That Shady Rat Was Only a Security Peer

Sunday, August 07, 2011

J. Oquendo


After reading about the re-hashed Advanced Persistent Asian Threat that is now being called "Shady Rat" [1,2,3,4] I could not help but shrug my shoulders and say, "so what."

It is not that I don't care about the current state of security; it is simply my frustration at the lack of security-competent individuals, companies and frameworks.

Seriously, why are ten year old attacks and tools still a problem for companies?

My answer is simple, cutting, honest and to the point: "many companies and their staff are either under-qualified, incompetent, uneducated, all of the above, or even simpler, just don't care about security and the threat enough."  

Under-qualified: I can go back to countless arguments where one reads a book, passes a test, slaps a certification onto their title and calls themselves an evangelist slash expert. However, that would do no good; it is old news already.

I can also point out the "cover your ass" route companies take by ONLY hiring certified individuals. What often happens afterwards is that the company is left scratching its head after a compromise has occurred. Pointing out some of these reasons makes no difference at the end of the day, as companies are likely to continue down their (in)security paths.

Incompetent: A harsh word to throw into this writing, but it is an honest term and has its shock value: "How dare he!" or "He doesn't understand the threat" and other similar comments along those lines can be imagined. It is what it is: certification does not always translate into competency.

Uneducated: Sure, the end user is likely to be uneducated, but so seem to be some of the security professionals tasked to maintain, deploy and/or address security in some of those 71 companies mentioned in the Shady Rat report. "It is what it is," said Captain Obvious. Reliance on, say, CPEs is not a real gauge of competency.

Seriously, I hate dishing out reality so late in the week, but just because someone signed up and streamed a vendor video does not translate into them 1) watching the video and 2) understanding what was said.

Nevertheless, the issuance of CPEs to many peers is, for one, overrated, and most of the time useless. Yet I know of many who continue to earn CPEs and possess nifty certifications without understanding much about security. It is sickening to call them a peer.

Much to the dismay and tolerance of many security peers, it is best to call it what it is: "Security failures to the Nth degree". None of the frameworks, baselines and/or mandates seem to have been followed. After skimming through the Shady Rat write-up, I can see all sorts of NIST SP failures, HIPAA, SOX, D(ITS/A)CAP failures, not to mention failures from the TOGAF/CoBIT/ISO/PickYourFrameworkAndInsertItHere writings as well. Now, I don't believe the frameworks are the failures, nor the technologies; I believe that the people are the failure.

Where were the so-called security evangelists in these companies? Why weren't they holding their ground and doing their jobs? Why aren't those individuals on the unemployment line along with their managers at this point? Harsh words indeed; in fact, I will likely have fewer friends after this article, but enough is enough. How many CISAs, CISMs, CISSPs, C|EHs and SANS-certified people work at Booz, L3, etc.? I am not singling those companies out, I am just pointing out the obvious.

Getting away from the scathing indictment of some "security peers": HTran and similar programs mentioned in almost all of these "APTs" could have been detected with simple tools such as host-based intrusion detection, strong monitoring and so forth. That doesn't even get into GPOs, which should have disallowed installation of these programs and/or alerted when someone was overstepping their bounds. Sure, I know of the client-side attack; surely Tripwire would have sent off enough alarms to counter those who would argue "client side."

Now, AV and malware experts would say otherwise, but even simple log monitoring would have detected the anomalies. Far too many times it has been mentioned: "Extrusion Prevention and Monitoring!" This would have been nipped in the bud long before it became a "security" epidemic.

Not to mention, proper network based ACLs would have minimized exposure. Why are machines allowed to connect to geographic ranges at certain times? Why are machines allowed to connect to known-to-be-shady networks is another story. Nevertheless every time I read "APT" it usually bores me.
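As an added illustration (not code from the article or from any vendor named in it), here is the kind of simple log monitoring and outbound ACL check the preceding paragraphs describe: it reads constructed firewall log lines, flags allowed outbound connections that go to a disallowed destination range or happen outside business hours, and ranks the source hosts so an analyst sees the noisiest machine first. The log format, the business-hours window and the denied ranges are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime

# Constructed policy values (assumptions for this example, not from the article).
BUSINESS_HOURS = range(7, 19)          # outbound traffic expected 07:00-18:59 local
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DENIED_RANGES = [                      # RFC 5737 documentation ranges as stand-ins
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed firewall log: "<ISO timestamp> <src> <dst> <dport> <action>".
SAMPLE_LOG = """\
2011-08-03T09:12:41 10.1.4.22 192.0.2.10 443 ALLOW
2011-08-03T02:14:05 10.1.4.22 203.0.113.9 443 ALLOW
2011-08-03T02:15:07 10.1.4.22 203.0.113.9 443 ALLOW
2011-08-03T11:30:00 10.1.7.5 198.51.100.77 80 ALLOW
2011-08-03T23:45:12 10.1.9.14 192.0.2.44 8080 ALLOW
2011-08-03T12:00:00 10.1.4.22 10.2.0.3 445 ALLOW
2011-08-03T03:10:10 10.1.7.5 203.0.113.50 443 DENY
"""


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "action": action}


def policy_violations(rec):
    """Return the names of the outbound policy rules this record breaks."""
    reasons = []
    if rec["action"] != "ALLOW" or rec["dst"] in INTERNAL_NET:
        return reasons                 # blocked or internal traffic: the ACL did its job
    if any(rec["dst"] in net for net in DENIED_RANGES):
        reasons.append("denied-range")
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    return reasons


def analyze(log_text):
    """Return (src, dst, reasons) for every allowed connection that violates policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = policy_violations(rec)
        if reasons:
            findings.append((str(rec["src"]), str(rec["dst"]), tuple(reasons)))
    return findings


def hosts_by_violation_count(findings):
    """Rank source hosts by how many flagged connections they produced."""
    counts = {}
    for src, _, _ in findings:
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for src, dst, why in hits:
        print(f"{src} -> {dst}: {', '.join(why)}")
    print("hosts ranked:", hosts_by_violation_count(hits))
```

A real deployment would feed the same two checks from the firewall or proxy export and raise an alert whenever a host accumulates more than a handful of findings in a day.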

[Figure placeholders: HTRAN1, HTRAN2]

File format exploits and client-side attacks: Seriously? Using 10-year-old exploits? Exploiting and leaving behind 10-year-old RATs? [5] This, to me, indicates that policies were not followed by way of updates and patching; this includes operating systems, antivirus and so on. I am not even getting into frequent virus and malware scanning.

Indeed the whole "Shady Rat" fiasco reeks of companies relying on under-qualified, incompetent and uneducated security professionals, policies, oversight and management. There is no "but..." - it is what it is: "under-qualified, incompetent, uneducated" *people* - not technology - that are to blame. However, as Sophocles once said "What people believe prevails over the truth."

Too many companies are also relying too often on other companies and never giving their own networks a security peek. This is the oft-mentioned "herding-instinct" and "confirmation bias:" (via Wikipedia)

In psychology and cognitive science, confirmation bias is a tendency to search for or interpret new information in a way that confirms one's preconceptions and to avoid information and interpretations which contradict prior beliefs. It is a type of cognitive bias and represents an error of inductive inference, or as a form of selection bias toward confirmation of the hypothesis under study or disconfirmation of an alternative hypothesis. [Confirmation Bias]

It has become far simpler and cost effective to rely on say an AV vendor or AntiMalware vendor or some other security cartel to perform the crossing of the Ts and dotting of the Is. This is what the security industry has become and what a sickly industry it will continue to be until "real" security practitioners stand their ground and do something about it.

You should not rely on another company to dictate what should or should not be relevant in your architecture. Security should always be tailored to one's own needs, not those of another company, as all companies differ. Stop following the herd, stop listening to the Joneses so much, and start making quality judgements based on real-world needs applicable to your own environment. Who the heck am I kidding, most security peers probably stopped reading after the griping about incompetence.

We cannot have security where there is compromising for the mere sake of convenience. Have we not learned our lessons throughout the years? Has anyone been oblivious to the names of the companies that have publicly announced "they got served?" Security managers need to start doing a better job of standing their ground when requesting monies for not only technologies, but for the proper and adequate training of how to use, deploy and maximize those technologies.

I challenge any security peer in the industry to tell me that these "Shady Rat" attacks would not have been detected with HIPS, SIEM and proper policies and ACLs in place. Honestly, one would have to be uneducated, incompetent and under-qualified to make that argument. It is not the technologies that are failing, it is us as a security industry that are failing.

In the science community, let's say pharmaceutical, researchers often collaborate with one another. Sure, companies compete, but companies know that in order to survive, there needs to be collaboration. Were we to take the same approach in the security arena, there would be a greater chance to minimize threats such as Shady Rat. Where are the companies sharing their incidents?

Most of the time, if not all, we see, read and hear about: "Company X compromised by Advanced Persistent Recurring Threat", yet that is all we hear about the situation. From the security and network engineering perspective, we are never told "how" someone got their foot in the door or "what they did while there", and this definitely hinders any kind of defensive progress we could hope to make. The argument for not disclosing the compromise is the same old: "national security, non-disclosure" or just a company trying to "save face" by not reporting anything. Compromise data CAN BE and SHOULD BE sanitized and shared.

Imagine for a moment a repository of sorts similar to, say, DatalossDB [6] where, collectively, threats can be analyzed and successes and failures shared amongst security peers. "Threats in the wild" analyzed and reversed by peers for the sake of defending one another. A database where vetted companies and individuals can cross-reference rogue applications, rogue destinations, file checksums, files sent and so on.

It is not that difficult and certainly would be of great benefit for companies, researchers, academia and the like. When is this security Utopia coming? As I would tweet - never! The first response would likely be: "National security", followed by: "We can't disclose we were compromised" and anything in between. Anyway, there was nothing new about Shady Rat other than me realizing that the Shady Rat was one of my peers.

[1] http://www.informationweek.com/news/security/cybercrime/231300193
[2] http://www.zdnet.co.uk/news/security-threats/2011/08/04/gchq-calls-for-better-defences-against-shady-rat-40093615/
[3] http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat
[4] http://gizmodo.com/5827187/operation-rat-is-the-largest-cyber-attack-ever-uncovered
[5] http://www.net-security.org/secworld.php?id=11393
[6] http://datalossdb.org/

Lucian Andrei I have the following note attached to my monitor:

"There are, in effect, two things, to know and to believe one knows; to know is science; to believe one knows is ignorance." — Hippocrates

At least once a week I am looking at it: either to keep me on track and not to believe some BS others are trying to sell me, or it confirms me why some managers are taking erroneous actions on the recommendations of some big name consulting companies.

Apropos of these companies. Imagine a big project like DLP, or SIEM, or any other big implementation being led by a consultant that never did it. Because his company has a big name, they won the contract, and they send the least qualified person the other company will accept. :(

Too bad that you are right!
1312813004
Alexander Rothacker Great post. I especially like the part about sharing forensic information. I've been talking about this for a while, a clearing house for anonymized forensic information would be a great asset for helping protect from future attacks. Granted that companies would need competent professionals to help them understand how that data applies to them.
1312817588
Troy Tate I'm thinking this analysis could be a little harsh on infosec professionals as the issue may be that they are not getting the support & acknowledgement to do the things that rightfully should be done to detect/eliminate these threats. I think too many organizations are still in the "it won't happen to us" mindset and will not invest in the protections necessary to reduce the risk. In the mind of these organizations the risk is low and therefore not worth investment & support.
1312823868
J. Oquendo Hey Troy, while I won't disagree the assessment is harsh, it is also realistic. I can't imagine how many times security professionals have mentioned issues to higher ups where the gripes were ignored. I also know that many don't stand their ground when addressing concerns.

I meant to write it aiming squarely at the "yes sir" type of infosec professionals who offer little value not only to their companies, but to the security industry as a whole. For example, I share compromise honeypot data from a wide variety of sources (VoIP Abuse Project) so that others may see the attacks. The information is fully sanitized to prevent a victim from being re-attacked. Where is the same kind of information from some of these other companies?

All we see, hear or read about is (*drum roll*) China. APT + China, China + APT, APT + APT = China. We are never given anything other than: "Trust us it was APT" nonsense never given any kind of applications attackers used, sources they attacked from and so on. Creating a collaborative DB would help so many people yet all we still hear/read/see are the same run of the mill stories from 10 years ago.

While I understand the difficulties in an enterprise to outright replace legacy systems, updates, etc., I also see the paradox of passing audits claiming a "All is well in security land" followed by news someone "pwnd" the enterprise with exploits older than some of our kids. That is shameful.

Many security "professionals" that I have met in the last 5 years are also still following the herd and their outdated methodologies of "threat modeling" and understanding what is/isn't a threat. E.g., "we'll build a bigger firewall and this time even add IDS!" The approaches are long flawed.

Let's be honest here for anyone reading this comment... Anyone care to bet lunch that 99.99999% of those attacked were ALL attacked using client side attacks? (pdf's, doc's, xls', etc) versus trying to get in through the front door? Yet many-a-security-body will still recommend due diligence in "propping up the door." Attackers are coming from the inside out and have been. Stop wasting so much money and time on this and invert the assessment already. (Pentest from the inside out period)

Anyhow, wish I could expand on this a little more but work calls ;)
1312824851
Troy Tate I didn't say it was not realistic - it just doesn't reflect the frustration of those infosec pros that are a "lone voice in the wilderness" in their organizations - which in some cases reduces credibility across the whole infosec world - because then the organization may get compromised (as already warned and aware) and say "oh we had a certified infosec professional" The story becomes worse at that point.
1312828944
John Langston I would lay things at management's feet as they likely don't care. I used to work with an individual who did not have a home security system when his home was burglarized. The next day he had a home security system installed. I believe too many believe "It won't happen to me".
1312830029
J. Oquendo Maybe the answer lies in a real world SOX like audit where when found in violation, the companies would face daily fines. Then again... PCI-DSS is no better.
1312831246
Lucian Andrei A couple of weeks ago I met a recruiter, a young smart guy in his late 20s. He had a bachelor's in economics, and he is doing an MBA. He asked me if I want to become a DR specialist.
I explained to him that this kind of position doesn't interest me much, and that it is not an easy job to do, even for someone with a lot of IT experience.
He told me that he wanted to get a job as a DR consultant, because one of his classmates from university got a job like this very easily. He was trained for a few months and now he is working as a BC/DR consultant/specialist. In his opinion, the guy is well paid, and the job is secure. Neither of them has even the most basic IT knowledge (A+, Net+...).
Maybe the guy will go and sit for the CISA (which is not technical at all) and he will be certified. He (the consultant) is even thinking of opening his own shop now?!
I was speechless. Either I don't understand what DR is, or the world is full of charlatans.
1312854488
Rafal Los Way to hail the point ... sadly those InfoSec professionals that toil in their businesses day in and day out are not getting the right support ...but I would turn your idea on its head and lay the blame (equally) back on the InfoSec practitioners.

I wrote a similar post to yours except that I think I blame the security industry more... it's our own fault. We don't know how to talk to a business, we don't speak their language, or understand their needs or how a business works yet we expect them to listen to us. Won't happen.
1312910119
Don Eijndhoven Once again an excellent and factually correct post. I agree in that you probably won't make many friends, but the brutally honest rarely do.

The IT sector in general and InfoSec specifically allows for a whole lot more charlatans than other professions. It's hard to be precise about why this is, but I think it has a lot to do with hiring managers being unversed in IT up and down the chain.

Call me a fuddy-duddy, but I believe that *every* manager in IT should be well-versed in IT. I know, it's a shocker! You wouldn't believe how often I've heard people preach otherwise! Please tell me how a manager is supposed to know when he's being played if he doesn't know his business?

Whether we want to admit it or not, the IT business is made (and broken) by those who are allowed to hire personnel. Due diligence with regard to actual skills starts there. A lot of the problems you (rightly) mention wouldn't even exist if this were the case.
1312958782
Anthony M. Freed @Raf - That's exactly what drew me to infosec in the first place - assisting the translation from the kind of risks security types are speaking of into language understood by the CxO, who have a completely different understanding of the term.

The business class think of it in a risk/reward scenario - they weight the possible outcomes resulting from various options in which to commit their capital - it's an educated gamble with the anticipation of reward.

On the other hand, security does not produce any revenue for anyone but security vendors and service providers. Security is just a cost center to the CxO.

Security has the added burden of having to prove a negative, in that it is hard to argue for a budget if you are so capable as to have successfully protected your company's systems, data, and greater interests.

We need to be able to make the case that security is a long-term strategic investment with immediate impact, and the endless breach machine that is 2011 seems like a good time to do it.

Security is good about making the case for the possible consequences of inadequate security, but we are failing to make the case as far as impact, and that is what the CxO listens to.

Enlisting the allegiance of the CFO as an IT security partner is essential to being able to make that translation from IT risks to the language of the boardroom, that of enterprise risk.
1312958866
John McGratton And then there is such a thing as supply and demand. Other than going to Defcon, like some three-letter agencies, try and find these elite InfoSec professionals that you speak of, my friend.

I agree with many of your points, but I question some of your points as well. Many security companies give a false sense of security as the slide deck amazes all attendees with their miraculous abilities. They boast how great their products are as malware or an "APT" exfiltrates data through an encrypted tunnel as their costly sensors look on blindly. Oh wait, that very expensive technology is signature based, oh that's typically bullet proof. But wait, we can detect 0-day with our amazing anomaly detection! Really...
1313107913
Phil Agcaoili No quitting Infosec.

Set the bar high and achieve the higher standard.

Infosec Leaders:
Do not forgive. Do not forget. Expect the higher standard.

There I said it.
1313113511
Don Eijndhoven Phil, you should probably start writing out the thoughts you have in between typing those lines of text, cuz I have absolutely no clue what you are driving at.
1313129397
Krypt3ia Three words: Dunning Kruger Effect http://tinyurl.com/3cdbf8f
1313422080
Krypt3ia I challenge any security peer in the industry to tell me that these "Shady Rat" attacks would not have been detected with HIPS, SIEM and proper policies and ACLs in place. Honestly, one would have to be uneducated, incompetent and under-qualified to make that argument. It is not the technologies that are failing, it is us as a security industry that are failing.

Hmmm... depends on a lot of factors here J.

1) Are the HIPS/SIEM configured and monitored correctly?

2) Policies and ACLs in place.. Sure, but, depending on the vector of attack and your 'adversary' du jour

Etc etc...

Even with those in place and working effectively, there is still the potential to evade them with attacks and exfiltration schemes that are cleverly created and implemented. Now, with Shady RAT you are absolutely right. Old tech and a healthy dose of "Those Americans are fat and lazy" applies. I have been saying all along that there is nothing new to APT. It's been going on for a long time; it's just now that the mass media has caught on, after we have been exceptionally spanked by them, that it's become a zeitgeist.

I guess what I am saying is it isn't just our 'industry' at fault, it's human nature that we need to overcome here.

1313422574
Don Eijndhoven Agreed. Also, I'm loving that Dunning Kruger effect. Wish I'd come up with that :)
1313422694