8

The Rise of the Subversive Multivector Threat

Information in this chapter

• Sun Tzu and The Art of War

• Defining the Subversive Multivector Threat (SMT)

Security against defeat implies defensive tactics; ability to defeat the enemy means taking the offensive.

Sun Tzu, The Art of War

Introduction

Sun Tzu and The Art of War

In his monumental piece on tactics and strategy The Art of War, General Sun Tzu—arguably one of the greatest military minds the world has ever seen—described all aspects of warfare germane to leadership, command, tactics, strategy, and logistics. Sun Tzu understood that in order to achieve victory—regardless of whether one is the aggressor or the defender—one needed to be fluent with and possess a formidable understanding of the following:

1. The laying of plans

2. Waging war

3. Attack by stratagem

4. Tactical disposition

5. Energy

6. Strengths and weaknesses

7. Maneuverings

8. Variation in tactics

9. The army on the march

10. Terrain

11. The nine situations

12. The attack by fire

13. The use of spies

Sun Tzu, a leader of men, had an obligation to develop mastery in each of these areas in order to be totally effective on and off the battlefield. For generations, tacticians and strategists alike have studied Sun Tzu’s words, meditating upon their meaning and relevance as they sought to develop a greater understanding of the art of war in the context of their own lives and situations. We too must revisit the words of Sun Tzu with respect to the wars we wage in the cyber realm, knowing that our adversaries will do so, whether deliberately or as a matter of instinct. It is difficult to say with any certainty that any one of these 13 principal areas of study plays a greater role than the others. Sun Tzu asked that warriors and leaders be prepared to apply the knowledge contained in his words so that under no circumstances would they find themselves unaware and in a position of weakness. In developing the concept of a taxonomic model for the subversive multivector threat (SMT), special thought and consideration were paid to the thirteenth chapter of The Art of War, “The Use of Spies”. Though we knew that men had been used as spies for thousands of years, the authors felt compelled to revisit Sun Tzu’s words on this noble area of study within The Art of War.

Sun Tzu knew that the costs of entering into battle could be great in a number of ways such as the following:

1. The morale and well-being of his troops

2. The financial costs associated with a campaign

He also understood that what enabled a leader or general to strike and conquer effectively was the foreknowledge gathered and analyzed inductively via experience and the insight provided by other men. Sun Tzu advocated the use of spies, seeing the virtue in their actions as they served the greater good. Specifically, Sun Tzu advocated the use of the following five categories or classes of spies:

1. Local spies

2. Inward spies

3. Converted spies

4. Doomed spies

5. Surviving spies

Sun Tzu called this the “divine manipulation of the threads,” a system that he believed was strong and impregnable because of its architecture. He believed in engaging local spies—those who were essentially inhabitants of a geographic area; inward spies—those who were essentially exploited members of the enemy government and leadership; converted spies—spies who once belonged to the enemy but have been turned and thus belong to your side (the ancient world’s equivalent of the double agent); doomed spies—those who carry out deliberate acts of deception, openly enough that your own spies become familiar with them, so that the deception is subsequently reported to the enemy; and finally, surviving spies—those who escape captivity by the enemy and report information back to their command.

Sun Tzu believed that spies could not be employed without a certain intuitive wisdom. He believed that they required special management, which he called benevolent management, and perhaps most importantly that one must apply ingenuity in order to ensure that the truth of their reports was, in fact, the truth. Once a leader was reasonably convinced of that, he could apply all of what Sun Tzu advocated with respect to spies, and he was encouraged to use them with subtlety in every kind of business. In Sun Tzu’s day, this was the basis for human intelligence (HUMINT) gathering. This is evident in his advocacy of seeking out enemy spies sent to spy on a given leader or government, with the hope that they could be converted and thus used to acquire information and other spies (local and inward). The end game, of course, is that by application of the five varieties of spies, a leader could gain knowledge of his enemies.

Sun Tzu argued that as long as discretion was employed with respect to the use of spies for espionage, the ends achieved by their use and employment were boundless, ultimately culminating in victory. Equally important to Sun Tzu and those who succeeded him in the tradition of military tactics and strategy was the notion of mitigating subversion and the activity that fuels it. The concept of subversion can therefore be viewed as one that is extremely difficult to wrestle with. Espionage and subversion go hand in hand with each other. They are complementary and often viewed as being synonymous with the desire to overthrow or corrupt a government, regime, or moral institution.

