Thursday, February 4, 2010

Understanding the APT.

When guest lecturing at colleges and giving talks on the topic at conferences, I have for some time been describing much of what goes on on the internet today as an extension, or modernization, of the clandestine intelligence-gathering efforts which have been taking place for as long as people have acknowledged the value of enemy-centric intelligence. While many may accuse me of trivializing the issue, if you consider the intent of the adversary responsible, that is what it really amounts to. This is not to understate the newness of the electronic ('cyber') attack and surveillance technologies which have emerged in recent years, but to more clearly categorize them as a new, and often more efficient, means to a common end.

This brings us on to the somewhat newly defined concept of the 'APT' (Advanced Persistent Threat), a term coined (as far as I am aware) by Mandiant, a DC-based security firm. Firstly, for all its marketing-speak and the misconceptions it has led to, I think the idea is great: it has drawn some much-needed attention toward the problems which many large government and private organizations are faced with on a daily basis.

Sticking to the theme that what we are trying to describe is a new means to a similar end, it is clear that we are in serious need of new technologies, and new processes, for handling the technological aspects of the modern APT, whether those be for purposes of detection, remediation or attribution. To this end, I think firms like Mandiant and Dabala are doing a stand-up job of addressing emerging needs, and may the best team win.

All of this said, the APT is clearly nothing new, and understanding this requires a little lateral thinking. If we think about the APT in more literal terms, it does not differ from the advanced nature of many other modern intelligence-related methodologies, many of which may be used in a persistent manner. From telephone trap and trace to satellite imaging and the presence of undercover operatives behind enemy lines, the APT is clearly something which has been around for quite some time, even if it has only recently been defined in these terms by the mass media and the information security community.

So what, you might ask? Well, this is an issue of perception: a perception that the APT is something new, and that when we discuss the APT we refer to a specific means to an age-old end. So when we think about the APT in the future, let's do ourselves a favor by not using it synonymously with a specific technology (whether that be a keylogger, a new Flash 0day, or a USB fob virus), and instead promote a true understanding of the threat that we are really trying to describe, and of the technologies that we are promoting to counter it.

Friday, January 22, 2010

Power Grid Security Reporting

The much-anticipated white paper entitled "Critical Infrastructure: Attacks, Actors, and Emerging Threats" by the Project Grey Goose team has just been released, and I wanted to spend a moment discussing some of its content in the context of much of what has been published on the topic over the past year. This is a topic that is near and dear to me due to my daily dealings with many users of industrial control systems, and I had great hope that the Grey Goose white paper would set the record straight regarding many of the false innuendos that exist in this domain.

To begin, the title of the white paper (Critical Infrastructure: Attacks, Actors, and Emerging Threats) suggests an exhaustive analysis of the threats posed to the many components which constitute national critical infrastructure. Generally, these include financial infrastructure, the military, transportation, and of course energy. The media (and often even the security industry) tend to misuse the term Critical Infrastructure to refer to what is often a very small component of the nation's overall CI. The fact that the authors of the white paper made the very same mistake raises a big red flag, as it demonstrates a lack of understanding of the topic.

Moving past this without prejudice, the introduction asks "whether there has been any successful hacker attacks against the power grid, both domestically and internationally". The answer to this question is possibly one of the most debated, and often heated, discussions within the automation security community, and so it is with great interest that many will read this document in the hope of finding concrete evidence in support of one side or the other.

Unfortunately, the white paper falls far short of answering this question, and cites mostly existing media references which are widely disputed with regard to their accuracy. The PGG white paper then concludes in its key findings that many nation states (the usual suspects: PRC, RF, Turkey, etc.) are "almost certainly" targeting and penetrating critical infrastructures (remember, this means a lot of industries, not just power). Further, it states that attacks against the bulk power grid will "almost certainly" escalate over the next year.

The remainder of the white paper cites a number of existing publications regarding power grid security, the so-called 'smart grid', and water utility security. It also contains incorrect statements, such as stating that the power industry does not have to comply with NERC/FERC regulations. This is untrue, and anyone working in the IT security space within transmission or generation providers will tell you that their last twelve months have revolved almost entirely around CIP compliance efforts (and the associated compliance deadlines and audit activities).

In summary, there is nothing new here, and the document does not answer any of the questions that it asks in the introduction. At best, it is a collection of existing materials and thoughts. Statements such as "almost certainly" are, in my opinion, a cop-out, and indicate a lack of certainty amongst the authors concerning the conclusions they might otherwise like to draw. This is a great shame, as a concise report backed up by new and corroborated evidence on the real threats to energy generation and transmission would be a great guide to the many, in and outside of Washington, DC, who are trying to figure out where best to spend their security dollars in 2010.