Introduction
Welcome and thank you for taking an interest in this book and the topics within. We are going to walk you through numerous tools, techniques, procedures, and case studies where these tactics and methods worked! You have opened this book with an awareness of cyber threats to enterprise networks, and want to learn how to proactively combat threats and adversaries.
First, you need to understand what the term advanced persistent threat means. It is a highly skilled and funded entity poised and directed specifically at your enterprise. The term has been in use for several years, but became truly infamous during Operation Aurora, an incident reported by Google in early 2010. In this book, we will discuss countermeasures for advanced persistent threats, persistent threats, and opportunistic threats. All of these can target sensitive information within your enterprise, but each has a different end goal.
Within these pages, you will learn more about the tools and tactics of various malicious software groups typically referred to as crimeware, and also how to use in-depth counterintelligence tactics against them. By implementing our suggested best practices, you will be able to minimize threats to your enterprise and increase security posture and preparedness. You do not want your adversaries to gain the upper hand. And in some cases, they already have your network, so you need to push the adversaries out of your enterprise.
Exploits and Vulnerabilities
Threats can range from simple opportunistic malware infection campaigns to highly advanced targeted malicious code that isn’t detected by host- or network-based security tools. Consider the sheer volume of vulnerabilities that are discovered in all sorts of computing platforms. Table 1 shows some figures for 2010’s exploits borrowed from the Exploit Database (http://www.exploit-db.com). Although these figures include exploits that date back as far as 2003, they still reflect the volume of exploits that occurred. These exploits are operating system-specific and are not counted as third-party applications or services (such as PHP or SQL).
Table 1 Operating System-Specific Exploits (table image not reproduced)
These exploits used both publicly disclosed and nonpublicly disclosed vulnerabilities. Now think about all of the exploit code developed for these discovered vulnerabilities. Then add all of the automated tools and crimeware that, once combined with the exploits, can be easily turned into an advanced persistent threat. Finally, consider how widely all of these platforms are connected and interacting across your enterprise network—whether in an enclosed network or in an enterprise that relies on cloud computing services.
You need to understand that for every vulnerability disclosed, not everyone has an exploit released publicly, but most have had some level of development on a private or classified level. Stuxnet is a great example—old and new vulnerabilities that never had exploits developed for them in the wild, yet there they appeared when the story broke.
The massively high volume of threat combinations floating around—based on statistical probability alone—is enough to make you want a little something extra in your coffee before work in the morning. Table 2 shows the public vulnerabilities disclosed between 2009 and the first quarter of 2011 according to the National Vulnerability Database and the United States Computer Emergency Readiness Team (US-CERT). These exploits were counted via the Exploit Database, where you can find most publicly available exploits. And keep in mind that for every ten publicly available exploits, there may be one sitting in someone’s possession waiting to be sold on the underground market to the highest bidder.
Table 2 Vulnerabilities Disclosed vs. Exploits Developed (table image not reproduced)
As you can see, the public disclosure of exploits overshadows by far the public disclosure of vulnerabilities. Now let’s talk about some trains of thought to accompany that special cup o’joe.
Fighting Threats
You are more than likely interested in how to take the observable information a threat leaves in its wake and use it against the threat. Observables are logical fingerprints or noticeable specifics of an attacker’s behaviors and patterns that are collected and logged by various sensors, which are network and security devices across your enterprise that enable you to re-create the events that occurred. Observables are discussed in detail in Chapter 3 of this book. For now, you just need to understand that observables are various components of data that, put together, can support attribution of a specific threat or adversary. If this information is handled, analyzed, and used properly, it can be used against your threat. The results will almost always vary in degree based on a few factors: the skill and resources of your attacker, your ability to identify and analyze each threat, and what degree of effort you put into operating against the most critical threats.
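The paragraph above describes observables as pieces of sensor data that, put together, support attribution. The following is an added example, not code from the book, that shows the mechanics in a small way: a few constructed log records from two hypothetical sensors (a web proxy and a VPN gateway, in an invented key=value format) are parsed, each record's observables (source address, user agent, URI, account name) are extracted, and any two records sharing an observable are linked into one cluster. The cluster profile is the kind of summary a defender would keep in an adversary catalog.

```python
"""Added example: linking sensor observables into clusters for attribution.

All log lines below are constructed for illustration; the record format,
sensor names, addresses and account names are hypothetical.
"""
import re
from collections import defaultdict

# Constructed proxy and VPN records: "<timestamp> <sensor> key=value ...".
PROXY_LOG = """\
2011-03-02T02:14:07Z proxy src=203.0.113.7 ua="Mozilla/4.0 (compatible; MSIE 6.0)" uri=/cgi/upd.php
2011-03-02T02:15:41Z proxy src=203.0.113.7 ua="Mozilla/4.0 (compatible; MSIE 6.0)" uri=/cgi/upd.php
2011-03-02T14:03:12Z proxy src=198.51.100.22 ua="Mozilla/5.0 (Windows NT 6.1)" uri=/index.html
2011-03-03T02:09:55Z proxy src=203.0.113.9 ua="Mozilla/4.0 (compatible; MSIE 6.0)" uri=/cgi/upd.php
"""
VPN_LOG = """\
2011-03-03T02:11:30Z vpn src=203.0.113.9 user=jdoe result=success
2011-03-03T09:40:02Z vpn src=198.51.100.50 user=asmith result=success
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Fields treated as observables; a shared value links two events.
OBSERVABLE_KEYS = ("src", "ua", "uri", "user")


def parse_line(line):
    """Parse one constructed record into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts"), "sensor": m.group("sensor")}
    for key, _, quoted, bare in KV_RE.findall(m.group("rest")):
        event[key] = quoted if quoted else bare
    return event


def observables(event):
    """The (kind, value) pairs of an event that can tie it to other events."""
    return {(k, event[k]) for k in OBSERVABLE_KEYS if k in event}


def cluster_events(events):
    """Union-find over events: any shared observable joins two events.

    Returns lists of event indices, largest cluster first.
    """
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # observable -> index of first event carrying it
    for idx, ev in enumerate(events):
        for ob in observables(ev):
            if ob in first_seen:
                union(first_seen[ob], idx)
            else:
                first_seen[ob] = idx

    groups = defaultdict(list)
    for idx in range(len(events)):
        groups[find(idx)].append(idx)
    return sorted(groups.values(), key=len, reverse=True)


def profile(cluster, events):
    """Roll a cluster up into the facts a defender would record about it."""
    evs = [events[i] for i in cluster]
    return {
        "events": len(evs),
        "sensors": sorted({e["sensor"] for e in evs}),
        "sources": sorted({e["src"] for e in evs if "src" in e}),
        "users": sorted({e["user"] for e in evs if "user" in e}),
        # Hour of day (UTC) from the ISO timestamp; activity windows are
        # themselves a pattern worth recording.
        "hours_utc": sorted({int(e["ts"][11:13]) for e in evs}),
    }


def load_events():
    """Parse the constructed sample logs above into event dicts."""
    lines = (PROXY_LOG + VPN_LOG).splitlines()
    return [ev for ev in (parse_line(l) for l in lines) if ev]


if __name__ == "__main__":
    evs = load_events()
    for c in cluster_events(evs):
        print(profile(c, evs))
```

In the sample data, two proxy sources never share an address, but they share a user agent and a URI, and one of them later appears as the source of a VPN login. The largest cluster therefore ties both addresses, the early-morning activity window and the jdoe account together, which is the sort of linkage that turns isolated alerts into an adversary profile. Which fields count as observables, and how strong each is, should be tuned to your own sensors; a common user agent alone is a weak link.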
Identifying the best Course of Action (COA—numerous acronyms in this book have military etymology) for each threat will be a challenge, as no two threats are exactly alike. Some threats can be working toward nefarious goals with severe impact, physical damage, or even loss of life (enterprise disruption, intellectual property damage, and so on). In our world of networked knowledge, billions of individuals around the world interact with systems and devices every day. And all these systems contain, at some level, information about that individual, group, company, organization, or agency’s past, present, and plans for the future. This information is valued in different ways by different criminal groups.
Sean Arries, a subject matter expert on penetration testing and exploit analysis, once said, “If it is a monetary-based threat, the source is generally Eastern Europe. If it’s an information/intelligence-based threat, the source is generally based out of Asia. If it comes from the Americas, it could be either.” Based on historical information and analysis performed by the United States Secret Service and Verizon in their 2010 Data Breach Investigations Report, there is a consensus that most monetary-based crimes come out of impoverished countries in Eastern Europe. As far as Sean’s quote goes, we completely concur with his expertise based on our own professional experiences (except for those of us who are government employees and can neither confirm nor deny the events).
Data and identities such as names, addresses, financial information, and corporate secrets can be bought and sold on the underground black market for all sorts of illegal purposes. Over the past few decades, the ability to detect identity theft has improved, but identity theft still happens today, as it did a century ago. Why? When an identity is stolen, there is a period of time in which the identity can be used for malicious purposes. This lasts until the victim of the identity theft discovers the information has been stolen and is being used, or the victim’s employer finds out credentials have been stolen (which can be a matter of hours to weeks). Thieves may use stolen identities to purchase items illegally, as a means to travel illegally, or to pose as that individual. Even worse, they might be able to gain access to sensitive or protected knowledge using someone’s stolen credentials. There is a broad spectrum of networked knowledge that may be targeted, ranging from personal financial information to government secrets.
All About Knowledge
Networked knowledge is a term coined by retired US Army Colonel Hunt, one of the brainchildren behind the concept of NetForce Maneuver, a Department of Defense (DoD) Information Operations strategy that discusses tools and tactics that can be used against an active threat operating within your network. Colonel Hunt was also an early commanding officer of Sean Bodmer, who architected the DoD’s honeygrid (an advanced globally distributed honeynet that is undetectable and evolves with attackers’ movements). Networked knowledge is the premise of a combined knowledge of multiple organizations across their enterprises working together to share data about specific adversaries/attackers to gain attribution of specific operators and their motives and objectives.
For the purposes of this book, we emphasize the importance of a combination of knowledge and experience to better understand your attackers/adversaries and their objectives and motives. Knowledge is both your most powerful weapon and your enemy at the same time, as some of your knowledge (such as logs, records, and files) can be altered and lead you astray.
You know what you know, but when it comes to working across an enterprise or from home, there are unpredictable variables (proverbial monkey wrenches) thrown into the mix, such as the following:
- The knowledge levels (expertise) of the developers behind the scenes, who all have varying levels of experience and nuances of their own when they develop software; some of their levels of experience (or lack thereof) can be reflected in their coding
- The knowledge levels of personnel responsible for providing your service
- The knowledge levels of other users, friends, family, and peers
- The knowledge levels of your contractors or staff
- The knowledge of your chain of command or leadership
- The knowledge and motivation of your adversaries
An adversary/threat catalog is similar to an initial personal inventory of your adversaries and threats, which can later be used when building an actionable response plan of possible countermeasures and strategies. It is important for any security program to incorporate a cyber assessment and/or counterintelligence framework that is easily repeatable for each event or threat. Although no two events are the same, there are always patterns in behavior, as the individuals or groups on the other end of the keyboard are human and have their own patterns and behaviors, which are generally passed over into their methodologies.
This book is designed to inform you about tools, tactics, and procedures (TTP—another military acronym) that can add value to your current security program and improve your knowledge and awareness of threats and adversaries. You’ll learn about the ranges of threat severity and how to deal with each threat accordingly. Everyone—from home users to technicians, security enthusiasts, and executives—needs to better understand the adversaries and threats. Again, knowledge is your weapon and foe bound into one scope of information and actionable possibilities.
The following are important questions to continually ask yourself while you read this book:
- Who are my adversaries? Knowing and being able to identify an adversary is a critical task.
- What do my adversaries know about me? What do I know about them?
- Where are my exploitable vulnerabilities? These can be physical or technology based.
- When are my most vulnerable periods (related to the time of day, schedule, or routines)? These can also be physical or technology based.
- Does my adversary have the capabilities to exploit my vulnerabilities? Capabilities are either technically or physically based.
- What do I know about my adversary’s capabilities and intentions?
- Why would an adversary pick me out specifically? This can range from monetary reasons all the way up to a nation’s secrets. Personal agenda can also play a part, such as hacktivism.
- How am I being manipulated by my adversaries? How can I manipulate my adversaries?
Knowledge is stored in minds, on workstations and servers, and within all sorts of digital devices around the world. All of these minds, systems, and devices are interconnected in some way and have software programs (applications) that enable them to coexist in a symbiosis that also includes phases in evolution, such as new users, equipment, patches, upgrades, versions, releases, intercompatibility, and the knowledge of the user. All of these variables open up possible avenues for your adversaries to exploit, attack, compromise, identify, exfiltrate (export stolen information from your network to a remote destination), and leverage your money or information. On the other side, there is the security team who has the joy of detection, mitigation, remediation—rinse and repeat. The bad guys have all of the advantages, as they don’t need to abide by rules, regulations, or laws. Most individuals reading this book working in a legitimate field must abide by one or more sets of rules or regulations.
If your hands are tied to an extent, continue reading. You will gain knowledge from some of the best subject matter experts in various areas and facets of cyber counterintelligence, whose combined contributions provide an in-depth look at how to identify and counter highly motivated and well-funded persistent threats (which are typically well-funded organized crime rings or state-sponsored cyber threats). The purposes behind each course of events will be different, but all will occur through observable patterns. Humans are creatures of habit, and our adversaries are also human and develop motivations and objectives based on other human emotions. Chapter 4 covers the behaviors of cyber criminals in depth.
The advancement of threats and vulnerabilities developed by your adversary stems from motivations and objectives. You might ask yourself, “How do I know if I have any adversaries?” Well, anyone connected to the Internet is a desired target, either for direct exploitation and use as a pivot point (a beginning point of infiltration that leads to deeper infection of your enterprise) or as a part of an end goal. The overall issue with modern computing is the ease with which criminal activity can grow from a single infection to a full-blown advanced persistent threat. The generally used method is client-side exploitation or social engineering, the latter being the most effective, especially with well-funded and highly skilled adversaries.
We mentioned that all adversaries are human. Well, humans have emotional routines and behaviors that translate to programming functions and procedures similar to computers, and they can exert their human nature in their methods and techniques. Humans develop tools, tactics, and techniques that are easily repeatable for their own successful motivations and objectives. So why wouldn’t we be able to observe patterns in physical or cyber-related effects and behaviors of an adversary? This is not a trivial process in any sense of the task, but can be attained through thorough analysis and due diligence of the security team or end users.
In a world of enterprise networks like little galaxies across our Internet universe, common and unique events occur across billions of galaxies every second. These events range in severity and uniqueness between galaxies. Some of these events occur daily, and some happen rarely. Now when we get down to it, the events we are concerned with are generated by humans, and they have patterns, techniques, and observable details that can be used to your advantage. That’s how you can approach incidents and intrusions without feeling overwhelmed. Each of these events is unique in some way, and can be made discernable and attributable to a returning adversary or an event that has nothing to do with a critical threat that has occurred in the past, present, or future. As a defender, you can never tell which individual incident or event is associated with one another, or can you?
Throughout the book, we will refer to our adversaries. This will be used as a common vernacular to describe any form of individual or group posing a threat against your enterprise network. We will discuss various categories of adversaries and attribution that will empower you to better identify which threat is related to which adversary. This will be important as we go through the subject matter of this book and inform you of what information you can collect against your adversaries in order to manipulate them into performing actions that improve your security posture. Another topic of the book is the ability to discern which incidents or intrusions are associated with specific adversaries.
This book crosses and blends the lines of age-old techniques and cyber-related tools and techniques that have been in use by professionals throughout several fields of study. In this book, these defenses will be applied together for various aspects and roles of information systems security engineering and cyber counterintelligence. Some of the TTPs may be familiar, and some may not. You’ll learn about the methods and techniques suggested as best practices for combating cyber criminal activity, ranging from just a curious cyber criminal to advanced persistent threats that you need to understand to actively detect and combat.
Advanced persistent threats and simple persistent threats are countered through the use of physical control of your network, deception, disinformation, behavioral analysis, legal perspectives, political analysis, and counterintelligence. Having physical control of your enterprise is the focal point most security professionals and executives regularly forget about. If you can control the boundaries of a fight or battle, why can’t you win? This is the most basic principle, but when dealing with giant enterprise networks that span the globe, things can get trickier (even when using traditional deception and counterdeception techniques). However, that is what security teams and security policies were created for: providing a safe, operationally viable network that has high confidentiality, integrity, and availability. When dealing with enterprise networks, you can easily get lost in policies and laws, and may feel unable to be understood by your leadership.
For the purpose of this book, we are going to put all of the politics aside and concentrate on the possible and effective. You need to absorb these concepts and best practices, and begin working out how you can integrate these TTP into your daily workflow, team roles, and budget.
If you read this book thoroughly, you will walk away with the knowledge only a few of us exercise daily. However, you do need a good understanding of all the pieces and players. We all face threats working in our modern world overloaded with technology, and only a few of these technologies actually help us detect and thwart adversaries attempting to access and operate within our networks for personal or professional gains.
All host-based antivirus platforms and threat-prevention systems provide a level of security geared toward the average threats and are always playing catch-up. An antivirus firm needs a sample of malware prior to generating a signature to detect that variant or family of malware, and that could take days to weeks. By that time, your threat or adversary has already come, gone, and installed a new backdoor. Almost every traditional network security appliance can be bypassed by advanced and persistent threats. Only a handful of network security platforms have attempted to actually integrate persistent threat detection and early warning into an actionable model. We will introduce methods and procedures for integrating specific systems and tools in a fashion that can be used to turn our practices into repeatable processes. Our goal is also to demonstrate how to update and educate stakeholders of enterprise networks in order to better defend themselves with a little passive aggression.
What This Book Covers
Do you fret over the integrity of your network? Read this book if you are interested in not only defense, but also engagement and counter exploitation of active threats in your network. Those seeking knowledge and wisdom surrounding the domains of network security, cyber law, threat mitigation, and proactive security, and most important, those working in or a part of the cyber world, should read this book. It has been written to cater to all audiences, ranging from managers to technicians.
Our book is meant to inform, advise, and provide a train of thought to follow when your network is under threat and is assumed under the control of a remote entity. This book will walk you through the ecosystem of targeted and opportunistic criminals, where they commune, and how to engage them from inside the legal boundary of your own network. You’ll learn which tools and techniques are available to interact or game them using the principles of counterintelligence and operational deception. We also provide you with several accepted techniques for analyzing and characterizing (profiling) cyber threats operating against your network. And we cover one of the most ignored aspects of countering cyber threats: operationally vetted legal guidance from a cyber lawyer.
This book is meant to be a tome of best practices and wisdom of tools, tactics, and techniques that have and are being used to actively counter opportunistic and targeted cyber threats. Please treat this book as if one of us were in the room discussing with you the options available when you are faced with an intrusion.
This comprehensive guide is designed for the IT security professional, but the information is communicated in clear language so that laymen can understand the examples presented. The book will enable you to identify, detect, diagnose, and react with appropriate prioritized actions. It explains how IT security professionals can identify these new, “invisible” threats, categorize them according to risk level, and prioritize their actions accordingly by applying expert, field-tested, private-sector and government-sector methods. Some of the tactics will include deception, counterdeception, behavioral profiling, and popular security concepts within the realm of security that focus on countering advanced and persistent threats.
The intent is to provide readers with a fresh, new perspective on understanding and countering current persistent threats, as well as advanced threats likely to emerge in the near future. You can read the book in its entirety or focus on specific areas that most interest you or your fields of study. This book is useful to everyone who works in or whose work is influenced by the world of information technology and cyber security.
Please remember that our primary goal here is to empower you with experience and knowledge of multiple professionals who combined have more than 100 years of experience encompassing every section of this guide, ranging from information operations managers, counterintelligence specialists, behavioral analysts, intelligence analysts, and reformed hackers of the 1990s. With the subject matter experts gathered, we are in a position to publish a book to help increase the understanding of cyber counterintelligence.
First, we will cover concepts and methods for applying traditional military deception and counterintelligence techniques into the shadow of cyberspace. The goal of this book is to illustrate why the use of deception and counterintelligence is imperative and important across every organization that relies on an IT infrastructure and explains why your information will be attacked through that IT infrastructure. This will help you to learn the motives and intent of the attackers. You will gain a better understanding of the causes of and motivations for malicious online behavior so that you may better understand the nature of the threat.
The book will also include strategies and techniques to entice and lure your adversary out into the open and play “cat and mouse” with them. Techniques can include ways to counter adversaries who are actively attacking or already within your network into revealing their presence, motives, and intent. You will learn the characteristics of advanced persistent threats. We’ll describe some of the ways these organizations attain access, maintain access, and regain access, which ensures they can control computers and even whole networks. We will then link the military community doctrine to the cyber domain with the intelligence benefit and operational techniques of the advanced persistent threat. The ability to penetrate and maintain stealthy access and collect information on a target is advanced persistence access, and is the bread-and-butter of premier intelligence agencies around the world.
This book focuses on intelligence analysis, cyber counterintelligence, and operational implementations of how to objectively analyze the details of an intrusion in order to generate highly accurate assessments (profiles) of your adversaries, which can help IT security professionals and/or authorities with attribution and/or apprehension of the criminal. The book includes information about the current legal and ethical ramifications of implementing deception techniques against cyber criminals. Legal components include an overview of the rule of law, preservation of evidence, and chain of custody, which could assist law enforcement officials in a criminal case. However, this coverage is not a replacement for legal representation.
We believe that after reading our book, you will understand the concept of utilizing deception and maximizing attribution, and will be equipped with tools you can implement to better protect networks and make life exponentially harder for the bad guys (black hats and state-sponsored hackers) who are hacking private and commercial assets for political, economic, and personal leverage.
The book has three parts. Part I introduces some basic concepts:
- The history of deception and how it applies in the cyber realm
- The age of modern cyber warfare and counterintelligence, and how it affects every enterprise, company, organization, university, and government
- Why the tactics and techniques of counterintelligence are such an important tool for every stakeholder involved with securing your enterprise
- A basic legal explanation of capabilities and limitations of prosecutable versus nonprosecutable investigations, and where and when it is worthwhile to implement criminal profiling, deception, and disinformation
Part II discusses techniques and approaches to defending against threats, intended to empower administrators and security personnel to act, but more important, to be proactive in their efforts:
- How to analyze and react to advanced intrusions and intruders at a much deeper level than is typically done today
- How to implement deception and disinformation against advanced threats in order to drive/push them in directions you desire
- Functional methods and tactics that can be used to attack the minds and morale of persistent threats while operating within your own network
- The nature of different motivations for online malicious/criminal behavior
Part III finishes up with the following topics:
- Case studies of prior experiences of the authors where deception and disinformation were used against advanced threats in order to perform attribution
- Concepts and methods for validating whether your counterintelligence operations are working on your threat or adversary
As you read through this book, think of it as an operational manual of successful best practices. All of the contributors understand our areas of specialty and each other’s accordingly. We fully believe this book contains successful strategies for regaining control of your enterprise from as many of the persistent and advanced threats targeting you as possible, with as little harm to your operations, and as much desired damage to the morale of your threats and adversaries, as possible.
This guide has plenty of fear, uncertainty, and doom (FUD), since today everyone is a target—whether you are a stakeholder of an enterprise, a professional, or a member of the family of a professional. In today’s world, everyone is a desired target, and the threats range from the casual, curious hacker all the way up to the highly skilled state-sponsored hacker.
Finally, keep in mind that some of the acronyms used in this book have connections to military or government vernacular or terminology, as most of us come from a Department of Defense, Department of Justice, or intelligence community background.
Why should you read this book? Because you have a computer connected to the Internet, and there’s valuable information, honor, and money at stake (did we mention there will be a lot of FUD in this book?).