These tactics are often used and applied in a destructive manner, highlighting propaganda, physical and logical sabotage, and other covert tactics. As such, it can be safely assumed that the concept is neither new nor unfamiliar. However, espionage and subversive techniques are quite novel to many professionals and lay people alike. As we have discussed in the previous chapters, there is a level of activity and momentum within the cyber underworld that suggests that illicit activity within the cyber realm (and the points of confluence that impact the tangible world in which we live) shall neither slow nor subside. In its 2009 Annual Report, the Internet Crime Complaint Center (IC3) reported a staggering rate of growth with respect to the dollars associated with the cases that were reported to and investigated by its team.

According to the IC3, 2009 saw a growth rate of slightly more than two times from the previous year’s report, yielding a figure of approximately 559.7 million USD, or a 22.3% increase, an all-time high.1 Financial figures and statistics such as these and others provide an important foundation from which we can build our case as we delve ever more deeply into the realm of the SMT. As long as authority has existed in an informal or formal context, there has also existed the idea, the potential, and in some instances the very real need for actions of a subversive nature to be taken. Misinterpreting the need and context as well as the motivation for subversive action is dangerous and can lead to ends which former President Dwight D. Eisenhower called “dishonest subversion.”2 There is in fact a form of subversion which, when warranted by circumstance and need, is the very stuff of which loyalty, duty, and service are made.

SMTs, however, do not fall into the latter category but rather the former. Merriam-Webster’s Dictionary defines subversion as “a systematic attempt to overthrow or undermine a government or political system by persons working secretly from within.”3 Research suggests that there is ample evidence demonstrating the role that SMTs play in state-sponsored geopolitical actions such as those seen in April of 2007 in Estonia,4 in August of 2008 during the Russian versus Georgian aggression,5 in July of 2009 in South Korea,6 and again in 2009 during the now infamous “Operation Aurora” attacks, but it should be noted and emphasized that it is our belief, based on this same body of research, that SMTs are in no way confined to state-sponsored aggression. World-recognized intelligence community leaders such as the United Kingdom’s MI5 echo this sentiment as well, suggesting, “In the past, espionage activity was typically directed towards obtaining political and military intelligence. In today’s high-tech world, the intelligence requirements of a number of countries now include new communications technologies, IT, genetics, aviation, lasers, optics, electronics and many other fields. Intelligence services, therefore, are targeting commercial enterprises far more than in the past.”7 The authors agree that a fundamental shift has occurred. Although it is quite difficult to establish at what point this shift began, it is undeniable that it has occurred and forever changed the way in which threat analysis in any context can and must be conducted.

Defining the Subversive Multivector Threat (SMT)

As we can see from the insights provided by Sun Tzu, espionage, deception, and subversion are par for the course in the world and have been for centuries. In the twenty-first century, the rapid advancement of technology, in addition to the kinetic nature of global geopolitics and business, has seen these concepts become more relevant than perhaps ever envisioned by Sun Tzu or his compatriots. Although Sun Tzu did not directly address economic espionage (sometimes referred to as “industrial espionage”) in The Art of War, it is clear to the authors that a natural evolution and application of the techniques are and remain relevant and applicable. Were this not the case, Nation States such as the United States would not endeavor to mitigate risks associated with economic espionage through legislation such as the Economic Espionage Act of 1996 (18 U.S.C. § 1831–1839).8 This act makes the theft or misappropriation of a trade secret a federal crime. Whereas espionage is governed by Title 18 U.S. Code Sections 792–799,9 economic espionage involves commercial information as opposed to classified or unclassified information relevant to national defense.

The Economic Espionage Act of 1996 contains two sections that criminalize two distinctly different types of activity falling into the category of economic espionage. The first, 18 U.S.C. § 1831(a), criminalizes the misappropriation of trade secrets (including conspiracy to misappropriate trade secrets and the subsequent acquisition of such misappropriated trade secrets) with the knowledge or intent that the theft will benefit a foreign power. There are several recent examples of activity that falls into this category. In 2005, the United States Federal Bureau of Investigation (FBI) arrested a California man, Chi Mak, a naturalized citizen of the United States born in China, at the conclusion of an investigation of Mr. Mak.10 Technologies noted as having been allegedly compromised by Mr. Mak include but are not limited to the following:

