
  2. 6

    How many of the global “threat intelligence” companies are highlighting TTPs actually in use by apex predators (instead of merely spotting low-hanging fruit)?

    I’ve been thinking about this a lot lately; so many of the NSA attacks used mechanisms that were not within typical threat models. For instance IRATEMONK^0, which compromises the firmware on your hard drive to replace the MBR on boot-up to ensure their implant persists. One wonders: if these sorts of attacks were not caught when the NSA did them, have other actors used these methods as well and we are just unaware?

    Is there a feedback loop at work here whereby basic attackers use simple tactics, those tactics get the attack discovered, the discovery gets attention which becomes written in articles which future simple attackers read? An amplifying street light effect?

    If someone had a 0-day for cheap home routers^1 and used it to perform passive interception against businesses of interest, would this ever be discovered? Or an RF side channel^2 which allows someone to make money off the stock market?

    How do you get VC to fix security problems that you have no evidence anyone is exploiting? Anti-virus software isn’t going to sell prior to the first computer virus.
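    The IRATEMONK point above is worth making concrete. As an added example (not part of the original comment), here is a baseline check a defender could run against a drive’s first sector: parse the MBR, hash the 446-byte bootstrap area, and compare it to a previously recorded value. The sample sector and the baseline hash are constructed inline so it runs offline; on a real host you would read the 512 bytes from the block device instead. The caveat the comment is driving at still applies: this check sees only what the drive firmware chooses to return, so a firmware implant that serves a clean sector to the OS and a modified one at boot would pass it.

    ```python
    import hashlib
    import struct

    SECTOR_SIZE = 512
    BOOT_CODE_LEN = 446            # bootstrap code precedes the partition table
    PART_TABLE_OFF = 446
    PART_ENTRY_LEN = 16
    MBR_SIGNATURE = b"\x55\xaa"    # bytes 510-511 of a classic MBR
    # Layout of one partition entry: status, CHS start (3 bytes), type,
    # CHS end (3 bytes), LBA start, sector count; all little-endian.
    PART_ENTRY_FMT = "<B3sB3sII"


    def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
        """Constructed sample sector for offline testing, not a real disk image."""
        sector = bytearray(SECTOR_SIZE)
        sector[: len(boot_code)] = boot_code
        for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
            off = PART_TABLE_OFF + i * PART_ENTRY_LEN
            struct.pack_into(PART_ENTRY_FMT, sector, off,
                             status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
        sector[510:512] = MBR_SIGNATURE
        return bytes(sector)


    def parse_mbr(sector: bytes) -> dict:
        """Return the bootstrap-code hash and the non-empty partition entries."""
        if len(sector) != SECTOR_SIZE:
            raise ValueError("MBR must be exactly 512 bytes")
        if sector[510:512] != MBR_SIGNATURE:
            raise ValueError("missing 0x55AA boot signature")
        parts = []
        for i in range(4):
            off = PART_TABLE_OFF + i * PART_ENTRY_LEN
            status, _, ptype, _, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, sector, off)
            if ptype == 0:             # type 0 marks an unused entry
                continue
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
        return {
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
        }


    def check_boot_code(sector: bytes, baseline_sha256: str) -> bool:
        """True if the bootstrap area matches the recorded baseline hash."""
        return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


    def diff_mbr(baseline_sector: bytes, suspect_sector: bytes) -> list:
        """List what changed between a baseline sector and a suspect one."""
        base, sus = parse_mbr(baseline_sector), parse_mbr(suspect_sector)
        findings = []
        if base["boot_code_sha256"] != sus["boot_code_sha256"]:
            findings.append("bootstrap code modified")
        if base["partitions"] != sus["partitions"]:
            findings.append("partition table modified")
        return findings


    # Constructed data: a "clean" sector recorded at install time and a
    # "suspect" sector whose bootstrap code differs but whose partition table
    # is untouched, the shape a boot-time implant would leave behind.
    CLEAN_BOOT_CODE = b"\xeb\x63\x90" + b"\x90" * 100
    TAMPERED_BOOT_CODE = b"\xeb\x63\x90" + b"\xcc" * 100
    PARTITIONS = [(0x80, 0x83, 2048, 1_000_000)]   # one bootable Linux partition

    CLEAN_SECTOR = build_sample_mbr(CLEAN_BOOT_CODE, PARTITIONS)
    SUSPECT_SECTOR = build_sample_mbr(TAMPERED_BOOT_CODE, PARTITIONS)
    BASELINE_HASH = parse_mbr(CLEAN_SECTOR)["boot_code_sha256"]

    if __name__ == "__main__":
        print("clean matches baseline:", check_boot_code(CLEAN_SECTOR, BASELINE_HASH))
        print("suspect matches baseline:", check_boot_code(SUSPECT_SECTOR, BASELINE_HASH))
        print("differences:", diff_mbr(CLEAN_SECTOR, SUSPECT_SECTOR))
    ```

    On a live system the sector comes from something like `open("/dev/sda", "rb").read(512)` run as root, and the baseline hash should be stored off the host. Because the read goes through the same drive controller the implant lives in, a negative result here is evidence that the firmware is serving an unmodified sector to the OS, not that the boot path is clean; a comparison of the sector as read by the host against the sector the BIOS actually executed (for example via a bootable forensic medium that reads the disk through a different controller) is the stronger check.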

    1. 7

      Attackers use basic attacks because they often have a success ratio that justifies their use. If you send a binary to 100 people at a random company, and ask them to run it up-front, you can probably expect somebody to do so. No electronic vulnerability involved.

      I’m not sure people care about the quality of their tech until it gets in the way of them doing something. To be honest, that’s how I treat a pretty large proportion of the things I use. The things I do will cause me to run into more problems with technology than a non-tech worker would, but the same mechanism is at play. In terms of infrastructure quality, manufacturers often only make more secure things when they are being broken so frequently that they face a threat to their business unless they fix it. This was starting to seem like the case for Windows, and Microsoft stepped up their security game a bit in response.

      It’s interesting that so many of these attacks target layers that are much more expensive to fix. A lot of them exploit problems with protocols and basic characteristics of electronics rather than a software memory corruption. There’s not an easy answer for a lot of these. I go on rants all the time about how I hope Rust will make the world safer by preventing vulnerabilities that stem from software-triggered memory corruption, but we still have to trust hardware and standard protocols, and that trust is being actively exploited.

      I’m curious how many people are using honeypots that they use to lure the NSA into attacking to harvest some free (minus a bit of reverse engineering) exploits and tools. I wonder if we’ll see groups doing this and then just going crazy with them on the open internet at some point. It would really be destructive, but it may also lead to manufacturers producing slightly safer things afterward.

      1. 2

        > Attackers use basic attacks because they often have a success ratio that justifies their use.

        There are two qualities at work here, visibility of an attack and cost to execute. Attacks which are highly visible and easy to execute are likely to be well known and enter the standard malware toolbox, becoming mainstream. What about attacks which are invisible and easy to execute? If an attacker discovers such a method, it is unlikely to become common knowledge for some time. Tools will not be built to catch it because “no one exploits it”. Even if it started to spread among attackers, if it is hard to measure, it might not become something that CSOs worry about. Known knowns and known unknowns drive markets.

        > Rust will make the world safer by preventing vulnerabilities that stem from software-triggered memory corruption, but we still have to trust hardware and standard protocols, and that trust is being actively exploited.

        One result from the Snowden revelations that I expect to see is security companies selling fixes for these vulnerabilities. I’m waiting for PCI-bus firewalls and IDSes.

        > I’m curious how many people are using honeypots that they use to lure the NSA into attacking to harvest some free (minus a bit of reverse engineering) exploits and tools. I wonder if we’ll see groups doing this and then just going crazy with them on the open internet at some point.

        0-days and novel tools are so dangerous. Captured tools provide cover, which enables nations to strike back with reduced fear of attribution. Consider if Iran had discovered Stuxnet, changed the payload slightly so it just caused all ICSes to malfunction, and released it into the oil refining systems of Saudi Arabia. The physical damage would be slight but the diplomatic effects would be far greater.

        If Saudi Arabia blamed Iran without evidence, Iran could rightly point out that the code is covered in US/Israeli intelligence fingerprints. If Iran got caught they could accurately claim that the US struck first. The US would figure out what happened, but would they be willing to go public and expose themselves to claims of responsibility? It certainly would make the decision to use Stuxnet look irresponsible, the US foolish, and Iran powerful; who in the US government wants to own that? From Iran’s perspective this is all win, since the US would be far less likely to target them in the future (the “once burned, twice shy” theory of international relations might not be true in all cases, but I could see the argument being made). Some people believe that the Saudi Aramco attack was in revenge for Stuxnet, so Iran has shown the political will to strike back^0.