http://www.symantec.com/content/en/us/about/presskits/SES_report_Feb2010.pdf
Thanks to big yellow for not making us register! Oh, and Adam thanks you for not using pie charts…
They say that Y equals m-x plus b
(well, when you remove the uncertainty).
So let me reveal a secret confession:
You’re the solution to my least squares obsession.
As best as I can describe the characteristics of the threat agents that would fit the label of APT, that threat community is very, very real. It’s been around forever (someone mentioned the first use of the term being 1993 or something) – we dealt with threat agents you would describe as “APT” at MicroSolved when I was there in 2001-2005. We dealt with it as a firewall vendor at Progressive Systems in 1998. This isn’t an “is the APT real?” blog post.
That said, I wanted to talk about why there should be still more discussion around the APT. Hogfly at the Forensic Incident Response blog asks:
“What should matter is how successful they have been. What should matter is defending ourselves. What should matter is how and where we share this information. What should matter is taking this information to those with the ability to do something about it. What should matter is taking the fight to the enemy.
So I ask again, does it matter if this threat is new?”
My response is that it actually matters very much.
We are hearing a new label. Whether the label originated from “the cool kids” or not, it’s being co-opted by marketing. And right now, we’re sort of in this important window of trying to get some understanding, some significant amount of intersubjectivity about what the APT is and what it means to a broader audience. Once that’s established, then we can try to understand what to do. But why does it matter if the threat is new or old?
There is a significant increase in the use of the term. When it’s a BusinessWeek cover story (2008, btw), it gets seen by people. What we need to understand is if this “new” visibility is the result of either a change in the threat landscape or a change in the marketing landscape.
IS APT A SHIFT IN FREQUENCY, A SHIFT IN CAPABILITY, OR A SHIFT IN BOTH FREQUENCY AND CAPABILITY?
If it is a change in the threat landscape, we need to understand what aspect of the landscape is changing. The shift could be said to be one of a few scenarios:
1.) More attacks on the same targets by the same actors. That is, are the government, the defense industrial base, or other targets attractive to certain nation-states experiencing a new number of threat events?
2.) More attacks on new targets by the same actors. That is, are the nation-state actors finding new targets? If so, are their targets of choice changing from organizations that are antagonistic to the policy desires of the sponsor state (certainly the Mandiant report reads like the Chinese are after anyone who threatens their political stability), to other targets – like retailers or hospitals (has, as Mandiant says, the APT become *everyone’s* problem)?
3.) More attacks on the same targets by new actors. That is, it’s not just the usual suspects. If *this* is the case, then we’re seeing a fundamental shift in the capabilities of threats. That is, bad guys who used to be dumb just got a lot smarter thanks to the dissemination of skills/resources (sharing of technique, new access to advanced toolsets, etc) and they are going after all those people who were worrying about the APT in 2003.
4.) More attacks on new targets by new actors. That is, the bad guys who used to be dumb just got a lot smarter and are now trying to use their new smarts against victims who heretofore had not had to worry about the APT.
Finally, the other option is that there is no shift in frequency or capability, but there is a shift in marketing budgets. I tried to run a Google Trends search on “Advanced Persistent Threat” but got:
Your terms – “Advanced Persistent Threat” – do not have enough search volume to show graphs.
And “APT” trend search was clouded by other things that shared the same TLA.
WHAT DO YOU THINK?
I’m not sure what we’re seeing. I was personally disappointed by the Mandiant report’s lack of demographics and frequency information. I’m ready to believe that we’re seeing a fundamental shift in distributions concerning the threat agents, but there wasn’t anything in the report to support that notion. I will leave you with a couple of items from the Verizon Report, though, and I’ll let you draw your own conclusions, given that the Verizon data set isn’t heavy on what we might call the Defense Industrial Base – those folks already live and breathe this stuff – and this data is from 2008.
[Charts from the Verizon report: Source of attacking IP; Targeted vs. opportunistic attacks; Trend in use of customized malware; Time to discovery]
From Less Wrong: http://lesswrong.com/lw/1qk/applying_utility_functions_to_humans_considered/
I’m at The Open Group Security Forum this week in Seattle, speaking about risk and stuff. Adam gave a great talk about Security: From Art to Science. One recurring theme all week was the need to borrow from disciplines outside of Comp Sci and Engineering. When we think about the data owner and their decisions regarding “guns vs. butter” – I’d be willing to bet that utility theory and decision theory have plenty of wonderful bits of experience and knowledge we should be familiar with.
So last night the family and I sat down and watched a little TV together for the first time in ages. We happened to settle on the X-Games on ESPN, purely because they were showing a sport that I can only describe as Artistic Snowmobile Jumping. Basically, these guys get on snowmobiles, jump them in the air, flip around and stuff, and then a panel of judges scores their efforts. I suppose the criteria are like ice skating or gymnastics, where they score creativity and technique and so forth… If you haven’t seen this sport, here’s a little YouTube video of what it’s like:
So we’re watching this sport on ESPN, and after a while I’m noticing a couple of things about the scores. First, they’re using a 100 point scale, and all the scores are coming in between 85 and 92. Fine, I suppose they’re summing up a number of elements.
Then this one rider scores an 88.3. Point Three. Seriously, what judge decides to go decimal? You know, a 100 point scale isn’t good enough, I really need the precision of that tenth of a point to determine if the member of “Team Slednecks” is that much better than the “Red Bull Rockstars” or whatever.
Their judgment was based on wishful thinking rather than on sound calculation of probabilities; for the usual thing among men is, when they want something, they will, without any reflection, leave that to hope; while they will employ the full force of reasoning in rejecting what they find unpalatable.
— Thucydides
Tried to embed, didn’t work. Here’s the link: http://www.brighttalk.com/webcasts/8093/attend
Hi,
If you like risk, risk management, and metrics, I’ll be giving an online presentation you might want to see tomorrow at 2 EST:
Gleaning Risk Management Data From Incidents
Yesterday, I offered up a little challenge to suggest that we aren’t ready for a certification around understanding information risk. Today I want to mention why I think this CRISCy stuff is dangerous.
What if how we’re approaching the subject is wrong? What if it’s mostly wrong and horribly expensive?
I’m going to offer that we’re still too early on to know the answers to these questions (an offer that if correct, would also serve to prove my point yesterday about CRISC). But if it turns out that we are doing things incorrectly (and really, what’s the probability that we are doing risk management correctly) – does something like CRISC make it easier or more difficult to change to something more effective?
Obviously, you don’t have to have a degree in Organizational Behavior to identify the problem here. If our approach to risk management is wrong, then CRISC is only going to serve to ensure that we are set in our incorrect ways.
Now where this should *really* upset you, my dear reader, is if you subscribe to various theories about how sciences progress. If you believe that sciences progress by sporadic, somewhat instantaneous little revolutions – then we’re totally screwing ourselves by creating a bureaucracy that makes it more difficult for the next revolution to take place. And believe me, as I’ve found out over the past 4 years, creating that revolution in risk management is hard enough already.