• Torpedoes

• Aircraft-carrier electronics

• Space launched magnetic levitation platform

• Ship propulsion systems

Mr. Mak, along with his brother Tai Mak, entered the United States legally in 2001 and worked as broadcast and engineering directors for Phoenix North American Chinese Channel, a satellite television service that provides Chinese-language programming in the United States. Tai Mak, who was arrested on October 28, 2005, along with his brother Chi and his sister-in-law Rebecca Laiwah Chiu, was implicated as a coconspirator and accomplice to his brother because of the role he played in duplicating sensitive data stolen by his brother from Power Paragon, a defense industrial base (DIB) corporation where Chi Mak worked in developing a new electric-drive submarine propulsion system.

It would seem that the Mak family was part of what can be described as a classic Chinese espionage ring. Unlike the rings pioneered by the likes of the Komitet Gosudarstvennoy Bezopasnosti (KGB), the Chinese differentiate themselves with respect to their espionage style, choosing to leverage a unique approach that eschews more clandestine options and operators and instead depends on a multitude of relative amateurs: Chinese students and visiting scientists, plus people of Chinese heritage living in the U.S., according to United States law enforcement. The People’s Republic of China (PRC) actively targets ethnic Chinese in the hope of sparking a sense of obligation to China. We can conclude in the case of the Mak family, who were convicted in 2007 with Chi Mak receiving 24 years in a federal prison, that the PRC’s approach had worked, and though we will likely never know to what degree the information they provided to the PRC will affect the security posture of the United States, we can almost certainly conclude that it, in addition to data provided by others in concert, will have a lasting impact.

In another case related to the Mak investigation, a naturalized citizen of the United States of America, born in China, was brought up on charges of espionage after what prosecutors described as a 30-year scheme.11 On February 8, 2010, Dongfan “Greg” Chung, a Chinese-born engineer aged 74 and a former Boeing Corporation engineer, was sentenced to more than 15 years in prison for hoarding sensitive information about the United States space shuttle.13 Mr. Chung was convicted in July 2010 of six counts of economic espionage and other federal charges for possessing 300,000 pages of sensitive papers in his home. Evidence produced by the FBI suggested that Mr. Chung had been actively involved in state-sponsored espionage for over 30 years, spying on behalf of the PRC since the late 1970s.

He had been under investigation by the FBI since 2006 and was found to be in possession of, with intent to distribute, data pertaining to technologies such as the following:

• Phased-array antenna developed for radar and communications on the current United States space shuttle

• A 16 million USD fueling mechanism for the Delta IV booster rocket

• C-17 Globemaster troop transport used by the United States Air Force and militaries of the United Kingdom, Australia, and Canada

Prosecutors discovered Chung’s activities while investigating another suspected Chinese spy (Chi Mak), living and working in Southern California.

The cases of Chi Mak and Dongfan “Greg” Chung are but two examples of this sort of activity: activity in which members of the DIB community decide to work with a foreign Nation State in the trafficking of data deemed sensitive to the United States of America. In both of these cases, the root cause was a play on filial loyalty by the PRC on naturalized citizens of the United States of America.12 In the case of Hai Lin and Kai Xu, two Chinese nationals who held high-ranking technical positions at Lucent Technologies, Inc. (now Alcatel Lucent, Inc.), the focus was on economic espionage as it pertained to the private sector rather than the public sector.

Lin and Xu, who worked at Lucent’s Murray Hill, New Jersey location, were formally charged on May 3, 2001 with conspiring to steal source code and a leading Internet server technology (which had been developed exclusively by and for Lucent Technologies), with the technology ultimately being transferred to a state-owned corporation.13 The two had desired to create an industry-leading data communications corporation in the PRC. Investigators discovered by searching the accused’s email accounts that Lin and Xu had desired to replicate Lucent Technologies’ industry-leading Pathstar technology. The defendants had in fact transferred the data in question in early 2000, and production of the CLX-1000 had begun at the plants belonging to the ComTriad Corporation.14

However, by no means is this problem solely confined to the PRC15 as either an originator or buyer of information illegally gained via economic espionage. In fact, it can be safely asserted that, globally, Nation States have engaged in this type of behavior as technology and opportunity have evolved to allow just such activity to occur. Recently, many continental European nations have made bold decisions to address the use of devices such as BlackBerry smartphones, because the BlackBerry Network leverages servers in the United Kingdom and the United States of America and those nations’ intelligence agencies have the ability to analyze the data that passes through them.

