Tuesday, August 27, 2013

What is Cyber?

As a term, Cyber has a broad spectrum.  It has been applied to subjects ranging from low voltage microchips to international law.  In the context of security, when does it apply? Consider a situation where an operator from hundreds of miles away initiated events that shredded a turbine and killed 75 people.  This was not an attack, it was an accident.  But, was it a cyber accident?
Is this #cyber?
After seeing articles about SCADA and ICS security citing the Sayano accident (among others), I was compelled to ask the community a series of questions about the definition of cyber, which I tweeted over the course of a single day and tagged #whatiscyber.  What follows are those tweets.  I received some good feedback and I outline some thoughts here.

 A modern computer is attached to the Internet and communicates daily with the cloud, is this #cyber?

The most basic definition is that cyber means computing technology, and in particular, computers that are networked.  There is no larger example than the organic Internet, full of people of all intentions, which has the cyberpunk aspects of a wild west, even pseudo-intelligent computer viruses.

A LAN party is disconnected from the Internet, is this #cyber?

If one accepts the previous definition, which clearly many do given the basis of the accepted Wikipedia entry, then what about smaller networks?  A LAN party involves hosting a group of people, complex computing hardware, protocols for communication, and probably more than once harbored its share of viruses.  Is this a tiny fractal of the Internet?  Is it cyber?  This introduces the concept of space – a cyberspace being a place where computing occurs.  But, what scale of space is required before it can be called cyberspace?

Is this #cyber?
You have an old 1980's-era, isolated, stand-alone computer not attached to any networks, is it #cyber?

Now we break down.  Many people are thinking this doesn't match the fantastic vision of cyberspace that spawned in science fiction.  This is boring and dusty.  But, while some say nay, some imagine the awesome complexity of that machine.  Look inside.  Systems and subsystems are dancing in electric light, data in motion.  A data bus is connecting peripheral hardware with a multitude of software entities in a field of RAM. Ask yourself how two modules communicating over a bus are different than two computers communicating over a CAT5 cable?  In this, scale is just a matter of abstraction.  The scale and complexity is vast if you zoom in.

Is this #cyber?
Next...
A robotic arm is remotely controlled over wires from 50 feet away, is it #cyber?

This is just a variation of isolation that introduces remote control, perhaps by a human operator.  There are obviously computers involved, and there is a cable - perhaps the CAT5 cable from my previous example.  There is a communication protocol of unknown complexity. There is also an industrial device.  But, the operators are probably confined to a warehouse, and not attached to any large network.  This is where the parallel to the Sayano disaster starts, except that with Sayano the connection was made from 500 miles away, not fifty feet. 

Is this #cyber?
You dial up to the robotic arm using a modem, and give it commands, is it #cyber?
Nearly exactly the same as the previous example except that the connection can be made from a great distance. Does distance matter? The modem is interesting, because the Internet used to run on them.  By exposing this dialup, one exposes a system to the world.  One could say that even the BBS networks that predated Internet adoption were a form of cyberspace.  Telephone networks are complex and span the globe, so they very much smell like cyberspace.  If you think a modem makes it cyber, you are in effect saying that cyber requires networking.  And, not just networking, but also networking of a certain scale.  If you define it this way, then ask where the threshold lies?

Is this #cyber?
You have a line of sight network with a homemade model airplane that carries a video camera, is it #cyber?
Modern in terms of technology, but small in terms of networking.  Not altogether different than the robotic arm example.

Is this #cyber?
The military has a fleet of remotely controlled drones over a city, is it #cyber?
The drone programs used by the military are 100% cyber if you use the media as the yardstick.  There is no better poster child flaunted by the modern, technically advanced military.  Any distinction between the small UAVs controlled by a single soldier and the big UAVs controlled by teams of soldiers seems superficial, doesn't it?  The context of cyber here is not the scale of networking, but the laws of warfare.  Nation states using computers for war is often called cyber, without regard to the details of the technology itself.

A cloud computing infrastructure running millions of lines of code, but isolated in the lab and not being attacked by anyone, is it #cyber?
The isolation case is being beaten to death here, but now consider the idea of the system being attacked.  Even if a complex system is not networked, if it's being attacked by someone does that make it a cyber attack? What if it’s a criminal, not a nation state, is it still cyber?  Cyber is used in conjunction with criminal law all the time. “Cyber-crime” is widely accepted to mean non-state actors operating for personal gain, and has little to do with details of the computing technology used.  Cyber is being applied to both state and non-state computer attacks. And, hacktivism has blurred the ideological lines between warfare and crime.

The above mentioned cloud infrastructure is a server running the latest virtual-reality MMO with over 10 million users, is it #cyber?

OK, this was a loaded question - we can all agree on an MMO that has over 10 million users.  We can probably agree that this virtual world can be called a "cyberspace".  It, after all, is the closest real representation of the fantastic imagined world of cyberspace spawned in science fiction many years ago.  An attack on this system would most assuredly be called a cyber attack in the media.

By this definition, cyberspace is a computing environment where structure can be visualized (at least in the mind). There is some level of interaction between forms, the most basic being programs interacting with data, and evolving to programs that act as an extension to a human operator.  The MMO example is simply the evolved case of a virtual reality space.

Starting with isolation again…

There is an old, isolated, non-networked computer, but it has a USB port, is it #cyber?

All we did here was introduce a non-networked interface into the otherwise isolated computer.  If this is cyber, then so is the old 1980's-era computer from above if it has a floppy drive.

Is this #cyber?
If it's an old, isolated computer with a USB port, controlling a SIEMENS S7 PLC, is it #cyber?

Yeah.  So if old isolated computers are not cyber, then the Stuxnet attack on the Iranian nuclear plant isn't cyber either.  That is, unless cyber is defined as a malicious attack.  But if it’s only defined as attacks, that means an accident that wipes out 10 million users in that MMO isn't a cyber event, just an IT accident.  Albeit, an IT accident that just wiped out a cyberspace by most accounts. 

If cyber has to be a malicious attack, then Sayano was not cyber.  But, if cyber merely means networking of a certain scale, or remote connections, or is independent of the age of the system, then Sayano was a cyber accident.  And more importantly, a cyber accident that illustrates what could happen to a hydroelectric dam if it were under cyber attack.

A computer of any age with a backdoor installed by a foreign intelligence service, is it #cyber?

Just introducing motive and ideology - a nation state sponsored attack on a computer system would definitely be called a cyber attack by most accounts.  And, it wouldn't matter if that system were a complex computing environment, or a lowly embedded system on a security camera.

Is this #cyber?

An experimental and 100% _mechanical_ computer is backdoored by a foreign nation using sabotaged punch cards, is it #cyber?

Of course it is.


-Greg

Thursday, July 25, 2013

The script kiddie is dead

SQL attacks are pervasive; the result is leakage of credentials. Millions of username/email + password pairs have been stripped out of compromised SQL servers and posted into public spaces. Thus, attackers are routed to corporate surface areas when employees use their work email when registering on 3rd party application sites. The insidious part is that corporations are exposed to attack even when their enterprise infrastructure is secure. The problem swells when employees re-use their passwords across multiple sites. Even when the corporation has adopted two-factor authentication and strong password policies – an attacker may still gain access to employee personal data. That personal information can lead to secondary attack vectors against the corporation – such as direct access to the employee’s home network, mobile computing devices, and cloud data. With such vast amounts of contextual data available, it would only be a matter of time until a focused attacker can leverage something to further access into the enterprise. Previously the stuff of spy novels, attacks such as software bugging an Android phone are now very real.

While some security consumers still think of SQL attacks as Plebeian, they should remember that in Verizon’s 2013 Data Breach Investigations Report™ (DBIR), 76% of network intrusions exploited weak or stolen credentials. Please remember that these stolen credentials are being posted by the millions into publicly shared cyberspaces, largely downstream of an SQL injection. Furthermore, it would be ludicrous to think that a foreign intelligence service doesn't have a desk devoted only to exploiting these leaked credentials – it’s free access. And beyond that, consider they may also have a budget to maintain cyber-criminal personas for directing contractors at targets or purchasing stolen information.

Credentials stolen over approx 12 month period by a single non-state actor (courtesy Veraxes)
A few years ago, some security marketing programs tried very hard to draw a bright line between cybercrime and APT – but a handful of us took the opposite stance (See Kelly’s article) and illustrated the crossover between cybercrime and APT. Other news stories followed (Krebs, et al).

Regardless of these first hand experiences of security practitioners, security buyers still bifurcate cyber threats into “APT” and “everything else”. In this case, “everything else” means Botnets, Drive-by downloads, Zeus infections, Defacements, and “Script kiddie” attacks on websites. I have heard decision makers in the security organization tell me these are just a low-threat hygiene problem. Perhaps in the past this was true, but threats evolve. [soapbox]Personally I think this is just fallout poisoning from over-aggressive marketing used to educate people about the difference between real intrusions and anti-virus solutions.[/soapbox] Regardless, the idea that malware and script-kiddies are not dangerous is dead wrong.

Before discounting SQL injection, WordPress backdoors, and Drive-by’s as the work of script kiddies or “just cybercrime”, consider that every one of these is a vector for targeted attacks. Of the thousands of credentials for Fortune-500 companies posted to the Internet in the last few months, how many have been subsequently used by hackers to access email or corporate portals?

We are witnessing accelerated exploitation economics.  Knowledge about compromises, no matter how small, will now quickly disseminate across a vast network of blackhat consumers - many of which have the means to leverage small cracks into massive breaches. I have seen a mass WordPress defacer install credential stealers that were then used for lateral movement to other servers.  I have seen an SEO scammer sell server access to an interested 3rd party.  We have to see beyond malware and look at the threat - a threat has his hands on the keyboard. So, when a drive-by download installs Citadel (a Zeus variant) on the network, the corporation is being targeted for IP theft. When a script kiddie puts a webshell on the website, the user credentials are being targeted for follow-on attack and lateral movement. When employee PII is compromised, ask who is downloading thousands of employee emails? How will this data expose your company to greater risks?

Every attack matters. The script kiddie is dead.



Thursday, June 13, 2013

On Precision and Big Data

Most true-positive threat detection is rule based. We use our powers of perception and analysis to find patterns in the data. This is effective because threat behavior is highly repetitive. One can’t say this is data intelligence in the strictest definition, but more of an expert pattern. Although this is behavioral, I argue it still resides on the edge of the signature playpen. This is fine as long as it continues to work for the security marketplace (and so far, it does). Regarding Big Data: instead of ingesting huge quantities of data in the hopes that some needle will become self-evident, I suggest continued development of rigorous expert patterns. Of particular value are patterns that can match against host-endpoint behavior (in conjunction with netflows at the perimeter). I believe this can produce highly effective, non-specific (i.e., resilient) extraction of high-fidelity threat events. With data overload being a huge issue, the role of precision becomes ever more important.

-Greg Hoglund
www.veraxes.com

Wednesday, March 28, 2012

Weaponization of Cyberspace

The weaponization of cyberspace started with the advent of criminal enterprise, and over time has enabled cyber warfare for a mass audience. Some of the best exploitation technology was created for banking fraud. These tools include remote access botnets, multi-platform reliable exploits, command and control schemes, zero-day exploits, and blackhat-VPNs for anonymous access to the Internet.

Because the technology was developed in the underground it can be purchased by anyone - it's unclassified and not controlled by state security. As a result, very advanced attack technology has been disseminated to a greater population and non-state threat actors have emerged. Now individual citizens can access the same weaponized technology that was previously only used by the state-level efforts to conduct espionage that advances national interests. These same 'rogue hacking groups' have emerged with mixed ideological goals - many of them anti-state, religious extremist, and anti-corporate. There are hundreds of internationally organized groups that can be enumerated by anyone willing to do a little open-source intelligence research.

The weaponization of cyberspace is a key driving force that started with criminal enterprise, but has grown into a much larger context. Exploitation of systems can now be combined with the exploitation of online media. I predict that traditional terrorist methods will be replaced largely due to the immediate attention an amateur can bring to their cause by latching on to a brand name and posting their ideological views via the countless social outlets available to them. Because the press does not traditionally frequent cyber cafes in remote parts of the world (where western ideology and freedom isn’t necessarily embraced), would-be terrorists will seek more effective means to distribute and influence from whatever rock they're hiding under. Cyberspace offers far less exposure and risk than carrying a cell phone detonator in a busy marketplace. No, it is far easier to tap out a few keystrokes and get your shot at trending, getting linked, liked, and retweeted. In terrorism the goal is messaging, and those with things to say have found their outlet. Whether highly sophisticated abroad, or in the deepest darkest caves, or down in the basement of their parents’ home, the Internet is their soap box.

-Greg

Friday, March 9, 2012

The Changing Face Behind the Keyboard

At my recent RSA presentation, I talked about the evolution of cyber threats over the last decade and the slowly shifting goals and intent of the hacking groups behind them. Most of us remember the romantic hacker vision - the lone college student exploring systems for fun, not profit. Mostly harmless, this quest for learning at the center of the hacker ethic led to tremendous innovation in Silicon Valley and elsewhere. But the advent of online banking in the mid-2000's changed everything. The criminal goal became profit. This created a malware economy, and something I call the "weaponization of cyberspace" - a trend towards making cyber weapons easier and easier for non-programmers to use. Then, around 2005-ish, we started to see organized and wide-scale attacks into military and defense systems that seemed to originate from foreign intelligence. The malware behind these attacks was not altogether different from known toolkits (think Back Orifice 2000) - but far more interesting was the fact that these toolkits were custom-made and each attack group seemed to compile their weapons from private source code. It didn't take long for these attackers to branch into commercial space - most specifically heavy industry and energy. This made sense from a national perspective as China's (and others') need to dominate the world energy market is critical to their expansion.


Now, with hacktivism, non-state actors are targeting these very same systems. These rogue threats are focusing on manufacturing, defense, the financial sector, and more - organizations traditionally targeted by state-level espionage.

So, what is next?

While attitudes against the state are a common recurring theme in younger people in every nation, they rarely blossom into full-blown terrorism. Yet, that is exactly what is occurring right now. As cyber warfare shifts from a state-level coordinated espionage operation to unstructured personal action, the chance for attacks (both physical and cyber) on citizens and the livelihoods of innocent people increases dramatically. The Internet will play a big part in future terrorist attacks - not just because systems can be hacked, but also because of how the Internet has changed media and journalism. As I detailed in my post on Asymmetric Warfare and Cyber Terrorism last July, remember that terrorism is first and foremost about messaging. Blurring the lines of truth, the Internet mediasphere has surpassed all other forms of traditional journalism and has become an information weapon, disseminating propaganda in conjunction with social media campaigns far more effectively than a single actor detonating a car-bomb in Karachi could ever achieve.

I will be giving a webcast version of my RSA presentation next Wednesday (March 14th, 11AM PST) for those who are interested. The RSA registration link is here.

-Greg

Wednesday, November 2, 2011

Detecting APT Attackers in Memory with Digital DNA™

HBGary’s Digital DNA™ system is an alternative to traditional signature-based approaches to detecting malicious backdoors. While the “APT is not Malware” mantra is common, APT commonly use malware. To be precise, APT is just a hacker in the network. Remote access to the network is guaranteed only through stolen VPN credentials, or through the placement of a remote access tool (RAT) – in other words, malware. So, enter DDNA.

DDNA is designed around generic detection of subversive code. To do this, HBGary disassembles everything on-the-fly and pushes it through a sieve of regular expressions that match against control flow and data flow features. I thought it would be fun to delve into some specific examples.

As Martin recently pointed out in his blogpost, APT has started to use in-memory injections as a means to hide code. We have noticed remote-access functions injected and split over a range of memory allocations.


In the screenshot, you can see a dozen 4K (0x1000) allocations injected into explorer.exe. (Note: this type of activity can be detected using the free Responder CE.) Each page of memory only contains a tiny portion of the overall malware – something that would frustrate most AV scanners. However, the allocations themselves are suspicious to Digital DNA™, and in particular the last page has a suspicious code fragment that scores quite heavily in Digital DNA™. This illustrates why a filesystem-only view is not sufficient to detect APT tools. Many advanced techniques involve modifications to the running system and can only be detected in memory.

In this example, the hacker hasn’t hooked anything. Instead, he starts some additional threads to service the malware code. Even though the malware has been split over a dozen pages, the hacker has only started two threads. In this example, allocations #8 and #11 each host a thread subroutine. The other memory pages each hold specific subroutines. For example, one of the memory pages has a function for installation into the registry, while another has a function for hiding a copy of the malware in an alternate data stream. It’s these suspicious behaviors that Digital DNA™ is focused on detecting. Furthermore, it’s the behaviors being used together that will really light up color-coded DDNA alerts.

One suspicious feature is when code exists outside the bounds of a known module. This will occur if the hacker allocated additional space for storing an injected routine. This is commonly done using VirtualAllocEx(), but can also be achieved using the stack of an injected thread. In the latter case, CreateRemoteThread() is used with a stack size argument large enough to store an injected routine. In either case, executable code is detected outside of a defined module, and this will score as suspicious by default even without further analysis.
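As an added example (not HBGary's or Digital DNA's code), here is the "code outside a known module" check from the paragraph above reduced to its essentials: given the loader's module list and a VirtualQuery-style memory map, flag every executable region that no module covers and give it a small score. The process map, the Module/Region types and the scoring weights are constructed for this illustration; only the page-protection and memory-type constants are real Windows values.

```python
"""Flag executable memory that lies outside every loaded module.

Added illustration, not HBGary/Digital DNA code.  It applies the "code outside
the bounds of a known module" heuristic to a process map whose entries are
constructed for this example; the Module/Region shapes and the scoring are
assumptions, not the product's data model.
"""
from dataclasses import dataclass
from typing import List

# Page-protection and region-type constants from winnt.h / MEMORY_BASIC_INFORMATION.
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE = 0x20000     # VirtualAlloc'ed memory, not backed by a file
MEM_IMAGE = 0x1000000     # memory mapped from a PE image


@dataclass(frozen=True)
class Module:
    """A loaded PE image as the loader reports it (name, base address, size)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Region:
    """One entry of the process memory map, VirtualQuery-style."""
    base: int
    size: int
    protect: int
    mem_type: int


def is_executable(region: Region) -> bool:
    return bool(region.protect & EXEC_MASK)


def find_orphan_code(modules: List[Module], regions: List[Region]) -> List[Region]:
    """Executable regions whose base address falls inside no known module."""
    return [
        r for r in regions
        if is_executable(r) and not any(m.contains(r.base) for m in modules)
    ]


def score_region(region: Region) -> int:
    """Toy suspicion score (assumption): each trait that points away from
    legitimately loaded code adds one point."""
    score = 1                                   # executable and outside every module
    if region.mem_type == MEM_PRIVATE:
        score += 1                              # private allocation, not an image mapping
    if region.protect & PAGE_EXECUTE_READWRITE:
        score += 1                              # writable and executable at once
    return score


# Constructed process map: explorer.exe, kernel32.dll, a heap, and two injected 4K pages.
SAMPLE_MODULES = [
    Module("explorer.exe", 0x01000000, 0x000FF000),
    Module("kernel32.dll", 0x7C800000, 0x000F6000),
]
SAMPLE_REGIONS = [
    Region(0x01000000, 0x00001000, PAGE_READONLY, MEM_IMAGE),              # PE header
    Region(0x01001000, 0x000C0000, PAGE_EXECUTE_READ, MEM_IMAGE),          # explorer .text
    Region(0x7C801000, 0x00080000, PAGE_EXECUTE_READ, MEM_IMAGE),          # kernel32 .text
    Region(0x00150000, 0x00010000, PAGE_READWRITE, MEM_PRIVATE),           # heap, not code
    Region(0x00A20000, 0x00001000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),   # injected page
    Region(0x00A30000, 0x00001000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),   # injected page
]

if __name__ == "__main__":
    for r in find_orphan_code(SAMPLE_MODULES, SAMPLE_REGIONS):
        print(f"0x{r.base:08x} size=0x{r.size:x} score={score_region(r)}")
```

On the constructed map the two private 4K RWX pages are reported and the image-backed .text sections and the heap are not; a JIT or a packer would also trip this check, which is why the page treats it as one score among many rather than a verdict.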

Moving further, however, injected code is typically handwritten assembly. In most cases, the operational code will not resemble known compiler patterns (such as code compiled by Visual C++ or Borland). In particular, the code may contain position-independent operations – function calls and data references that are designed to work independent of the address where the code lives in memory. These are further indicators of suspicion. In my experience, the only time this kind of code appears in a legitimate binary is when DRM is being used (DRM looks and smells like malware anyway).

To look back at our example, it had some interesting techniques for embedding data inline with code:


In the example, you see the “w32_32” string in use, but what makes this interesting is how the string is embedded inline to the code. Right before the string we see a short call that jumps over the string, and code execution continues on the other side. Again, this idiom is suspicious and can be detected generically, as opposed to reliance on a specific string or byte pattern.
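As an added example that is not part of the original post or of the product, here is a generic scanner for the idiom just described: a CALL rel32 whose small forward displacement skips a NUL-terminated printable string, so the string's address is left on the stack for the code at the call target. The byte sequences and the list of "networking related" names are constructed assumptions for the illustration.

```python
"""Spot the "short call over an inline string" idiom in raw x86 code.

Added illustration, not HBGary/Digital DNA code.  The byte sequences below are
constructed for the example; the set of "networking related" names is an
assumption used only to mirror the trait described on the page.
"""
import struct
from dataclasses import dataclass
from typing import List

# Names a defender might treat as networking related (assumption, illustrative).
NETWORK_NAMES = {"ws2_32", "wininet", "winhttp", "urlmon", "wsock32"}


@dataclass(frozen=True)
class InlineString:
    offset: int            # offset of the E8 opcode
    text: str              # the string the call skips over
    network_related: bool


def looks_network_related(text: str) -> bool:
    name = text.lower()
    if name.endswith(".dll"):
        name = name[:-4]
    return name in NETWORK_NAMES


def find_inline_strings(code: bytes, max_len: int = 128) -> List[InlineString]:
    """Scan for E8 rel32 where rel32 is a small forward displacement and the
    skipped bytes are a NUL-terminated printable ASCII string."""
    hits = []
    i, n = 0, len(code)
    while i + 5 <= n:
        if code[i] == 0xE8:                                   # CALL rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]    # signed displacement
            start, end = i + 5, i + 5 + rel                   # skipped bytes / call target
            if 2 <= rel <= max_len and end < n:               # target must be a real byte
                blob = code[start:end]
                if blob[-1] == 0 and all(0x20 <= b < 0x7F for b in blob[:-1]):
                    text = blob[:-1].decode("ascii")
                    hits.append(InlineString(i, text, looks_network_related(text)))
                    i = end                                   # resume at the call target
                    continue
        i += 1
    return hits


# Constructed code fragment: two instances of the idiom plus a backward call that is not one.
SAMPLE_CODE = (
    bytes.fromhex("558bec")            # push ebp; mov ebp, esp  (ordinary prologue)
    + bytes.fromhex("e807000000")      # call +7: hops over the 7 bytes that follow
    + b"ws2_32\x00"                    # inline string; its address is now on the stack
    + bytes.fromhex("5b")              # pop ebx: the pushed "return address" is the string
    + bytes.fromhex("e808000000")      # call +8
    + b"wininet\x00"
    + bytes.fromhex("5e")              # pop esi
    + bytes.fromhex("e8f0ffffff")      # backward call: not the idiom
    + bytes.fromhex("c3")              # ret
)

if __name__ == "__main__":
    for hit in find_inline_strings(SAMPLE_CODE):
        flag = " [network]" if hit.network_related else ""
        print(f"+0x{hit.offset:04x}: call over {hit.text!r}{flag}")
```

The scanner keys on the control-flow shape, not on any particular string, so a renamed DLL or an unfamiliar API name still produces a hit; the network-name lookup only adds the extra weight the page describes for networking-related strings.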


In the case of Digital DNA™, code 16 30 detects short calls and jumps over inlined networking related strings. How did we get here? HBGary detected that some APT groups were producing this code pattern as a result of some code-level anti-forensics tools. This is exactly the kind of pattern that produces big wins on the detection side as the code is often cut-and-paste or the obfuscation is applied in batch to otherwise custom-compiled malware. (Of course, now that I’ve blogged about it they will switch off to another trick – it’s OK, we have thousands of traits to detect suspicious behaviors).

Another example of handwritten code is the CRC function used by the hacker to load his table of function pointers. This CRC-based technique has been around in shellcode for a long, long time (digression: I think I released the first public CRC loader in shellcode in the early 2000’s – it was 32-bit CRC. Thinking back, Halvar Flake publicly released a better and smaller 16-bit CRC loader in shellcode shortly afterward. The technique has been written about many times since).

The routine that actually calculates the CRC is usually hand-made – so it too can become a form of attribution. But even if it’s not hand-made, the proximity of CRC to a GetProcAddress() call would be indicative of this pattern. In our APT example, the author has created a CRC for loading a function table:


The CRC calculation is referenced from a routine that is rolling through KERNEL32.DLL and calling GetProcAddress(). This pattern screams for attention “Hey! I’m malicious!”


So again, Digital DNA™ for the win. The CRC can be detected using a generic method, and when detected in control flow in proximity to a GetProcAddress() loop, it scores hot with trait C3 F7.

These are just some examples of how Digital DNA™ focuses on analyzing the code itself, as opposed to blacklisted MD5s or ASCII strings. It is not possible to specify these behavioral patterns with simple languages like OpenIOC or even ADXML (Active Defense’s XML for scan policies) – they can only be detected programmatically. That is why our product Active Defense doesn’t depend on IOCs alone to do the job – in fact, Active Defense starts with full physical memory analysis and Digital DNA™ sequencing. IOCs come second and only if the user wants to extend the default detection capability with custom threat intelligence. The two methods work well together, Digital DNA™ to detect new and unknown threats, and IOCs as a follow-up sweep for known APT behaviors.

Using IOCs effectively

One of the reasons we invented Digital DNA™ is because IOCs alone aren’t good enough. A problem arises when IOCs are only used to detect known threats. Think about this – if your IOCs are just a blacklist of recently discovered malware MD5s and unique strings then it’s equivalent to a small AV dat file. Even though IOCs can be used to detect TTPs (i.e., scanning the enterprise for split RAR archives or recent use of ‘net.exe’) we generally see them employed to detect specific malware files. If your organization has a database of IOCs then look for yourself. How many entries have MD5 checksums? How many are specific to a malware sample, a specific registry key used to survive reboot, etc.? If you see an overabundance of these signatures then beware – this is the same old blacklist-driven security model that has been failing us for over 10 years now. On the other hand, if you are using IOCs to scan for more generalized things, such as command-line usage, access times on common utilities, executables in the recycle bin, etc., then you are on a far better trajectory. I support open intelligence sharing, but I caution you against falling into the “magical strings” bucket. Too often our industry shares threat intelligence in the form of blacklisted MD5s or IP addresses – this kind of threat intelligence is nearly useless.
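The audit suggested above can be mechanized. As an added example that is not HBGary's or Active Defense's code, the script below reads an OpenIOC 1.0-style document, classifies each IndicatorItem by its search term, and reports how much of the set is sample-specific (hashes, unique strings, one persistence key) versus generalized (command-line usage, split-archive file names, recycle-bin paths). The document is constructed with placeholder values; the element names follow the OpenIOC schema as assumed here, and the classification table is likewise an assumption.

```python
"""Audit an indicator set for "magical strings" versus generalized TTP checks.

Added illustration, not HBGary/Active Defense code.  SAMPLE_IOC is a constructed
OpenIOC 1.0-style document (element names as assumed here, placeholder values,
not real indicators); the split between sample-specific and generalized search
terms is an assumption a defender would tune for their own library.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict

NS = "{http://schemas.mandiant.com/2010/ioc}"

# 'search' terms that tie an indicator to a single sample or artifact (assumption).
SAMPLE_SPECIFIC = {
    "FileItem/Md5sum", "FileItem/Sha1sum", "FileItem/Sha256sum",
    "FileItem/StringList/string",
    "RegistryItem/Path", "RegistryItem/KeyPath", "RegistryItem/ValueName",
}


def classify(search: str) -> str:
    return "sample-specific" if search in SAMPLE_SPECIFIC else "generalized"


def audit_ioc(xml_text: str) -> Dict:
    """Count IndicatorItems by class and return the sample-specific ratio."""
    root = ET.fromstring(xml_text)
    counts = Counter()
    rows = []
    for item in root.iter(NS + "IndicatorItem"):
        ctx = item.find(NS + "Context")
        content = item.find(NS + "Content")
        search = ctx.get("search", "") if ctx is not None else ""
        value = (content.text or "").strip() if content is not None else ""
        kind = classify(search)
        counts[kind] += 1
        rows.append((search, item.get("condition", ""), value, kind))
    total = sum(counts.values())
    return {
        "total": total,
        "sample_specific": counts["sample-specific"],
        "generalized": counts["generalized"],
        "specific_ratio": counts["sample-specific"] / total if total else 0.0,
        "rows": rows,
    }


# Constructed sample: four blacklist-style entries and three TTP-style entries.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000000">
  <short_description>Constructed sample, placeholder values only</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">11111111111111111111111111111111</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="FileItem" search="FileItem/StringList/string" type="mir"/>
        <Content type="string">PLACEHOLDER_UNIQUE_STRING</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
        <Content type="string">HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\placeholder</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="ProcessItem" search="ProcessItem/arguments" type="mir"/>
        <Content type="string">net use</Content>
      </IndicatorItem>
      <IndicatorItem condition="matches">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">\\.part[0-9]+\\.rar$</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
        <Content type="string">$Recycle.Bin</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

if __name__ == "__main__":
    report = audit_ioc(SAMPLE_IOC)
    for search, cond, value, kind in report["rows"]:
        print(f"{kind:16} {search:30} {cond:9} {value}")
    print(f"{report['sample_specific']}/{report['total']} sample-specific "
          f"({report['specific_ratio']:.0%})")
```

Run over a real library, a high sample-specific ratio is the "small AV dat file" the paragraph warns about; the rows list makes it easy to see which entries could be rewritten as generalized checks.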

HBGary’s managed services team generates many IOCs in the course of their work, and I am happy to say that we share all of them with our Active Defense customers – we don’t keep them secret. They are provided automatically in the form of a library that is auto-updated. Customers can pick and choose from many search definitions and use these as a basis to create their own custom searches. Our team tries to steer away from malware-specific indicators, and instead focuses on the generic attack patterns that can be detected at the host. We give these to our customers because we want them to get the most from our software. We enable people to be self-reliant.

When you use Digital DNA™ and IOCs together, you aren’t relying on a “magical bag of strings” that goes stale every two months. Instead, you are detecting new threats and then using IOCs to apply attrition against the attacker’s persistence. This is a strong defensive position. This is why our proven behavior-based solution approach is increasingly winning us new customers – even unseating our competition in many accounts.

-Greg

Thursday, September 22, 2011

APT - The Plain Hard Truth

The survivors from the front line have reported in. We stand on the ridge, a tangled mess of bodies behind us. We are the ones who have chased the demon, descending into the binary pit the users call the “enterprise”, and climbed up the other side. What we have seen is not pretty. The collective corporate filesystem is a parking lot for castaway software barely able to run on modern operating systems, squeezing the last bit of life out of burned out win32 DLL’s. There are big piles of unwashed garbage downloaded by employees that were passing by, never deleted, never clean. The strangest mutated crap has been swept tightly into temporary directory corners that have since calcified and become permanent.

More than a single digit percentage of these software programs are a biohazard. Some are just plain broken, wheezing out juice from a hooked windows message chain just long enough to cough up and die, only to be resurrected by the swift kick of a boot-time registry key the next time the machine reboots. Some have pretty little labels of well-known companies – clearly so you won’t look twice at them and notice how they are exfiltrating personal browsing statistics and other data to some cloud server – really like malware but allowed by the EULA that you didn’t read. Some of these things don’t seem to have any purpose but to act as a low-fidelity binary listening device.

Everything looks bad. So, it’s no wonder that hackers can just plug something new in and nobody notices. As long as it doesn’t infect five million residential banking customers then nobody is going have a description of the suspect. That is the reality of hacking today, and it has nothing to do with advanced persistent threat. It has to do with the enterprise and the complete LACK of control you have over the endpoint. When security is limited to the network perimeter, you are not in control. Oh, and what a breath of fresh air the mobile device is. A new pile of software, mostly social media, that is directly connected to thousands of strangers that are not your employees, communicating in real-time with processes running within your defensive wall. In effect, you now have thousands of potential multi-homed routers to 3G-space* from your network that don’t belong to you.

*4G if you're lucky

Here are some basic security facts:
  • Today, malware is a tool for persistent adversaries
  • Adversaries are financially or politically motivated
  • Intrusions involve a real human being or hacking group that targets your organization directly (*)
  • Attackers are motivated to steal something from your network
*Somehow in the mid-2000’s it seems like the security industry lost its way and forgot about the basic tenets of Hacking Exposed – unfortunately you cannot condense a set of MD5 checksums out of the hacker problem.
Recently during presentations I have outlined three primary threat groups we face today. I have illustrated the evolution of these in the following diagram.


A. Criminal Enterprise – these are the guys who make more money than drug cartels and the reason a malware economy emerged over the last few years. This is what mere mortals mean when they talk about malware, and the reason people get malware and hackers mixed up all the time.

B. Rogues – these are the hacking groups that you can enumerate on any given day. There are hundreds, if not thousands worldwide. These guys are all capable. The graph expands much slower than criminal enterprise because they aren’t fueled by cash. As early as 2000 these guys were already defacing, DDOSing, and partaking in ‘mostly harmless’ hackery. Yet, a small subset have always been deeply malicious and get pleasure out of destroying things. Others pick up a cause and act like cyber terrorists. And still others really are cyber terrorists.

C. Rogues meet cash - these hired mercenaries are the ones who write malware, sell zero day, and get sucked into the vortex of organized crime. These guys are very, very dangerous.

D. The problem today - all the membranes have been breached - the threat is blended. We live in a time where a state interest can simply buy access to adversary networks from criminals who are selling their botnets. Where state sponsored attacks can be vectored through private hacking groups. Where private hacking groups can fund their operations from cybercrime, while targeting corporations and governments with methodology indistinguishable from APT. There is no tidy bucket to place the threat, all the wires are now crossed. The only thing that is consistent here is that hacking is hacking, and it always looks and smells the same when you see it. This is why the term ‘APT’ is so tired.

E. Private hackers working for the man - when you catch Chinese malware in a DoD contractor network, it almost always looks like it was written by a “kid”. This “kid’s” malware is then used to steal the plans for a weapons program that can only have value to the PLA. All the security vendors looking at APT come up with corny little codenames for all the hacking groups (HBGary included), but at the end of the day it’s all the same thing.

F. Thank God for APT - a board room level term that we can all use to cover our you-know-what when we tell the man our millions of dollars in security spending has done nothing for us.

If you want a no-holds-barred, no excuses, and no-snakeoil analysis of APT and the reality of countering it, you should check out HBGary’s new whitepaper The New Battlefield.

-Greg