high stakes games :)

Cari Machet carimachet at gmail.com
Mon Oct 12 11:32:25 PDT 2015


Umn this dude mike no kaspersky as there is something so profoundly
unethical about a researcher that is unable to self critique

Being able to point out fuck ups by others but not the self is an
engagement in delusion looped

Nice infos here though codermans
On Oct 12, 2015 7:57 PM, "coderman" <coderman at gmail.com> wrote:

> "A perfect example of the perils faced by researchers was provided in
> a separate talk at Virus Bulletin by Costin Raiu, director of
> Kaspersky Lab’s Global Research and Analysis Team. Raiu revealed that
> when he was involved in the analysis of Stuxnet a few years ago,
> someone broke into his house and left a rubber cube with the message
> “take a break” written on it."
>
> ---
>
>
> http://www.securityweek.com/long-term-strategy-needed-when-analyzing-apts-researcher
>
> Long-Term Strategy Needed When Analyzing APTs: Researcher
> By Eduard Kovacs on October 07, 2015
>
> Analyzing advanced persistent threats (APTs) is not just about
> collecting pieces of information, and companies that focus on APTs
> should accept the fact that they have become intelligence brokers.
>
> In a presentation last week at the Virus Bulletin conference in
> Prague, Juan Andres Guerrero-Saade, senior security researcher in
> Kaspersky Lab’s Global Research and Analysis Team, detailed the ethics
> and perils associated with APT research.
>
> Cyberattacks sponsored by nation states are increasingly investigated
> by both startups and well-established security companies. However, it
> appears that many firms involved in researching APTs lack long-term
> strategy and they’ve failed to consider the repercussions of their
> work.
>
> According to Guerrero-Saade, one of the main issues is that companies
> and researchers have failed to understand that cyberespionage is a
> part of classic espionage, and those analyzing such cyber operations
> have failed to accept their role as intelligence brokers.
>
> Intelligence agencies and private security firms involved in the
> analysis of cyber espionage campaigns follow similar procedural
> methodologies, but there are some noteworthy differences.
>
> In the case of intelligence agencies, they receive a request, they
> gather information, analyze it, and deliver it. But before delivering
> it, the resulting report is taken through a strategic filtering
> process that ensures the well-being of all involved parties.
>
> On the other hand, threat intelligence teams don’t necessarily need a
> delimiting request in order to begin analyzing a threat actor’s
> activities -- an investigation can start from a decontextualized
> sample or a vague request for incident response. Researchers collect
> malware samples, indicators of compromise, and data on command and
> control (C&C) infrastructure, but their analysis is oversimplified,
> and their strategy for release of the information is often deferred
> to PR or sales departments. The resulting reports, which might not contain
> any actionable intelligence, are often released to the public in an
> effort to attract new customers and boost the company’s reputation,
> but without taking into account the potential consequences,
> Guerrero-Saade said.
>
> While intelligence agencies and security researchers follow similar
> procedural methodologies, there are major differences in the ethics
> and especially the perils they face. The Kaspersky Lab expert has
> pointed out that the activities of intelligence agencies are not
> considered suspicious by other governmental institutions, the
> employees of intelligence agencies enjoy legal protections, and their
> work is shielded from political blowback.
>
> In the case of threat intelligence teams, however, researchers don’t
> benefit from any cover for their actions, they don’t enjoy any legal
> protections, and the companies they work for can also suffer due to
> their actions.
>
> According to Guerrero-Saade, the list of perils faced by researchers
> includes subtle pressure, patriotic enlistment, bribery, compromise
> and blackmail, legal repercussions, threat to livelihood, threat to
> viability of life in the actor’s area of influence, threat of force,
> and even elimination. A perfect example of the perils faced by
> researchers was provided in a separate talk at Virus Bulletin by
> Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis
> Team. Raiu revealed that when he was involved in the analysis of
> Stuxnet a few years ago, someone broke into his house and left a
> rubber cube with the message “take a break” written on it.
>
> In the case of companies, they can face political, financial and
> regulatory repercussions, they can end up losing government contracts
> and partnerships, and they can become the target of rumors and smear
> campaigns if they don’t properly evaluate what they disclose and whom
> they disclose to.
>
> As for ethical concerns, the lack of malware diversification -- the
> fact that the same malware is used against both extremists and less
> “malicious” targets such as research institutions -- can cause
> researchers to question whether or not they should detect the malware.
> More precisely, if the malware is used against a legitimate
> organization, then it should be detected to protect such entities. On
> the other hand, if the malware is detected, it will also make it
> easier for extremists to protect themselves against cyber spying
> attempts.
>
> Another ethical issue is related to the fact that the researcher’s
> insight into the operation they are targeting is always superficial.
> At first glance, it might appear that the targeted entity is
> “innocent,” such as an academic or a journalist, but in reality they
> could be a radical academic or a terrorism-facilitating journalist.
>
> Guerrero-Saade told SecurityWeek in an interview that threat actors
> can plant false evidence to throw investigators off track -- these are
> known as “black flag” operations. One good example is the group known
> as “Wild Neutron” or “Morpho,” whose malware contains strings in both
> Russian and Romanian.
>
> Guerrero-Saade believes that the best way for threat intelligence
> teams to overcome the challenges is to accept their role as
> intelligence brokers and put more emphasis on strategy. The expert
> believes companies should hire a chief strategic officer or someone
> who is in charge of making decisions related to who gets what
> information, instead of leaving the task to PR and marketing
> departments.
>
> Companies should also focus on providing actionable intelligence. One
> negative example named by the researcher during his presentation at
> Virus Bulletin is a recent report from ThreatConnect and Defense Group
> that focuses on linking the APT group known as “Naikon” to a unit of
> the Chinese People’s Liberation Army. The problem, according to
> Guerrero-Saade, is that the connection made by researchers in the
> report focuses on the analysis of an alleged PLA officer’s personal
> postings on social media and provides little actionable intelligence.
> The Kaspersky researcher told SecurityWeek that this is equivalent to
> “doxing” someone you don’t like, just like members of the Anonymous
> hacktivist movement do when they get uncomfortable with another
> member.
>
> “The current threat intelligence market is in the midst of an identity
> crisis. As companies transition from plain IT security to intelligence
> production, the relevant methodology of intelligence brokerage must be
> embraced in order to stand a chance against the supernatural market
> tensions that are the product of meddling with the operations of
> diverse intelligence agencies and enraging their respective
> governments,” Guerrero-Saade said in a paper accompanying his
> presentation at Virus Bulletin.
>
> “The transition to intelligence brokerage proper is encouraged as a
> means of survival for threat intelligence producers facing escalating
> geopolitical tensions. By empowering the producers to strategically
> control their offerings, these tensions are relieved or entirely
> sidestepped and the market can flourish away from the limelight,” the
> expert added.
>
> The complete paper, titled "The ethics and perils of APT research: an
> unexpected transition into intelligence brokerage," is available for
> download from Kaspersky Lab.
>
>