored security details. There is a reason why they are in place.

The computer security community is a curious lot of folks. Corporations are even more curious. Companies go to great lengths to protect their proprietary information. They identify critical information and scrutinize the security posture used to protect it even further and in more depth. It is completely logical to take extraordinary measures to do that, since the loss of this information would be fatal to certain programs and could end any hopes of being competitive in that market.

Private industry and governments alike spend billions each year on security—not just on computer security, but also on the much bigger picture. It is all about their information. Information is power. Information is key. Information drives everything. Economic espionage is a great example of one entity pursuing another’s information. Technology theft is only information that is sought by the adversary, which is actualized, tested, and sometimes tied to an operational test program.

Security comes in many forms. Not only is computer security important, but physical security is also critical to successfully protecting information. Guard forces, gates, and locks add levels of protection that complement things like computer security. Alone, each is good; together, they are better. Does that mean if all disciplines of security are implemented that a panacea has been created and information will be secure? Absolutely not. There are several reasons that prove this line of reasoning is flawed. The primary one is that there is no such thing as perfect security. Only true utopians could ignore the vulnerabilities and threats inherent to their programs and systems. To attempt to truly secure information, an organization must face reality and focus efforts on situational awareness.

A second reason information can never be totally secure is that things change. What was secure yesterday may not be secure today, due to updates, patches, fixes, and so on. The guard might have become susceptible to a bribe because he has bills to pay and the economic downturn has hit his family. Computer software could be outdated, or even worse, be up to date but not installed correctly (or not installed at all).

The most frightening aspect of all this consistently eludes all but the shrewdest of security professionals. Many computer security professionals regurgitate the party line: antivirus programs, firewalls, intrusion detection systems (IDSs), spyware, and so on. A security professional does not operate within the existing paradigm, nor does he shift a paradigm. An honest-to-god security professional makes a paradigm materialize from chaos and large volumes of data into something tangible and identifiable. There is intuitive thought and creative expression put to paper, with functional results appropriate for the given conditions. The bottom line is that this is not business as usual. How can a defender expect to parry an adversary if the professional does not know where the adversary is coming from, what the adversary is looking for, or what the adversary’s intentions are? How can a defender expect to have any impact if he has just given away the keys to the castle?

Network defenders are at a deficit even before their computers are loaded with software and hooked up to the network. Imagine building a house from the ground up. You take great care in selecting the best land, strongest equipment, and finest resources. A crew is chosen who has the best reputation and is the most trustworthy. The architect and crew even guarantee that they will safeguard the blueprints and layout for the home to ensure security is optimized for you and your family. That sounds like a great situation—you have taken care of every aspect of security for your family home. You are confident beyond any doubt that things will be fine.

Just as construction commences, you arrive with a small group of well-known thieves. You allow them great latitude in examining the grounds as well as the blueprints. You even provide them a copy of the blueprints. Leaving no stone unturned (literally), you give them a full set of keys to the house, along with the security codes for the new, top-of-the-line alarm system. The coup de grace is delivered in the form of a complete list of your family’s personal information, including Social Security numbers, credit card information, and all of your banking information. Even allowing access to your most critical systems and the information stored within is an example of giving up the keys by not protecting your critical assets to the best of your ability.

That’s how we do it in the network defense business. We give away the farm before we set up our networks. We give everything away before we establish a defined architecture. Do you think your adversary knows you have Symantec antivirus software? Perhaps he is aware that you’re running VMware or using cloud computing. Do you think he knows you are running Microsoft Office? How about hardware—does he know whether you have a Dell or HP box? Do you think the adversary knows you are running Juniper routers?

So when does that new paradigm appear? What does it take for us to break the mold and think differently? Does your company still post its information about new programs or structures on the Internet? Does it post information about the staff on the Internet, perhaps in booklets? How much information do employees publish about the company, their processes, their programs, and their proprietary information?

So, you have done your due diligence. You have telegraphed all the hardware and software you are using for your corporation, and in case that wasn’t enough, you have published nearly everything about your company on the Internet and solidified it in paperback. Then, strangely enough, corporate security officers are surprised when something happens on their networks. It is not a matter of if something is going to become compromised; it is a matter of when.

Organizations use the conventional approach. They structure their networks the way they are told, with the software and hardware they are advised to use. So why do they have problems? The answer is simple: the adversaries have everything you do. Surprise! They have the hardware, software, and network diagram, and even understand and know how and when you will do patching. They know what you are doing and how you are doing it, and then they sit back, waiting for the right time to strike.

Tall Tale 2

As Bill milled through log after log, he was thinking that it was about time for a break. After all, he deserved one—he was doing a great job. He was never a night person, but since he took the job reviewing net flow (the base network information: IP, port, protocol, and volume of data sent) from the corporate sensors, he was getting used to it. Still, it was probably time for a cup of coffee. As he walked to the break room, he thought it was a rather robust defense the IT staff had established at Fundamentals Unlimited (FU). The CIO was big on securing the enclave at the headquarters, and he had just implemented a huge initiative to lock down all the out stations—all 14 of them. Bill was happy to do his part in what he thought was a minimal way.

