About Advanced Persistent Threats, a new frontier of cybercrime

Summary: While America marvels at the festival of trivia and miscellany that was Campaign 2016, we had the breakout year for cybercrime. It gets headlines, mostly about delusional stories which the media credulously accept (e.g., the March 2014 OPM hack was “a decisive instrument of warfare.”). Here is another in a series about this new form of crime and conflict, for those who wish to learn about this force shaping the 21st century.

Advanced persistent threats (APT) give an unauthorized user access to a system, often for an extended period of time, without being detected. This gives hackers access to sensitive data.


Are APT Reports Still Valuable or Have They Become Marketing Fluff?

By Emilio Iasiello.
From LookingGlass Cyber Solutions, transforming the art of threat intelligence.
19 December 2016. Posted with their gracious permission.

Now that APT reports have been exposed, the “thrill” of discovering and calling out suspected nation state actors engaged in clandestine cyber activity has become almost routine. Excitement over what was once considered a difficult thing to do (detecting “advanced” cyber adversaries) is now expected. And therein lies the problem. The rush to attribute and increase marketing visibility in the wake of such incidents has taken the place of adding value through the exchange of actionable information.

As a result, the cybersecurity community appears to be at an almost breakneck speed in producing APT reports. Certainly, the research that is offered to the public under the auspices of information sharing provides some proficient technical analysis and indicators of compromise that can help organizations detect if similar activity is occurring against their networks. But what is the real benefit of revealing to the world what is known? Does it capitalize on the business marketplace?

One security vendor intimated that there appears to be a direct correlation in the decline of suspected nation state hacking and private company earnings. This was perceived to be the case when a particular company’s decline in stock performance occurred at the same time a certain nation state was hacking less frequently. Then three months later, the same company noted a spike in stock value when another nation state’s alleged hacking efforts surfaced and became prominent in the news. While based on very limited evidence, the bottom line message appears to be clear: many of these reports seem to serve as more of a marketing resource – if not more – than information sharing.

According to a security researcher, one of the driving factors behind the growth in reporting is the inherent marketing value (they provide sound bites and quotes for computer security-related, cable, and even network news, particularly when they name “who” was behind such activities), which translates to sales. (“Do APT reports hurt more than they help?“)



Stratfor looks back at 2016, the breakout year for cybercrime

Summary: The media and military experts thrill to news about the A-10 and the latest nuclear submarine. Meanwhile new tools for cybercrime and cyberwar reshape the world. The FM website has covered these stories, puncturing the myths that fit them into a useful narrative for governments. Here Stratfor summarizes the events of 2016, the breakout year for cybercrime.


The Year in Cybercrime: Exploiting the Weakest Link.
By Threat Lens of Stratfor, 30 November 2016.


  • Hackers will continue to rely on social engineering tactics to exploit their victims.
  • State and state-sponsored actors will turn increasingly to cybercrime to advance their national interests.
  • Technological improvements to counter cybercrime will not protect against human vulnerability.


The rise of the internet and related technologies has transformed the world, revolutionizing nearly all aspects of everyday life, including crime. In September, the Global Cyber Security Leaders summit in Berlin highlighted the cyberattack tactics that pose the greatest concern to security professionals. Many of these coincide with the threats that we have covered over the past year on Threat Lens, Stratfor’s new security portal. Some transcend criminal activity and involve state or state-sponsored actors using tricks of the cybercriminal trade to advance their countries’ agendas.

Though the weapons used to conduct cyberattacks are relatively new — and rapidly evolving — the tactics have been around for centuries. Over the past year, several major crimes have combined the new platforms and greater access that the information age affords with the age-old art of social engineering. The tactics described below are by no means the most sophisticated of their kind, but they have proved to be some of the most successful and enduring.


The Internet of Things attacks. If we don’t do better, we will get hurt.

Summary: While America chattered about the soundbites and lies, one of the largest cyberattacks in history took place. Cybersecurity expert Emilio Iasiello discusses what happened and what it means. As so often happens, the big stories often get lost amidst the flotsam and jetsam of the news.

Watch the evolution of a historic attack on the United States…

DDOS attack – From iO9, by Andrew Liszewski.

The Internet of Things attacks. When Will We Learn?

By Emilio Iasiello.
Posted at Cyber DB, the Cyber Research Databank.
7 November 2016. Posted with his gracious permission.

In late September and late October 2016 two massive distributed denial-of-service (DDoS) attacks successfully targeted and impacted the operations of their targets. In the October DDoS against Dyn, a cloud-based Internet Performance Management company, several high profile organizational websites (Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, to name a few) were affected for a substantial part of the day {details here}. While Dyn was ultimately able to mitigate the three-wave attack, it did impact users’ abilities to access these sites.

