Correlating and Escalating Cyber

Tuesday, October 02, 2012

Don Eijndhoven


On September 20th, CNet reported on a new wave of malware called 'Mirage', embedded in PDFs that were distributed through spear-phishing attacks against a multitude of targets, such as a Philippine oil company, a Taiwanese military organization and a Canadian energy firm.

The attackers' target set also included firms in Brazil, Israel, Egypt and Nigeria. CNet's report was based on the findings of Silas Cutler, a security researcher at Dell CTU.

The researchers declined to comment on the origins of this new malware, but as we've seen before, the characteristics of this digital crimewave are a dead match for the ones we've encountered during Night Dragon, Operation Aurora and pretty much everything we've seen coming out of China over the last decade.

Call me old-fashioned, but when I read attack characteristics such as these, I feel confident that a talk with the PRC is warranted:

  • Widespread – broad targeting of an entire industry, aiming for commercially sensitive data;
  • Not extremely sophisticated, just adequate to get in;
  • Supporting command and control network is highly active;
  • Attacks seem well-prepared and highly organized;
  • Some of the malware is made by the Honker Union (a well-known Chinese hacker group);
  • Command and control IP address belongs to China, as did three others used earlier in the Sin Digoo affair.

Looking at this pretty much confirms that the talks US Secretary of Defense Leon Panetta recently had with the Chinese about exactly these kinds of cyber-attacks had little effect. Considering how much American debt is held by the Chinese, you have to ask yourself just how hard a line the US can draw against such practices, but other countries would probably do well to start talking more sternly with China through diplomatic channels. Make no mistake: the economic damage from these attacks is so high that involvement at the state level is definitely required.

Getting out of Dodge first

So here we have a rather clear-cut case of attacker correlation which, as ever, was done pretty much after the fact by an international firm that investigated the malware. My question is: how do you deal with this as a nation, as it happens?

This one question breaks down into a number of smaller issues. First off, you'd have to establish at least somewhat formally who defends what network. And let's be fair: if you're a democracy, it's unlikely to be just one entity.

The second issue you have to tackle is detecting the actual attack as it happens. Some network administrators will be able to, others won't. To be of any use on a national level, defenses on all networks should probably be somewhat similar. At least quality-wise you'd need them to be similar; otherwise you wouldn't be able to determine the whole scope of each outbreak, even after the fact.

This raises the question of how wise or desirable it would be to regulate information security measures in some way. In many companies, information security is still seen only as an expense and not as a requirement, even though we can cite countless examples of companies being severely damaged by successful cyber-attacks.

So let's assume we know who defends every network, and that they can all detect a new wave of malware as it happens. Then what? This information is usually kept secret (or ignored, but that's another matter entirely) and no signals leave these defending parties. When was the last time you called your government after a major cyber-attack hit your company? If you can answer that question, you're really in a minority and most likely operating in a heavily regulated industry such as finance or healthcare. The rest is pretty much left to fend for itself. Attacked entities need a local place to send information about these attacks. I would argue that for a government to be able to correlate various cyber-attacks, it must first have a central authority to which each entity can report attacks on its networks and systems. I haven't heard of any country having this, but a while back a couple of my friends here in the Netherlands started talking about the lack of such an authority. The idea came up during a brainstorming session at the Dutch MoD and was initially dubbed a Security Operation Center (SOC). Even though I feel this name is somewhat ambiguous, let's keep it for now. Given its national scope, we should probably stick to the CERT naming convention and call it GOVSOC.

Alright, then what?

At the risk of becoming repetitive, let's assume for now that such a GOVSOC is formed and operational. You'd then need to devise thresholds and escalation paths, along with policies to deal with all eventualities. You'd also need some pretty good agreements with law enforcement, the military and civil government. All three of these parties need some kind of mandate to be able to act on information, and it would also need to be settled how each of them will act on the information they are given. When an actual cyber-attack wave is detected, it would first need to be established whether there is nation-state involvement or whether it's cybercrime. In case of nation-state involvement, what would you want your government to do? Even when you're certain who did what, what are the thresholds for acting on it? How big must the damage be before diplomatic relations deteriorate? Is this affected by how much you engage in these activities yourself?

