Advanced Persistent Monkey See Monkey Do

Monday, August 29, 2011

J. Oquendo

850c7a8a30fa40cf01a9db756b49155a

"I hope you're not serious about that post containing anything valid. The picture is funny though" said the expert [1] in regards to "Shady Rats and Poison Ivy - Chinese APT or Russian RBN?" [2] And so goes the herding instinct [3] over and over.

Cattle following other cattle now becoming the "hundredth monkey effect." [4]

Let's go back to some facts from the initial article. There was nothing irrelevant in the initial article [1] in fact, the post contained information that can be validated from multiple sources.

The article wasn't a "you can trust me I'm an expert" post. It wasn't a "you need to take it from me, I can't show you the evidence, you just have to trust me on it" write-up. Referencing was is known about the RSA attack, the initial attacker from a known RBN network.

That host was a known RBN host at the time and up until now continues to be a "known RBN host." [5] There isn't any "speculation" on this. No hype, nada. However, I find it rather amusing that whenever there is something contradictory to what the herd [3,4] state, many experts [1,6] are quick to brush it off and try to throw out the same buzzwords? "China, APT!" Mind you, not one of those experts are presenting anything outside of their own projections. More of the same chest thumping and fist pumping: "Trust me, its China."

We often forget that not too long ago that the boogeyman was Russia. That threat came during the arms race (Cold War) [7] and it was business as usual then too. Many companies profited heftily during this period and I am sure many companies stand to profit handsomely from a Cyber Arms Race.

This is nothing more than history being repetitive however, the platform has changed to a computing based battleground. Based on "evidence" smack dab in front of our faces and under our noses, what else do we see or know of in regards to experts' explanation of APT? Not much. We have these experts consistently relying on word of mouth of each other and of IP addressing.

Completely ignoring the fact that IP is a horrible identifier. Every security professional knows that IP addressing is not an identifier rather well, yet many are quick to fist pump and shout: "APT, China!!! Look at that IP" even though FACTUAL evidence proves otherwise.

Arguments surrounding APT will remain a battle of expert versus expert - ad nauseam - but how about we use some common sense for a moment? If YOU were an attacker, so advanced and sophisticated, why would you bother attacking from your own fixed location? It would certainly make more sense to attack from another country simply for deflection purposes alone.

This is a key indicator that many experts [1,6] are overlooking. Think about that outside of an emotional - "you don't know jack I am the expert here" response. Whenever I see the same old hype (APT/China) my response is usually more of the same. Really? RSA? China compromised a known RBN block to make this happen? A "known RBN block" that is still being used by the RBN? Sounds like news to me.

One of the strangest thing that I have noticed about some of these "experts" is, is that many of use criss-cross many a security lists. Many a networking list, many a forensics list. I also know that many "experts" don't even understand enough about certain elements outside of their respective functions in the security industry to make statements regarding hacking or compromises.

For example, many of these experts making comments about APT are known forensics experts and while they are likely the best in the "forensics" arena, doesn't mean the know enough about hacking to make such brash statements: "They Came From Outer Space." The forensics arena is not indicative of the security arena as a whole. Many of these guys couldn't hack their way out of a wet paper bag.

Many have never developed "hacking" tools, many have never developed any "0day" attacks on their own. Many do not understand the nature of pivoting through covert channels outside of the textbook definition. Yet many of those same experts will convince you (or at least try to convince you) that their word is the gospel. "It was China and their Advanced Persistent Hacking." Nonsense.

So getting back to the FACTS I posted in my initial article [2], ask yourself as an expert: "China has been using Gh0st Rat, HTran and has been so successful for months (years even), now why the hell would they go backwards and use Poison Ivy, a RAT tool with signatures known by many antivirus vendors for years now. And why do so from a RBN tainted host?"

Certainly as an expert [1,6] that should make you do a double take. Perhaps there is more to the issue at hand that one realizes. Sure China is, and will be a threat and I am sure that as of right now, there are thousands of "cyberthreats" looking for a way into our infrastructure from China as I type.

Does this mean we should forget about the other threats in this world? If you think for a moment that another country (Russia) would not collude with say the RBN in an effort to compromise the United States' infrastructure for military secrets, then you'd be wrong. In either event, this whole APT/China theme is rather boring. Always has been.

You say APT, I say REO [9] life goes on. You're an expert, I'm an expert, everyone is in this industry nowadays. Perhaps companies can rename some of our titles: "Advanced Persistent Expert" then again, I don't think I want to be an APE. Monkey see monkey do is not my forte.

Ending this, I need to apologize way beforehand as egos get bruised rather easily in this industry. This was not meant to be an attack on any expert. Honestly. It was meant as more of an eye opener. For far too long too many individuals in this industry remind of a puppy chasing its own tail. Always following one another never questioning anything.

Eight Main Symptoms of Group Think Janis, I. L. & Mann, L. (1977). Decision making: A psychological analysis of conflict, choice, and commitment. New York: Free Press.)

1. Illusion of Invulnerability: Members ignore obvious danger, take extreme risk, and are overly optimistic.
2. Collective Rationalization: Members discredit and explain away warning contrary to group thinking.
3. Illusion of Morality: Members believe their decisions are morally correct, ignoring the ethical consequences of their decisions.
4. Excessive Stereotyping:The group constructs negative sterotypes of rivals outside the group.
5. Pressure for Conformity: Members pressure any in the group who express arguments against the group's stereotypes, illusions, or commitments, viewing such opposition as disloyalty.
6. Self-Censorship: Members withhold their dissenting views and counter-arguments.
7. Illusion of Unanimity: Members perceive falsely that everyone agrees with the group's decision; silence is seen as consent.
8. Mindguards: Some members appoint themselves to the role of protecting the group from adverse information that might threaten group complacency.

