Reverse Deception: Organized Cyber Threat Counter-Exploitation

Wednesday, August 15, 2012

Matthijs R. Koot


Reading Notes: "Reverse Deception: Organized Cyber Threat Counter-Exploitation" (Bodmer, Kilger, Carpenter and Jones, 2012)

Reverse Deception: Organized Cyber Threat Counter-Exploitation (July 2012) was written by Sean Bodmer (@spydurw3b), Max Kilger (@digitalprofiler), Gregory Carpenter and Jade Jones.

All authors either are or have been associated with the U.S. DoD and have knowledge & experience from (varying) military contexts. Below are the notes I took while reading this book. Unless mentioned otherwise, hyperlinks are mine.

I was happy to see that the authors start off by referencing Joint Publication 3-13.4 Military Deception (.pdf, 2006) and Fundamental Elements of the Counterintelligence Discipline (.pdf, 2006), the latter being a study by (or on behalf of) the U.S. Office of the National Counterintelligence Executive (NCIX).

The book at times follows a structure in the form of: "cite from military/CI literature, then explain how it applies to the cyber realm". Although not every item from non-cyber literature can be mapped to cyber in an obvious way, this text structure inspires readers to dream up possible mappings themselves. The authors reference a lot of stuff from military context that I was previously unaware of, such as the Soviet concept of Reflexive Control (.pdf, 6MB) by Vladimir and Victorina Lefebvre.

Deception is explained by and large in terms of manipulating the behavior of another to the benefit of oneself without the permission of the other. It is stated that the intent of deception is "to get the adversary to act confidently and predictably".

Below are my notes for each chapter:

CHAPTER 1: STATE OF THE ADVANCED CYBER THREAT

On p.4, a list of criteria is provided that "should be identified as quickly as possible in order to discern between a Persistent Threat and an Advanced Persistent Threat" (these criteria are referenced throughout the book):

  • Objectives
  • Timeliness
  • Resources
  • Risk tolerance (by the adversary)
  • Skills and methods
  • Actions
  • Attack origination points
  • Numbers involved in the attack
  • Knowledge source

Next, the authors map these criteria onto Moonlight Maze, Stakkato, Titan Rain, Stormworm, GhostNet, Byzantine Hades aka Foothold aka Candor aka Raptor, Operation Aurora, Stuxnet, RBN, "next generation of botnets and operators" (weird item in this list) and Operation Payback.

CHAPTER 2: WHAT IS DECEPTION

On p.25, the six principles of (military) deception are cited from JP 3-13.4:

  1. Focus: The deception must target the adversary decision maker capable of taking the desired action(s);
  2. Objective: The deception must cause an adversary to take (or not to take) specific actions, not just believe certain things;
  3. Centralized planning: MILDEC operations should be centrally planned and directed in order to achieve unity of effort;
  4. Security: Friendly forces must deny knowledge of a force's intent to deceive and the execution of that intent to adversaries;
  5. Timeliness: A deception operation requires careful timing and action;
  6. Integration: Fully integrate each military deception with the operation that it is supporting.

These principles are then explained in detail.

From p.40, the authors list and explain ten deception maxims that are used by the military:

  1. Magruder's Principle (exploitation of adversary's perception or bias)
  2. Limitations to Human Information Processing
  3. Multiple Forms of Surprise; following the SALUTE maxim from reconnaissance reporting:
    1. Size
    2. Activity 
    3. Location
    4. Unit/Uniform
    5. Time
    6. Equipment
  4. Jones' Dilemma (i.e.: deception becomes more difficult as the number of channels of information available to the target increases. However, within limits, the greater the number of controlled channels the greater the likelihood the deception will be believed)
  5. Choice of Types of Deception
  6. Husbanding of Deception Assets
  7. Sequencing Rule (i.e., deception activities should be sequenced so as to maximize the portrayal of the deception story for as long as possible)
  8. Importance of Feedback
  9. Beware of Possible Unwanted Reactions
  10. Care in the Design of Planned Placement of Deceptive Material

CHAPTER 3: CYBER COUNTERINTELLIGENCE

This chapter begins by explaining the 19 items that the aforementioned study by NCIX on counterintelligence (CI) identified as skills every CI-professional should have:

  1. Knowledge of National CI Structure and Agency Missions
  2. Knowledge of Interagency Memoranda of Understanding and Procedure
  3. Knowledge of Foreign Intelligence Service or Terrorist Group Culture and Tradecraft (which the authors chose to explain by merely including the know-your-enemy quote from Sun Tzu)
  4. Basic Investigative and Operational Techniques and Tools (authors reference the US-DoJ report Investigative Uses of Technology: Devices, Tools, and Techniques (.pdf, Oct 2007))
  5. Asset Development and Handling (Including Difference Between Liaison and Clandestine Sources)
  6. Asset Validation
  7. Liaison
  8. Interviewing and Debriefing Techniques
  9. Surveillance and Countersurveillance
  10. Principles of Collection and Analysis
  11. Research and Technology Protection
  12. Operational Cycle for Double Agent Operations (who, what, when, where, why, how)
  13. OPSEC
    • Identification of critical information
    • Analysis of threats (Insider threats, Extremists, Foreign Intelligence Services, Terrorist groups foreign/domestic, Hackers/crackers, Organized crime groups, Criminals)
    • Analysis of Vulnerabilities
    • Assessment of Risk
    • Application of OPSEC measures
  14. Legal Aspects of Investigations, Including Executive Order 12333, the Attorney General Guidelines, and the Foreign Intelligence Surveillance Act
  15. Joint and Interagency Operations
  16. Listening, Communication, and Writing Skills
  17. Knowledge of CI Terminology
  18. Reporting Procedures and Methods
  19. Classification and Dissemination Rules

The authors proceed by elaborating on the nine criteria for distinguishing between PT and APT. For every criterion except "Resources" and "Knowledge source", the authors propose that it can be assigned an escalating threat level between 1 and 10.

Examples are provided of how/what event to map to which threat level. I'm not confident that such mappings will work in practice, and the provided mappings are not very convincing -- but I'm willing to try. Imperfect (and probably rather subjective) quantification may help "sizing up" a threat. For the "Resources" and "Knowledge source" criteria, the authors suggest qualitative explanations.

Interesting reference in the conclusion: http://www.cyberlawclinic.org/casestudy.asp

CHAPTER 4: PROFILING FUNDAMENTALS

This chapter refers to research done on the profiling of cyber adversaries, notably:

  • Kilger, Stutzman and Arkin, (2004) "Profiling." In The Honeynet Project Know Your Enemy. Addison Wesley Professional (pp. 505-556)

Profiling is then dissected into Retrospective vs Prospective Profiling, and Inductive vs Deductive profiling.

The following Information Vectors are discussed: time, geolocation, skill, motivation, weapons and tactics, and finally socially meaningful communications and connections. The latter is illustrated w/a social network plot of Russian hacking gangs.

The chapter contains an excellent list of references at the end.

CHAPTER 5: ACTIONABLE LEGAL KNOWLEDGE FOR THE SECURITY PROFESSIONAL

Short (15 page) chapter that references various online sources for court cases (Fastcase.com, FindLaw.com, Justia.com, Google Scholar, Nolo.com), explains a few legal concepts (Annotated codes, Bill, Bill number, Chapter, Chaptered, Citation, Code, Engrossed, Enrolled, Legislative history, Session Laws, Statutory scheme, and Title) and provides concise information on how to interpret a statute (law) and how to communicate w/lawyers.

CHAPTER 6: THREAT (ATTACKER) TRADECRAFT

Interesting collection of very recent (May 2012) information pertaining to cybercrime, including screenshots taken from underground fora and exploit kit control panels, a list of recent exploit kits, and a list of vulnerabilities observed in recent exploit kits. Also contains a proper level of detail on the underground economy (leasing/subleasing models for pwned access, prices, etc).

CHAPTER 7: OPERATIONAL DECEPTION

Four detective-style "tall tales" about operational deception that the authors state to have taken from real life (pseudonymized), each compelling (to me anyway) and containing a proper level of detail (also but not primarily technical).

CHAPTER 8: TOOLS AND TACTICS

Good discussions on honeypots/nets/walls, including some (101-level) honeynet architecture (centralized, distributed, federated, confederated). Also contains concise overview of tools such as Metasploit, IDA Pro, Encase, THC Hydra, FOCA and Backtrack. (Obviously, if you are seeking to learn how to -use- these tools, you want to RTFM. This book has a different focus.)

CHAPTER 9: ATTACK CHARACTERIZATION TECHNIQUES

Comprehensive analysis of (only) SpyEye (Zeus-like) trojan w/many screenshots, statistics and graphs (SpyEye by country, # of SpyEye hosts by ASN), plus a list of ASN names + country codes of ASNs highest in use by botnet operators.