Maybe I'm wrong, and I sure hope I am, but I haven't heard of any country getting to this point yet. Many have been debating these and similar questions, but how about some action? For instance, in the Netherlands the National Cyber Security Center (NCSC) seems like a great candidate to embed that GOVSOC function in. It's government, but it's a public-private collaboration. If you know of any such developments in your country, please share them with me.


About the author: Don Eijndhoven has a Bachelor's degree in Computer Science (System & Network Engineering) with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands and is currently pursuing an MBA in Business & IT at Nyenrode Business University. Among a long list of professional certifications he holds are the titles CISSP, C|EH, MCITPro and MCSE 2003: Security. He has over a decade of professional experience in designing and securing IT infrastructures.

He is the Founder and CEO of Argent Consulting, a Dutch firm that offers full spectrum consulting and educational services in Cyber Security, Intelligence and Warfare. He regularly speaks at security conferences on Cyber-related subjects, occasionally works for CSFI and blogs for several tech-focused websites about the state of Cyber Security. He is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine, and the founder of the Dutch Cyber Warfare Community group on LinkedIn.

Follow Don Eijndhoven on Twitter: @argentconsultin

Cross-posted from

Doug DePeppe
Don,
My blog on InfosecIsland Monday made similar points. To me, it comes down to a few things: 1) we need situational awareness across the public-private landscape, 2) the public-private partnership concept needs to be explored, matured, and implemented in a robust way.

Situational Awareness: we may not stop the initial attack, but all others in the partnership can configure their defenses upon receiving notice of an attack. Also, as this increased awareness matures, the hygiene level elevates in the aggregate, which makes attacks more difficult to pull off.

Public-Private Partnership: government and industry (in a capitalist society) are distinct bodies, and they do not effectively work together in a dynamic way (dynamic enough to respond to an on-going cyber attack). The model of collaboration and integration needs to change. They cannot be distinct spheres if situational awareness and readiness is the goal.

I may differ with you on the structure. I don't believe government and industry can directly work together, in many countries (for legal reasons). A broker between the two may need to be fashioned.

I agree that these partnerships need to be fashioned across society.
Don Eijndhoven
Hello Doug,

We do seem to be in line for the most part, I agree. I don't have a dog in this fight though, and don't quite mind where these necessary partnerships take place. They may be different alliances in different countries. As long as there is some kind of signalling going on, I would be happy. At least more happy than I am now ;)

Kind regards,
Don Eijndhoven
Marc Quibell
Good thoughts Doug.
Don - Also good thoughts. One organization in mind: InfraGard

Yeah, gov/private coop is not an easy thing, but InfraGard was one organization that arose mostly from the 9/11 ashes. These days however, after so many years, it seems at least in our local chapter, membership and interest have declined.

The problem with gov/private coops is, well, one side gets paid and that is their job (FBI and the other departments), and the private side is all volunteers.

Many in the public do not like the idea of FBI/Private-Sector partnerships. Jesse Ventura and his conspiracy friends think it's a plot to take over...something. Others call InfraGard members snitches...some rather nasty things are said about InfraGard, all of which I have never experienced (having been a former InfraGard and board member).

Back to the malware: where there's a gov target, the FBI or whoever will be involved. Where there is a private sector target, the target will be involved. Seems to work the best these days and it doesn't arouse anyone in the process. I'm not sure a GOVSEC is a good idea for America, especially the GOV part, considering how ineffective they tend to be...
Doug DePeppe
Marc,
Look for a blog on the subject in a day or so from me (here). I believe there is a very important strategic dimension to a public-private model for Western countries.

I also agree, the GOVSEC model will be somewhat successful in the US, but not the ultimate answer.

You're spot on with InfraGard; however, a law enforcement 'home' is also not ideal for this in the cyber domain.
Rick Gamache
Don, Excellent article. Reading the responses compelled me to write. This is a near and dear topic for me.

I recently attended an InfraGard meeting in the D.C. area and I was surprised at how small a crowd there was and how much older the participants were than myself, and I'm in my mid-40s. Marc's assessment is spot on.

It is pretty clear that the Public-Private sector partnerships are not working as intended. No one wants to expose their privacy to the risk of the government stepping in. There simply isn't a lot of trust in those ventures.

