Friday, March 12, 2010

The Nature of Funded Threats

Most incidents of espionage are never reported - even though tens of investigations are currently underway as you read this. Without consolidated statistics it will be hard to really understand the damages caused, even the direct, measurable damages. Espionage is not new, and the primary threat to your intellectual property has always been your front door. The only thing new about e-espionage is the 'e'. A few years back I gave a keynote at DFRWS titled "Funded Threats", in preparation for which I had to dig up some statistics. Although this was back in 2007, I would posit that not much has changed between then and now. I found some FBI statistics earlier that year stating that industrial espionage and IP theft was costing US companies more than $100 Billion USD per year. That was only a national figure. Measured worldwide the damages would probably be in the trillions. Those include indirect costs. Also of interest is that over 70% of a corporation's intellectual property is stored online, digitally. It's easy to visualize the changing risk landscape - malware and information living on the same systems. ZDNet had just reported that in 2006, 80% of all malware samples were being missed by the top three AV vendors. Meanwhile, HBGary had just completed an extensive DARPA study into the nature of current rootkit threats (back then everyone liked to use the term 'rootkit' to describe 'advanced' attack tools). The report went dark, but I can sum up some salient points: as early as 2006 there was a global "cyber-arms bazaar" where cyber weapons could be bought and sold. We had samples that would bypass everything (by everything, I mean all the commercial and freeware anti-malware solutions). Most of the participants in this growing black market were foreign to the US. The stuff was well tested and well written, backed by a real software development lifecycle.
One of the most specific things we learned was that every major AV and IDS product was installed and tested against during the QA process. When we presented this material to the DoD we joked around saying "the bad guys' malware is higher quality than the commercial stuff they are exploiting". It was also becoming clear that information monetization was occurring - mostly identity theft. However, certain activities, such as source code theft, established themselves well before the mob figured out how to bank online. If you rewind back five years or more, you are going to find lots of interesting indicators that foretell our current situation. The people who operate malware today are the same people who operated malware back then; it's a career choice.