Since Gartner does not track individual threats or actors it is difficult to say for certain which attacks are state sponsored or not. The recent mandiant report highlighted China as the threat actor. Gartner does not believe that the country of origin is as important as the protection mechanisms that must be in place.

What are are the biggest threats, and from where do they originate?

Threats originate globally, and in the hacker underground the most sophisticated hackers most often originate from Russia. In general, a nation state actor (if targeting you) will likely be successful since they often are given time and resources in order to breach the security of your organization with many different capabilities beyond just cyber assets.  Attribution of attacks is extremely difficult since counter intelligence can be used on the internet such as spoofing source IP’s, using proxy servers, using botnets to deliver attacks out of other locations, developers using keyboard maps of different languages, for example a Chinese American or European that understands Chinese but develops their exploits for their country of origin will result in problematic or impossible attribution.

In the recent report published by the company Mandiant titled “APT1″ hackers appear to originate in China. These threat actors were utilizing common forms of zero day exploitation, botnets and other tools readily available in the underground hacking community. Given they are using the same tools and capabilities of the underground hackers, it is most important to focus on generic security controls that protect against all of these attack capabilities. An organization should take a general approach to combat threats from any location and not focus on the country of origin. In a report published by Gartner last year titled “Network Security Monitoring Tools for ‘Lean Forward’ Security Programs” to call out technologies that can assist in advanced targeted attack detection at the network layer.

What responses are organizations making?

I have written a report titled “Best Practices for Mitigating Advanced Persistent Threats” as a guide for raising the bar for prevention and detection of advanced forms of malware and targeted attacks and these technologies and security techniques are what organizations today are focusing on refining/deploying. The two primary attack vectors of choice for today’s  threat actors is malware to gather unstructured data and web-based attacks such as SQL injection to grab database stored structured data types. The malware can be handled by a number of technologies  at the network layer and  at the windows endpoint. Web attacks can be addressed with a combination of Intrusion Prevention System and Web application firewalls. See report titled “Best Practices for Mitigating Advanced Persistent Threats” and “Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012“ for advanced Malware threats and “Competitive Landscape: Web Application Firewall Market, Worldwide, 2012” for web application firewalls.

Are organizations in a regulated environment facing a greater threat?

Nation states do not often target structured data types such as financial data, however disruption of a banking system or critical infrastructure can be akin to a nuclear attack if an entire banking system, power or water delivery system is properly disrupted. Government regulations target sensitive areas of the economy. Most attackers are financially motivated and thus regulated environments such as Financial organizations often face the largest threat from these actor groups. A nation state would likely consider disruption of critical infrastructure as an end goal during a time of war vs. data acquisition. Prior to wartime, a nation state would likely be focused on distributing “capability” for disruption as a preparatory measure for evocation at a later date. Although we don’t have direct research in this area, we do have many supporting research notes. Please see the list below as a very comprehensive way to deal with both threat actor groups.

Research:

-          Best Practices for Mitigating Advanced Persistent Threats

-          Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012

-          Malware, APTs, and the Challenges of Defense

-          Decision Point for Anti-malware

-          Competitive Landscape: Web Application Firewall Market, Worldwide, 2012

There certainly political motivations for talking about China  and I think it’s fair to say  they are certainly many participants in the global stage of cyber security and intelligence gathering.  In fact, the United Stateshas a long history with its intelligence agencies for performing signals intelligence (SIGINT).  I would like to point out  that as far as sophistication goes, the United States is unmatched with its intelligence gathering capabilities and extends this capability across the globe with an extensive  array of spy satellites and listening stations with strong support of several other countries.  It does not strike me as odd  or newsworthy that governments across the planet attempt to track each other’s  military capabilities and monitor situations through signal intelligence and other intelligence gathering capabilities.  These activities are a necessary function to enable transparency across borders between governments and be ready if another country is planning some sort of attack.  I do think however it is important to mention that I believe that all countries should uphold  strong intellectual property rules in order to maintain fair competition  which creates a dynamic that encourages new developments and technologies and enables fair competition across the globe.

