Purely Commercial Espionage – The Advanced Persistent Threat Targets Businesses

Advanced persistent threats (APT) and targeted threats are a hot topic these days, but most speak about such attacks in the context of the military and national security.  Last week, Rep. Mike Rogers, the Chairman of the House Permanent Select Committee on Intelligence, went on CNN (video here) to provide a picture of how targeted threats are affecting businesses in the U.S. and abroad.

Rep. Rogers is pushing for greater visibility into what he calls “purely commercial espionage” by China: specifically, the use of deliberate and targeted attacks to exfiltrate intellectual property and sensitive information from U.S. companies, to be used to create an unfair competitive advantage and undermine the performance of those companies.  The ultimate aggregate effect of this industrial espionage would be to weaken the U.S. economy through lost jobs and lost corporate revenues.

Certainly, commercial organizations need to very quickly get their heads and hands around the problem of targeted attacks and their inability to shield themselves from these attacks.  Rep. Rogers sums up the situation by saying: “There are two types of companies.  Those who know they have been attacked, and those who don’t.”

For those of you on the commercial side that don’t get the subtlety of that remark, Rep. Rogers is saying you have been attacked.  You just might not know it, because your prevention tools have failed and will not detect such attacks, as described in the post “Making the Case for Rapid Detection and Response”.

The deliberate, persistent, and targeted threats from enemy nation-states are no longer solely a matter for the military and the intelligence community.  Every business and enterprise is a target.  And the stakes are not small.  Rep. Rogers tells the story of a company that had research stolen that represented an investment of $1B to that organization.  Imagine investing for years in a product only to have it show up on the market before you launch it.

Luckily this problem is not new (at least to many of us) so there are products designed to detect the attacks that evade your defenses.  You can become one of those companies that know they have been attacked, and have the actionable information needed to do something about it.

The first step is simple: recognize that you have the problem.  Don’t get stuck thinking that you already have the tools in place to detect these attacks, because you don’t.  And that is not your fault, nor does it mean that your investments in IT security were wasted.  It just means that the world has changed and the threat has evolved, and now you must take the appropriate steps to counter that threat.  You must look beyond the traditional shields and embrace the notion of rapid detection and response.  You need a Plan “B” for security.

And the sooner the better.

The Advanced Persistent Threat Means We Need a Third Bucket

Gartner has always taken a simplistic approach to dividing their analysts in the consulting practice:  keep the bad guys out (defense) and let the good guys in (access).  I have no quarrel with these two buckets and they have made sense for some time, but I respectfully believe it is time the industry accepts a broader reality and adds a third bucket that addresses when the adversary has thwarted the first two buckets, which is happening with alarming frequency.

I was at the Capital Connection Show last week and had the pleasure to attend a luncheon roundtable discussion that included Gary Gagnon of MITRE and Debora Plunkett, NSA’s Information Assurance Director.  I found it interesting that the call to arms was not for better shields but for a better understanding of how to detect and eradicate adversaries that have made it through the defenses.  It was clearly a pragmatic view that offense is always ahead of defense, and that a continued emphasis on chasing the perfect shield was no longer viable.  Regardless of whether you like the term, the Advanced Persistent Threat is a reality, and the advanced persistent adversary is now organized, competent, and highly motivated.

Unfortunately, the IT security industry formed in a simpler time when the two buckets of defense and access were enough.  The entrenched thinking and alignment of products into these buckets have seemingly left no room for a third bucket.  When we brief the analysts or the press it is clear that while they understand what Triumfant does and the value our solution represents, there is a struggle to process the information because we do not neatly fit into a bucket or one of the sub-classifications in those buckets. I fear that it actually puts Triumfant at a disadvantage even though we effectively fill critical gaps in endpoint security and configuration management.

There is an interesting corollary when one looks at the evolution of the defense of the United States over the past 30 years.  When I entered the professional workforce in 1981 at what was then Martin Marietta, the U.S. Armed Forces focused on fighting a broad, land-based conflict in Eastern Europe against the Soviet Bloc.  For those too young to remember, military vehicles and uniforms were not desert khaki, but green.

Ten years later, America was fighting the first Gulf War and the military was scrambling to find khaki and brown paint – literally.  Military vehicles would pass on the highways and you could see they were hastily painted from forest green to desert brown.  Many of the vehicles and weapons built for the woods of Eastern Europe were not so effective in this new theatre.  The adversary was also different in nearly every aspect.  So we quickly found that our strategies and techniques had to be completely reset.  In spite of these challenges, the public was served multiple images of the sophistication of our weapons, creating a sense of confidence that our military superiority would shield our home soil from aggression.

Ten more years later, on September 11, 2001, I stood at a window on the 27th floor of a high-rise office building in mid-town Manhattan as my brain struggled to process the data from my eyes as I watched the first of the Twin Towers of the World Trade Center shudder and fall.  The enemy was no longer in some far away land most of us would never see; the enemy was among us.  The enemy had in fact lived among us, and we had trained them to have the skills to perform their acts of aggression.  Iconic buildings on our own soil had been attacked, and non-combatants were killed.

I did watch both towers fall, and I can assure you I do not invoke 9/11 lightly or use it as a casual metaphor.  That day the United States understood that defense was no longer about keeping the bad guys out, because they were already in.  The nation was forced to completely rethink security, come to grips with finding and removing embedded adversaries, and admit to the hard truth that there was no way to completely secure the perimeter.  The myth of the shield fell in the flames of the WTC and the Pentagon.

We are at that place with IT security and have been for some time.  The pragmatic know this and are well on their way to addressing the problem.  But the industry itself and many within organizations and government agencies are stuck on the concept of perfecting shields rather than dealing with the cold harsh reality of an adversary that has long since found ways to penetrate those shields in a targeted and systematic way at a rate that increases daily.

The larger, incumbent security software companies that started with shields predictably hold onto the premise and respond to problems by introducing new shields that the bad guys soon evade.  Organizations buy into the story because it simply feels better to think about keeping the bad guys out than admitting they have long since found their way in.  They rest on reports from AV software that show increasing detection statistics, which create a false sense of security because there are no statistics on what is getting through.  Yet outside statistics prove conclusively that things are getting through.

Folks, the world has changed and there is no denying it nor can we turn back the clock.  There has to be a third bucket that addresses what we do when the bad guys get past our defenses and infiltrate our systems.  My problem – I don’t have a good name for the bucket, so I am open to suggestions.  Regardless of what we call it, it is time to face the uncomfortable truth and adjust our thinking accordingly.

A Condensed Guide to the Security Fails of 2009

The past several weeks I have been posting a series I called the Security Fails of 2009.  It was designed to be a look at stories that illustrated the challenges faced in IT security as well as some of the broader issues shaping the industry. 

For your convenience, here is a recap with links:

12/10 – The Marine One Breach – illustrates the threats created by unauthorized applications.

12/14 – The Strange Case of the Missing Cyber Czar – a look at the seven months that had passed since the announcement of the position in May.  Obviously the position has been subsequently filled.  Coincidence?

12/16 – Conficker Becomes a Media Darling.

12/18 – Adobe Takes the Exploit Crown from Microsoft.

12/21 – The Heartland Payment Systems Breach – Lessons learned from the largest breach of customer data to date.

Cyber Czar Announcement Slipped Under the Door – What Does That Say?

Today it was announced that Howard Schmidt was appointed to the White House Cybersecurity Coordinator position otherwise known as the cyber czar.  Much has been written in our blog about this position since it was announced, and the timing and approach to the announcement has done nothing to eliminate the concerns previously expressed.  I have much reading to do before I comment directly on Mr. Schmidt, but I do have very strong impressions from the way it has been handled.

The position was originally announced at a press conference in late May on the Friday before Memorial Day.  Not exactly a day and time that you would select for something of importance or to maximize the impact.  Months passed as candidates not only turned down the position, but candidates like Melissa Hathaway left the government for the private sector. 

And now we get an announcement stating the position has been filled on the Tuesday of Christmas week, in a city where most of the government is closed because of a record setting snowstorm.  The announcement gets a mention on the White House blog with a picture of the President shaking hands with his new Cybersecurity Coordinator in what appears to be a hallway.  No press conference, no fanfare, no President standing at the side of the new Czar as a show of support to the position and a commitment to the idea of cyber security. 

I went to the White House press page at 11:00 am EST and there is no formal announcement.  There is news about the Enactment of the Airline Flight Crew Technical Corrections Act, something about agencies cutting spending by $19B, and some nominations that were sent to the Senate, but nothing about this position. 

I am sure there will be Obama acolytes that will line up to applaud the announcement, but I find myself angry today as I weigh what I see from the White House.  I have the somewhat unique perspective of being a marketing person in cyber security.  That means that cyber security is important to me and I have a taste of the threat against our country.  As a marketing person, I see the not so subtle signals being sent by the White House regarding this subject.  Put this in the context of the amount of energy thrown at other items such as the Chicago Olympic bid, and it is reasonable to draw the conclusion that the White House is not committed to cyber security and this role.

I would be a lot angrier if I had not spent the last year working with people at NIST, the NSA, the intelligence community and the DoD who are proactively and energetically looking for new and innovative ways to protect our government from malicious attacks.  Best of all, these groups are working together to share data and knowledge in a way that would make taxpayers happy and proud.  So I’ve seen real, actionable progress taking place long before Mr. Schmidt assumed this role.   

To be clear, I never viewed the cyber czar as some sort of mythical figure that could solve our cyber security problems with a wave of the hand, but I was hopeful that the role would serve as a way to focus attention on the problem and help create a sense of urgency toward progress.  And if that person was seen as having the “full faith and credit” of the President, it would give that person some authority to be something other than a figurehead.  But that is exactly how I view this position today – a campaign promise fulfilled in the least effective way possible and with minimal authority, buried in slow press days.

This week we got news that our military drones had been hacked with $26 software, a plea was entered in the Heartland breach by the same person who pulled off the TJX breach (who used a simplistic and well known SQL injection technique to penetrate Heartland), and that Twitter was disabled completely by a DNS attack.  And we get a tepid announcement the Tuesday before Christmas on a position that it took them seven months to fill.  I’d hate to see what type of catastrophic, IT security based incident it would take to make the White House treat the problem with the seriousness it deserves.

Security Fails of 2009 – The Strange Case of the Missing Cyber Czar

Today is the second in the series on the Security Fails of 2009.  As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security.  While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009. 

2009 began with the inauguration of a new President who had made the need for improved cyber security a prominent part of his campaign agenda.  Once in office, President Obama asked Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils (fit that on a business card) Melissa Hathaway to assess the state of cyber security and create recommendations for going forward.  It was widely believed that the recommendations would include the creation of a National Cyber Advisor or “Cyber Czar” position that would oversee and coordinate cyber security efforts in the federal government and influence private enterprise. 

In late May, on the Friday before the Memorial Day weekend, a press conference was held to announce the release of the final version of the study called the White House Cybersecurity Policy Review.  As predicted, the study recommended the creation of the cyber czar position, which was reiterated at the podium at the press conference.  The White House had numerous industry luminaries aligned to sing the praises of the announcement, but many, like our CEO, John Prisco, were underwhelmed.

And then…silence.

Nearly seven months later and there has been no further word on a candidate for the position.  I pointed out that the timing of the announcement was odd – a Friday before a holiday – which smacked of an administration looking to slip by a story with as little notice and coverage as possible.  Since then there have been rumors of candidates but these rumors quickly fade back into…silence. 

Theories abound as to the lack of progress.  Is the position so poorly defined that it is doomed for failure and potential candidates are too savvy to take on such a role? Is it because a candidate would have to have a working knowledge of security, the security industry, and be adroit at navigating the federal landscape, making the population of qualified candidates too small?  Or was the administration simply looking to check off a box from the campaign agenda by addressing the problem superficially and hoping the attention would wane so no further action was needed?

What is clear is that the excitement about the position and its ability to affect cyber security policy and progress has passed, as has valuable time.  Without a visible front person to keep the ideas presented in the Policy Review document in the public view, the hard work behind the document has been essentially wasted.  It seems that pressing matters like getting the Olympics for Chicago have taken precedence.

Given the timing of the announcement and the lack of subsequent activity, the administration has sent a clear signal that this topic is not viewed as critical.  I don’t believe that a new Cyber Czar will have a dramatic influence on cyber policy – it is the lack of attention given to it by the administration that causes me concern.  And that is why I am including the cyber czar misadventure as a security fail for 2009.

Luckily there are others working to fill the void.  I had the opportunity to speak at the NIST Security Automation Conference in October and was encouraged by the progress I see being made by NIST, the NSA, and others.  As a resident of the Washington D.C. area you learn quickly that there are those who do and those who step into spotlights and they are rarely the same person.  Given the progress of others and the time that has passed since the announcement, I wonder if this ship has sailed and that anyone named to the position now would simply be too neutered to be successful.  I also wonder if such a person would now hold back those who are making progress behind the scenes.  

And finally, I wonder if all of this was orchestrated by the same PR genius at the White House that talked the President into posing with Tiger Woods on the cover of Golf Digest.  It would explain a lot.

Soot Over Cyber – Hanlon’s Razor and the Brazilian Blackout

I was skimming several security related sites yesterday and came across a post in Wired that spoke to the 2007 blackout in Brazil and the recent claims in a 60 Minutes segment that the blackout was caused by hackers.  The blackout was in fact caused by “negligent maintenance of high voltage insulators on two transmission lines” which triggered a cascading sequence of failures.

Hackers have claimed responsibility but no one has produced any evidence to support the claim.  And one official notes that the command and control for the system is not connected to the internet. 

After reading this the first thing that came to mind was this is a great case for Hanlon’s Razor, a corollary to Murphy’s Law that reads as follows:

“Never attribute to malice that which can be adequately explained by ignorance or incompetence, but don’t rule out malice.”

I used Hanlon’s Razor in a post called “Stopping Stupid” regarding the role of continuous security configuration management in reducing the risk caused by people doing stupid – but not necessarily malicious – acts.

In this case, it seems that soot, not the sinister work of cyber criminals, was to blame.  I don’t discount the depth and breadth of the cyber threat that exists today, but it is always good to hear a reminder that every time we see smoke there may not actually be a fire.

Triumfant to be Speaking at the 5th Annual NIST Security Automation Conference

I have the great privilege to have been asked to speak tomorrow at the NIST Security Automation Conference.  My presentation will address how the unique approach and technology behind our offering helps drive three critical shifts in the thinking behind endpoint security:

The move from manual to automated processes.  Triumfant represents a significant step forward in automating the detect-analyze-act cycle.  Most if not all tools automate the detect activities, but as you move through analysis and ultimately action in the form of remediation, manual intervention by specialized security personnel is required.  Triumfant uses our Adaptive Reference Model to analyze events in the context of the broader endpoint population and group changes into broader events.  Most tools only see events in the context of the affected machine, and further analysis becomes a manual process.  Remediations are performed manually and require some form of script to be written by either a vendor or in-house security staff.  Triumfant builds a comprehensive remediation that fixes the malicious code and all the collateral damage of the attack.  This remediation is written automatically, and is applied to the affected machine without interaction from the user, without the need for rebooting, and without the need to re-image.  Only Triumfant can demonstrate the complete automation of the detect-analyze-act cycle.  And we haven’t even begun to discuss the ramifications in regards to costs saved by automating the remediation process.

The move from periodic to continuous activities.  Triumfant continuously scans and remediates, creating a state of what we call persistent security readiness.  The automated processes continuously enforce policies and configurations by monitoring the machines, using changes at the granular level to trigger analysis and determining the ultimate effect of those changes on each machine.  Triumfant then builds a remediation to return the machine to compliance.  The result is every machine, every day readiness.  We also use the SCAP vulnerability database to scan each machine for vulnerabilities and detail the patches required to eliminate those vulnerabilities.

The move from global to contextual requirements.  As stated, most endpoint protection tools view events in the context of the affected machine.  And they only see the malicious code and have no way to know the collateral damage from the attack.  They may address the malicious code, but leave all forms of collateral damage such as altered configuration settings, open ports and secondary payloads, to name a few.  Only Triumfant provides the contextual information needed to fully remediate a machine under attack.  By monitoring over 200,000 elemental attributes for every machine, only Triumfant sees all of the damage to the machine and can build a remediation that is in complete context with the attack and the specific needs of the attacked machine.  Other tools may have pre-written remediations, but this is a one-size-fits-all approach that can leave a machine vulnerable.  And of course, this approach assumes prior knowledge of the attack, while Triumfant requires no such knowledge.

Because we fully automate the detect-analyze-act cycle, Triumfant addresses malicious attacks in less than five minutes from infection to remediation.  This includes targeted attacks and attacks for which there is no prior knowledge.  But we also continuously maintain the endpoints in a state of persistent security readiness, thereby reducing the attack surface for those machines and ensuring that all of the protections, not just Triumfant, are in place, properly configured and fully operational.
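To make the “contextual” and “continuous” ideas above concrete, here is an added example (my own illustration, not Triumfant’s code or its Adaptive Reference Model): it builds a consensus reference model from constructed configuration snapshots of a small endpoint population, flags the one host whose attributes deviate from that consensus, groups the deviations on that host into a single event, and derives a remediation plan that restores the consensus values. Host names, attribute names and values are all made up for the demo.

```python
"""Population-based reference model for endpoint configuration drift.

Added example, not Triumfant code.  Illustrates analysing a change on one
machine in the context of the whole endpoint population, grouping the related
changes into one event, and deriving a remediation that restores the
attributes the population agrees on.  All data below is constructed.
"""
from collections import Counter, defaultdict


def build_population():
    """Constructed snapshots: host -> {attribute: value}.

    Ten workstations share a baseline; ws-07 carries several correlated
    changes of the kind an attack plus its collateral damage might leave.
    """
    base = {
        "svc:WinDefend:start": "auto",
        "svc:WinDefend:state": "running",
        "fw:profile:domain": "on",
        "fw:rule:AllowAnyInbound": "absent",
        "run:HKLM:Updater": "C:\\Program Files\\Updater\\upd.exe",
    }
    hosts = {"ws-%02d" % i: dict(base) for i in range(1, 11)}
    hosts["ws-07"].update({
        "svc:WinDefend:state": "stopped",          # protection disabled
        "fw:profile:domain": "off",                # firewall profile off
        "fw:rule:AllowAnyInbound": "present",      # permissive rule added
        "run:HKLM:Updater": "C:\\Users\\Public\\svchost.exe",  # autorun hijacked
    })
    return hosts


def reference_model(hosts, min_agreement=0.8):
    """For each attribute, the value at least `min_agreement` of hosts share.

    Attributes with no clear consensus are left out of the model rather than
    guessed, so legitimately diverse settings do not produce noise.
    """
    values = defaultdict(Counter)
    for snapshot in hosts.values():
        for attr, val in snapshot.items():
            values[attr][val] += 1
    model = {}
    for attr, counter in values.items():
        val, count = counter.most_common(1)[0]
        if count / len(hosts) >= min_agreement:
            model[attr] = val
    return model


def detect_deviations(hosts, model):
    """Return host -> {attribute: (observed, expected)} for attributes off-model.

    All deviations on one host are reported together, so correlated changes
    are seen as one event rather than a series of isolated alerts.
    """
    findings = {}
    for host, snapshot in hosts.items():
        diffs = {a: (snapshot.get(a), v) for a, v in model.items()
                 if snapshot.get(a) != v}
        if diffs:
            findings[host] = diffs
    return findings


def build_remediation(diffs):
    """Turn one host's deviations into ordered 'restore attribute' steps."""
    return [{"attribute": a, "set_to": expected, "was": observed}
            for a, (observed, expected) in sorted(diffs.items())]


if __name__ == "__main__":
    population = build_population()
    model = reference_model(population)
    for host, diffs in detect_deviations(population, model).items():
        print(host, "deviates in", len(diffs), "attributes")
        for step in build_remediation(diffs):
            print("  restore", step["attribute"], "->", step["set_to"])
```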

Needless to say I am excited about the opportunity to tell our story to such a group focused on automating security processes.  It is an exciting topic, and I have had the opportunity to speak to the really smart people at NIST and NSA that are driving some very progressive thinking on the subject.  Best of all, it is exciting to know that many of the capabilities thought to be critical by these smart people in regards to securing the endpoint already exist in our product today. 

If you are at the show, please stop by our booth (312) and we will be happy to show you a demonstration of how all of this works and talk about how we can put these capabilities to work for your organization.