… Persistent Threat
Historical Background of APT
Today, APT, or Advanced Persistent Threat, describes cyber attacks that are carried out by organized teams of individuals with extremely deep resources. These teams have highly advanced technological and database penetration skills, and they target specific profiles. Their attack tactics are precise and deliberate, and they remain consistent in their attacks. The attackers evaluate the targeted profile's defenses and its likely response to the attack, in an attempt to anticipate which techniques will need to be implemented.
According to a 2010 CSO Cyber Security Watch Survey, the threats posed to organizations by cyber crime have increased faster than the number of potential victims over the last few years. Cyber threats are becoming significantly more common throughout the world today. Throughout this report, I'll discuss how cyber threats currently constitute an APT, particularly from the Chinese government. I'll also provide a brief history of the Internet.
Internet history can be traced back to 1858, when the Atlantic cable was laid in order to carry communications across the ocean. Some consider this the first step toward "online" communications. Unfortunately, the cable did not last even a few days and was considered a failure due to technical difficulties. By 1866, more cables had been laid, and these succeeded. The successful cables were used for nearly 100 years.
The first artificial satellite was launched in 1957, and in 1958 the U.S. Department of Defense issued Directive 5105.15, which established ARPA (the Advanced Research Projects Agency). By the early 1960s, ARPA was doing research to improve the military's use of computer technology. The events on the timeline thus far are considered milestones in Internet pre-history. We have come a long way since the 1960s in both communications and technology.
The Internet can best be described as hundreds of millions of computers connected through a global network. These computers are connected so that they can communicate with each other. Today, many individuals use the Internet to carry out many parts of their everyday lives: families throughout the world pay bills online, look up information, book flights, and buy and sell products. A great deal of an individual's personal data can very easily be found via the Internet. Data from important government entities and the military can also sometimes be accessed, which is where an advanced persistent threat comes into play. Cyber war is becoming an increasingly popular theme throughout the world, but these types of advanced threats have been seen throughout history, even before computers and modern technology.
The history of computers is really thousands of years old, which people rarely understand or realize. The abacus is the first computing tool documented and proven archaeologically. It was an artificial tool used for calculations and was documented 5,000 years ago in Asia Minor. Early merchants used the abacus for trading transactions, and some countries still use it today.
In 1642, Blaise Pascal, the 18-year-old son of a French tax collector, invented the numerical wheel calculator in order to help his father with his collections and duties. Jumping ahead to 1880, American inventor Herman Hollerith invented the first large-scale computer, which was used to compile census information. Previously, this information had taken ten full years to compile, but with Hollerith's machine it took only six weeks, a rapid improvement. By 1944, Harvard engineer Howard H. Aiken, working closely with IBM, had successfully produced an all-electronic calculator. The purpose of this computer was to create ballistic charts for the U.S. Navy. By 1976, Steve Wozniak and Steve Jobs had completed their work on the first computer circuit board, which they called the Apple I. After this, the Apple Computer Company was formed. Not long after the Apple I was created and the Apple Computer Company was formed, Bill Gates and Paul Allen signed a partnership agreement, officially creating the Microsoft Company.
In June of 1980, Seagate Technology announced the first Winchester 5.25-inch hard disk drive. This hard disk drive cost $600 and held 5 MB. Seagate's product hit the market and caused huge growth in technology and development. From there, the world of technology and computers took off, and by 2003 worldwide hard disk storage capacity had reached 30,200 terabytes.
The history of communications plays a significant role in APT. In the older history of communications over any type of distance, hand signals, fire beacons, flags and telegraphs were used. These communication methods can be traced back thousands of years. The Internet has caused APT to develop into a more real and common problem; however, APT can be seen throughout history in wars between countries and in conflicts within them.
Terrorism and APT
Terrorist attacks have been prevalent for hundreds of years. The use of terror by governments, and by those who contest their power, is still considered somewhat misunderstood. From the French revolutionary governments instituting terror against the population of France in the 1790s, to the past 20 years of terrorists committing violently threatening acts for political or religious reasons throughout the world, terrorism is probably the most common example of APT.
Terrorism can be dated back as early as the 1st century AD. The earliest known organization was the Zealots of Judea, who carried out an underground campaign of assassination against Roman occupation forces. By the 19th century, the world was seeing vast improvements in weapons and technology, and acts of terrorism were becoming even more common. The Cold War changed perceptions of conflict throughout the world, and the age of modern terrorism began in the 1960s. The history and development of terrorism, which is a prime example of APT, can be directly linked to the development of communications and technology.
Using China as an Example
Using China as a prime example of APT, we'll discuss an assessment of its capability to conduct computer network operations (CNO) during times of peace and during periods of conflict. We'll discuss its strategies for network operations and its planning efforts. We'll also cover possible targets in the United States, as well as examples of Chinese intrusions into U.S. government and industry networks.
Antecedent Intelligence Environment
The Government of the People's Republic of China (PRC) has used military intelligence to fight what can best be described as high-tech wars. The Chinese use INEW (Integrated Network Electronic Warfare) as the offensive mission for computer network attack and electronic warfare. The highest organizational authority of the PLA is the General Staff Department, which is responsible for the daily administrative duties of the Chinese military.
Signals intelligence uses a strategy that relies on the simultaneous application of electronic warfare and computer network operations against adversary command. Under this strategy, CNO tools will be used in even the earliest phases of a conflict. They may also be used to preemptively assess enemy information systems.
The PLA is training its force to use a variety of tools for intelligence gathering and for establishing information dominance over the enemy during conflict. It is extremely important to gather and use information about the enemy and its technology early in a conflict. INEW is designed specifically to support this objective.
Antecedent Policy Positions
Today, the PLA is reaching out to civilian personnel in an attempt to meet the personnel requirements for better program support. It is seeking people with specialized skills from many industries and areas of expertise, including the commercial sector and the academic world, and it may even reach into China's hacker community to meet its goals.
China has an increasingly mature computer network capability, and it is using this capability to support intelligence collection against the U.S. Government. This involves conducting a long-term, sophisticated computer network exploitation campaign. The exploitation is well-organized and disciplined, and it uses standardized operations as well as sophisticated techniques. Supporting evidence shows that the Chinese are using individuals who support illegal hacking activities to customize applications and tools and to exploit vulnerabilities in software.
To sum it up in simple terms, individuals in China who support illegal hacking activities, and who are being used to continually and illegally gather information from the U.S., are taking part in what is referred to as the zero-day exploit, meaning that the defenders have not yet begun counting the days since the release of the vulnerability information.
This type of in-depth computer network activity is used to target several different countries, and it is a good example of an APT: it is ongoing and could be potentially damaging. Much of the stolen information is of no interest to the person who stole it, but rather to third-party buyers. This type of information theft is even more dangerous to the party being attacked, because it can be very difficult to trace the attack back to the third-party buyer.
The main difference between computer exploitation and an actual attack is that computer exploitation is simply for the purpose of collecting data, whereas an attack is meant to collect information for a harmful purpose, or essentially to hurt the individual or organization from which the information was collected.
According to Toronto Star reporter Stephan Handelman, in an article printed in 2005, senior U.S. intelligence analysts consider China to be the greatest long-term threat to U.S. stability. China's military force and computer intelligence have reached their peak. Both the Europeans and the U.S. agree that the expansion of the Chinese military is more than "worrisome."
Another article, published by the Washington Post on November 16, 2007, claims that Chinese spying in the United States is the biggest threat to keeping American technologies secret. Advances by the Chinese military are catching U.S. intelligence officials by surprise. It has also been suggested that the U.S. Department of Defense could inadvertently outsource the manufacturing of key weapons and military equipment to China. China is attempting to reverse its move into free markets by setting up state-owned enterprises and taking control of the 12 major industries, which include oil, telecommunications, shipping, automobiles, steel and information technology.
The PLA has developed a strategy called "Integrated Network Electronic Warfare," which is said to guide the employment of CNO as well as related information warfare tools. The strategy consists of using network warfare tools and electronic warfare weapons against enemy information systems. One of the main goals of the PLA is to achieve information dominance at both the strategic and the campaign levels, according to the Science of Military Strategy and the Science of Campaigns. It is important that the PLA make the transition from a mechanized force to an information force in order to win local wars against an enemy with a greater technological advantage, such as the United States. A strong warfare capability to control an enemy's access to its own technology is extremely important to winning.
PLA Information Warfare Planning
In order to fight a technology war effectively, one must be able to accurately assess the likely impact on the adversary of a CNA strike on any given asset. This type of assessment depends on the adversary's various network dependencies. In other words, have a good handle on the center of operations and choose targets to strike in sequence. Catalog the enemy's weaknesses and arrange to take them down one by one. This requires knowledge of the enemy's entire operational system and procedures. Mission planners should have a clear understanding of enemy network dependencies in order to break the enemy's line of defense. CNA planners will also need a clear understanding of the cultural and military sensitivities surrounding an attack.
Chinese Computer Network Operations During Conflict
PLA commanders have CNO available during times of conflict, even though the PLA rarely discusses CNO. CNO can be compared to missiles or air power. It is important to understand how CNO could be used in support of larger campaigns, and to do this one must understand CNO in its proper context. The strategy of CNO is simple: deny an enemy access to the information systems that are critical for combat operations, and analyze the enemy's weak points.
Chinese military leaders are typically influenced by their culture and traditional strategies, and they have shown a willingness to use great force and strength in situations where the PRC was considered weaker. In some cases, conflict will be less costly at a later date in conditions that are less favorable to China. This logic seems unusual to Western cultures, but it reflects ever-changing strategic conditions. Both PLA and PRC leaders use this same logic and strategic planning, particularly in weapons planning.
The PLA uses CNO together with EW weapons as a joint campaign capability. CNO is used for obtaining information while providing opportunities for air, ground and naval forces to act upon. In a military crisis between China and the U.S., CNO would most likely be used to make repeated attacks against the U.S. Department of Defense. These types of attacks are typically used to gather and degrade U.S. information and support systems so that the PLA can achieve its overall objectives. Both CNO and IW weapons may help delay the U.S. military's response without requiring direct combat with U.S. forces, which are far superior.
The Logistics of Networks and Databases in a Conflict
In assessing the U.S. campaigns in Iraq (Desert Storm and Operation Iraqi Freedom), weak points can be identified in force deployment and logistics. On the other hand, defeating U.S. logistics systems will not likely defeat the U.S. military, but these types of disruptions will help buy the PLA (or whoever the attacker may be) time. Time is important in battle and can make the difference between an enemy's defeat and its victory.
Logistics information of interest includes specific unit deployment schedules, the rate of re-supply, scheduled material movement, assessments of unit readiness, lift availability and scheduling, maritime pre-positioning plans, air tasking orders for aerial refueling operations, and the logistics status of bases in the Western Pacific theater. Maintaining effective movement control during a major mobilization is by nature extremely difficult and complex. Major delays can be created by disrupting information systems at key nodes, with an emphasis on shipping terminals and airports. This would cause the affected destination to stop production.
If the PLA can compromise just one weak password, whether by logging in with it or by exploiting SQL injection vulnerabilities, many logistics databases could be compromised with what is considered relatively easy access. Continual access to NIPRNET using CNA techniques, as well as to the logistics information that supports the TPFDD for different war plans, would allow the PLA to put together a detailed intelligence picture of the intended U.S. force deployment.
The basic PLA strategy against NIPRNET logistics is likely very simple. It is speculated to be a combination of attacks on specific network segments that do not authenticate common Internet traffic through a proxy server before it leaves the network. By doing this, the attackers are able to operate much more freely within the network. An attacker in this type of situation can connect to a remote C2 node to download additional tools, and can exfiltrate data without needing valid user credentials.
There have been reports of China attacking U.S. networks in the past. These reports suggest that the operators behind these intrusions have the competence to identify specific users within a unit or organization based on particular job functions or presumed access to information. If an attacker is able to obtain or exploit legitimate user credentials, the attacker will be able to review file directories while potentially targeting specific files to alter, although this all depends on specific mission requirements and U.S. INFOCON levels. These attackers can also passively monitor network traffic, which would be used for intelligence collection purposes. The use of these machines and strategies during times of peace may enable attackers to prepare a reserve of compromised machines that would be used during a crisis.
Chinese CNO operators probably possess the technical sophistication to build and install rootkits, repurpose remote access software, and create deep, persistent access to whatever host is compromised. This makes their detection extremely difficult, if not nearly impossible. An "upstream" attack on the networks of the civilian contractors that provide logistics support to operational units has the potential for a greater impact, and is potentially easier against the smaller companies that usually lack sufficient resources or the expertise for sophisticated network security and monitoring. Many of the vulnerabilities I have outlined above could be minimized if the network used a proxy server, implemented firewalls, blocked proxy access without valid user identification, and prevented user credentials from being exposed to the attackers.
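The controls listed above can be checked against the network's own logs. Here is an added example (my code, not from the paper or any DoD system) that runs two such checks over constructed firewall and proxy log lines: internal hosts that reach the Internet without passing the proxy, and proxy sessions that carry no authenticated user. The address ranges, the proxy host and the log layout are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example (not from the paper): the logistics LAN is
# 10.20.0.0/16 and the only host allowed to reach the Internet directly is
# the authenticated egress proxy at 10.20.0.5.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
PROXY_HOST = ipaddress.ip_address("10.20.0.5")

# Constructed sample log lines in a simplified key=value layout (not a real
# vendor format). External hosts use documentation address ranges.
FIREWALL_LOG = """\
ts=2010-03-01T08:00:01 src=10.20.0.5 dst=203.0.113.10 dport=443 action=allow
ts=2010-03-01T08:00:07 src=10.20.4.17 dst=203.0.113.10 dport=443 action=allow
ts=2010-03-01T08:01:15 src=10.20.4.17 dst=198.51.100.7 dport=8443 action=allow
ts=2010-03-01T08:02:00 src=10.20.4.22 dst=10.20.0.5 dport=3128 action=allow
ts=2010-03-01T08:02:30 src=10.20.4.17 dst=10.20.9.9 dport=445 action=allow
ts=2010-03-01T08:02:45 src=10.20.4.40 dst=192.0.2.8 dport=22 action=deny
"""

PROXY_LOG = """\
ts=2010-03-01T08:02:01 client=10.20.4.22 user=jsmith url=https://example.org/ status=200
ts=2010-03-01T08:03:10 client=10.20.4.31 user=- url=https://198.51.100.7:8443/ status=200
ts=2010-03-01T08:03:12 client=10.20.4.31 user=- url=https://198.51.100.7:8443/t status=200
"""


def parse_kv(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def find_proxy_bypass(firewall_log):
    """Allowed connections from an internal host other than the proxy to an
    external address. These are the unproxied segments the text describes: a
    compromised host there can reach a remote C2 node and exfiltrate directly.
    Returns a list of (src, dst, dport) tuples in log order."""
    hits = []
    for line in firewall_log.splitlines():
        rec = parse_kv(line)
        if rec.get("action") != "allow":
            continue  # denied traffic was already stopped by the firewall
        src, dst = rec["src"], rec["dst"]
        if is_internal(src) and not is_internal(dst) and ipaddress.ip_address(src) != PROXY_HOST:
            hits.append((src, dst, int(rec["dport"])))
    return hits


def find_unauthenticated_proxy(proxy_log):
    """Proxy requests with no user identity ('-'). Under the control 'block
    proxy access without valid user identification' these should not succeed,
    so any that do deserve an analyst's attention.
    Returns a list of (client, url) tuples."""
    hits = []
    for line in proxy_log.splitlines():
        rec = parse_kv(line)
        if rec.get("user", "-") == "-":
            hits.append((rec["client"], rec["url"]))
    return hits


def summarize(firewall_log, proxy_log):
    """Group both findings by internal host: one entry per suspect machine."""
    per_host = defaultdict(list)
    for src, dst, port in find_proxy_bypass(firewall_log):
        per_host[src].append("direct egress to %s:%d" % (dst, port))
    for client, url in find_unauthenticated_proxy(proxy_log):
        per_host[client].append("unauthenticated proxy request to " + url)
    return dict(per_host)


if __name__ == "__main__":
    for host, findings in sorted(summarize(FIREWALL_LOG, PROXY_LOG).items()):
        print(host)
        for finding in findings:
            print("   ", finding)
```

On the sample data, 10.20.4.17 is flagged for two direct egress connections and 10.20.4.31 for two unauthenticated proxy requests, while the proxy itself and the authenticated user jsmith produce no findings.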
Another way Chinese CNO operators may compromise the U.S. is by uploading invalid information (false records) without the U.S. knowing, or by corrupting current user files and records, possibly with the intention of being detected. Discovering this type of file corruption would require manpower and an intense review of the targeted unit's database records, as well as other files, which would in turn create very costly operational delays. If this type of attack were made against several large or critical supply nodes, there would be a significant impact.
Compromising a NIPRNET-based logistics database and uploading files or tampering with current files would require PLA operators to compromise a computer on the targeted LAN while being able to operate under the user's credentials. This capability has been observed in previous U.S. network intrusions, and many of these past compromises or attack attempts can be attributed to China.
If this type of attack were detected, it could have a greater impact on U.S. forces in terms of perception management and psychological operations than an attack on more localized targets or one that redirected supplies. Only a limited number of compromises may be required to have an impact on U.S. operations: if information security concerns required a time-consuming validation of logistics or other databases by system administrators and logistics personnel across the theater, only a limited number of compromises would be needed to trigger it.
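The costly theater-wide validation described above becomes a mechanical check if every logistics record carries a keyed integrity tag. This is an added example (not from the paper or any real logistics system) that tags constructed records with HMAC-SHA256 and audits a tampered copy of the table; the record fields, the demo key and the separate integrity service holding that key are assumptions.

```python
import hashlib
import hmac
import json

# Assumption for this example (not from the paper): the integrity key is held
# by a separate integrity service, not stored in the logistics database, so an
# intruder operating under a compromised database user's credentials can alter
# rows but cannot produce valid tags for them. Constructed demo key only.
INTEGRITY_KEY = b"constructed-demo-key-replace-in-any-real-deployment"

# Constructed baseline records for a fictional supply node.
BASELINE = [
    {"id": 1001, "unit": "1-5 INF", "item": "MRE pallet", "qty": 120, "eta": "2010-03-04"},
    {"id": 1002, "unit": "2-7 CAV", "item": "JP-8 (gal)", "qty": 50000, "eta": "2010-03-05"},
    {"id": 1003, "unit": "3-1 FA", "item": "155mm rounds", "qty": 800, "eta": "2010-03-06"},
]

# The same table after a constructed tampering scenario: 1002's quantity was
# altered, 1003 was deleted, and a false record 1004 was inserted.
TAMPERED = [
    {"id": 1001, "unit": "1-5 INF", "item": "MRE pallet", "qty": 120, "eta": "2010-03-04"},
    {"id": 1002, "unit": "2-7 CAV", "item": "JP-8 (gal)", "qty": 5000, "eta": "2010-03-05"},
    {"id": 1004, "unit": "2-7 CAV", "item": "JP-8 (gal)", "qty": 45000, "eta": "2010-03-19"},
]


def canonical(record):
    """Deterministic byte encoding so the same record always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record, key=INTEGRITY_KEY):
    """HMAC-SHA256 over the whole record, id included, so values cannot be
    moved between rows without detection."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_manifest(records, key=INTEGRITY_KEY):
    """Map id -> tag, written by the integrity service when the data is loaded."""
    return {r["id"]: tag_record(r, key) for r in records}


def audit(records, manifest, key=INTEGRITY_KEY):
    """Compare the live table with the manifest and return ids per finding:
    'inserted' (row with no tag), 'modified' (tag mismatch) and 'missing'
    (tagged id no longer present). Reviewing just these ids replaces a manual
    review of every record."""
    seen = set()
    result = {"inserted": [], "modified": [], "missing": []}
    for r in records:
        rid = r["id"]
        seen.add(rid)
        expected = manifest.get(rid)
        if expected is None:
            result["inserted"].append(rid)
        elif not hmac.compare_digest(expected, tag_record(r, key)):
            result["modified"].append(rid)
    result["missing"] = sorted(set(manifest) - seen)
    return result


if __name__ == "__main__":
    manifest = build_manifest(BASELINE)
    print("clean table:   ", audit(BASELINE, manifest))
    print("tampered table:", audit(TAMPERED, manifest))
```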
The PLA maintains at least six technical reconnaissance bureaus (TRB). These bureaus are located in Lanzhou, Jinan, Chengdu, Guangzhou and Beijing, which are all military regions in China. These military regions are responsible for SIGINT collection against tactical and strategic targets but have no apparent CNO duties; however, the U.S. does not know this to be a fact, because no specific details are available regarding the precise role or subordination of these particular units.
Event in Question
According to the China Military Report, China has risen rapidly as a regional political and economic power. The U.S. encourages and welcomes this rapid growth; however, some are questioning this growth and whether or not it will have a negative impact on the U.S. Since 2006, evidence has suggested that China has revised the 1993 Military Strategic Guidelines for the New Period, the PLA's guidance document for military strategy and force development. The specific contents of these guidelines are currently unknown to the U.S. In January of 2007, China successfully tested a direct-ascent anti-satellite (ASAT) missile against a Chinese weather satellite. This demonstrated China's ability to attack satellites operating in low-Earth orbit.
Two counterterrorism exercises were conducted by China in 2006 with its Shanghai Cooperation Organization (SCO) partners. Also in 2006, a PLA Navy SONG-class diesel-electric submarine surfaced in very close proximity to the U.S.S. KITTY HAWK aircraft carrier in waters near Japan. This particular incident is a good example of the fact that U.S. and Chinese military air and maritime assets are operating close to each other.
China is making a long-term effort to improve the strength of its military. If successful, China will improve its capabilities for power projection, anti-access and area denial. China's naval forces include 72 principal combatants, approximately 58 attack submarines, approximately 50 medium and heavy amphibious lift vessels, and approximately 41 coastal missile patrol craft.
China is developing and testing offensive missiles. It is also forming additional missile units and upgrading the quality of those missiles. Finally, it is developing methods to counter ballistic missile defenses. By October 2006, China had already deployed roughly 900 mobile CSS-6 and CSS-7 short-range ballistic missiles to garrisons opposite Taiwan, and the force was expanding at a rate of more than 100 missiles per year. Newer versions of these missiles have improved range and capacity.
China has made many efforts to maintain stability on its borders while asserting its territorial claims. Beijing continues to attempt to advance its strategic interests across Central Asia and the Middle East. The security goals behind these attempts help maintain access to resources and markets. They also help establish a regional presence while influencing the balance of power and competing with other powers, including the U.S., Japan and India.
Intelligence Failures
According to the Washington Times, there was a recent cyber attack on Google and other U.S. companies. Reports confirm that the attacker is part of a suspected Chinese government operation, launched last year, that uses human intelligence techniques in combination with high technology in order to steal corporate secrets and government data. This type of attempt could very easily have been made against a U.S. government database, and it is a good example of a failed intelligence attempt. An Obama administration official said that the U.S. government was able to link the attack, first discovered in the summer of 2009, to the Chinese government. Details regarding how the Chinese cyber attack was identified have not yet been released.
This attack was targeted, as many of the Chinese government's strategic planning habits are. It was aimed at engineers and quality assurance developers, or people with very high levels of access within the organization. Several of the targeted companies are under investigation at this time. This Google attack, code-named Operation Aurora because one of the targeted files discovered by McAfee was named Aurora, can be traced to a previously unknown software flaw in Internet Explorer 6.0.
The attackers identified the flaw and spent months gathering information about the company executives. These executives had high-level access to company data, which the Chinese government would find extremely attractive. The attackers gathered personal data on company executives from personal networking sites such as Twitter, Facebook, LinkedIn and MySpace, then sent the executives fake e-mails that appeared to come from a company official but contained links to a pirated server in Taiwan. Once the victim's computer accessed the Taiwan server, a Trojan or trap door was implanted on the computer, and the attackers were then able to take it over.
Analyzing the Potential of the National Criminal Intelligence Sharing Plan (NCISP)
On September 11, 2001, the need for a National Criminal Intelligence Sharing Plan (NCISP) was recognized as critical in the United States. By spring of 2002, law enforcement executives and intelligence experts had attended the International Association of Chiefs of Police (IACP) Criminal Intelligence Sharing Summit, in an attempt to get all law enforcement officials and agencies working towards the same goal. This goal included gathering information and producing intelligence within each government agency. In 2003, President George W. Bush made a speech in which he promised to make information sharing an important tool in the nation's war on terror.
The vision of the Global Justice Information Sharing Initiative is to create: a model intelligence sharing plan; a mechanism to promote intelligence-led policing; a blueprint for law enforcement administrators to follow when enhancing or building an intelligence system; a model for intelligence process principles and policies; a plan that respects and protects individuals' privacy and civil rights; a technology architecture to provide secure, seamless sharing of information among systems; a national model for intelligence training; an outreach plan to promote timely and credible intelligence sharing; and a plan that leverages existing systems and networks, yet allows flexibility for technology and process enhancements. September 11, 2001 is a good example of failure without the National Criminal Intelligence Sharing Plan. It is the main reason the plan was implemented in the first place, and it happened because Americans simply were not prepared.
The biggest question is whether or not September 11th could have been prevented if this type of plan had already been in place. The truth is, if individuals want to find a way into a place, they likely will. Americans can be as prepared as they want to be, but the U.S. is still a free country, which means the people in the U.S. are made up of various nationalities, and if someone wants to go through the motions of living and working in the U.S., or even of becoming a citizen, it is possible. It is probably easier to live and stay in America than anywhere else, and even individuals who do not go through the proper steps or "do it right," so to speak, can remain in America undetected for quite a while, if not their entire lives. There are many illegal aliens in the U.S. who have gone, and will continue to go, undetected.
The NCISP is a good plan, and in many ways it makes events like 9/11 more difficult to accomplish, but they are still possible. People will find a way and will forever be trying to penetrate a country as strong as the U.S. If you read information provided by the U.S. government, it will tell you that America is now safe. Since 9/11, the U.S. has taken measures to prevent something like that from occurring again, but it doesn't take someone from outside the U.S. to make it happen. Consider the Oklahoma City bombing. That couldn't have been prevented either, not with the information out there or with the NCISP. Nothing about today's safety measures in airports, the U.S. Postal Mail, etc., would have prevented the Oklahoma City bombing, and it wasn't a foreigner but an American who decided to blow up a building in the middle of downtown Oklahoma City.
The NCISP has a lot of potential, and it most likely prevents a lot of bad things from occurring throughout the U.S., but will it prevent everything? Probably not. As with any plan of action, there are flaws, and Americans are likely not as safe as they think. When you consider advanced persistent threats, or the information presented about the Chinese government, you learn that there are other ways of penetrating the United States and its government, so we may still be compromised even with the current safety measures.
China as a Strategic Threat to the U.S.
China persists in its attempt to become a dominant or predatory nation. As a nation, much of the Chinese population shares an abundance of characteristics. A very large portion of the population tends to be poorly educated people who do not have open contact with Western cultures and can be manipulated through propaganda, giving the country the ability to form large armies. Many have a long history of what is commonly referred to as authoritarian leadership instead of a government based on principles of fundamental rights. Some describe the Chinese as a discouraged and intimidated people who are used to being ordered around. Finally, many Chinese are described as ruthless and insensitive, with the ability to create leaders and security forces capable of mass destruction and unthinkable war. China has its sights set on world hegemony.