CHAPTER 10: ATTACK ATTRIBUTION

Excellent chapter on profiling. Mentions research on "sentiment-identification engines" (e.g. Saplo Sentiment Analysis, Alchemy Sentiment Analysis) and "WarmTouch" (anyone know a URL for that?) to assess the level of threat posed by a specific insider (Shaw and Stroz, 2004), and that "the automation of the analysis of socially meaningful objects is still in its very early stages".

The subchapter "Profiling Vectors" elaborates upon the vectors discussed earlier in chapter 4. It slightly overlaps / repeats statements from chapter 4 and uses slightly different words to refer to the same concepts:

  • Chapter 4: time, geolocation, skill, motivation, weapons and tactics, and finally socially meaningful communications and connections
  • Chapter 10: time, motivations (MEECES: Money, Ego, Entrance to Social Group, Cause, Entertainment, Status), Social Networks, Skill Level

Next, strategic applications of profiling are discussed.

The final part of the chapter focuses on "the civilian cyber warrior", "an emerging archetype that appears to have the potential to become a very serious threat within the cyber threat matrix".

The authors state that the power relation between the nation-state and the individual is changing to the benefit of the latter; it is pointed out that this might also hold for Chinese criminal hacking gangs vs the Chinese govt. (Be reminded that not every Chinese hacker is in cahoots w/the Chinese govt.)

This chapter has another good list of references at the end.

CHAPTER 11: THE VALUE OF APTs

This chapter discusses the economic value of APTs. It refers to Value Network Analysis (VNA). Such analysis is then (informally) applied to the RSA hack of 2011 and to Operation Aurora. For the latter, it is suggested that from the perspective of the adversary, "it's as if they were following a typical business plan":

  • Step 1: Obtain a Financial Stream (Victim: Morgan Stanley)
  • Step 2: Customer Lock-in for Recurring Revenue (Victim: Symantec)
  • Step 3: Expand into New Markets (Victim: Juniper Networks)
  • Step 4: Diversify Commercial Offerings (Victim: Canadian Dow Chemical)
  • Step 5: Reduce Infrastructure Costs (Victim: Rackspace)
  • Step 6: Repeat Steps 3-5 (Victims: Adobe and Northrop Grumman)

The final part of the chapter discusses the topic of stealing Bitcoins, using a fictional scenario of an application used by migrant workers to "easily send money to their family or anyone else in their social network".

CHAPTER 12: WHEN AND WHEN NOT TO ACT

Common sense suggestions for deciding whether, once a threat has been identified, to block or to monitor it, and how to communicate within your organization and w/law enforcement.

CHAPTER 13: IMPLEMENTATION AND VALIDATION

Deming-style management cycle explained: Observe-Orient-Decide-Act. Discusses how to 'vet' deceptions, perceptual consistency and engagements.

SpyEye trojan is extensively revisited w/many additional screenshots and explanations of features.

At the end it is mentioned that "[t]o date, honeypots have been widely distributed only by a handful of private organizations and vendors. There are small groups within international governments, like the United States, United Kingdom, China, and the United Arab Emirates, who have a national-level based honeygrid (...)."

(MY) CONCLUSION

If you want to learn / be inspired to think about deception/MILDEC as a means of counterintelligence (CI) in cyberspace, I recommend this book. If you already work in CI, you may find it useful to evaluate your existing beliefs.

This book will not provide a ready-to-implement deception strategy, but -does- provide plenty (and good) information and references that will get you started up. As always, RTFM - in this case re: Joint Publications and the original research that is referenced.

And because I don't like happy endings, let me finish this post with a series of complaints. The pie chart on p.5 needs better explanation (what am I looking at?). On p.11 it is stated: "The method is in use today, and has been defined as phishing, spear phishing, and whaling"; the "NOTE"-box on that page then only defines "spear phishing" and leaves out "whaling", while the latter is a far less well-known term.

The book contains annoyingly repetitive quotes (Sun Tzu ad nauseam) and, as if the authors ran out of serious sources for quotes, a quote from Men in Black and one from Ghostbusters. On p.64, a little bit of text was written from the "I"-perspective, but it is not clear which of the four authors wrote that text and hence unclear who "I" refers to.

These are, however, nitty gritty unimportant details that are -completely- trumped by the overall merits of the book. (And having recently finished a PhD-thesis, I'm very aware how surprisingly difficult it is to end up with something perfect. Despite my obsessive-compulsive attempt to achieve flawless spelling, my printed thesis contains a few typos.)

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.