In fact, this has become such a point of concern that senior government officials in France, Germany, and the European Commission have all been restricted from using BlackBerry smartphones. Additionally, many members of senior staff within various European defense firms have been advised to cease and desist from using the smartphones as well because of the security risks associated with the platform.16 In the case of Noshir Gowadia, the communication with the PRC was driven by monetary motivation. Mr. Gowadia, a highly accredited engineer and former Northrop Grumman, Inc. employee, was arrested on October 13, 2005,17 at his home in Maui, Hawaii. He was accused of having allegedly given engineers and officials from the Chengdu Aircraft Design Institute in Chengdu, China classified information having to do with missile exhaust systems that emit little to no heat and are, as a result, much more difficult to detect.

According to prosecutors, Mr. Gowadia had earned approximately 110,000 USD over two years for his exhaust nozzle design. Additionally, Mr. Gowadia was accused of attempting to sell classified stealth technology to the Swiss, Israeli, and German governments.18 Mr. Gowadia maintained his innocence throughout his trial, believing that what he had done did not in any way violate the laws of the United States of America. Prosecutors in the case of Mr. Gowadia believed that he had clearly violated the tenets of his security clearance in addition to violating the trust placed in him by his former colleagues, employer, and adopted country.

These examples are disturbing and suggest the need to reconsider policies associated with the approval and allocation of security clearances for parties working with and in environments that house sensitive data. Penalties associated with violation of the first section, 18 U.S.C. § 1831, are fines of up to 500,000 USD per offense and imprisonment of up to 15 years for individuals, and fines of up to 10 million USD for organizations. Dongfan “Greg” Chung became the first person to be tried and found guilty of violating the Economic Espionage Act of 1996, but he will no doubt not be the last. The second section of the Economic Espionage Act of 1996 criminalizes the misappropriation of trade secrets related to or included in a product that is produced for or placed in interstate (including international) commerce, with the knowledge or intent that the misappropriation will injure the owner of the trade secret.

The penalties associated with violation of Section 1832 are imprisonment for up to 10 years for individuals (no fines) and fines of up to 5 million USD for organizations. In addition to these specific penalties, Section 1834 of the Economic Espionage Act (EEA) also requires criminal forfeiture of (1) any proceeds gained as a result of the crime and property derived from proceeds of the crime and (2) any property used, or intended to be used, in commission of the crime. The Economic Espionage Act of 1996 authorizes civil proceedings by the Department of Justice (DoJ) to enjoin violations of the act, but does not create a private cause of action.

As a result, victims or putative victims must work with the U.S. Attorney in order to obtain an injunction.

The Economic Espionage Act of 1996 has extraterritorial jurisdiction under the following conditions:

• The offender is a U.S. citizen or permanent resident

• The offender is an organization organized under the laws of the United States or any State or political subdivision thereof

• An act in furtherance of the offense was committed in the United States

“Trade secrets” are defined in the act consistently with generally accepted legal definitions, such as those used in the Uniform Trade Secrets Act (UTSA) and state laws based on the UTSA, to refer broadly to information, whether in tangible or intangible form, that meets the following conditions:

• It is subject to reasonable measures to preserve its secrecy

• It derives independent economic value from its not being generally known to or ascertainable by the public

Bearing this information in mind, and understanding that these examples—though serious and worthy of note—do not represent the totality of the challenge being faced today within the world of information security, the authors saw further justification for the creation of a new taxonomy, one which accounts for the presence of outliers and disparate data sets that are correlated to formulate a more compelling, succinct picture. Thus the SMT was born as a paradigm-shifting ideal.

The last ten years have been extremely pivotal in the world of information security. We have seen trends associated with the distribution of malicious code and content rise on a global scale, in addition to the introduction of new and exotic mechanisms for the distribution of such code, only to see the birth of a continuum of maturity follow suit. We ought not to be surprised that maturity is taking hold in the underground. We ought not to be surprised that quality assurance, a practice which has been seen as a market differentiator within the traditional markets of the global economy, is also becoming a staple in the cyber black market.

