Vulnerabilities / Threats

5/22/2015
10:30 AM
Michael McMahon
Commentary

Cyber Threat Analysis: A Call for Clarity

The general public deserves less hyperbole and more straight talk

I must admit that I have grown increasingly weary of the constant harangue in the popular press about the ever-increasing volume and severity of “cyber attacks” worldwide. The apocalyptic language, the fear mongering, and the dearth of clear, simple explanatory language obscure an already complex topic. The general public deserves less hyperbole and more straight talk.

Don’t get me wrong. I’m not downplaying the threats we face. Advanced persistent threat actors are homesteading on sensitive federal agency and corporate networks. Threats to industrial control systems (ICS) put critical facilities and whole economic sectors at risk. Denial-of-service attacks, financial compromises, and intellectual property theft disrupt our economy and sow distrust in our banking and commercial sectors.

As analysts, we must better frame this public discussion. We can start by doing what we do best – defining and explaining the nature of the problem we confront. Commentators often lump together a wide range of malicious network activity as “attacks,” disregarding the fact that we can distinguish activity by type, intent, and degree. These differentiations matter; they speak to the nature and intent of the threat actors, which ultimately is what we should be most concerned about.

Espionage & Attack
Traditionally, we differentiate between espionage and attack, and we should do the same with network activity. When the Justice Department indicts a Robert Hanssen, or arrests a group of Russian “illegals” living in the United States, we do not characterize their espionage as “attacks.” Nor should we label the reported intrusions into the White House and State Department networks as “attacks,” lest we conjure up images of combat and destruction that are inappropriate to the event. Perhaps labeling every cyber incident as an “attack” advances some political or corporate purposes. As analysts with a professional commitment to critical thinking, we must play stronger roles in structuring this conversation in ways that advance our collective understanding.

A real network attack modifies the function of a network, or of a physical system that the network controls. We now witness first-generation network attack capabilities taking the field: industrial control system attacks in Iran (Stuxnet, 2010) and Germany (the steel mill incident disclosed in 2014), and corporate network attacks in Saudi Arabia and Qatar (Shamoon, 2012), South Korea (2013) and the United States (Sony Pictures, 2014). Federal agencies and security firms continue to identify industrial control attack tools (some of which had gone unrecognized for years) that may reside on any number of sensitive control systems worldwide. The global proliferation of increasingly destructive network attack capabilities warrants serious attention and must be clearly differentiated from espionage.

A Chinese hacker stealing intellectual property from a US defense contractor is qualitatively different from a BlackEnergy implant in a natural gas pipeline control system. Both are malicious, but they differ substantially in intent and in the degree of potential impact: the first copies data and leaves the system running as before; the second positions an actor to alter or halt a physical process.

Sometimes clear differentiation eludes us. Espionage and attack often employ the same means of ingress, exploitation, and persistent presence; the two usually diverge only at the final stage, when the intruder either exfiltrates data or modifies and destroys. Some operations—such as the Sony Pictures Entertainment hack—combined elements of both, stealing data before wiping systems. These challenges should compel us to explore new ways to clearly identify and characterize cyber threats.

A way forward
As analysts with a dedication to tradecraft, we must seek out approaches that better differentiate malicious activity by type and intent. We must move the conversation past malware and digital forensics, which surely play a vital role in cyber intelligence but often offer limited explanatory power for key audiences. Most importantly, we must develop tradecraft that anticipates future threat environments, rather than simply describe and characterize present (or past) ones.

We should resist taking the bait that the popular press offers: to lump together all threat activities under one moniker of “attack.” Failing to offer at least some degree of activity differentiation only contributes to the malaise that strangles our general discussion on the nature of cyber threat.

Do not dismiss the general public as incapable of understanding the technical nuances of cyber threat activity. Our audiences are savvier than we give them credit for; to condescend to them or even write them off altogether is simply high-tech hubris. Even more important, popular understanding matters. An informed public discourse—the cornerstone of any democratic society—forms the basis for developing sound public policy. In our role as analysts, we owe this process the best of our tradecraft, our intellectual rigor, and simple clarity.

Michael McMahon is Director, Cyber Strategy and Analysis at Innovative Analytics & Training, LLC, a Washington, DC-based research consultancy and professional services firm. Mike is a 25-year veteran of the US intelligence community, serving most recently on the National ...
Comments
Joe Stanganelli,
User Rank: Ninja
5/29/2015 | 2:32:43 PM
Re: Respectful Disagreement
Well put, Palladium.