In both instances, attackers took advantage of generally insecure Internet of Things (IoT) devices and harnessed the volume to create large botnets able to launch substantial DDoS attacks. These are not the only two instances in which enterprising criminals sought to leverage IoT in fulfillment of their activities. Both in September and June 2016, IoT devices such as home routers and closed circuit television cameras were used to proliferate the attacks. This is very disconcerting given the fact that IoT as an industry is becoming a foregone conclusion and that more and more of these devices are being produced, marketed, and injected into our daily existences. Unsurprisingly, this is a market expected to continue to grow and is frequently cited as a top trend according to some sources.


Stratfor: it’s the breakout year for cybercrime! How do we fight it?

Summary: 2016 is the breakout year for cybercrime. Ransomware went global, the third major theft using the global banking SWIFT system occurred, and a multi-million dollar attack hit Japan’s ATM network. Here Stratfor looks at the mechanics of crime-fighting against cyber thieves.


To Catch a Cyber Thief
Stratfor, 3 June 2016


  • South Africa’s Standard Bank, so far the only institution to come forward as a victim of fraudulent withdrawals by an organized network, will not be able to recoup all of its $12.7 million in losses.
  • Arresting the street criminals associated with unlimited operations will do little to stop future strikes, which will continue until the hackers behind the heist are found and detained.
  • Nevertheless, authorities will likely apprehend the hackers behind the latest unlimited operation in Japan, though it may take years.


How would Sun Tzu defend computer systems? Poorly. A new era needs new thinking.

Summary: The theft of the Federal government’s personnel data has brought information security back to the front pages, along with the usual cries of “off with their heads” for the guilty and promises of Total Information Security in the future, as the signal to noise ratio in the media drops towards zero. To help restore our sense of proportion, here’s an article from the past by two well-known experts discussing the difficulty of e-defense in the 21st century.

This is a follow-up to About the theft of the Federal government’s personnel records: sorting fact from fiction, another in a series about a new age of conflict in which the old ways no longer work. {1st of 2 posts today.}

“As we shall show, defense is a stronger form of fighting than attack. … I am convinced that the superiority of the defensive (if rightly understood) is very great, far greater than appears at first sight.”
— Clausewitz, On War, Book 1, Chapter 1


InfoSec, Sun Tzu & the Art of Whore

By Steve Tornio and Brian Martin.
At Attrition, 2 July 2010.

Posted with the authors’ permission.


Lately, you can’t swing a dead cat without hitting someone in InfoSecurity who is writing a blog post, participating in a panel or otherwise yammering on about what we can learn from Sun Tzu about Information Security. Sun Tzu lends the topic some gravitas and the speaker instantly benefits from the halo effect of Ancient Chinese Wisdom, but does Sun Tzu really have anything interesting to say about Information Security?

In The Art of War, Sun Tzu’s writing addressed a variety of military tactics, very few of which can truly be extrapolated into modern InfoSec practices. The parts that do apply aren’t terribly groundbreaking and may actually conflict with other tenets when artificially applied to InfoSec. Rather than accept that Tzu’s work is not relevant to modern day InfoSec, people tend to force analogies and stretch comparisons to his work. These big leaps are professionals whoring themselves just to get in what seems like a cool reference and wise quote.

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” {The Art of War}

This seems to make sense on its face. If you focus on making your systems and networks invulnerable to attack, then you don’t need to worry about attackers. So, on any modern network where people actually need to get work done, can you make systems invulnerable to attack? If not, does this particular advice tell us anything useful? Maybe Sun Tzu was trying to say that we need to spend more and more money on IPS/SIEM/firewalls/antivirus, even if we don’t see a particular need to upgrade or improve those areas.

Information security is not warfare (leaving aside actual warfare, of course). The bulk of security practitioners are working to protect private and public networks and do not strike back against any enemy.


Cybercrime: Now More Profitable Than The Drug Trade

Summary: Today we have a report from the front lines of the cyberwars. It’s an axiom of 4th generation war that crime and war increasingly use the same methods, and even merge at higher intensities (as seen in Mexico’s fight with its drug cartels). Today we hear about companies’ fight against cybercrime, still growing and already more profitable than drugs. {2nd of 2 posts today.}

37% of respondents said they were not confident in their company’s ability even to detect a breach. … Only 45% were confident about the security of their Point of Sale devices.

Tripwire Online Survey, March 2015.


