Reverse Deception: Organized Cyber Threat Counter-Exploitation
Authors: Sean Bodmer
All available resources were dedicated to identifying the strange activity. FU had never before been faced with such a big threat. Bill and Sunil stayed throughout the morning, but as evening approached, they felt as helpless as the once fresh morning team. New people arrived and continued processing the network traffic and logs as the two previous shifts had done. The updates to the CIO were becoming a sublime brief interaction between two parties drawn together by a common goal. The increased level of frustration and impatience was evident in FU—not only at the headquarters, but at the field locations as well. Everyone knew that something important was going on, but not everyone knew exactly what that was. Anxiety and tension grew throughout the corporation.
As the sun rose the next morning, it seemed as if a sense of calm fell over FU. Bill and Sunil worked throughout the night on cracking the code on the strange traffic, but there was not really such a heightened sense of imminent danger. That morning, the CIO looked refreshed and was quite jovial. The IT staff rolled in carrying coffee and donuts. Of course, they had Bill’s jelly donut and Sunil’s coffee cake, just as they had brought every Tuesday morning for months.
The sense of urgency and sharpness that had ruled the previous day seemed to have lost a bit of its edge. Conversely, there was still high tension throughout the workforce. They knew less than the IT staff, and that lack of information played out in decreased job performance. Productivity was down, people were taking longer breaks to gossip, and speculation was high.
Meanwhile, over at the other company, a man and a woman were chatting.
“Did you finish?” the man said.
“No, not yet,” replied the woman, “I still have some to go.”
“Let me know when you’re done,” the man stated, “the boss is looking for a status.”
“Will do,” she answered.
The man walked back into the boss’s office and sat down.
“Now explain this whole thing to me,” said the boss. “I’ve kind of been in the dark the last week or so.”
“Well, we started looking at our competitors for the Davis contract and found out that there are only a couple of real threats for the bid. The first was Technology, Inc., but they are trying to win the bid on a different contract. We felt they would not pose a threat to us because, although they have the technology, they lack the required manpower to do it. The other threat was FU. They have both the technology and the manpower to execute the proposal and contract.”
The boss asked more about the technology and got some background of the contract. Then he wanted to know how they took FU out of the picture to ensure they would be the only ones bidding on the contract.
“Simple,” explained the man. “First we had to identify the critical information they were trying to protect. That was pretty easy, considering they were working toward the same goal as us: the Davis contract. Then we took a good, long look at what they thought were their threats. We analyzed to see what made sense. They never thought of us as a threat—intrusions, viruses, and botnets, sure, but not us. They never saw it coming. Next we looked at their vulnerabilities. Let me tell you, they had IDS, IPS, and firewalls. They ran updated virus protection and spyware, and even trolled their networks. They had good physical security, too. They had ID badges with passcodes, swipe access, two-person authentication, and more. They did a good job technically and physically, but not psychologically. That’s where we identified what their risks were. We knew their soft spot. Do you remember a few months ago when they got hit with that scam e-mail about a vacation? Well, that was our folks.”
“How’d you do that?” inquired the boss.
“It was easy. We masqueraded their CEO’s e-mail, and when their folks opened the ‘Important Offsite Cruise’ note from the boss, we infected almost every computer they owned. To keep their IT staff off balance, we laid low for a while and let them clean up what they saw. It was too late. We had already created administrator accounts on everything with an IP address. At that point, we waited until they reimaged all the boxes, but because they didn’t take everything offline at once, we just jumped from box to box. We maintained access the whole time.”
“That’s incredible!” exclaimed the boss.
“Not quite. Here’s the best part. So we fast-forward a few weeks, and everything’s going along okay for FU, right? Not so much, boss. Remember I said we were going to lay low? Now we are ready for action. We jump up and cause a big ruckus. We get them really interested in some ‘anomalous’ activity happening in a strange way. They start looking at it and realize it’s something big. We planned it out over a long period, with lots of prep to make it look convincing. See, boss, we have to sell them on this thing as being real, or the whole thing is shot.”
“I get it,” said the boss.
“So now, we give them the knockout blow. While they are looking at this strange computer traffic, we sneak back in and grab their proposal. We corrupt the files with the same name, and all the data related to the proposal is gone. All done—they don’t have any data, and they are no longer a threat to us. We win the proposal; game over. The team is about finished in the other room right now. It sure will be great to see them try to figure this one out.”
“It sure will. Ha ha!”
Postmortem
That benign spear phishing episode you encountered yesterday may be the initial foothold into your network. This episode was sponsored by a corporation and was readily financed to ensure success. It was part of a long-term plan and was broken into several phases. Obviously, the first phase was to gain access, but the plan did not have a determinate timeline, and success was based on events.
APTs are activated by time and events. Of course, that information is not known to the network defenders. Every event should be questioned and taken in context at the time it happened, as well as contrasted against the larger picture of what is going on.
Tall Tale 3
Paul and Rick worked a regular job like anyone else. They took pride in their work and felt they were on the cutting edge. They were engaged, and committed themselves and their staff to ongoing educational opportunities, both within the country and abroad. They promoted technical forums and research opportunities whenever possible. They knew that if they took a break, time would pass them by, and they would be a dinosaur in the computer security arena. This strategy, although rigorous, paid off time and time again.
