About Advanced Persistent Threats, a new frontier of cybercrime

Summary: While America marvels at the festival of trivia and miscellany that was Campaign 2016, we had the breakout year for cybercrime. It gets headlines, mostly about delusional stories which the media credulously accept (e.g., the March 2014 OPM hack was “a decisive instrument of warfare.”). Here is another in a series about this new form of crime and conflict, for those who wish to learn about this force shaping the 21st century.

Advanced persistent threats (APT) give an unauthorized user access to a system, often for an extended period of time, without being detected. This gives hackers access to sensitive data.

Are APT Reports Still Valuable or Have They Become Marketing Fluff?

By Emilio Iasiello.
From LookingGlass Cyber Solutions, transforming the art of threat intelligence.
19 December 2016. Posted with their gracious permission.

Now that APT reports have been exposed, the “thrill” of discovering and calling out suspected nation state actors engaged in clandestine cyber activity has become almost routine. Excitement over what was once considered a difficult thing to do (detecting “advanced” cyber adversaries) is now expected. And therein lies the problem. The rush to attribute and increase marketing visibility in the wake of such incidents has taken the place of adding value through the exchange of actionable information.

As a result, the cybersecurity community appears to be at an almost breakneck speed in producing APT reports. Certainly, the research that is offered to the public under the auspices of information sharing provides some proficient technical analysis and indicators of compromise that can help organizations detect if similar activity is occurring against their networks. But what is the real benefit of revealing to the world what is known? Does it capitalize on the business marketplace?

One security vendor intimated that there appears to be a direct correlation in the decline of suspected nation state hacking and private company earnings. This was perceived to be the case when a particular company’s decline in stock performance occurred at the same time a certain nation state was hacking less frequently. Then three months later, the same company noted a spike in stock value when another nation state’s alleged hacking efforts surfaced and became prominent in the news. While based on very limited evidence, the bottom line message appears to be clear: many of these reports seem to serve as more of a marketing resource – if not more – than information sharing.

According to a security researcher, one of the driving factors behind the growth in reporting is the inherent marketing value (they provide sound bites and quotes for computer security-related, cable, and even network news, particularly when they name “who” was behind such activities), which translates to sales. (“Do APT reports hurt more than they help?“)

The more we focus on such nation state activities, the more we’ll see vendor reports pointing attribution in a particular government’s direction. However, there is evidence that the volume of such reports being produced by so many vendors is saturating the marketplace, and may not be achieving the intended purpose. The same researcher concludes that with several vendors competing to release intelligence reports exposing suspected APT actors at work, the marketing value has dropped significantly while the self-inflicted harm has only increased.

To be fair, the media shares some responsibility in all of this, as it sensationalizes alleged nation state hack often times without validating the information. Recent media activity around Russia’s suspected involvement in hacking the U.S. election illustrates this point. While one intelligence agency seems convinced of Russian culpability to influence election results, several others including the Office of the Director of National Intelligence have differing opinions as to the intent of such activity. (“Why Are the Media Taking the CIA’s Hacking Claims at Face Value?“) Most major news headlines promote the former’s conclusion, not the latter’s.

The October 2016 distributed denial-of-service (DDoS) attack against Dyn, a cloud-based Internet performance management company, is further indicative of the media breaking stories without substantiating information. Initially, many news outlets incorrectly reported who was responsible, while most of the security community did not share that view. Ultimately, the security community was correct. Such claims are not reserved just for stories about hacking. President Obama made such intimations toward the press at a journalism award dinner in 2016, admonishing the press for “irresponsible election coverage.” (“Obama rails against vulgar politics in speech at Syracuse University event.”)

Furthermore, there is some question as to the benefit of publishing such APT reports in the first place. In early 2016 at a prominent cyber threat intelligence conference, the question about whether or not publishing APT reports for wide public consumption (rather than just within an info-sharing community of professionals) was the right course of action. One presenter at the conference provided several compelling cases of APT actors shifting their TTPs shortly after the release of reports detailing their operations, thereby reducing their usability for network defenders. (“Do APT reports hurt more than they help?“)

Another salient point raised was the fact that often these vendor APT reports lacked enough substance to be effective for the public writ large at all. In the haste of trying to “break the story,” these reports sacrificed utility for instant notoriety, again calling into question the real intention of such reporting. A 2015 presentation by two security researchers found that with the advancement of defensive security and the constant release of research papers into their toolsets, advanced threat actors have had to adapt with new operational security practices, as well as with new technology. (“APT Reports and OPSEC Evolution.“) In effect, by publicizing what is known about their activities, these actors can change up how they do things, either a little, perhaps to suggest a “false flag” operation, or a lot. Either way, the same result is clear: we are helping the bad guys.

As we start a new year, there needs to be a concerted effort to get back on track to work collaboratively to perform better information sharing in order to enable better decision making, or else we risk ending 2017 in the same position we are now.

————————————————–

About the Author

Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as a private sector companies. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in peer-reviewed journals. He is a senior cyber threat researcher at LookingGlass Cyber Solutions.

See his other articles on the Dark Matters website. He now posts at Dead Drop of the LookingGlass Cyber Threat Intelligence Group.