Cybercrime: Now More Profitable Than The Drug Trade

By Irfahn Khimji and David Bisson
From Tripwire, 30 March 2015.
Posted here with their generous permission.


Tripwire recently hosted a webcast entitled, “PCI Breach Scenarios and the Cyber Threat Landscape with Brian Honan: Real World Cyber Attacks and Protecting Credit Card Data.” For our presentation we discussed the importance of the new Payment Card Industry Data Security Standard 3.0. Together, we also provided some insight into how companies can leverage this new compliance standard to protect themselves against a security breach.

As reported by the 2013 Europol Serious & Organized Threat Assessment, the “Total Global Impact of CyberCrime [has risen to] US $3 Trillion, making it more profitable than the global trade in marijuana, cocaine and heroin combined.”


The FBI told their story about North Korea attacking Sony. Before we retaliate, read what they didn’t tell you.

Summary: The government blames North Korea of the Axis of Evil for the attack on Sony, a claim quite like the bogus claims of the past we so credulously believed. No matter how often they lie to us, Americans believe what the government tells us. They lie, we believe, their lies are exposed — rinse, repeat. It makes us easy to govern, incapable of self-government, and quite different from our skeptical unruly forebears. We can do better. This is a great day to begin. Read this and decide for yourself.

This is the most complete collection of information I’ve found on this story. I’ll update as new articles appear. Second post in this series; see links to the others at the end.



  1. Articles questioning the FBI’s story
  2. About the attack
  3. Dissenting voices to the official story
  4. Remember this before you believe
  5. Major media see the story
  6. For More Information

(1) Articles questioning the FBI’s story

While most journalists report official government statements, and cite only approving voices, there are a few who quote dissenters. We should pay attention to these few, considering the long list of government lies attributing evil deeds to designated foes. Learning from experience is the beginning of strength.

  1. “Sony Pictures hackers say they want ‘equality,’ worked with staff to break in”, Jacob Kastrenakes and Russell Brandom, The Verge, 25 November 2014 — An interview with the hackers. Ignored by journalists; blockbuster news if true.
  2. “Sony Hack: Studio Security Points to Inside Job”, The Hollywood Reporter, 3 December 2014
  3. “North Korea Almost Certainly Did Not Hack Sony”, Kim Zetter, Wired, 17 December 2014
  4. “Reaction to the Sony Hack Is ‘Beyond the Realm of Stupid’”, Jason Koebler, Motherboard, 17 December 2014
  5. “Why You Should Demand Proof Before Believing The U.S. Government On North Korea and Sony”, Jeffrey Carr (cybersecurity expert, CEO of Taia Global, Wikipedia bio), Digital Dao, 17 December 2014 — Excellent background on the cyber-intel agencies and their vendors, and the dubious past of cyber-attack attribution.
  6. “Why the Sony hack is unlikely to be the work of North Korea”, Marc Rogers (of web-traffic optimizer CloudFlare), 18 December 2014 — 1st of 2.
  7. “US reportedly blaming North Korea for Sony Pictures hack. But why?”, Graham Cluley, 18 December 2014 — Repeats points made elsewhere.
  8. “Sony, the DPRK, and the Thailand – Pyongyang Connection”, Jeffrey Carr, Digital Dao, 19 December 2014 — The story becomes more complex.
  9. “North Korea Hacked Sony? Don’t Believe It, Experts Say”, Paul Wagenseil, Tom’s Guide, 19 December 2014
  10. “Sony hack was the work of SPECTRE”, by Robert Graham (CEO), Errata Security, 19 December 2014 — A logical alternative analysis shows the weakness of the FBI’s case.
  11. “How the FBI says it connected North Korea to the Sony hack — and why some experts are still skeptical”, Christina Warren, Mashable, 20 December 2014
  12. “Lets blame our perennial adversary!”, the grugq (bio here; his website), undated — The attacker has strong media skills.
  13. Update: “Fauxtribution?” at Krypt3ia (pseudonymous hacker), 20 December 2014
  14. Update: Comment by Marcus Ranum, e-security expert (bio here) & on the FM website’s team of authors, posted at Free Thought Blogs, 21 December 2014
  15. Update: “Why I *still* dont think it’s likely that North Korea hacked Sony.”, Marc Rogers (of web-traffic optimizer CloudFlare), 21 December 2014 — 2nd of 2, with more detail.
  16. Update: “Sony hacker language”, Language Log, 21 December 2014 — Linguistic analysis of the hackers’ writing.

I sifted through these articles, each linking to other sources, and assembled this summary. I believe it shreds the FBI story; at the very least it destroys the certainty about the attackers’ identity. Read and decide for yourself.

(2) About the attack
