Familiarity Breeds Contempt: APT Edition

August 4, 2017
intelligence ir

Here’s a familiar scenario:

A new threat is being whispered about. Maybe your office has someone with special access of some kind and they’re being a bit more secret squirrely than usual. The mailing lists you’re on are abuzz about a new piece of malware or vendor code name. You keep hearing about a paid-only report that tells all. APT 46: EMPEROR PENGUIN is coming! When your boss asks about EMPEROR PENGUIN you have to say you don’t know much… but you’ve heard they’re very good, very advanced, well funded, with great opsec… obviously a serious threat aimed at hard targets (which your organization obviously is). More data starts trickling out. A blog post here and a malware report there. Someone you know on Twitter or a mailing list is sharing their experience fighting off EP infections, and then a PR post disclosing an EP breach discusses how advanced and effective they were, bragging about the high-end consultant team necessary to fight them off.

3(ish) months and a security conference later…

Oh good, you think to yourself, another lame vendor report about EMPEROR PENGUIN. You read the first two or three (that one from the AV vendor was especially good) but EP is kinda lame now. Sure, you have the “FEAR THE PENGUIN!” t-shirt you got at that conference, but you’re not really concerned about EMPEROR PENGUIN. They don’t even attack your sector, and even if they did they’re just a bunch of noobs: they have terrible opsec, their “malware” is just a bunch of PowerShell scripts, and they reuse infrastructure all the time. Yeah, they’ve breached some stuff, but they’d never get into your network. Not even worth thinking about. Just some skiddies.

This cycle happens all the time, including this week with Sednit/Turla (the link is to the Intercept with leaked 🇨🇦 classified data; visit at your own risk). Let’s explore it a bit.

There can be no prestige without mystery, for familiarity breeds contempt. ~ Charles de Gaulle

Source: izquotes.com

The Advanced Persistent Threat Hype Cycle

If you’ve been around the incident response/threat intelligence world long enough you’ve no doubt experienced this cycle for yourself. Here’s the breakdown:

Overall, and in short, General de Gaulle’s quote holds true: mystery breeds prestige; familiarity breeds contempt.

Here is the APT Hype Cycle in picture form:

APT Hype Cycle

Original Graph based on the Uncanny Valley

Respecting Your Adversary

This graph leads us to two important concepts:

Phase 3 is what I like to call The Peak of APT Superiority. The Peak is when defenders overestimate the skill, resources, and tradecraft of an adversary to the point that they assume the adversary is nearly omnipotent. This is a dangerous attitude: it leads to inaction through paralysis in the face of a seemingly insurmountable foe, because defenders are sure that a better resourced and more persistent adversary will always beat their defenses. This peak was particularly pronounced after the Kaspersky Equation Group report, when compromise by NSA TAO was discussed not simply as a possibility but often as an inevitability.

Phase 4 gives us what I’d like to call The Valley of Defender Condescension. The Valley of Condescension is equally as dangerous as the Peak: it assumes that a once mysterious but now revealed foe is incapable and unworthy of effort. It leads to dismissiveness. Plenty of _unsophisticated (whatever that means)_ adversaries have compromised organizations and completed their goals. A prime example of this was the Mandiant APT1 report, after which many defenders seemed to forget just how effective Unit 61398 had been against some very aware and well resourced victims.

The fact is both the peak and the valley are elements of bias that, as defenders, we must avoid at all costs. Overestimating and underestimating are both dangerous to our posture as defenders. The idea of threat intelligence is always about understanding the adversary. IOCs and TTPs are one thing, but the idea of generalized adversarial capability, how scared we should be, is equally important and infinitely more abstract. Given that this “measure” is used to determine budgets and deploy resources, we need to mitigate bias when setting these levels.

The fact is adversaries are people just like defenders. They have budgets and bosses. Goals and metrics. Skills and habits. Just like defenders, these things add up to an adversary’s strengths and weaknesses. Misunderstanding either aspect can be dangerous. Instead we must seek to understand an adversary’s strengths and weaknesses, and eventually work to exploit their weaknesses and mitigate their strengths. That’s a nice platitude, but can we actually do that?

In the end I couldn’t say it any better than Medal of Honor winner and Marine Corps Gunnery Sergeant John Basilone:

Never fear your enemy but always respect them. ~ John Basilone