I'm the CIO for a company that has put together a strictly private portal built upon a trust relationship with our community members - mostly Fortune 100's. What we are seeing is, when given the opportunity, analysts, IT folks, etc., desperately want to share what they know in exchange for information of what others are seeing. We've also started a second portal doing the same thing for smaller govi types at the state and local level - those guys are bleeding bad and desperate for help. Giving them the opportunity to triage and share indicators, particularly for those organizations with less mature incident response teams, is a blessing for many.

The point is, collaboration can be achieved, once the trust equation is solved. It takes a lot of sweat equity and breaking through long-standing barriers. We're proving it every day. The key is to get people participating and talking. Once that occurs, and people are engaged, really good things happen.
Don Eijndhoven
Hi Rick (and of course everyone else who responded),

I'm very happy that you read my article and that you agree with its premise. I must caveat my writings with saying that I live in the Netherlands and things may be very different here. To my knowledge, we don't have anything comparable to Infragard, although I am familiar with it and support the ideas surrounding it.

What you, Rick, are seeing is the same the world over. The problem is not with the techies. The problem is with the people deciding over the material-gains segment of the equation. What also does not help is that there are people in particular management positions who feel that they lose something (face, competitive advantage, whatever) when they share. This is not generally something that starts with the technically oriented. Unfortunately it is also not something I feel can END with the technically oriented, as we've been given our chance over the last few decades and have failed to act in any meaningful (global) way.

I agree with your premise that the trust equation needs to be solved. Here in the Netherlands, I feel we have a fair shot with the Dutch National Cyber Security Center. I've personally met its management and these are techies at heart. They have passion for the business and our general best interest at heart. I would trust them with the GOVSOC concept or anything like it without any hesitation. If you feel you do not have such a collaborative effort with your government, this is a strong signal that something needs to be done. What that should be, is quite frankly beyond my intellect. I have no suggestions for that, other than passing on the notion that the Government IS the People. Vote those you TRUST into local office and try again, is the best I can come up with.

Excellent discussion guys, thank you greatly!

Doug DePeppe
Good discussion gang. Let me start by saying that InfraGard has its place - no doubt. Marc offers good points about whether it's sustainable, given the lack of value proposition on the volunteer side, and the fundamental trust issue. Quick comments on both: Funding - the InfraGard (or wider govt) model needs to create financial incentives to participate (in Col Spgs, we have some of those being developed); but, Trust - a law enforcement model WILL NEVER be the central information sharing institution. It's difficult for LE guys, who do great things for public safety, to appreciate that the public will always deal with "the police" with a certain amount of trepidation. And, "Govt authority" will always have that aspect - in US that's fundamental to our Constitution, Bill of Rights, etc. Onto other points I'd like to add.

Info sharing is not just IT. Yes, the malware and "Internet modus operandi" of the attackers centrally implicates technical expertise, however, all this discussion is fundamentally a strategy dialogue. The problem-solving team needs to be inter-disciplinary, because there are more than just technical issues at stake. It's why, for the Manhattan Project, Oppenheimer and his crew developed atomic fission, but the program was run by an Army general.

And, on information sharing, integration between the public and private sectors MUST be accomplished. Indeed there are trust issue barriers. There are also fundamental legal barriers (in most western societies), for the sort of real-time or near-real-time info exchange that is needed (although stripping away the sharer's identity solves a lot - if a 3rd-party interface is established).

Which gets to my final point, and I just wrote about - perhaps using the Soviet analogy in my blog diffused the point: the West has a strategic vulnerability in not establishing the interface for integration between the sectors. China and totalitarian regimes can readily share info between business and government (because they own the business). The West has an Achilles heel in this regard. And, it's enabling foreign states to target this gap. So, without a new national strategy (which is NOT an IT problem, but a broader problem where IT and other disciplines have to come together to problem solve), one that addresses a public-private partnership to integrate information sharing across the country, this gap will be an enabler for wealth transfer to totalitarian regimes. We're not on the winning side of this challenge until we alter strategy.

What Rick is doing in Maine, and we're doing in Colorado-New Mexico is ABSENT a national strategy. We're doing it at local levels. Hopefully, others will take notice and the grassroots will move this approach into the mainstream.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
