CHAPTER 11
The Value of APTs
In the previous chapters, you have read about the varying levels of threats to your enterprise, ranging from the curious novice to the SSCT. In this chapter, we will dive into the actual threats from the perspective of an attacker. We will explain the nature, motives, and preamble of advanced and organized persistent threats, and how they operate at a level that is understandable to you and your immediate chain of management.
Most of us (possibly even you) have poked around networks or systems at some point in our life, usually for personal or professional education purposes, with one tool or another. However, when trying to understand an advanced or organized persistent threat, you need to weigh all of the observables to understand the level of effort required either to push the threat into an area where you can track and engage it, or simply to identify what is needed to expunge the threat from your enterprise. The bottom line is that when dealing with a threat, you always want to gain the upper hand and operate from a perspective of power.
Espionage
Spying goes back centuries, as information is considered more valuable than currency and can be used to advance attackers’ initiatives or against the victims. Espionage is generally a term reserved for world governments, but it is also applicable to the private sector, where it is called “industrial espionage.”
The most effective way to execute espionage in a cyber environment is to exploit, infiltrate, and embed yourself into your target’s network undetected for as long as possible. This enables remote control and listening points for the attacker’s objectives.
Along with direct exploitation of an enterprise via a targeted e-mail or client-based exploit, there is also the human factor. A threat could identify someone within your organization who is unhappy with his role, work, rank, or pay, or dissatisfied for any number of reasons. This employee could be exploited by an adversary and be used as the injection point into your enterprise. One of the most recent examples of this is Bradley Manning, who did not agree with some of the US policies and decided to leak classified information to the ever-so-popular WikiLeaks. This isn’t direct state-sponsored espionage, but rather an example of how humans can exploit their own access to systems and use it against their own organization.
By infiltrating an organization’s enterprise network, you are able to monitor and record traffic, extract sensitive or proprietary information, modify system settings, and perform many other actions if you have control of one or more systems. The other actions can be summed up as D5, for degrade, deny, disrupt, deceive, and destroy, which is an extension of the traditional D3 (degrade, deny, and disrupt), an old term that has been used for years in military-based organizations. In the cyber realm, infiltration is, for a number of reasons, much easier to achieve than in traditional kinetic military actions. This is one of the primary reasons the abuse of the Internet and its services has evolved over the past two decades for purposes of espionage (both state-sponsored and industrial).
The core objective of any government is the acquisition of intelligence (information) about or from any country that is considered a competitive government—economically, technologically, or militarily. Almost every person with some level of access to the Internet is aware of all of the news articles surrounding purported SSCTs and industrial espionage between rival or competitive nations. Some of the more prominent examples are articles accusing a handful of powerful nations of conducting cyber espionage against each other for competitive advantages.
Costs of Cyber Espionage
Cisco Systems, Inc., reported that in the second quarter of 2011, targeted attacks were five times as expensive to pull off, but would yield as much as ten times the profit. Cisco also reported that large-scale campaigns helped cyber criminals rake in more than $1 billion in 2010 and $500 million by June 2011. Consider that massive attacks across any single organization, or multiple organizations at the same time, can include subscribers of an ISP. Such massive intrusions can cost billions of dollars, and often they do (www.cisco.com/en/US/prod/collateral/vpndevc/cisco_global_threat_report_2q2011.pdf).
Targeted attacks can cost even more. An example is what happened in March 2011 to RSA Corp, which lost an unknown volume of customer and corporate data. The company needed to reissue hundreds of thousands of SecurIDs (keychain-like devices that, based on a specific algorithm, encryption seed, and time-based combination, provide two-factor authentication for remote users’ secure access to corporate networks). RSA also stated an interesting measure of remediation after an intrusion: every dollar lost by the victim organization also cost RSA dearly in remediation (the cleanup effort, investigations, forensics, and mitigation) and reputation repair. The cost to EMC (RSA’s parent corporation) exceeded $66M, with RSA offering to reissue new tokens to one-third (1/3) of its customers, while the remaining customers were offered additional monitoring services (www.informationweek.com/news/security/attacks/231002833).
Cisco reported that targeted attacks worldwide alone cost an average of more than $1.2 billion. This is simply from large-scale crimeware campaigns by organized and unorganized (perhaps solo) cyber criminals whose simple desire is to make money. This is what keeps most organizations in reactive mode and prevents security professionals from going into the details of an intrusion and also from engaging active threats. The overall costs have not afforded executive and financial officers much financial wiggle room to enable the security team to move past reactive mode into proactive mode. Setting up the infrastructure to run a large-scale campaign on a targeted attack requires additional skills and resources. According to the Cisco report, the estimated cost for a large-scale campaign averages $2,000, and a targeted campaign averages about $10,000 (www.cisco.com/en/US/prod/collateral/vpndevc/cisco_global_threat_report_2q2011.pdf).
Value Network Analysis
Value networks are “any set of roles, interactions, and relationships that generate specific types of business, economic, and social value” (“Verna Allee describes Value Networks,” YouTube). This definition implies a conceptual framework where two or more actors (people, social groups, and formal organizations) engage in exchanges (intangible as well as material).
Value Network Analysis (VNA) extends this conceptual framework through a formal discipline. The value network is represented using a link-node graph, where the directional and labeled links represent value exchanges between the nodes, and each node carries a dynamic score that represents the total value to the node of the exchanges in which it participates (“Value Networks,” Internet Time Blog, Jay Cross, January 2010).
The general increasing trend of technology and social integration increases the number of value exchanges using Internet technologies. Additionally, new types of value and value exchanges have emerged in the intertwining technical and social changes of global, standardized computer networking. New types of value include wholly digital services and “assets” like lucrative DNS names (for example, movies.com) and wholly digital goods such as virtual land in Second Life or virtual currencies like Bitcoin. New types of value exchanges include the act of “following” someone on Twitter, “liking” a Facebook post, and content sharing by uploading a self-produced video to YouTube.
In traditional economic theory, social cues such as trust and popularity are considered intangibles. While general VNA recognizes the contribution and importance of incorporating intangibles into the collective value of a network, Internet-enabled social media has shifted these exchanges clearly into the tangible realm, especially from a business perspective.
Advertisers can now access with predictive reliability the cash value of influence, derived from metrics of both trust and popularity calculated across social networks and interactions that are facilitated and quantified by software. User-generated content (UGC) has become a direct generator of revenue (typically via advertising). In particular, creative, innovative, and otherwise popular content acts as a generative “meme,” with original but derivative follow-on content acting along Long Tail principles (the observation that, statistically, a larger share of the population lies in the tail of a probability distribution than a Gaussian distribution would predict).
There are many stated reasons for computer exploitation; none of them are mutually exclusive, and all of them reinforce each other. Some hack for personal pride, others want to prove themselves to their peer groups, and quite a few (such as Anonymous and LulzSec) appear to act primarily out of spite. Hacktivists form a powerful group. Collectively, they wreak havoc on their victims with every engagement, and in many cases, the mere threat of action sends chills down the spine of potential victims. But the most common and prevalent of all reasons is financial gain. As a result, we believe that to effectively understand, predict, and interdict computer exploitation, a framework such as VNA (that includes intangibles on equal footing with tangible financial rewards) is a requirement.
As with any conflict between unethical criminals and the rest of society, innovations on both sides ensure that adversaries are always creating new ways to take something of value for their own profit. Even if they are unsuccessful, the consequences of (and responses to) financially driven computer-enabled crime decrease the value of the Internet for everyone.
Hacking, economic espionage, exploitation—it is all big business, and has a business culture similar to that of the legitimate corporate world. Within the illicit world of computer crime, there are ethics, rules, and tort guidelines. Just as the corporate world strives to achieve a profit, even more so does the hacker world, without much consideration for human life. State-sponsored hackers are looking forward to a payday, just like the hackers employed by organized crime. And just like the traditional economy, the hacking economy has benefited from adopting a free market approach.
APTs and Value Networks
Our security products have always protected against advanced threats, and all threats are persistent, which is why we continue to push LOVELETTER virus definitions to our clients’ desktops. By including the buzzword “APT” in our marketing materials and webcasts, we are now able to educate our clients on why they should give us more money for the same products we’ve been selling them for years. In 2011, we will continue to enhance our customers’ experiences by adding an APT Gauge to all our product dashboards, for a minimal price increase.
—Joe Smith, President, CEO, and CMO of BigFictionSecurity
In legal and illicit businesses alike, the quest for profits guides their respective markets. That implies that not all APTs are created equal. Those entities with more investment capital and resources are typically in a better position to appropriate higher quality tools. As an example, consider LOVELETTER. Although it is true that LOVELETTER is still out there and functions, it is in a substantially different category than a “designer tool” like an APT. LOVELETTER is an Internet worm that has been around for quite a while. It is coded in VBScript, so it is dependent on Windows Script Host.
Once activated, LOVELETTER mapped the afflicted systems and attempted to download a password-cracking file named WIN-BUGSFIX.exe. After that, it packaged up the login information and shipped that data back to the adversary. Although a multifunctional tool, it was not very specialized.
LOVELETTER took advantage of a common vulnerability at that time, and attempted to propagate to as many boxes as possible. It did not have a vetted target list of specific targets based on the relationships and sensitive information. This is like a mugger who attempts to steal from everyone walking down a sidewalk.
The more advanced APTs are selective. An APT is like a thief who breaks into a high-end automobile with the goal of using the garage door opener to later break into the car owner’s mansion. APTs target systems because of their relationship with other potential targets or the target contains sensitive information that is of genuine value.
An APT is just a fancy way of categorizing a long-term threat that is activated at a date and time known only to God and the adversary. Adversaries may choose to lie in wait for a long time for a trigger, or they may choose to act immediately if the situation is favorable. The posture for network defenders is not favorable. It is entirely up to the adversaries to decide when they will execute the exploitation or attack, so the playing field is definitely not level.
Businesses have struggled to keep the upper hand in the cyber realm for years, but find themselves in the precarious position of being caught with their proverbial knickers around their ankles on more than one occasion (as a matter of fact, it is more the norm than the exception). Resources are limited, and qualified, knowledgeable people are scarce and expensive. With high-quality resources so limited, business leaders must innovate to secure their data and remain competitive in their industry.
Who can blame the adversary? If you were attempting to extract data from a network, wouldn’t you develop or acquire tools that support your desired objectives—the crown jewels of a company with its hands in hundreds of other companies and countless governments around the world? How would you do it?
Would you limit your options or increase your options? Increasing options and not closing any doors of opportunity is an obvious choice. Additionally, you would want to keep access as long as possible. Who knows when you might want to pop back in and see what new technologies are available or what new information can be used to influence your adversary?
Now we will look at some examples of major breaches that were in the news, focusing on the values involved.
The RSA Case
RSA recently posted a letter on its website stating that it had been the target of an attack. In that attack, proprietary data was stolen that compromised the security of RSA’s SecurID tokens. The adversary now has the ability to create the string to successfully authenticate without the need for a user ID and PIN. The RSA attack is an example of a stealthy maneuver that requires the adversary’s utmost patience and importunate focus. APT attacks are performed by skillful adversaries with sufficient funds to stay the course. RSA recognized that the attack was an APT (www.rsa.com/node.aspx?id=3872).
APTs are often associated with a vulnerability being exploited via social engineering efforts and social networking sites. Often, people use the term “APT” to describe a state-sponsored act of espionage. However, it is not the identification of a particular sponsor, but the tools and techniques used in executing the action. The SecurID theft was performed in a professional manner, and the worst can be expected. What of RSA’s two-factor authentication? It is the preferred method to improve security over a username and password alone.
RSA is known throughout the industry as the standard in the computer security market. It has held this position for years, so can we assume that RSA uses its own products to defend its enclave? It would be quite a statement if RSA didn’t use its own products, but the fact that the security products that RSA is pushing out to industry were not good enough to protect the company from an attack is even more of a statement. How can that be? Why would the company continue to push products that did not work for its systems?
RSA recently admitted in an open letter to customers that the compromise in its SecurID tokens led to the security breach at Lockheed Martin, but that did “not reflect a new threat or vulnerability in RSA SecurID technology.” That admission adds to the question, “Is RSA the target of the adversary, or is it something bigger?” The compromise at Lockheed Martin has far-reaching implications because Lockheed is a global security company that depends on research and development to bolster its bargaining position to gain contracts (www.rsa.com/node.aspx?id=3872).
On June 21, 2011—just days after Lockheed’s compromise announcement—someone claiming to represent the hacking group LulzSec posted an announcement claiming the group had successfully hacked and acquired the UK 2011 Census data. For two days, this claim received significant media attention, in part because Lockheed Martin was rumored to be the prime contractor for the UK Census information systems, leading to the suspicion that the hackers had used their earlier access to Lockheed to obtain the data.
On June 23, the UK Office of National Statistics confirmed that the data had not been stolen (“Census data attack claim was hoax, says government,” David Meyer, ZDNet UK, June 2011). To make the matter even more interesting, LulzSec notified the press that the hoax did not originate with LulzSec, and reminded them that only notices posted on the LulzSec Twitter feed were “official.”
At a basic level of analysis, this case raises questions with disturbing implications. Are the Lockheed research programs secure? What is secure? How do we measure it? How can the IT security staff at Lockheed really be sure? Lockheed services dozens and dozens of sensitive government research and development programs, so what does a compromise mean there? What about General Dynamics or any number of other big contracting companies around the globe? What does that mean to a country’s national security? And here’s a better question: What does that mean to international security? As we have seen over and over again, all it takes is a thumb drive to go from one enclave to another to compromise security. Once security is compromised in the event of an APT, it is dubious that the adversary is ever really expunged from the infected systems.
Through the lens of VNA, however, this case opens up even more disturbing implications. What is the impact of the loss of trust in organizations that are clients of both RSA and Lockheed? How many UK citizens heard the original story of the Census data breach but didn’t hear that it was a hoax? And the most ironic question of all: What are the potential threats to the value of public trust if even the hackers themselves lack effective security to protect against attacks of “public relations”?
It appears that these types of attacks and the resulting nonobvious and multidimensional value network effects might be just the tip of the iceberg. The adversary now has the ability to circumvent the security. RSA seems to be the launching point from which the intruders have improved their access to many systems and programs that use the RSA SecurID authentication. Art Coviello additionally stated in his open letter, “RSA’s technologies, including RSA SecurID authentication, help protect much of the world’s most critical information and infrastructure” (www.rsa.com/node.aspx?id=3872).
The RSA breach is exceptionally disturbing for many reasons. An adversary with the skill to bypass all network security at an IT security giant, the patience to wait for the right opportunity, and the tools that enabled the activity is worrisome. However, the most disturbing part is that with the stolen two-factor authentication keys, the adversary now has the ability to access any network secured by RSA SecurID as a trusted user. Even with RSA accelerating the process of replacing the SecurID hardware tokens for all clients, this is an expensive process that requires months, not hours, to complete.
As a result of violating secure authentication mechanisms at the source, it will be very difficult (nearly impossible) for industry-standard hardware and software to identify these sessions as actual exploitations unless they have specifically been configured to request or look for additional authentication parameters and/or suspicious behavior. Automated scripts and tools are useless for restricting access, because there is no way to distinguish between a legitimate and malicious login.
With this type of access, there might be no way of knowing who, where, or how the exploit is being conducted if the computer defense and insider threat disciplines do not have an open line of communication. The adversaries know an organization’s operational limitations and procedures as well as best business practices. This knowledge allows them to use it against the corporate organization.
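The chapter’s point about the RSA case is that, once the token seeds are in the adversary’s hands, the authenticator itself accepts the attacker’s code exactly as it accepts the legitimate user’s, so any detection has to come from the surrounding behavior. The following is an added illustration of that, not RSA’s software or anything from the chapter: a small detector run over a constructed authentication log, flagging a token serial accepted for a user it was never issued to, and “impossible travel” between two accepted logins of the same user (the one-hour, different-country threshold, the log format, and the enrollment table are all assumptions made for the example).

```python
import re
from datetime import datetime, timezone

# Constructed sample log (not from RSA or the chapter). Every accepted line
# (result=ok) carried a token code the authenticator judged valid: with the
# seed stolen, the two jdoe sessions are indistinguishable at that layer.
SAMPLE_LOG = """\
2011-04-02T08:01:12Z auth=securid user=jdoe serial=000123456789 src=203.0.113.10 geo=US result=ok
2011-04-02T08:15:40Z auth=securid user=jdoe serial=000123456789 src=198.51.100.7 geo=DE result=ok
2011-04-02T09:30:05Z auth=securid user=asmith serial=000987654321 src=203.0.113.22 geo=US result=ok
2011-04-02T11:02:51Z auth=securid user=asmith serial=000123456789 src=198.51.100.9 geo=DE result=ok
2011-04-02T13:45:00Z auth=securid user=bwong serial=000555555555 src=192.0.2.44 geo=SG result=fail
2011-04-02T13:45:30Z auth=securid user=bwong serial=000555555555 src=192.0.2.44 geo=SG result=ok
2011-04-03T08:00:00Z auth=securid user=jdoe serial=000123456789 src=203.0.113.10 geo=US result=ok
"""

# Constructed enrollment records: the token serial each user was issued.
ENROLLED = {"jdoe": "000123456789", "asmith": "000987654321", "bwong": "000555555555"}

# Assumption for the example: two accepted logins from different countries
# less than one hour apart cannot both be the legitimate user.
IMPOSSIBLE_TRAVEL_SECONDS = 3600

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=securid user=(?P<user>\S+) serial=(?P<serial>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn the key=value log lines into event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an authentication record
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect(events, enrolled, window=IMPOSSIBLE_TRAVEL_SECONDS):
    """Behavioral checks that still work after the second factor is defeated:
    (1) serial-mismatch: a token accepted for a user it was never issued to;
    (2) impossible-travel: two accepted logins of one user from different
        countries within `window` seconds.
    Returns a list of (rule, user, detail) alerts in time order."""
    alerts = []
    last_ok = {}  # user -> most recent accepted event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "ok":
            continue  # rejected codes never produce a session; nothing to chase
        user = ev["user"]
        if enrolled.get(user) != ev["serial"]:
            alerts.append(("serial-mismatch", user, f"serial {ev['serial']} from {ev['src']}"))
        prev = last_ok.get(user)
        if prev and prev["geo"] != ev["geo"]:
            delta = (ev["ts"] - prev["ts"]).total_seconds()
            if delta < window:
                alerts.append(("impossible-travel", user, f"{prev['geo']}->{ev['geo']} in {int(delta)}s"))
        last_ok[user] = ev
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG), ENROLLED):
        print(f"ALERT {rule:18s} user={user:8s} {detail}")
```

Note that asmith’s second login is caught only by the serial rule: at 92 minutes apart it is outside the travel window, which is why the chapter’s call for several “additional authentication parameters,” not one, matters.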
The Operation Aurora Case
In January 2010, Google made public an exploit that emerged in mid-2009, which involved a well-funded and sophisticated activity that was consistent with an APT. Google claimed that the Gmail accounts of Chinese dissidents were accessed. That was just the surface level. Additionally, there were several well-known businesses targeted with this exploit. All the victims may never be known, but among them were the likes of Morgan Stanley, Symantec, Juniper, Adobe, Dow Chemical, Rackspace, and Northrop Grumman.
At first glance, this group of victims appears to be random. It is true that all the aforementioned companies have an international presence, but what else makes this group so desirable to adversaries that they invest resources to ensure they gain access and exploit these companies? By mapping the value networks in which these companies participate, some interesting facts emerge. All these companies invest an extraordinary amount of intellectual property into their products, which support and run processes inside dozens and dozens of customers’ systems.
From an adversary perspective, it’s as if they were following a typical business plan, which we will go through step by step.
Step 1: Obtain a Financial Stream (Victim: Morgan Stanley)
Morgan Stanley is a huge financial company that focuses on investment banking. With assets totaling nearly $800 billion, Morgan Stanley is a wildly successful and very popular corporation. Great name recognition translates into billions of dollars in transactions each year.
Why would the adversaries use their own resources to develop these APTs and recruit the right people to get the job done? Continued access into a major financial firm would allow skimming and could lead to huge financial theft, which could possibly fund many more APT operations.
Additionally, manipulation of transactions and other exchanges could give the appearance of impropriety in numerous forms. Manipulation of activity could cause distrust in a large fund manager, other influential person, or system—like the Dow Jones itself! Such manipulation was seen in the suspicious number of stock trades immediately before 9/11 that “shorted” the airline industry.
Few things can unnerve a society as much as a collapse in its financial institutions. How bad will it be when the next financial crisis occurs not because of structural issues (like the subprime mortgage crisis), but simply an activated APT that cascades destructively across the value network? The APT activity in Morgan Stanley may have ceased, but is the threat really gone?
Step 2: Customer Lock-in for Recurring Revenue (Victim: Symantec)
This is not the first time Symantec has been targeted, and because of what the company does, it won’t be the last. Symantec and the other big antivirus companies are the perfect targets to ensure an APT remains a viable APT. Breaking the code at Symantec could lead to a modification and omission in the signature database that is designed to detect the APT, thereby ensuring safe passage to all Symantec customers.
With consistent and frequent updates and well-known protocols and ports for its antivirus software, Symantec has a steep hill to climb to break free from APT activity and remain in the clear. It is probable that APTs will be developed in the future to specifically target companies that rely on the public trust for services. History shows that Symantec and companies like it are sure to remain at the top of the target list for sophisticated adversaries and organizations with a vested interest. Of course, nefarious actors recruited by various sponsors will be empowered and resourced to achieve specific goals and will be in a better posture than the network defenders who don’t know what is coming their way.
Step 3: Expand into New Markets (Victim: Juniper Networks)
Juniper Networks is next on the list of victims. Juniper is a perfect organization to embed an APT. Its innovative approach to solving legacy networking issues has put it at the forefront and made it one of the most sought-after companies in network routing technology. Juniper is a diverse company that has network components and solutions in companies throughout the world. According to the Juniper website, “Our customers include the top 130 global service providers, 96 of the Global Fortune 100, as well as hundreds of federal, state and local government agencies and higher education organizations throughout the world” (www.juniper.net/us/en/company/careers/sales-careers/).
What’s a better target than the core/backbone of the infrastructure? With an APT infecting the infrastructure in Juniper, there is ample opportunity to stage other attacks or pick and choose which intellectual property is most inviting. Having access into Juniper could very well put an adversary in a position to gain access to information on closed networks or other government-sensitive networks.
Access to a local government’s information and networks could cripple a town or complicate activities with computer systems. These local government systems may be designed to control the overflow gates at a reservoir, control the traffic lights in town, or manage the environmental controls of historical documents. Even worse, threats can be introduced into the network of a local hospital that manages the critical-care unit!
Step 4: Diversify Commercial Offerings (Victim: Canadian Dow Chemical)
Dow Chemical is an international powerhouse with worldwide sales of more than $57 billion. Its products are manufactured in 35 countries, and it has customers in over 160 countries. Dow Chemical’s intellectual property is immense, as is its corporate knowledge of its customers. An APT inside Dow could yield information of a broad spectrum that would be of interest to nefarious characters. More deviant individuals would probably have targeted Dow’s formulas—turning stable compounds into deadly ones. You can see why a nation-state or terrorist organization might attempt to gain access to a company like this. APT access could also mean that, at some point in the future, Dow should expect a resurgence of issues.
Dow Chemical is an interesting company, offering solutions in many diverse markets and economic systems. Dow has diversified over the years, which has made the company an international giant. From the adversaries’ perspective though, it makes Dow the perfect target, considering it provides services and goods in the following markets (per Dow Chemical’s webpage at www.dow.com/products/food_and_related/landing.page?industry=1000414):
Agriculture and food
Building and construction
Electronics and entertainment
Health care and medical
Household goods and personal care
Industrial
Oil and gas
Packaging, paper, and publishing
Plastics
Transportation
Utilities
Water and process solutions
Step 5: Reduce Infrastructure Costs (Victim: Rackspace)
More than 100,000 customers around the world use Rackspace’s web-hosting services in the cloud. Its client base includes over half of the Fortune 100 companies. Wow, what a great asset to control! Even if this were the only company that was exploited by the APT, it would be a gold mine.
More and more companies are looking to the cloud for storage and computing services, as it is an economical solution. As companies migrate to using the cloud and other creative solutions, the business of compromising those solutions becomes more lucrative to the adversary.
The Rackspace exploit is an interesting study in that, as with other service organizations, this penetration gives unrecognized access to all of the company’s clients because there is no differentiation between malicious and legitimate access. Long-term penetration in a company like Rackspace could be used as a launching point for future exploitations throughout an industry of the adversary’s choosing.
Step 6: Repeat Steps 3–5 (Victims: Adobe and Northrop Grumman)
The exploit has also victimized Adobe and Northrop Grumman. Much like Rackspace and the others, these two companies touch hundreds and hundreds of customers worldwide.
Interestingly enough, all the victims listed have published active services running on different ports for various reasons. It is as if the road map to exploitation is given to the adversary in the same way as it is given to the network defenders, but for the exact opposite purposes. This information can either be used to help with program and license validation or serve as an inherent vulnerability that assists the APT owner in maintaining access.
One thing is for sure: a major change in how we do things must take place if there is going to be any marked increase in computer security. And we must broaden our perspective of what we are willing to consider as imperative to computer security.
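The Value Network Analysis section describes the value network as a link-node graph with directed, labeled exchanges and a per-node score equal to the total value of the exchanges the node takes part in, and the Aurora walk-through argues that victims were chosen for their relationships rather than at random. The block below is an added example, not Allee’s or Cross’s tooling and not data from the chapter: it builds a small constructed value network in the spirit of the Aurora victims, computes the node scores as defined above, and then goes one step beyond the text by ranking nodes by the value an adversary could reach by compromising each one, walking only the technical delivery links (hosting, updates, shipped gear) along which a compromise can propagate. The node names, edge values, and the delivery/payment split are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample value network (illustrative units, not figures from the
# chapter). Each exchange is a directed, labelled link: source -> recipient.
# kind "delivery" marks a technical channel (hosting, updates, shipped gear)
# along which a compromise of the source can propagate to the recipient;
# kind "payment" is a purely financial flow that carries no such channel.
EXCHANGES = [
    ("Juniper",   "Rackspace", "routing-gear", "delivery", 25),
    ("Juniper",   "GovAgency", "routing-gear", "delivery", 60),
    ("Symantec",  "Rackspace", "av-updates",   "delivery", 15),
    ("Symantec",  "ClientA",   "av-updates",   "delivery", 10),
    ("Rackspace", "ClientA",   "hosting",      "delivery", 40),
    ("Rackspace", "ClientB",   "hosting",      "delivery", 35),
    ("GovAgency", "Juniper",   "contract",     "payment",  50),
    ("ClientA",   "Rackspace", "fees",         "payment",  20),
    ("ClientB",   "Rackspace", "fees",         "payment",  18),
    ("ClientA",   "Symantec",  "subscription", "payment",   5),
]


def node_scores(exchanges):
    """Node score as the chapter describes it: the total value of every
    exchange the node participates in, whether as source or recipient."""
    scores = defaultdict(int)
    for src, dst, _label, _kind, value in exchanges:
        scores[src] += value
        scores[dst] += value
    return dict(scores)


def delivery_graph(exchanges):
    """Adjacency restricted to delivery links: the paths a compromise rides."""
    adj = defaultdict(list)
    for src, dst, _label, kind, _value in exchanges:
        if kind == "delivery":
            adj[src].append(dst)
    return adj


def exposure(exchanges, compromised):
    """Nodes reachable from `compromised` over delivery links (breadth-first),
    and the value at risk: the sum of the reached nodes' scores.
    Returns (sorted list of reached nodes, exposed value)."""
    adj = delivery_graph(exchanges)
    scores = node_scores(exchanges)
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for nxt in adj[current]:
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return sorted(reached), sum(scores[n] for n in reached)


def rank_by_exposure(exchanges):
    """Rank every node by the value an adversary could reach by owning it:
    a defender's priority list for where scarce resources should go."""
    nodes = {n for s, d, _l, _k, _v in exchanges for n in (s, d)}
    ranked = [(n, exposure(exchanges, n)[1]) for n in nodes]
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


if __name__ == "__main__":
    for node, value in rank_by_exposure(EXCHANGES):
        print(f"{node:10s} exposes {value:4d} via {exposure(EXCHANGES, node)[0]}")
```

In this constructed network the infrastructure vendor tops the list and the hosting provider outranks every one of its own clients, which is the chapter’s argument about Juniper and Rackspace expressed as a computation rather than a narrative.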
APT Investments
Business leaders must understand that APTs are threats that are designed to defeat an organizational pattern; in other words, they are tailored for a specific purpose. Tools and techniques to defeat APTs cannot be single-focus, and they are not enough on their own to secure a corporation. Defense-in-depth is considered a good start in an improved information assurance and computer network defense posture designed to prevent APTs. If there were a barometer that indicated how the APT battle was going, it would show that in many cases the resources required to muster a formidable response to an APT are equal to or greater than the adversary’s initial investment. The numbers are definitely against businesses, and the trend is not a favorable one.
Although APTs require a more substantive investment, their payoff is more lucrative and therefore makes good business sense. If you invest $100 and your return is 5,000 percent, that’s an incredible investment. With an APT, we could consider a return of well over 10,000 percent or higher. Any accountant worth her salt would see that the cost-benefit analysis of investing in APTs is a moneymaker. Also, because APTs are made for specific targets, the adversary is not plagued with gigabytes of potentially useless data. Oh sure, there is benefit in all that data somewhere, just like spending every day in the sun on the beach mining a few pennies here or there. How much better to get trained and master investing in the stock market, and then relax on your beach vacation while you watch others scrap for the pennies in the sand?
APTs and the Internet Value Chain
Quietly sipping a latte and sitting in the shade of the tall trees that line the river Styx, where the butterfly of reality meets the dragon of fate, there’s hell to pay.
—Anonymous
The Internet value chain is unique in that it closes the gap between tangible and intangible value. This can be observed by the increasing blur between traditional and virtual economies.
It’s All Good(s)
The issues surrounding virtual “property” have increasingly been in the forefront of civil and criminal law, taxation, and even human rights (“Chinese Prisoners Forced to Play World of Warcraft, Detainee Says,” FoxNews.com, May 2011). Originally framed as a copyright issue as traditionally analog media (music, photographs, and video) was digitized, current discussions include ownership of UGC, probate law on digital accounts and data, and virtual economies.
The original virtual economies were designed as an augmentation of multiplayer online games, and the virtual money is typically referred to as “in-game currency.” In many games, the currency, and hence the economy itself, is designed to be completely isolated within the game. This is no different than the purpose of fake money used in the original Monopoly game.
Other games, such as Second Life, actively support not only the exchange of real money for in-game currency, but also allow for a market of user-generated digital “goods.” This means that users can actually earn real-world money for their work and interaction in a virtual world. And involving real money naturally fosters crime and other human rights concerns (“Economy Second Life,” Wikipedia).
The impact of an APT on a virtual economy might seem obvious. But apart from the potential losses of the players or the game company itself, such a threat might not seem notable. The reality is that market trends and technology development are creating an emergent effect where the systems that manage our real and virtual goods, currencies, and economies are directly connected to each other (“Electronic Money,” Wikipedia).
An example of this convergence is the technical and social developments of a cyber currency called Bitcoin. Based on a document released in 2009 by someone using the name Satoshi Nakamoto, Bitcoin is a complete currency system that aims to support resiliency, privacy, and some anonymity (“Bitcoin,” Wikipedia).
At the level of technological implementation, Bitcoin includes sophisticated components to manage currency creation and internal coin exchange between users. Like any similar system, both the technical complexity and social novelty provide potential attack surfaces for an adversary (“Setbacks for Bitcoin, the Anonymized, Digitized Cash,” Nick Judd, TechPresident.com, June 2011).
One such example is the recent cyber theft at one of the largest Bitcoin currency exchanges, Mt. Gox. Like any other traditional currency exchange, Mt. Gox allows individuals to purchase and sell currency. Unlike traditional exchanges, however, Mt. Gox also incorporates multiple cyber currencies in the exchange.
A hacker used a very simple and traditional attack (SQL injection) to gain administrative access to the system. The hacker then altered the database to add fake US dollars and fake Bitcoins to the administrative account now controlled by the hacker. Then the real attack began. The hacker dumped the Bitcoins on the open exchange, prices crashed from over $17 per Bitcoin to mere pennies, and the hacker “purchased” 2,000 legitimate Bitcoins before the site was shut down (“Phony Bitcoins caused MT Gox virtual currency crash,” Finextra.com, July 2011).
Note that the only part of the Bitcoin system itself that was exploited in this attack was the anonymous nature of all Bitcoin accounts. This is an explicitly designed function that is still touted as one of the advantages of Bitcoin over traditional currencies that are controlled by nation-states and regulated financial institutions.
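As an added illustration (not from the book, and not Mt. Gox’s code), the check below shows the control that would have exposed the tamper described above: reconciling each account’s cached balance against an append-only transaction journal, with a parameterized lookup as the contrast to an injectable query. The schema, account names, and amounts are constructed for the example.

```python
import sqlite3

# Constructed schema (not Mt. Gox's): a cached balance per account plus an
# append-only journal of every credit and debit. Editing the balance column
# directly, as described above, leaves a balance no journal entry explains.
SCHEMA = """
CREATE TABLE accounts (id TEXT PRIMARY KEY, usd_cents INTEGER, btc_sat INTEGER);
CREATE TABLE journal (id INTEGER PRIMARY KEY, account TEXT, asset TEXT, delta INTEGER);
"""
ASSETS = ("usd_cents", "btc_sat")  # fixed allow-list of balance column names

def build_sample_db():
    """In-memory exchange with one properly journaled account ('alice') and an
    'admin' account whose balances were written directly (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO accounts VALUES ('alice', 100000, 500000000)")  # $1000, 5 BTC
    db.executemany("INSERT INTO journal(account, asset, delta) VALUES (?, ?, ?)",
                   [("alice", "usd_cents", 100000), ("alice", "btc_sat", 500000000)])
    # Tamper pattern: balances appear with no backing credits in the journal.
    db.execute("INSERT INTO accounts VALUES ('admin', 50000000000, 50000000000000)")
    return db

def lookup_balance(db, account_id):
    """Parameterized lookup: the id is bound, never spliced into the SQL text, so
    an input such as alice' OR '1'='1 matches no row instead of every row."""
    return db.execute("SELECT usd_cents, btc_sat FROM accounts WHERE id = ?",
                      (account_id,)).fetchone()

def reconcile(db):
    """Return (account, asset, cached_balance, journaled_total) for every balance
    the journal does not explain. Run on a schedule, this catches balance edits
    whether they came from SQL injection, a rogue administrator, or a bug."""
    findings = []
    for asset in ASSETS:  # column name comes from ASSETS, never from user input
        rows = db.execute(f"""
            SELECT a.id, a.{asset}, COALESCE(SUM(j.delta), 0)
            FROM accounts a LEFT JOIN journal j ON j.account = a.id AND j.asset = ?
            GROUP BY a.id""", (asset,)).fetchall()
        findings += [(acct, asset, cached, journaled)
                     for acct, cached, journaled in rows if cached != journaled]
    return findings
```

In the constructed data, reconcile() reports both of the admin account’s balances as unexplained while alice’s pass, which is the alert an exchange would want before inflated balances are traded on the open market.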
This attack also illustrates the key fear of the emerging interconnectivity within and across Internet value networks: without understanding the diversity of value and value exchanges in a network, we can’t create an accurate model of the network. Without a model, we can’t instrument the systems to detect penetrations, let alone understand adversary motives. Without motives, we can’t predict means. And without means, we can’t understand the second- and third-order effects of an APT.
And that is the crux of this chapter: as our global tangible and intangible value systems are increasingly interconnected at all levels of the system, we argue that the unforeseen network effects of an APT can approach the realm of an existential threat.
But how do we quantify this intuition and concern? What defines the limit of interconnectivity in a value system? Do we draw a line at the second level of abstraction, or at the third? How far from the core of the value system do we look to identify things that positively or negatively affect that overall value system? The level of risk involved is open to debate, which is exactly why we need a structured way to investigate and assess it.
Bitcoin in the Future?
Imagine that Bitcoin continues its current trend as an ungoverned, transparent, and relatively anonymous currency system. As the adoption rate grows and matures, more and more services are available via Bitcoin. In this scenario, not every type of value or money needs to be directly exchangeable for Bitcoin. There is sufficient risk if Bitcoin is “upstream” of a key process within a value network.
So in this future scenario, Bitcoin has been adopted by the leading remittance service FilTranz (fictional), which allows migrant and nonnative workers in the developed world to send money to their families in their native country. Cross-border remittance quantities are significant and expected to grow in the future (for Filipino workers, in the first four months of 2011, this amounted to over $6 billion, per “Overseas Filipino Remittances,” published at bsp.gov.ph).
To build and support its business, FilTranz creates and publishes an application that ties into the various social networking sites used by migrant workers. This application allows the workers to easily send money to their family or anyone else in their social network.
Hackers looking to steal Bitcoins en masse follow a simple recipe:
• Create a FilTranz account.
• Create a fake social profile and link it to the FilTranz account.
• Shape and groom the profile to appear to be a champion of a critical migrant worker cause. Work aggressively for other migrants to follow, like, and friend this profile.
• Send frequent UGC (speeches, video, PDF reports, and so on) out to all followers using the social media system.
• Once a persona and pattern of trust has been established, send an APT hidden in UGC content in an attempt to infect the computers of the “friends” of the migrant worker.
• Using the infected systems, gain access to the social network profile (and the FilTranz account) of the vast majority of individuals who follow the fake social profile.
• Use these compromised systems and accounts to build out the social network and financial connections for each profile. Observe how much money is moved, when it is moved, and to whom it is moved.
• Using this social/financial map, use the access to compromised systems to slip APT code into the normal and otherwise completely legitimate UGC.
• After building the accounts of the common sender (the worker) and the common recipients (for example, the worker’s family), it’s time to strike. Rapidly shift millions of dollars from all accessible accounts in order to maximize the conversion to other currency and goods.
The second- and third-order effects of such an attack—an exploit of a massive, specialized market (such as foreign remittance)—would have a significant impact. The monetary loss would destabilize social and fiscal trust, and create an acute, near-term crisis for the recipients of the remittance. In the specific case of the Philippines, remittances account for over 11 percent of the country’s GDP (“Economy of the Philippines,” Wikipedia, http://en.wikipedia.org/wiki/Economy_of_the_Philippines).
As we mentioned earlier, actually determining the broader impact of a sophisticated APT in a tightly integrated and overlapping set of worldwide social, financial, and digital systems matters for more than simply raising the level of caution and attention. It is also required to correctly design, resource, and execute our mitigation and monitoring strategies.
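As an added example of the monitoring side of the FilTranz scenario (not from the book, and FilTranz is fictional), the code below builds a per-sender baseline from remittance history and flags the signature of the final “strike” step: many distinct senders, inside one short window, each moving far more than their norm to recipients they have never paid. All events are constructed sample data, and the window, z-score and sender-count thresholds are illustrative tuning choices.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history (not real records): six workers each send roughly
# $280-300 to one family recipient once a month (t is in minutes) for six months.
HISTORY = [
    {"t": 43200 * m, "sender": f"worker{i}", "recipient": f"family{i}", "usd": 280 + 10 * (m % 3)}
    for i in range(6) for m in range(6)
]
# Constructed burst: five compromised senders push $4,000 each to one unknown
# recipient within a few minutes, while worker5 makes a normal transfer.
BURST = [{"t": 200000 + k, "sender": f"worker{k}", "recipient": "cashout1", "usd": 4000} for k in range(5)]
BURST.append({"t": 200003, "sender": "worker5", "recipient": "family5", "usd": 290})

def build_profiles(history):
    """Per-sender baseline: typical amount, its spread, and recipients seen so far."""
    by_sender = defaultdict(list)
    for ev in history:
        by_sender[ev["sender"]].append(ev)
    profiles = {}
    for sender, evs in by_sender.items():
        amounts = [e["usd"] for e in evs]
        profiles[sender] = {"mean": mean(amounts), "stdev": pstdev(amounts),
                            "recipients": {e["recipient"] for e in evs}}
    return profiles

def score_event(profiles, ev, z_thresh=3.0):
    """Reasons an event deviates from its sender's baseline; empty list if none."""
    prof = profiles.get(ev["sender"])
    if prof is None:
        return ["unknown sender"]
    reasons = []
    z = (ev["usd"] - prof["mean"]) / max(prof["stdev"], 1.0)  # floor avoids divide-by-zero
    if z > z_thresh:
        reasons.append(f"amount z={z:.1f}")
    if ev["recipient"] not in prof["recipients"]:
        reasons.append("new recipient")
    return reasons

def detect_coordinated_burst(profiles, events, window=10, min_senders=3):
    """Windows in which at least min_senders distinct senders each produce an
    anomalous transfer: mass account takeover looks like this, one person's
    unusual month does not."""
    flagged = defaultdict(set)
    for ev in events:
        if score_event(profiles, ev):
            flagged[(ev["t"] // window) * window].add(ev["sender"])
    return [(start, sorted(s)) for start, s in sorted(flagged.items()) if len(s) >= min_senders]
```

A single anomalous sender is a customer-service question; five in the same ten minutes is the point at which a remittance service would hold transfers for review.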
Conclusion
In examining value systems, there is an inherent vulnerability that is most often overlooked. Much emphasis should be focused on value stream mapping—in other words, identifying all the moving parts of a value system and showing the interrelationships of activities and resources that provide an output.
Without mapping the value stream, there is no true understanding of those subprocesses, abstracts, and applications that are critical to the success of optimized output (or recognition of the factors required for effective and efficient throughput). As technology, economics, and social structures become further intertwined, the risk of APTs to nontraditional value systems not only becomes greater, but also harder to predict, detect, and defend against.
We have touched on this a bit throughout the chapter and this book, but the need for full-spectrum or Lean Six Sigma-type analyses to Internet-enabled value systems is an imperative. Where appropriate, theories and applications derived from the study of complex adaptive systems must be applied to recognizing nonobvious causal relationships among the many actors, exchanges, and units of value enabled by technology.
Multifarious networks, their growth, and their abstract interrelationships continue to expand at an exponential rate, outdistancing policy, regulations, and laws. To comprehensively posture oneself and move forward with confidence, an effort must be appropriately invested and expended to understand Internet value networks and the ever-evolving environment in which they exist. Only then can one truly gain predictive knowledge.
The devastation a single APT has unleashed historically or can unleash on an industry, niche market, economy, or other value system has far-reaching effects—most unrecognized (or unacknowledged) by organizational and business leaders worldwide. Because business leaders in many countries are not compelled to release information related to exploitation and theft of intellectual property, there is a false sense of security held onto by many unwitting customers. By keeping a close hold on incident cases, this facade is maintained to elevate a trust relationship with consumers, but it could backfire when the truth eventually is uncovered.
The bottom line at the end of the day is profit. As in all business transactions, very few will willingly offer up the true situation if the bottom line will be damaged. We come down to the million-dollar question: Will business leaders as a whole finally take this seriously, or will they continue to be more concerned about the effects of acknowledging their losses?