
APT, State Sponsorship, IP Theft, FUD: what these buzzwords mean to you.

Fear, Uncertainty, and Doubt


As conventionally defined, FUD is a marketing technique that a market-dominating firm employs to blunt a competitor's first-to-market advantage. Typically, a FUD campaign employs a variety of techniques, including warnings to customers concerning the risks of moving to an unproven new product, a barrage of press releases designed to confuse customers concerning the merits of the new product, and benchmark tests generally rigged in the market-dominating firm's favor that raise questions about the new product's performance.

Interactive Session 1
Who here is afraid of The APT?
Who here thinks they have APT taken care of?
Who here thinks APT doesn't apply to them?
What is APT?
o Malware set?

(From Lenny Zeltser's blog)

Interactive 2

What is IP Theft?
Do you have IP worth protecting?
Is there IP you don't care about?
What do you have that is being targeted?

Interactive 3

What is state sponsorship?
What does it look like?
What does it look like in other countries?
What does it look like in our country?

So what is Intelligence?
According to the CIA's Center for the Study of Intelligence:
Intelligence is secret state or group activity
to understand or influence foreign or
domestic entities.
Intelligence analysis is the application of
individual and collective cognitive methods
to weigh data and test hypotheses within a
secret socio-cultural context

A brief primer to Intel Analysis according to this guy.

(remember it's not polite to leave even if I'm boring)

Fundamental goal of Intelligence Analysis

o Provide information to your customers that allows them to take action

So we must do the following:


o Know your customer
o Know the threat
o Suggest Action

What Intelligence is not

Criminal Investigation
Reports for the sake of reports
A random guess
Magic
o Heuer's Psychology of Intelligence Analysis
o A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis
o Intelligence Community Directive 203 Analytic Standards

Anatomy of an Attack by
Mike Cloppert
Read the Lockheed Martin Kill Chain Paper!!
Move to the left of the hack
The more you understand, the quicker you can get to the root of the problem.
What is the root of the problem?

Anatomy of an Attack (Sun Tzu)
All war is deception. Sun Tzu
The supreme art of war is to subdue the enemy
without fighting. Sun Tzu
Victorious warriors win first and then go to war,
while defeated warriors go to war first and then
seek to win. Sun Tzu

Anatomy of an Attack
(Intelligence)

What
When
Where
Why
Who

(Simple, isn't it? Well, there is a lot more coming on this in the future)

What is APT

Advanced means the adversary can operate in the full spectrum of computer intrusion.
They can use the most pedestrian publicly available exploit against a well-known
vulnerability, or they can elevate their game to research new vulnerabilities and develop
custom exploits, depending on the target's posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not
opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy
their masters. Persistent does not necessarily mean they need to constantly execute
malicious code on victim computers. Rather, they maintain the level of interaction needed
to execute their objectives.

Threat means the adversary is not a piece of mindless code. This point is crucial. Some
people throw around the term "threat" with reference to malware. If malware had no human
attached to it (someone to control the victim, read the stolen data, etc.), then most
malware would be of little worry (as long as it didn't degrade or deny data). Rather, the
adversary here is a threat because it is organized and funded and motivated. Some people
speak of multiple "groups" consisting of dedicated "crews" with various missions.
(All courtesy of Richard Bejtlich)
http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html

What is APT? ==
State Sponsored Hacking
Not necessarily one person, small group, or even
the same group.
Institutionalized: Education Facilities, Companies,
Military, Intelligence Agencies, Individuals for
National pride and honor.
It is tasked, not random but can be opportunistic
(though some groups are cut loose, there are
ways to tell them what is desired.)
Patient
Persistent
Well Funded

The greatest trick the APT ever pulled was convincing the world that it did not exist

Second rule: When they know you are attacking them, play stupid
Deny everything
o We aren't hacking you, you are hacking us!

Point at the other guy
o After you train them

Talking heads, and having the solution
o Creation of security research companies and uploading samples

Simple rule:
o Minimum required force

FUD as a weapon
Chinese doctrine, parallels other countries
o Timothy L Thomas and Chinese Warfare
o See Sun Tzu above

Hit them where it hurts
o Namely in a place they shouldn't be. Example: Army Field Manuals

Involve the lawyers
o Inquiries into computer security. (Not just China)

Then steal from the Lawyers

IP Theft
What they take
o Short answer: everything
Contact lists
Publicly available documents
Content of targeted folders
Who you are doing business with
Anyone you trust

What they want
o Political advantage
o Economic advantage
o Military advantage
o Technological advantage

Now why you are at risk
You are either a target, the vector, or the premise.
Do you know which?
Let's look at a hack (well, the overview content is edited to keep everyone happy)

Timeline of an attack

Date         Event
Late 2010    Change made to Chinese policy on specific energy production goals
Early 2011   Foreign Investment Guide changed to reflect new policy and incentives added
Early 2011   Specific information relating to key technologies posted on govt websites
April 2011   Spear phishing attacks conducted in key industry
April 2011   SOE approaches target company about possible JV in energy space
May 2011     Govt regulating body hacked, but attackers appear unsure of what is relevant
June 2011    Govt agency is targeted again and specific law firm information is exfiltrated
Aug 2011     3rd party contractor of target company is compromised
Aug 2011     Apparently unrelated attack is conducted on small energy company, but specific searches are done for names related to target company
Aug 2011     Legal firm tied to target company is compromised
Sep 2011     Govt agency is hit again but moves outside our observable window
Sep 2011     Small energy company is acquired by target company
Nov 2011     Govt approval process is filed and begins
Early 2012   Target company is notified of compromise; investigation shows more than 400 days dwell time

Questions?

Sources

http://virginia.academia.edu/BryanPfaffenberger/Papers/154215/The_Rhetoric_of_Dread_Fear_Uncertainty_and_Doubt_FUD_in_Information_Technology_Marketing
http://computer-forensics.sans.org/blog/2010/06/21/security-intelligence-knowing-enemy/
http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html
http://www.goodreads.com/quotes/108-the-greatest-trick-the-devil-ever-played-was-convincing-the
http://www.firstpost.com/world/china-is-the-voldemort-of-hacking-it-that-must-not-be-named-53539.html
http://www.carlisle.army.mil/USAWC/parameters/Articles/2010summer/Thomas.pdf
http://www.fanpop.com/spots/warner-brothers-animation/images/30975958/title/elmer-fudd-photo
http://www.scmagazine.com/the-not-so-advanced-persistent-threat/article/224530/

Intelligence Resources:

https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/Tradecraft%20Primer-apr09.pdf

http://www.fas.org/irp/dni/icd/icd-203.pdf
