Sunday, December 11, 2011

A View from the Bunker.....

The few survivors from the front line have reported in. We stand on the edge, staring into the abyss, a tangled mess of bodies behind us. We are the poor souls who have chased the demon, descended into the pit and climbed up the other side. What we have seen is not pretty at all. The collective corporate filesystem is a parking lot for castaway software barely able to run on a modern OS, squeezing the last bit of life out of burned-out Win32 DLLs (Dynamic Link Libraries) and rogue .exes. There are piles of unwashed garbage downloaded by employees who were passing by, never deleted, never cleaned. The strangest mutated crap has been swept tightly into temporary directory corners that have since calcified and become permanent artifacts.
 
These software programs are a biohazard. Some are just plain broken, wheezing out juice from a hooked Windows message chain just long enough to cough up and die, only to be resurrected by the swift kick of a boot-time registry key the next time the machine reboots. Some have pretty little labels of well-known companies – clearly so you won’t look twice at them and notice how they are exfiltrating personal browsing statistics and other data to some cloud server – really like malware, but allowed by the EULA that you didn’t read.

Everything looks bad. So, it’s no wonder that attackers can just drop something new in and nobody notices. As long as it doesn’t infect five million residential banking customers, nobody is going to give a crap.

That is the unfortunate reality of hacking these days, and it has nothing to do with advanced persistent threats (APTs). It has to do with the enterprise and the complete LACK of visibility and control you have over the endpoint (i.e. where all the action is)... When security is limited to the network perimeter only, you are not in control. Period......

Oh, and what a "breath of fresh air" the mobile device is. A new pile of mobile software, mostly social media, that is directly connected to thousands of strangers who are not your employees, communicating in real-time with processes running within your defenses. In effect, you now have thousands of potential multi-homed routers to 3G-space (4G if you're lucky..) from your network that don’t belong to you.

OK, so let's review some basic security facts:
  • Today, malware is a tool for persistent adversaries
  • Adversaries are financially and/or politically motivated
  • Intrusions involve a real person (or group) that targets your organization directly 
  • Attackers are motivated to steal something from your network
Let's review the primary threat actors and groups we face today:

Criminal Enterprises – these are the guys who make more money than drug cartels and the reason a malware economy has emerged over the last few years. This is what mere mortals mean when they talk about malware, and the reason people get malware and hackers mixed up all the time.

Rogues – these are the hacking groups you can enumerate on any given day. Hundreds, if not thousands worldwide. These guys are all capable but normally aren’t fueled by cash. These guys deface, DDoS, and partake in ‘mostly harmless’ hackery. But a small subset have always been deeply malicious. Others pick up a cause and act like cyber terrorists. And still others really are cyber terrorists.

Rogues meet cash - these hired mercenaries are the ones who write malware, sell 0-day, and get caught up in the vortex of organized crime. These guys are very, very dangerous.

All the membranes have been breached - the threat is blended. We live in a time where a state interest can simply buy access to adversary networks from criminals who are selling their botnets. Where state-sponsored attacks can be vectored through private hacking groups. Where private hacking groups can fund their operations from cybercrime, while targeting corporations and governments with methodology indistinguishable from APT. There is no tidy bucket to place the threat in; all the wires are now crossed. The only thing that is consistent here is that hacking is hacking, and it always looks and smells the same when you see it.


Thursday, December 1, 2011

The Smell of Blood in the Water.....

It's been a while since my last post, so I wanted to give a very brief summary of the current state of affairs (this is by no means exhaustive…). Let's just say that 2011 will go down in history as the year that our perceived security was stripped away.

EMC’s RSA division was breached and soon afterward so were some of its customers.

The world’s largest anti-virus companies have been taken to task for selling snake oil (also known as anti-virus software). Local police departments all over were unable to protect their own officers’ personal and confidential information.

The FBI’s InfraGard program was repeatedly hacked. DARPA and NSA have recently both agreed that after many years of trying they’ve failed to come up with a security model that works in light of recent infiltrations...

We are entering 2012 more vulnerable than ever before because our security relied upon the "perception" that those charged with our security, both public and private, could do the job. Well, reality has stripped that misconception away, which gives rise to opportunity.

Conversely, over 28 nations and counting are developing offensive cyber capabilities, and the really malicious actors of the world like drug cartels and extremist groups (both domestic and foreign) are rapidly learning what’s possible vis-à-vis attacks through cyberspace. In other words, those with the means to act are growing quickly.


Finally, the anger and frustration of the expanding "Occupy movement" combined with the onset of hate-fueled politics that accompanies a Presidential election year - especially against this President - will engender widespread motivation for people to take action. With means, motive, and opportunity solidly represented, I expect 2012 will produce more cyber attacks against U.S. targets, which will result in serious harm if not loss of life. Once there's blood in the water, you can expect more will quickly follow.

The very worst part of this prediction is that it's inevitable. CEOs typically refuse to act to protect their own companies if it cuts into profit. The U.S. government has challenges doing what’s necessary to protect our nation’s critical infrastructure because it's 90% privately owned, and our laws and system of government have enabled this massive malfeasance so that everyone responsible can claim absence of malice.

In the words of Upton Sinclair and the movie based upon his book Oil! - "there will be blood". It's just a matter of time.