Once again I find myself pointing to tweets by Richard Bejtlich. This time it was actually a retweet of Hogfly, who runs the Forensic Incident Response blog. Hogfly recently pointed out an article in Aviation Week titled “China’s Role In JSF’s Spiraling Costs”. This article demonstrates the actual cost for a specific project associated with industrial espionage, nation state infiltration of critical infrastructures, and general criminal activity. A blog post by Richard Stiennon, titled “The first thing we do, is hack all the lawyers”, also showed how these same threat agents are leveraging third-party relationships to impact specific projects. I like these articles because they provide specific numbers relating to cost of impact. “…$40 billion…” “…costs at tens of billions of dollars…”
These two examples show both ends of the information technology (IT) spectrum. The defense contractors responsible for the Joint Strike Fighter (JSF) should have had decent security in place, including security testing and monitoring. The majority of law offices will not have security practices that meet these standards. In most cases the IT security considerations employed by law offices will actually fall at the other end of the spectrum: operating without significant information security considerations. But in the end, the result of both cases was the same.
I believe that it is pretty safe to conclude that the threat agents responsible for these and similar breaches did not just attach to the networks and start exfiltrating data. Rather, these successful attacks very likely required the use of a combination of known and discovered exploits to gain access, persist, and propagate within these networks. It is also logical to conclude that their activities generated system and network-based artifacts that outlined their activity, even if that activity mimicked normal and authorized operational activity. Understanding these system and network-based artifacts is an important step to preventing and detecting attempts to infiltrate a network. Another key component is detecting exploitable vulnerabilities before they can be leveraged against the resources in a network.
Early detection is why security professionals encourage network mapping, vulnerability scanning, penetration testing, research and development, and monitoring. Security teams that provide penetration testing services should have an understanding of the techniques applied by current and past threat agents. They should also have a keen eye for leveraging the resources and services to their advantage to demonstrate the ingenuity attackers will implement after the initial compromise of a network. Tom Liston of InGuardians has a plethora of stories that demonstrate how he circumvented good security implementations using common sense and experience with a wide variety of technologies. Such penetration testing will generate system and network-based artifacts that can be leveraged to train an organization’s security and information technology administrators to detect and identify similar activity.
Research into technologies deployed in test networks and off-line implementations provides valuable information without impacting an organization’s business assets. It also reduces the cost of effort by providing beneficial information to all businesses employing a technology, rather than to a single organization that hoards the information to prevent distribution to threat agents. When the results of research are presented to security professionals, IT administrators, IT management, and corporate executives, all of these parties benefit from the knowledge and can use it to assess and improve the security and effectiveness of their business assets.
While I was writing this, Richard tweeted (if you are not following him then you should stop reading and take care of it right now) two additional insights that are relevant to my point. “Exploits aren’t as important as some think. I worked cases where not even active intruders on a corp network inspired appropriate concern!” and “Tech people should consider that IT and sec are one of many factors that mgt weighs. I fear it’s underweighted, but it’s not tech’s call.” Both of these are very true and have played a significant role in the persistence of many breaches, including those pointed out at the beginning of this post. I too have experienced active intrusions with manual (rather than automated) system interactions, supported by specific system and network-based artifacts, that were downplayed and eventually treated as a malware infestation. Even the experiences of multiple incident response professionals were not enough to change the opinions of the administrators, IT managers, and executives of these organizations. This attitude was born out of inexperience in the types of activities associated with a network’s initial compromise, persistence of the compromise, propagation to additional resources, and exfiltration of data. That experience might have been achieved by monitoring the data produced by penetration testing. Of course, it also requires a mind that is not specifically limited by business restrictions and is open to new possibilities that are born out of sublime and criminal research into information technologies.
Go forth and do good things,
Don C. Weber
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.