Jason Healey - Atlantic Council - Keynote Address: The sophisticated threat – yesterday, today and...

Sophisticated Threats: Yesterday, Today and Tomorrow. Jason Healey, June 2014. Twitter: @Jason_Healey

Upload: informa-australia

Post on 24-May-2015


DESCRIPTION

Jason Healey delivered the presentation at the 2014 ADM Cyber Security Summit. The 2014 ADM Cyber Security Summit focused on “Combatting Emerging and increasingly sophisticated cyber threats” both domestically and internationally, and showcased relevant organisational case studies and supporting research from academia. For more information about the event, please visit: http://www.informa.com.au/cybersecuritysummit14

TRANSCRIPT

Page 1: Jason Healey - Atlantic Council - Keynote Address: The sophisticated threat – yesterday, today and tomorrow

Sophisticated Threats: Yesterday, Today and Tomorrow

Jason Healey

June 2014

Twitter: @Jason_Healey

Page 2

Computer Network Vulnerabilities

• Hardware Leakage

• Software Leakage

• Deliberate Penetration

• Accidental Disclosure

• Physical Attack

• Modify at Factory

Look Familiar?

Page 3

• Hardware Leakage

• Software Leakage

• Deliberate Penetration

• Accidental Disclosure

• Physical Attack

• Modify at Factory

Written in 1969 ….

Page 4

State-Sponsored Cyber Espionage?

• “Espionage over networks can be cost-efficient, offer nearly immediate results, and target specific locations … insulated from risks of internationally embarrassing incidents”

Heard this Lately?

Page 5

State-Sponsored Cyber Espionage

• “Espionage over networks can be cost-efficient, offer nearly immediate results, and target specific locations … insulated from risks of internationally embarrassing incidents”

Written in 1988 ….

Page 6

Advanced Persistent Threat

• “Extensive resources in money, personnel, and technology”

• “Adept in circumventing physical and procedural safeguards”

• “Patient and motivated”

• “Capable of exploiting a successful attack for maximum long-term gain”

Look Familiar?

Page 7

Advanced Persistent Threat

• “Extensive resources in money, personnel, and technology”

• “Adept in circumventing physical and procedural safeguards”

• “Patient and motivated”

• “Capable of exploiting a successful attack for maximum long-term gain”

Look Familiar?

From 1991 ….

Page 8

The Threat … from 1997

Look familiar?

From President’s Commission on Critical Infrastructure Protection (PCCIP Report) 1997

Page 9

The Threat … from 1997

Look familiar?

JTF-CND Commander’s Presentation to DSB Summer Study, 2000

Page 10

Bad Guys Finish First

• “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.”

Heard this Lately?

Page 11

Bad Guys Finish First

Lt Col Roger Schell (USAF) in 1979

• “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.”

Page 12

Back to the Future All Over Again

“…the only cyberwar raging is inside the U.S. government where Washington lawyers and policymakers, military leaders, and official hackers battle over the value and legality of network attack.” Washington Post, 1999

“Attention to security gimmicks results in overlooking serious weaknesses.” Schell, 1979

“The market does not work well enough to raise the security of computer systems at a rate fast enough to match the apparent growth in threats to systems.” Computers at Risk, 1991

“Government and commercial computer systems are so poorly protected today they can essentially be considered defenseless - an Electronic Pearl Harbor waiting to happen.” Schwartau, 1991

Page 13

TODAY

Page 14

Adversary Groups on Left, Which Industry Each Targets on Right

CrowdStrike Annual Report 2013

Page 15

Everyone, Everywhere, All Ways, and Always

Russia – China – USA

Organized crime – Israel – France – UK – India…

• Titan Rain • Night Dragon • Shadows in the Cloud • Putter Panda – Unit 61486 • Unit 61938

• Estonia, Georgia, Ukraine • Buckshot Yankee • Energetic Bear • Snake

• Stuxnet, Flame • Xkeyscore • TAO • Bull Run

Page 16

Everyone, Everywhere, All Ways, and Always

Russia – China – USA

Organized crime – Israel – France – UK – India…

• Titan Rain • Night Dragon • Shadows in the Cloud • Putter Panda – Unit 61486 • Unit 61938

• Estonia, Georgia, Ukraine • Buckshot Yankee • Energetic Bear • Snake

• Stuxnet, Flame • Xkeyscore • TAO • Bull Run

To companies like Microsoft or Google, all of these are ‘attackers’ and so all are adversaries.

If you belong to a SIGINT organization, you are APT too!

Page 17

What Has Changed?

Some Important Trends

1. Rise of the professionals

2. Fed by power of the free/stolen market

3. More aggressive attacks and espionage

4. Real national security attacks

5. Attacks aren’t just by the “bad guys” anymore

6. Scope and scale of attacks

Page 18

What Has Not Changed?

Some Important Trends

1. Basic computer vulnerabilities

2. Basic categories of threat

3. Identities of low- and high-end threat

4. General fecklessness of defense

5. Dynamics of cyber conflict

6. Relationship of offense to defense (O>D)

7. Truly destructive attacks are still “five years away”

Page 19

WHAT COMES TOMORROW?

Page 20

Tomorrow…

• The conventional answer:

• Maybe our “five-year clock” finally runs out

– Being hurried perhaps more by our increasing vulnerability than ability or intent of adversaries

– We can discuss in Q&A

– But first, the unconventional answer

Page 21

Great News! Security is Getting Better!

Whether in detection, control, or prevention, we are notching personal bests … - Dan Geer, 2014

[Chart: Effectiveness over Time; curve: Improvement of Defense; marked: Tipping Point?, 2014]

Page 22

Bad News! We’re Still Losing and at a Faster Rate! O>D

Whether in detection, control, or prevention, we are notching personal bests but all the while the opposition is setting world records. - Dan Geer, 2014

[Chart: Effectiveness over Time; curves: Improvement of Defense, Improvement of Offense; marked: 2014]

http://geer.tinho.net/geer.rsa.28ii14.txt

Page 23

Or Is It Exponentially Worse?

[Chart: Effectiveness over Time; curves: Improvement of Defense, Improvement of Offense; marked: 2014]

Page 24

Can This Last Forever?

[Chart: Effectiveness over Time; curves: Improvement of Defense, Improvement of Offense; marked: Tipping Point?, 2014]

Page 25

When There Are More Predators Than Prey

[Chart: Effectiveness over Time; regions: O>D, O>>D; marked: Tipping Point, 20xx; labels: “Somalia”, “Wild West”]

Page 26

THIS HAS BEEN VERY NEGATIVE, SO TO END ON A POSITIVE NOTE…

Page 27
Page 28

QUESTIONS?

Twitter: @Jason_Healey

Cyber Statecraft Initiative

• International conflict, competition and cooperation in cyberspace

• Our goal is Saving Cyberspace

• Publications (all at our website, atlanticcouncil.org)

• Public and Private Events

1. History of cyber conflict

2. Future of cyber conflict

3. Systemic cyber risks

4. Public sector-centric strategy

5. Sustainable cyberspace