Likewise, we should not be surprised to see the convergence of threat vectors such as those described previously throughout this book and in this chapter. Many of the same motivators that Sun Tzu made reference to in The Art of War with respect to espionage are still at work and in place today. Evidence of this can be seen in the examples, which demonstrate a Nation State’s desire to capitalize on an emotional or filial response, and in those which demonstrate the sheer economics at work in the world today for those willing to act as suppliers fulfilling a demand. The emergence of new terminology, concepts, and activities once exclusive to the realm of national and international law enforcement, the Department of Defense (DoD), and the intelligence community has become a phenomenon of epic proportions.19

It has permeated modern culture in ways that could not have been conceptualized 20 years ago. This of course is dependent on a number of variables, many of which we have discussed at length and in great detail earlier in this book. Cultural changes relevant to the adoption of new technologies such as social networking media and other invasive technologies are only the beginning. Although these applications in many respects aid and encourage modern technology users (who might otherwise have been twenty-first century luddites), in adopting and embracing new schools of thought, they also encourage and aid in perpetuating the change necessary in the world today in order to see changes happening in thought, geopolitical policy, and economics.

Globalization (the likes of which Thomas Friedman discussed in his now infamous work The World is Flat20), marked by degrees of interconnectivity never before imagined, has occurred not unlike the momentum discussed in Chaos Theory by Edward Lorenz, known as the butterfly effect.21 The Butterfly Effect is a metaphor that captures the concept of sensitive dependence on initial conditions in chaos theory. Many times, as an illustration tool, the effect is described in terms of the potential that the flapping of a butterfly’s wings in Brazil has on creating a tornado in Texas. So too have we seen, and continue to see, extreme outcomes result from what appear to be seemingly innocuous events.

It is the combination of the rise in formal espionage and state-sponsored intelligence-gathering operations, economic espionage, and opportunity that led to the cross-pollination we see today occurring between worlds once set apart. In response to these changes and the events that occurred, new designations were defined and arrived at, some bearing more fruit than others. Terms such as the now infamous advanced persistent threat (APT) made their appearance in connection with events associated with computer network compromises. What made these compromises different from others were the following factors:

• The targets chosen

• The mechanics associated with the attack

• The behavior of the event in question (this is important as there is a general misconception within the world and to a degree within the information security industry that all APTs are alike, whereas nothing could be further from the truth)

• The time that elapsed in association with the attack prior to its discovery

• Attribution

Heated debate ensued within the information security industry, with discussion, papers, presentations, and at times amazingly amateurish attitudes displayed with respect to the concept of a threat category that was and remains quite different from that which had been historically experienced by the masses.

In an effort to provide clarification to a seemingly awkward situation, another term was introduced which emphasized focusing on the adversary as opposed to the threat.

In January of 2010, Scott Crawford and Nick Selby22 proposed an idea designed to bring clarity to the immeasurable amount of confusion associated with the APT quandary. Their piece was as sound as their line of logic and thought. They credited, among others, Will Gragido, the creator of the SMT taxonomy, who had released the first and earliest version of the SMT taxonomy.

Other respected individuals within the information security industry who, like the authors of this book, had performed services on behalf of their government at one time or other in their careers also began brainstorming, writing, and collaborating on this topic in order to provide definition to this subject. One such party, Richard Bejtlich, Director of Incident Response for General Electric, produced an eloquent and accurate commentary on the concept of APT. Mr. Bejtlich helped provide some much-needed clarity with respect to the terminology, its origins, and its characteristics. According to Mr. Bejtlich, the term “APT” was defined by the United States Air Force23 to describe a situational condition which, prior to that point, had other—though not publicly disclosed or official—labels within the Department of Defense dating back nearly 30 years.

Bejtlich, who in addition to his day job with General Electric teaches information security incident response courses with Black Hat and SANS, applied his knowledge as a former United States Air Force Intelligence Officer in order to characterize APTs in the following manner:

• Advanced means that the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.

• Persistent means that the adversary is formally tasked to accomplish a mission. The adversaries are not opportunistic intruders. Like an intelligence unit, they receive directives and work to satisfy their masters. Persistent does not necessarily mean that they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

• Threat means that the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no humans attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it did not degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.

Bejtlich goes on to suggest that APTs, as he understands them, likely focus on the following targets of opportunity:

• Political objectives that include continuing to suppress its own population in the name of “stability.”

• Economic objectives that rely on stealing intellectual property (IP) from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

• Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worrying is the thought that intruders could make changes to improve their position and weaken the victim.

• Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces.

The authors were pleased by the definition that Mr. Bejtlich provides although they did find it interesting that he purposefully omitted the potential for an APT to be involved in the compromise of people or systems for the express purpose of revenue generation and profitability. Mr. Bejtlich is not alone in this opinion and although we have the utmost respect for both Mr. Bejtlich and others who subscribe to this scope, we respectfully disagree. Nevertheless, the debate rages on with a never-ending stream of arguments, marketing campaigns, debates, and discussions surrounding the topic. The “APT” has become a staple in the lingua franca of the twenty-first century.

And although there still remains an egregious number of misinterpretations related to it—often the direct result of the misinformation being perpetuated by sensationalists, marketing firms, and the press—the “APT” is still extremely relevant and important to understand in the proper context. This in part served to fuel the fire behind the authors’ decision to explore and define a more robust taxonomy, one that accounts for subordinate elements such as the APT and the advanced persistent adversary (APA) among others, while leaving room for further growth and development in this space. Codifications are important. In our industry and chosen field of study, they are vital, as they aid in avoiding misunderstanding and lack of clarity.

Just as metrics provide organizations the opportunity to establish a baseline from which all growth—positive or negative—can be measured and accounted for, so too can a properly architected taxonomy establish a systematic ordering of traits, characteristics, differences, and terminology. Additionally, the definition of a taxonomy can and almost always does yield the creation of a culturally relevant lexicon. It is the authors’ belief that such a taxonomy must be embraced as a living system akin to a biological ecosystem. In approaching and treating the taxonomy in such a manner, one should be able to account for the dynamics of the world in which we live today and demonstrate both flexibility and extensibility.

At this point, it is appropriate to discuss what constitutes an SMT. To begin with, it is important to note what SMTs are not. SMTs are not APTs, nor are they APAs, although SMTs accommodate and account for them as subontological concepts, as mentioned earlier in this chapter. SMTs are not malware, nor are they botnets, although they certainly may include an amalgamation of these threat types with other nontechnical threats. In short, an SMT may contain an APT, an APA, or any combination of malware and/or nontraditional threats not associated with cyberspace.

SMTs are new in both taxonomic terms and practical terms; however, at the same time, they represent threats which have plagued humanity in some respects since our earliest days. SMTs are highly sophisticated, although not always technically advanced, as was evidenced in the case of GhostNet.24 They are generally well-crafted, with a great deal of time and energy having been devoted to attention to detail, as the minutiae can oftentimes hold the keys to the kingdom. Target appropriation is a meticulous process that involves sober selection and decision-making. Opportunity cost and yield are considered along with the potential for both short- and long-term exploitation and manipulation of the target(s) in question. It goes without saying that the risk of discovery and exposure is considered and factored into the overall process associated with the execution of these threats. Elegance is achieved via the simplicity of the attack associated with both the adversarial elements and the technological avenues chosen. For simplicity, SMTs can be defined in the following way:

• Subversive. Insurrectionary and underground, these threats are both destructive and rebellious. They focus on systematically overthrowing or undermining governments, political systems, social and moral systems, and organizations of every kind, by persons working secretly from within or from outside.

• Multivector. Unlike other threat categories, SMTs employ multiple paths or courses to achieve mission execution. Often the path of least resistance becomes inopportune and an alternate course must be taken in real or near real time; having multiple vectors associated with each aspect of the mission is therefore crucial in preventing compromise of the team and the mission.

• Threat. A threat is the expressed potential for the occurrence of a harmful event such as an attack. Threats can be man-made or acts of nature, and in the context of the SMT they are typically blended. This blending is, generally speaking, an amalgam of opportunity, technology, intelligence, and human beings.