I recently attended the MIT Sloan CIO Symposium at the MIT campus, and during a cybersecurity panel session, one of the speakers hammered home the point that you could have the best security system in the world, but if you don't lock the doors and you leave your windows open, it's all for naught.

And yet, that's exactly what many companies are doing.
Paladium,
User Rank: Moderator
5/29/2015 | 5:39:02 AM
Re: Respectful Disagreement
I agree with Joe on this but from a slightly different take.  The article is another in a long string of nice fluffy articles.  Another in a long string of "noise" that is not really helping with the reality we call Security Operations (SecOps).  Far too many security firms and researchers trying to gin up their brand or latest idea are clouding the waters, adding an intense amount of noise that's masking that basic security problem we see virtually every week in the news.

Security basics are just that.  A foundation on which to build FROM, after which you can begin building in specialized security solutions for the unique business you're in.  But without those basics in place first, nothing else really matters.

Take for instance the large amount of vendor product noise out there right now. Some SecOps Team somewhere is struggling to keep pace with their existing security-specific workload because they are still considered a Cost Center and do not have any extra staff lying around to look into the latest slice-of-bread security product. Then along comes some Director or CISO, back from his latest conference, all ginned up on new, fantastical, "solve all your security woes" solutions. He/she wants the SecOps team to look into widget X and get a trial going for widget Y. Both activities pull security analysts away from real-world threat analysis and response. You know... some of the key basics.

At some point that five-man team gets whittled down to 1-2 people guarding the gate. The rest are doing trials, attending extra meetings for the boss, answering Internal Audit's latest barrage of useless questions, and working with the Risk group on formulating the latest Risk deck for the upcoming board meeting. Let's not forget the vacations, sick days, and similar activities that come with being human. To hell with the basics!

Then along comes another article talking about how Security needs to relook at how it classifies or prioritizes threats. Joy. Just what we needed. More talking points with no actual solutions to existing BASIC problems. Just more noise.

Despite the many breaches in the news there are still many, many Directors and CISOs who just don't get it, don't care, or have given up. Their backgrounds are in Risk Management or Audit and they have no clear understanding of WHAT SecOps is, its needs, and how to keep the organization truly safe. They just don't understand the BASICS.

...and they are just another breach waiting to happen.

Joe Stanganelli,
User Rank: Ninja
5/28/2015 | 10:59:04 PM
Re: A way forward
More to the point, basics have to be employed first and foremost. You could have the most sophisticated security systems in the world, but if you're not taking basic precautions, they are all for naught.
Joe Stanganelli,
User Rank: Ninja
5/28/2015 | 10:56:51 PM
Re: Respectful Disagreement
Seems perfectly reasonable to me -- particularly in the wake of the Gartner study that found that the vast majority of businesses cease to exist two years after a major data loss.
Dr.T,
User Rank: Ninja
5/26/2015 | 1:39:54 PM
Re: Tradecraft
Sure. That is a clear indicator that we will continue to be in a security-aware industry and we will continue to spend a lot of money on it. Cybersecurity firms will grow into something that nobody would be able to control.
Dr.T,
User Rank: Ninja
5/26/2015 | 1:37:25 PM
Re: Respectful Disagreement
I do not have any evidence to prove it, but we may be. If not, one thing is for sure: there is now an industry built for security; lots of people are now employed in this industry, and banks and insurance companies are part of it. I know one of my friends recently insured his company against cyber-attacks.
Dr.T,
User Rank: Ninja
5/26/2015 | 1:32:27 PM
Re: Cyber COMs
I agree in general. What we are missing is not a lack of strategic thinkers; it is just not applying strategic thinking to the things we do. What drives the market is cost, quality and time, not really strategic thinking, and that is where we need to create more focus.
Dr.T,
User Rank: Ninja
5/26/2015 | 1:29:21 PM
A way forward
I like the article, thank you for sharing. A way forward has to be about re-thinking and creating the systems we use in our daily lives with security in mind. We cannot really respond to today's security problems with systems designed 10-20 years ago. We need to start thinking about strategies that protect us from the beginning to the end of the system life cycle; trying to catch up with the threats is not the way to go anymore.
Joe Stanganelli,
User Rank: Ninja
5/25/2015 | 10:09:57 PM
Re: Tradecraft
Indeed, I am aware of at least one cybersecurity firm that uses predictive analytics to analyze hacking patterns and determine what future cyber threats/hacks/exploits will be -- and then determines how to combat them.  Neat -- and important -- stuff.
99sbradley,
User Rank: Apprentice
5/25/2015 | 12:33:57 AM
Tradecraft
I especially like the comment about developing tradecraft to anticipate future threat environments, rather than simply describing and characterizing present (or past) ones.