Avoiding Group Think

1. The group should be made aware of the causes and consequences of group think.
2. The leader should be neutral when assigning a decision-making task to a group, initially witholding all preferences and expectations. This practice will be especially effective if the leaders consistently encourages an atmosphere of open inquiry.
3. The leader should give high priority to airing objections and doubts, and be accepting of criticism.
4. Groups should always consider unpopular alternatives, assigning the role of devil's advocate to several strong members of the group.
5. Sometimes it is useful to divide the group into two separate deliberative bodies as feasibilities are evaluated.
6. Spend a sizable amount of time surveying all warning signals from rival group and organizations.
7. After reaching a preliminary consensus on a decision, all residual doubts should be expressed and the matter reconsidered.
8. Outside experts should be included in vital decision making.
9. Tentative decisions should be discussed with trusted colleagues not in the decision-making group.
10. The organization should routinely follow the administrative practice of establishing several independent decision-making groups to work on the same critical issue or policy.


[1] http://forensicir.blogspot.com/
[2] http://www.infiltrated.net/index.php?option=com_content&view=article&id=42&Itemid=48
[3] http://en.wikipedia.org/wiki/Herd_behavior#Everyday_decision-making
[4] http://en.wikipedia.org/wiki/Hundredth_monkey_effect
[5] http://blog.threatstop.com/2011/04/03/the-rsa-spearphish-attack-and-ip-reputation/
[6] http://taosecurity.blogspot.com/
[7] http://en.wikipedia.org/wiki/Cold_War
[8] http://en.wikipedia.org/wiki/Ad_nauseam
[9] https://www.infosecisland.com/blogview/12788-Advanced-Persistent-Threats-Blame-It-On-REO.html

Cross-posted from Infiltrated

Possibly Related Articles:
12023
Network->General
Information Security
China Attacks Advanced Persistent Threats Network Security IP Address Cyber Warfare Attribution
Post Rating I Like this!
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia J,
Which post are you speaking of at the top? Or this an amalgamation of them all you are responding to? I also think the idea of group think is important as many who haven't a clue buy into it because of social norms within peer groups. However, there has been much evidence not just by IP address that leads investigators to believe that many of the attacks (those unclass as well as (S)) have been perpetrated by the Chinese. Sure, everyone is jumping on the band wagon but I have always also pointed out (even in my last post here) that there are many other countries at play as well and they too could be actors using the same techniques. The key to it all is the trouble with attribution.

In other cases, I can tell you that activity that could not be definitely identified with any specific country was later born out to be the actions of China when the data is found in their possession by other means (i.e. espionage efforts) or in one case I was privy to, the diagrams for a network found exfiltrated to a Chinese asset by another government investigative branch working on another case.

So, on the gross scale of things yes, monkey see, monkey throw poo. However, where there is smoke, there usually is some sort of combustion going on.
K.
1314710698
850c7a8a30fa40cf01a9db756b49155a
J. Oquendo Post starts from a tweet I received where the poster (I will now call some aptfanboys) quickly brushed off the facts (RBN links in the RSA attack).

I always make it clear, in no shape form or fashion do I NOT believe China is involved heavily in espionage. However, I think that many in the industry are so fixated on China that they may be missing a bigger picture here.

Everything I can dig out about the source of the RSA attack points far away from China period. I have asked almost everyone I know in this industry that is privy to pcaps, network related info, taps, etc., about this ASN used, the hosts used, the attack vector used and 0% points to China on this one.

This again is not to say China is absolved, this is merely to say "wait a minute, we need to look at the bigger picture for a moment."

When it comes to the RBN and their methods, tactics and tools, they seem to really lock down their hosts so that no other crime organizations take over their C&Cs. This is factual, anyone who has been analyzing malware will attest to this. Yet here we have a dilemma, a C&C used by the RBN was used to launch this attack. One of a few possible outcomes:

1) RBN was behind the attack
2) RBN colluded with APT actors
3) APT compromised RBN actors

Take a pick. In #2 wouldn't make sense as RBN tends to "take the money and run" so to think they would do something sitting around waiting for money would be insane because APT could double cross them.

#3 makes even less sense since APT would merely use RBN as a pivot and send forth the standard gh0st and or HTRAN

Remember, Poison Ivy was here. That RAT has the markings of RBN all over it from my little scope.

Rather than brush things off, I wish security professionals would take a 50ft view first, then take a step back rather than doing away with relevant information often to shift the mode back to the same old: "APT! Chinese IP"
1314711738
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia Heh, just to let you know, Jihadi's also have been known to use poisonivy.. No one can be ruled out....
1314712369
850c7a8a30fa40cf01a9db756b49155a
J. Oquendo Indeed. What would be cool would be a Wikileaks style repository where compromise data can be shared with the victim fully sanitizing the data before an upload.

It could include the tools/droppings/etc from the attacks. Users would be/could be vetted to ensure that data uploaded/shared was not tainted. This way we could have a collective analysis by more than one individual or group.
1314713009
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia Attribution will always be the fly in the ointment I think. This is where the real espionage activities as well as law enforcement (good old detective work) is key. It may be, due to the nature of the technologies and their implementations (poor ones especially security wise) that this whole discussion as well as response scenarios (i.e. hacking back or kinetic attacks as the military recently posited) are greatly flawed to start. I really fear the idea that the military will be able to strike physical targets over digital data that they feel is pointing the finger anywhere.

I suggest this; how about we first educate the masses, fix the un-secured systems and processes around security, THEN we talk about the other things like attribution and digital or physical responses?

I know.. I am a dreamer.
1314713924
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia As to the Wikileaks style sharing of data, I would say at least there is DIB... But.. You know silo's and secrets...

1314713963
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.