SMTs are sinister in their elegance, and, as mentioned previously, that elegance is often achieved through simplicity. They are efficient in utilizing and exploiting people, process, and technology, as we saw in the cases of Chi Mak, Dongfan “Greg” Chung, and Noshir Gowadia. Although some might argue that this in itself is neither new nor novel, the authors would argue that for the first time in modern history a comprehensive taxonomy has been introduced that clearly represents and demonstrates the points of confluence at work in the threat landscape. It is the belief of the authors that threats such as SMTs represent a new beginning in cybercrime and espionage: complex unions of human intelligence (HUMINT), information security, communications intelligence (COMINT)/signals intelligence (SIGINT), and open-source intelligence (OSINT). SMTs are discretionary and are not to be confused with less intelligent, banal attacks. These are the surgical strikes, rather than the carpet-bombing attacks, of the cyber realm. They are predominantly focused on carefully selected targets of opportunity, chosen after a considerable amount of time has been spent studying and observing the following:

• Target’s behavior

• Target’s habits

• Target’s routines

• Target’s vices (if the target is a human being)

• Target’s general security posture from a vulnerability perspective (if the target in question is an individual host, system, or enterprise)

It is the authors’ belief that SMTs can only be truly addressed by taking every precaution to institute and implement a comprehensive risk management framework and a security program that stresses programmatic elements, compensating controls, policy, process, procedures, and technology.

Only through the unrelenting demonstration of diligence as part of an ongoing risk management initiative is it possible to challenge and mitigate the risks presented by SMTs. It is essential that organizations take the time to honestly and exhaustively assess their own risk and, in the process, examine their vulnerabilities, weaknesses, and deficiencies as part of an ongoing threat mitigation program. There are no shortcuts. Only sound risk management, coupled with a strong desire to spread education, awareness, and vigilance throughout the user populace and with a defense-in-depth security strategy, can achieve the goal.

Summary

In this chapter, we discussed the historic basis and definition of the SMT taxonomy, recognizing that it is in essence a living taxonomy, one that the authors believe will require routine redefinition in order to keep pace with the trends and events seen within the Internet threat landscape. We discussed the tactics and strategies associated with SMTs and examined real-world examples of SMT activity, including industrial espionage conducted on behalf of foreign nation states by foreign nationals working within the United States for American corporations. We examined and clarified the differences between APTs and adversarial elements, along with the tactics and strategy associated with these events. Finally, we defined tactics and strategy while homing in on key empirical information relevant to total dollars lost (TDL) and to estimates of the percentage of gross domestic product that cybercrime and espionage account for.


1 www.ic3.gov/media/annualreport/2009_IC3Report.pdf

2 www.thewashingtonnote.com/archives/2008/05/may_we_never_co/

3 www.merriam-webster.com/dictionary/subversive

4 www.infoworld.com/d/security-central/estonia-recovers-massive-denial-service-attack-188

5 www.zdnet.com/blog/security/coordinated-russia-vs-georgia-cyber-attack-in-progress/1670

6 http://gcn.com/Articles/2009/07/08/Cyberattacks-on-US-Korean-sites.aspx

7 www.mi5.gov.uk/output/espionage.html

8 www.justice.gov/criminal/cybercrime/eea.html

9 www.law.cornell.edu/uscode/18/ch37.html

10 www.csmonitor.com/2005/1130/p01s01-usfp.html

11 www.msnbc.msn.com/id/35300466/

12 www.foxnews.com/us/2010/04/13/opening-statements-begin-alleged-b-spy/

13 Nasheri, H., 2004. Economic Espionage and Industrial Spying, Cambridge University Press.

14 United States v. Lin et al., No.01-CR-00365

15 http://thecable.foreignpolicy.com/posts/2010/01/13/china_s_expansion_of_economic_espionage_boils_over

16 www.reuters.com/article/idUSTRE68E1TH20100915

17 www.usatoday.com/news/nation/2008-08-02-3190157706_x.htm

18 www.ndtv.com/article/world/indian-american-noshir-gowadia-guilty-of-selling-military-technology-to-china-43501

19 www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html; www.damballa.com/knowledge/advanced-persistent-threats.php; http://threatpost.com/en_us/blogs/researchers-google-aurora-attackers-back-business-091310; www.thenewnewinternet.com/2010/09/13/cyber-experts-espionage-apts-malware-among-most-dangerous-cyber-threats/

20 www.thomaslfriedman.com/

21 www.stsci.edu/~lbradley/seminar/butterfly.html; www.nature.berkeley.edu/~bingxu/UU/geocomp/Week8/Chaos.pdf

22 http://threatpost.com/en_us/blogs/its-adversaries-who-are-advanced-and-persistent-012610

23 http://taosecurity.blogspot.com/2010/01/what-is-apt-and-what-does-it-want.html

24 www.nytimes.com/2009/03/29/technology/29spy.html; www.infowar-monitor.net/; http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network