As he took a cup, he thought of being the team chief. Bill put cream and sugar in his coffee. His dream expanded, and he was not the section manager anymore. By the time he was pouring his coffee, he was fully entrenched in the CIO position. What would he do? How would he lock down the network? As he walked back to his desk, he envisioned a corporate environment where only a few select machines would even be connected to the Internet. He would have most of the company on an internal network—a stand-alone network.

Heck, that’s how they got in trouble in the first place, and the CEO was none too happy. Most of the staff had already opened the e-mail first thing in the morning, and the damage was done. The spear phishing was successful and took FU offline for almost two days. Who didn’t want to read about the boss’s plan to take everyone for an off-site meeting on a four-day cruise? The Caribbean was a great choice, and the perfect place to have a serious off-site working weekend. Who cared that it didn’t sound like something the CEO would do? They all believed it and wanted it to be true. It sounded great, and looked like the boss had sent the e-mail. The CEO was still fuming about that—not the cruise part, but the fact that they all thought he was that benevolent, and he never did understand how it was that the e-mail had come from his account in the first place.

Bill’s thoughts drifted back to running the IT shop, and he imagined creating a quick reaction triage and mitigation team. He would create a team that could digitally maneuver as needed to defend the network. The team would take direction from him and the CEO, and be a special cyber force. The cyber force would move quickly and stealthily. It would be a highly trained unit, with freedom of movement throughout the company networks. This cyber force could move through the networks and set up defenses at will, and perhaps confuse adversaries. It was not a perfect answer, but something to help. Four years of school and all the professional literature implored IT professionals to use defense-in-depth strategies. There were no guarantees, but it was considered a best business practice. Bill thought that there had to be more he could do. As he sat back at his desk, he started running through the logs again, and his dreams of being CIO faded as he encountered some strange traffic he had never seen before.

Bill started to sink deeper and deeper into an impenetrable pensive state. He studied the screen more closely as the sound of the CD player faded into nothingness. He did not even hear his coworker clumsily approach, spilling his coffee as he stumbled into his seat. Sunil had been with FU for 12 years. Sunil spoke, but his words were lost to Bill, who was so deeply protected inside his wall, no noise would reach him. Sunil reached out and grabbed Bill’s shoulder, saying “I said, are you all right?” Bill faded back in. Sunil continued, “Christ, I’ve been talking to you for five minutes. You’d think I could get something out of you—even a grunt would be good. Stay in a job too long and everyone takes you for granted. I should have left years ago and taken that CIO job with Technology, Inc. Yep, just ignore the old-timer.” Bill was silent, and Sunil went on for a few more minutes, until he looked up and straight at Bill. The confusion on Bill’s face told Sunil a different story. Sunil and Bill had never had a situation where they could not talk. They had worked together for quite a while. Sunil was proud of the fact that he could get along with anyone, so Bill’s silence unnerved Sunil something terrible.

Again, Sunil asked Bill what was going on, but Bill just returned a blank stare and turned to the screen again. After a moment, Bill spoke. He showed Sunil some strange traffic on a very high port that he couldn’t explain. He thought that they had everything locked down. Sunil studied the screen, as he also became entranced. Never before had he seen such strange traffic. He turned to check all his sources for anything that matched the signature of the traffic they were witnessing, but nothing matched. He would never admit it, but every time something strange was going on in the network, it was because he had forgotten to apply the updates from the patch server. Unpatched machines were FU’s biggest vulnerability, but this time, all the patches were up to date. Sunil was at wit’s end, while Bill stared in a confused cloud of admiration. Bill had never before been confronted with such a situation, and he assumed that whoever did this must be very good. In a strange way, he found himself actually impressed with what he saw.

They read on, reviewing log after log into the early hours of the morning. Nothing specifically led them to a definitive conclusion, but one thing was for sure: there was big trouble. Their team had been successful in almost every encounter with the adversary (except for that little spear phishing incident). Their track record was good, and they were thorough at finding problems on the network. Sunil and Bill did what they could, but when morning rolled around, they knew they were going to have a long meeting with their supervisor and the CIO.

As the morning shift arrived, employees were individually briefed, and many had thoughts and ideas as to how they should pursue the problem. By now, most of the IT staff was busy with analysis. The CIO directed that they were to give him hourly updates on their progress until the problem was found, and then they could institute their mitigation program. He ordered a complete review of the status of every server, router, switch, and client, starting with the headquarters. Almost all of the company’s proprietary information was stored on the servers and encrypted. The thing that bothered the CIO was that he did not know how many client boxes were compromised and in which enclaves the intruder had entrenched itself.
