2011-12-01
Abstract
‘Attribution is one of the things in the IT security industry that is dropped on the floor.’ Anon
Copyright © 2011 Virus Bulletin
Attackers read – we pay attention. The recent US DoD Cyberspace Policy Report set out a number of challenges in defending critical assets and infrastructure. Among them were things we have long known to apply in the private sector, and they hold true even for the best-funded power structure in the world: attribution is a pain, hiding behind the veil of anonymity on the net is powerful, and attackers have the advantage.
We agree. The report not only admitted that attribution is a major difficulty even for the government’s well-funded structure, but that addressing it properly will require years of R&D investment. It is a problem that is not going to go away any time soon. We already know that well-rehearsed attackers have an advantage over defenders. Looking at what passes for ‘advanced’ attack tooling nowadays, one can see that the advantage generally lies not in the complexity of our technology but in our coordination and craft: information collected from social networks, current events, conferences, meetings, travel, your friends and colleagues. This is a game of finding the weakest link and pounding it.
We thrive in the shadows. Attribution is one of the things in the IT security industry that is dropped on the floor. The data is accessible. The techniques to root us out are (for the most part) available, or could be. ISPs often choose not to cooperate with the security community, partly because it is easier to abide by particular sections of their contractual obligations, partly because they lack the resources or do not understand the impact of the problem, and partly because some are making money on our side. Even legitimate ISPs and DNS registrars maintain odd boundaries. On the one hand, you have ISPs testing ‘deep packet manipulation’ on unwitting users; on the other, you have researchers investigating contract breaches and clearly abused IP and domain resources, and the ISPs refusing to provide details until they are subpoenaed by under-resourced law enforcement contacts. We like that.
And then there are the myriad law enforcement problems across international boundaries. But now the FBI, DHS and their counterparts in other countries are cooperating more closely with researchers and with local law enforcement around the world – take, for example, the almost half-decade effort that culminated in Operation Ghost Click. We will see whether the extraditions go through.
It takes years of evidence gathering to build an overwhelming case against cybercriminals and nation-state actors, and only those cases with certain, demonstrably concrete value can be taken on – this is good for us. We dread organization, cooperation and transparency on the part of the security industry, and we dislike research efforts like the Kelihos botnet takeover, legislation like strong data breach laws, agreements like the Budapest Convention, and the recent ITU-IMPACT work. And the mistakes we make.
We continue to loot as we always have: PII, card data, intellectual property, direct transfers of hard-earned cash, the results of research and investment and years of negotiations. For us it is catastrophic that these incidents are no longer hidden away under NDAs, because an informed public can be a powerful public. Damn you, Google, and your Aurora disclosure; damn the RSA disclosure and the SEC disclosure guidance! Damn the possibility of a federal breach notification law for private and public organizations! Our darkest corners are being lit.
Looking to the future, the possibilities for us to exploit big data stores are limitless. Berico recently highlighted architectural security concerns for Hadoop and big data implementations at federal data centres. It pleases us to know that data encryption still carries many challenges, even today. And the possibilities to exploit mobile and ‘smart’ technologies are growing. While Android malware is on the increase, for the most part the malware itself is immature – much like the adware markets of 2005. Our adware groups morphed into crimeware efforts, and even as Windows, Java, Adobe Reader and Flash are further hardened, we have continued to build our profits attacking these platforms with darker crimeware.
We are cybercrime and cyber espionage. And we make mistakes.