They were the industry leaders in computer security. They had contracts with NATO, Russia, China, Australia, India, and numerous other international powers. They straddled the fence and offered solutions to anyone who could pay, despite the high-risk stakes. Business was good, and they did everything necessary to keep it that way. Their products were in demand around the globe, and although many countries were concerned that Paul and Rick were dealing with their adversaries, they all believed it was in their best interest to use the solutions provided.
Each solution Paul and Rick provided was custom-made, so technically, no two countries running their products or applications could ever be compromised by another due to a security flaw in one of their products. They took great pains to ensure everything was locked down tight. They had numerous production quality controls, along with a final and personal check by one or both of them.
There was no doubt that Paul and Rick were the best at what they did. They were conservative and deliberate, and planned out everything. They left nothing to chance. One could say that if the computer security world was drinking Scotch, most of it would come out of a plastic bottle off the grocery store bottom shelf; the top shelf was reserved for Paul and Rick. They used state-of-the-art techniques, as well as in-house developed proprietary software and hardware solutions to secure their rather diverse customer base. When they got the call to go to Germany to improve the network security of the Bundeswehr, it was business as usual—another big contract opportunity and the potential for another big payday.
Germany had drifted into unfamiliar territory. There was a growing uneasy feeling on its border with the Swiss. Diplomats had exchanged harsh words and stabs at each other’s human rights record. That, of course, was just a distracter from the real problem. And there was a growing concern over the border dispute. Germany had recently declared that the Canton of Schaffhausen in Switzerland appeared to belong to the Germans. The Germans cited a 1330 decision by the emperor Louis of Bavaria to give the city to the Hapsburgs. Although Schaffhausen was able to buy its freedom in 1418, the German government said the transaction was not legitimate because the people of Schaffhausen had tricked the Hapsburgs by filing in a neutral court in Switzerland, and not through the German system at all, and sought to annex the canton from Switzerland.
The impetus for all this was a joint research project that included students and faculty from both the Universities of Zurich and Berlin. It was a four-year-long project, but the results were phenomenal. It showed that there was an oil reserve directly accessible by drilling directly through the courtyard in front of the All Saints Abbey in Schaffhausen. It was worth fighting over for sure. The oil, deemed high quality, showed the potential for a reserve roughly 20 times larger than what was discovered in the Middle East—an economic gold mine for any country trapped in such a desperate financial crisis. The eyes of every world leader turned from the Middle East toward central Europe.
Paul and Rick arrived in Germany at a time when many nations around the world were cutting defense spending. The threat from international terrorism was expanding almost daily, but defense spending was getting cut, again. International economics was tepid at best, with depression looming on the horizon like a dark, pendulous cloud approaching from the west. Politicians promised recovery, and people raised their guard. The politicians made more promises, and the people cowered in fear for their personal property and livelihood.
In the midst of all this, Paul and Rick keyed in on the fact that market share was getting smaller and competition was getting more ferocious, and they were more resolute than ever to ensure they got that big payday they sought. They were determined to increase their share, but still provide superior security and the high-quality products their customers had come to rely on. Paul and Rick were oblivious to the politics of it all, as they had to be for corporate preservation. They consistently rose above any scrutiny, and instilled a sense of loyalty and trust in each client. They had to, or they would be out of business.
Discussions with the German defense officials went well, and before too long, there was a contract and a well-developed road map of the way ahead. Paul and Rick felt pretty good, as did the German brass. Paul and Rick had always delivered on time, and things looked good for this network solution to be implemented on time and on budget. The recent unauthorized network activity and exploitation of their information had unnerved the German generals to the point just short of ripping out all the old infrastructure and installing new systems from the ground up. Of course, the budgetary constraints made this prohibitive, so they made the most of it and retrofitted their network with some of the most sophisticated products money could buy. The best part was that the software was proprietary, so there was the extra layer of protection to make sure that nothing was going to be able to affect it in a malicious way.
In a move that shocked the world, the Swiss broke their long-standing pledge of neutrality and took up arms. Of course, they chose to fight against the Germans. Their neutrality was world renowned. They had not faced a serious threat, let alone engaged in a unilateral combat operation, for hundreds of years. With the situation so dire and economic crisis so close, many people, corporations, and nations would be withdrawing money from the Swiss banking system, which could affect their economy in a dramatic fashion. The Swiss were not taking any chances either, and as relations degraded with the Germans, they felt it was time to put the final parts of their plan into motion. The Federal Council of Switzerland, the executive body, had planned for many situations with different types of contingency plans—this was one of those plans.
The Swiss army staffed slightly under 140,000, which was significantly larger than the German standing forces, which totaled under 90,000. However, as the Germans started to move forces toward the disputed territory, the Swiss high command wasted no time in maneuvering troops and finalizing plans for defense of their homeland. The Germans’ confidence in their troops soared. With their new GPS-enabled technology, they could track their forces. Attacking Switzerland had not been in the cards until recently, but if the German Heer was to navigate the mountainous terrain, it needed advanced technology to get through. Paul and Rick had done their job, got their payday, and arrived back at their office in Stockholm before any shots were fired. They had no interest in belligerents engaged in hostilities. They just did their job and got out to see another payday.