Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

6/24/2015
10:30 AM
Adam Meyers
Adam Meyers
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Why China Wants Your Sensitive Data

Since May 2014, the Chinese government has been amassing a 'Facebook for human intelligence.' Here's what it's doing with the info.

Leading into 2015, the cybersecurity community was still reeling from the impact of a destructive attack unlike any other we have seen in terms of visibility, scale, and impact. Already halfway into 2015, there is no shortage of breaches. We have already witnessed major compromises in healthcare, the US government, the Bundestag, and media being attacked by sophisticated adversaries, in most cases, roaming freely on networks for months at a time.

Attackers from China, Russia, North Korea, ISIS, and even potentially friendly governments have dominated the headlines. In case you have your head in the sand, this is not going away anytime soon. Compared to traditional espionage, "cyber espionage," or CNE as the military likes to designate it, has a lower cost of entry, less risk if you are caught or compromised, and can often yield equivalent intelligence to feed an ever-growing set of interested consumers. For criminals, the use of e-commerce systems and vulnerable payment mechanisms provides an avenue for rapid monetization and prosperity. Activists or hacktivists as they present themselves on the Internet are able to use electronic mediums to disseminate messaging from banal greets to truly meaningful causes that impact people's lives across the globe.

Since May of 2014, the Chinese government has been amassing what can only be described as the "Facebook for human intelligence targeting" from the databases lifted from some of our most fundamental and essential systems. Why would anyone want healthcare records? If you take a step back, these records are part of a bigger picture, used in concert with the personnel records of US government workers and any other databases that have been stolen over the years. The beneficiary of that data can build an interesting picture detailing the confidential history, preferences, behavioral patterns, and more, of millions of potential intelligence targets.

The point that most people miss is that "cyber" data doesn't just get used for cyber attacks, or cyber bullying, or cyber theft. The People's Republic of China doesn't only conduct network-based espionage, they are a major government on the world stage. They have human intelligence collectors whose job is to identify people with access to interesting or useful information and to collect that information. MICE is a common acronym we use in the information security industry -- Money, Ideology, Compromise, and Ego - a simple set of motivations that can be used to entice or coerce a target to provide continued or temporary access to data.

Using stolen healthcare data, these human collectors can identify someone with access to sensitive information who unfortunately has a sick relative. As the healthcare bills pile up and they become increasingly despondent to help their sick relative get the medical treatment they need, an opening begins to emerge. The human collector, if they are able to identify this opening, can approach the target and begin to sow the seed for access, a simple trade of money for information, information that may seem insignificant to the target, but in aggregate across many different sources becomes quite valuable.

[Learn more from Adam about how to consume, operationalize and integrate threat intel during his training session on the fundamentals of intelligence-driven security, Black Hat 2015 Las Vegas August 1-2 & 3-4.]

It has been said that the network defender must be right 100 percent of the time, while the attacker need only be lucky once. The asymmetry of this is terrifying! Your network defenders should be in front of 10 monitors with an intravenous drip of caffeine and sugar twitching at every packet surging across your enterprise. The reality is that this is true, but we have systems and tools to help deter and detect these attackers.

These tools out of the box, while capable, don't necessarily have all the smarts they need to root out these attackers:  these tools need intelligence. Intelligence-driven security means learning from previous attacks whether successful or not, and incorporating what you have learned into your defense posture. The military, in dealing with asymmetry encountered in Latin America in the 1980's pioneered a process for incorporating intelligence into their targeting processes that has been continuously improved upon in the past 10 years.

This process involves taking the intelligence gleaned from every action, operation, or encounter and feeding it into the next operation to rapidly adapt to the changing environment. This same process introduced into security operations, what I call intelligence-driven security, can drive the cost of protecting the enterprise down, while simultaneously allowing the Security Operations Center (SOC) to have meaningful conversations with the business owners, the C-Suite, and the Board. Enterprise security isn't just about blocking malware anymore, it's about protecting the business and against dedicated and sophisticated threat actors.

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
6/26/2015 | 9:31:47 AM
Re: Have you considered....
It makes sense. In US we have been already experiencing those types of analytics driven targeting individuals. That is what Google, Facebook, Amazon, ... and other social media networks are all bout. Knowing what you do, what you buy and target you based on the knowledge gain from it. This includes medications and other health related products.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/26/2015 | 9:26:02 AM
Re: That follows my own thinking as well
Interesting... There is always some type of related undercover operation when we think China, they are just doing what all other countries have been doing for long time. :--))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/26/2015 | 9:23:08 AM
Re: Have you considered....
I hear you. Or the reason as simple as if you know more information about the public you can adjust, control and do better in sating in power. It may be as simple as that.  :--))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/26/2015 | 9:20:55 AM
intelligence-driven security
I agree with the article. We are going beyond protecting ourselves from malware or DDOS attacks to your network infrastructure or systems. It is becoming more about protecting overall business and customer and employee private information. As recent attacks, such as Sonny Pictures and Federal Employees, show it is becoming very costly to lose any employees' personal information.
Adam Meyers
100%
0%
Adam Meyers,
User Rank: Apprentice
6/25/2015 | 3:59:31 PM
Re: Have you considered....
Absolutely - in fact the Chinese agenda for healthcare is well documented in the 12th Five Year Plan. The Chinese have interest in not just pharmaceutical drugs, but also medical technology ranging from advanced diagnostics to simple stints and tubing. As China continues to mature they are increasingly facing a huge issue in terms of preventable and treatable disease.  In the current 5 yearplan, they also outline the need to improve domestic hostpital systems, and other medical related infrastructure. First to market is one possible outcome, however, there is also a huge potential market domestically in China that can be served through Chinese enterprises. First to market may not be as important as fullfilling the domestic market.

One must also consider multiple intelligence requirements being filled by targeting health insurance companies. This could faciliate future targeting of pharma and medical victims, it could provide insight into how the US Healthcare System works to aid Chinese healthcare systems, and it could be used to facilitate and corroborate information on specific individuals for human intelligence collection. I imagine the answer is all that and more, the Chinese have a lot of work to do as the endeavor to increase their position on the world stage.

 
jries921
50%
50%
jries921,
User Rank: Ninja
6/25/2015 | 3:44:53 PM
That follows my own thinking as well
But it could and probably will be used to recruit agents of influence as well as spies; and I'm guessing that it will also be used to dig up dirt on or otherwise punish persons deemed to be enemies residing in the US.
Kevin Runners
100%
0%
Kevin Runners,
User Rank: Apprentice
6/25/2015 | 8:36:59 AM
Re: Have you considered....
smb2015 is totally right in my opinion. China always wanted to be first to market with Pharma drugs.
smb2015
100%
0%
smb2015,
User Rank: Apprentice
6/24/2015 | 1:16:18 PM
Have you considered....
That a reason China is collecting medical data is to be 1st to market with potential Pharma drugs. The Pharma industry is huge as we all know. China can compete better in this space if they can predict through data analytics what kinds of medical treatments and medicines are going to be in need for US citizens. The amount of data they have collected can easily show trends. The data can also provide China with insight into what Pharma's are doing in the US to treat illnesses (conventional and test treatments). This would given China a bit of a leap in its research efforts.
<<   <   Page 2 / 2
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
CVE-2013-2092
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2013-2093
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVE-2015-3166
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...