Reverse Deception: Organized Cyber Threat Counter-Exploitation (31 page)

Classification and Dissemination Rules

Every government and private organization has methods and guidelines for controlling information. Some items are only for the executive staff; other information might be suitable for public release. It is essential to know these rules, and it is the responsibility of the counterintelligence practitioner to disseminate responsibly and correctly. Sometimes there is a question regarding the protection level of a piece of information. When faced with this dilemma, the counterintelligence professional must always choose to side with caution and conservatism. If needed, more information can be released, but you can never put the genie back in the bottle.

Applying Counterintelligence to the Cyber Realm

Now that we have covered some of the most critical aspects of the traditional tradecraft of counterintelligence in times of
cyber espionage
, or
cyber warfare
, we need to get you thinking about how various aspects of the preceding information work in the realm of cyberspace.

First, throw everything you’ve learned out the window when it comes to traditional security. Most organizations simply look to take a compromised host offline and then put it back online with a new image of the workstation, hoping they have completely cleaned the host of a malicious infection, while in fact, there is still someone on the other end of the wire watching, waiting, and biding his time.

Almost every action in the cyber realm can be recorded, detected, identified, analyzed, replayed, tracked, and identified. The only thing necessary is for you to know where to look first. You need to be aware of the innate ability to recognize usable intelligence in any form, as everything is observed and can be used against your attacker, adversary, or threat (whatever vernacular you prefer). Every network all too often has its holes and gaps, but you
can
observe every ground truth and nuance that has occurred by leveraging the various data sources within your enterprise. Without the ability to analyze all of the data points within your enterprise, an intelligence analyst cannot identify efficient or concise taxonomies using link analysis.

Sizing Up Advanced and Persistent Threats

So we’ve talked about the ability to detect, monitor, track, and interact with an active threat, whether it’s persistent or advanced. I already know what you’re thinking: “You’re mad or neurotic.” Alas, I am a little of both, and that is what makes for the perfect security professional.

In
Chapter 1
, we briefly covered the nine points of observables. In the rest of this chapter, we will drill down into each of these points to enable you to look at the data from the perspective of a cyber counterintelligence specialist. Along with knowing about the nine points of observables, it is important that you also understand the importance of being able to measure your threat or adversary properly, while also measuring your success or shortcomings effectively. This is not a trivial task, but is more a continuous (living) document you use in order to measure each threat and incident. From these documents, you can build up an encompassing security program that incorporates all of your lessons learned: risks, vulnerabilities, and threats.

By performing due diligence each and every time, and taking the time to fill out an evaluation form (which is highly lacking in a reactive security model—a postmortem, or after-the-fact, response to an incident), you will actually begin to learn more about your threats and adversaries, and even get to a point where you will be able to move to a proactive level. At this level, you will be able to identify where your adversaries have been, where they are, where they are heading, and finally, their true objectives. You can do this with a little disinformation, deception, and counterintelligence.

The following table lists the nine observables that we will use for each of the advanced persistent threats and persistent threats covered in this book. The following sections include a rough ranking for examples of each these observables, in the order of 1 to 10, representing escalating threat levels, with 1 being poor and 10 being highly skilled or effective.

NOTE

There will be times when one or more of these points of observables will not be discernible, and will need to be left blank or based on some of the other observables. You can use qualitative measurement based on what is observed and/or known about each threat
.

This ranking approach demonstrates that you need to be able to have some level of metrics when weighing each and every threat. If you are able to assign some level of measurement to each instance of a threat, you will be better equipped to handle the most dangerous threats first. In any military or physical security organization, you are trained to shoot down the closest target, and then take the rest down as they draw closer. With observable information collected and used in the appropriate fashion, you can learn a lot about a threat. Especially with control of your own network, you can deploy, insert, combine, and redirect your threat using your own enterprise resources, if you are watching. Well, what if you are capable of drawing threats closer to you (through control or deceptive trust by the focus) and shutting them down at your own time of choosing? Let’s talk about the observables, and then we’ll dig into choosing your ground of battle in
Chapters 7
,
8
, and
9
.

Attack Origination Points

One of the most important components of dissecting a threat is knowing that you have a threat within your enterprise, how the adversaries were able to enter your enterprise, and where the attacks originated from. The dependence our world has on information technology has convoluted and mixed many of the traditional intelligence collection methods. With evolution comes additional lessons, threats, vulnerabilities, and adversaries, who can now walk into your organization without needing to be physically present, and get in and out without being seen. This is why understanding the origination of an attack is so important to being able to identify your weaknesses.

The table at the end of this section provides examples as a guide to weigh the overall origination points according to their threat level (from the lowest severity of 1 to the highest severity of 10). Each of these examples is a means of asking yourself how much effort went into the penetration of your organization’s infrastructure. Was it a random act by a random attacker, or was this a highly personalized and tailored attack against the highest ranking stakeholders or officials within your organization?

One higher-level threat is the insider-implemented infection, which may relate to the constant presence of some level of disgust or antipathy for what your organization is doing. As an example, consider the events that led an enlisted military intelligence analyst to leak numerous sensitive documents based on his personal beliefs.

When someone opens a known infected file inadvertently in an environment that is not protected from these types of threats, this is a lower-level threat. For example, a forensic investigator might accidentally execute malware on her system, and not within a sandbox. So when weighing this threat’s sophistication, it receives a low rating, as the threat was known and the execution was accidental.

Another example is whaling, which personally targets the heads of an organization or someone in a critical position with access to numerous components of an enterprise. This type of attack takes some actual research, tailoring, and work on the end of the attacker, so you can infer it is directed specifically at your organization. This is a very serious threat.

Between the accidental and directed threats, we have the professional, organized criminals who want as much access to as many networks as possible for monetary gain. This type of threat is the mother of all fear, uncertainty, and doubt (FUD), because money corrupts absolutely, and any intelligent criminal will know when he has acquired something (system, network, or enterprise) of value that can be sold to a third party.

Numbers Involved in the Attack

In our modern age of technology, cyber criminals can automate millions of computers to perform multiple attacks against a single enterprise, while a coupling of computers performs separate missions or tasks. This is an observable component that is highly difficult to measure, as the numbers involved in any attack can be for different purposes. Attackers may want to steal information from just a specific person or from an entire organization, and the system involved in the attack will always vary. The target may be you, your employer, or quite possibly information from your organization, such as what is being developed or worked on. The level of information that is being searched for could be on one system or spread across the globe, stored in various systems or even across multiple organizations. However, using victimology with the numbers involved in an attack will give you a deeper understanding of the sophistication, motive, and intent of an adversary or threat.