high stakes games :)

coderman coderman@gmail.com
Mon Oct 12 09:52:58 PDT 2015


"A perfect example of the perils faced by researchers was provided in
a separate talk at Virus Bulletin by Costin Raiu, director of
Kaspersky Lab’s Global Research and Analysis Team. Raiu revealed that
when he was involved in the analysis of Stuxnet a few years ago,
someone broke into his house and left a rubber cube with the message
“take a break” written on it."

---

http://www.securityweek.com/long-term-strategy-needed-when-analyzing-apts-researcher

Long-Term Strategy Needed When Analyzing APTs: Researcher
By Eduard Kovacs on October 07, 2015

Analyzing advanced persistent threats (APTs) is not just about
collecting pieces of information, and companies that focus on APTs
should accept the fact that they have become intelligence brokers.

In a presentation last week at the Virus Bulletin conference in
Prague, Juan Andres Guerrero-Saade, senior security researcher in
Kaspersky Lab’s Global Research and Analysis Team, detailed the ethics
and perils associated with APT research.

Cyberattacks sponsored by nation states are increasingly investigated
by both startups and well-established security companies. However, it
appears that many firms involved in researching APTs lack long-term
strategy and they’ve failed to consider the repercussions of their
work.

According to Guerrero-Saade, one of the main issues is that companies
and researchers have failed to understand that cyberespionage is a
part of classic espionage, and those analyzing such cyber operations
have failed to accept their role as intelligence brokers.

Intelligence agencies and private security firms involved in the
analysis of cyber espionage campaigns follow similar procedural
methodologies, but there are some noteworthy differences.

In the case of intelligence agencies, they receive a request, they
gather information, analyze it, and deliver it. But before delivering
it, the resulting report is taken through a strategic filtering
process that ensures the well-being of all involved parties.

On the other hand, threat intelligence teams don’t necessarily need a
delimiting request in order to begin analyzing a threat actor’s
activities -- an investigation can start from a decontextualized
sample or a vague request for incident response. Researchers collect
malware samples, indicators of compromise, and data on command and
control (C&C) infrastructure, but their analysis is oversimplified,
and their strategy for release of the information is often deferred to
PR or sales departments. The resulting reports, which might not contain
any actionable intelligence, are often released to the public in an
effort to attract new customers and boost the company’s reputation,
but without taking into account the potential consequences,
Guerrero-Saade said.

While intelligence agencies and security researchers follow similar
procedural methodologies, there are major differences in the ethics
and especially the perils they face. The Kaspersky Lab expert has
pointed out that the activities of intelligence agencies are not
considered suspicious by other governmental institutions, the
employees of intelligence agencies enjoy legal protections, and their
work is shielded from political blowback.

In the case of threat intelligence teams, however, researchers don’t
benefit from any cover for their actions, they don’t enjoy any legal
protections, and the companies they work for can also suffer due to
their actions.

According to Guerrero-Saade, the list of perils faced by researchers
includes subtle pressure, patriotic enlistment, bribery, compromise
and blackmail, legal repercussions, threat to livelihood, threat to
viability of life in the actor’s area of influence, threat of force,
and even elimination. A perfect example of the perils faced by
researchers was provided in a separate talk at Virus Bulletin by
Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis
Team. Raiu revealed that when he was involved in the analysis of
Stuxnet a few years ago, someone broke into his house and left a
rubber cube with the message “take a break” written on it.

In the case of companies, they can face political, financial and
regulatory repercussions, they can end up losing government contracts
and partnerships, and they can become the target of rumors and smear
campaigns if they don’t properly evaluate what they disclose and whom
they disclose to.

As for ethical concerns, the lack of malware diversification -- the
fact that the same malware is used against both extremists and less
“malicious” targets such as research institutions -- can cause
researchers to question whether or not they should detect the malware.
More precisely, if the malware is used against a legitimate
organization, then it should be detected to protect such entities. On
the other hand, if the malware is detected, it will also make it
easier for extremists to protect themselves against cyber spying
attempts.

Another ethical issue is related to the fact that the researcher’s
insight into the operation they are targeting is always superficial.
At first glance, it might appear that the targeted entity is
“innocent,” such as an academic or a journalist, but in reality they
could be a radical academic or a terrorism-facilitating journalist.

Guerrero-Saade told SecurityWeek in an interview that threat actors
can plant false evidence to throw investigators off track -- these are
known as “black flag” operations. One good example is the group known
as “Wild Neutron” or “Morpho,” whose malware contains strings in both
Russian and Romanian.

Guerrero-Saade believes that the best way for threat intelligence
teams to overcome the challenges is to accept their role as
intelligence brokers and put more emphasis on strategy. The expert
believes companies should hire a chief strategic officer or someone
who is in charge of making decisions related to who gets what
information, instead of leaving the task to PR and marketing
departments.

Companies should also focus on providing actionable intelligence. One
negative example named by the researcher during his presentation at
Virus Bulletin is a recent report from ThreatConnect and Defense Group
that focuses on linking the APT group known as “Naikon” to a unit of
the Chinese People’s Liberation Army. The problem, according to
Guerrero-Saade, is that the connection made by researchers in the
report focuses on the analysis of an alleged PLA officer’s personal
postings on social media and provides little actionable intelligence.
The Kaspersky researcher told SecurityWeek that this is equivalent to
“doxing” someone you don’t like, just like members of the Anonymous
hacktivist movement do when they get uncomfortable with another
member.

“The current threat intelligence market is in the midst of an identity
crisis. As companies transition from plain IT security to intelligence
production, the relevant methodology of intelligence brokerage must be
embraced in order to stand a chance against the supernatural market
tensions that are the product of meddling with the operations of
diverse intelligence agencies and enraging their respective
governments,” Guerrero-Saade said in a paper accompanying his
presentation at Virus Bulletin.

“The transition to intelligence brokerage proper is encouraged as a
means of survival for threat intelligence producers facing escalating
geopolitical tensions. By empowering the producers to strategically
control their offerings, these tensions are relieved or entirely
sidestepped and the market can flourish away from the limelight,” the
expert added.

The complete paper, titled "The ethics and perils of APT research: an
unexpected transition into intelligence brokerage," is available for
download from Kaspersky Lab.