Now lets turn to some of the data often known  ”behind the scenes”  that many security practitioners know and consistently defend against. Deutsche Telecom publishes a real-time dashboard of hacking attacks detected by its global network of attack sensors known as a “honey net”. As many practitioners know, a “honey net” the reference to honey is an analogy to how one might attract a bear in the woods, the bear being the hacker in the case of a “honey net”. For some fun, I used some statistics from the Deutsche Telecom dashboard located at http://www.sicherheitstacho.eu/ to provide data points for some basic analysis. At the time of this writing, the total number of attacks detected over the last month globally were 30,144,538 when tallying the “Top 5 of Attack Types (Last month)” table. They also publish a table called “Top 15 of Source Countries (Last month)” with detected attack values which I found interesting but I wanted to extract percentages so I used those values and threw them into excel to calculate percentage values by top 15 countries and the following is my output.

Attacks by percentage of total global attack detections.

Source: http://www.sicherheitstacho.eu/

As you can see with this quick analysis, roughly 24.61% of total detected attacks were from the top 15 attacking countries and roughly 8% of all attacks came from the Russian Federation and only half a percent came from China. So the question is, who will you pay most attention to?

- Best Practices for Mitigating Advanced Persistent Threats (Lawrence Pingree, Neil MacDonald)

- Market Trends: Advanced Threat Protection Appliances, Worldwide, 2012 (Lawrence Pingree)

- Competitive Landscape: Network Behavior Analysis Market, Worldwide, 2012 Lawrence Pingree)

- Malware, APTs, and the Challenges of Defense (Dan Blum)

- Information Security Is Becoming a Big Data Analytics Problem (Neil MacDonald)

- Network Security Monitoring Tools for ‘Lean Forward’ Security Programs (John Pescatore, Lawrence Orens)

Note: The table below are Gartner Estimates (actual numbers may vary).

My sense is that most cloud service providers and enterprises will likely gravitate their preference to the hardware or hypervisor infrastructure provider rather than a third party software provider. My position stems from a belief that a strong relative background in networking or a closely tied hypervisor is likely to be preferred by customers over a third party software defined network provider that has limited deployment time in the networking industry.  Personally when I receive inquiry on the topic of proper zoning within a virtualization infrastructure.  I generally gravitate towards the infrastructure provider over third parties as the provider of network segmentation (see Gartner’s Burton research on “Zones”). I lean towards the traditionalist path with physical versus software based zoning for sensitive security zones rather than deployment within a single hypervisor environment. This is likely also why the recent FedRamp program does not intend to move sensitive workloads into Fedramp certified entities. In general I question the ability of a third-party software packages to deliver all of the adequate network technologies within a virtualization infrastructure one step removed from the traditional network infrastructure providers or the hypervisor provider as they likely have divergent business goals for product stickiness and meeting contractual obligations of providing high stability. I’m interested in hearing from you, what do you feel are the security risks or operational risks of relying on a third party software defined network provider and what would you prefer?

Email states:

“As of 9am on Wednesday, June 6th, 2012, the Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO) achieved Initial Operating Capability. As a part of IOC, the FedRAMP PMO is now accepting applications for provisional authorization of cloud systems. The application is currently housed on fedramp.gov and can be accessed via the following URL: http://www.gsa.gov/portal/content/125991“

So now all those cloud providers can chop chop their way into the federal government GSA Schedule. Happy Selling!

Advanced = Continuously Improving Controls
Persistent = Continuously Monitoring Controls
Security = Security Controls as they relate to addressing risks and threats
Program = Apply the prior concepts to the overall security program from budget, organizational structure and how we operate security.

More to follow in my research but thought, what would I do to change this marketing mantra

If interested, I just published a best practices research note called “Best Practices for Mitigating Advanced Persistent Threats“

It may be entirely possible to auto-deploy a malicious virtual image and run it on a host…… once deployed, what could it do?

Malware capabilities:

With a complete operating system downloaded onto the target system just about anything could be possible including surreptitious network monitoring, network information gathering, data grabbing, vulnerability scanning from inside the network as well as just about anything else including forming an outbound virtual private network to use as a way inside the internal network.  Add encryption to the scenario by encrypting the virtualized drives used by the virtual host and it now becomes almost unstoppable.

Let’s walk through this a bit by examining how this may be possible:

1. Create a malware payload which consists of a virtual machine player and an infected image or an image created with hacker tools installed on it.
2. Craft a zero day attack to infect a host with a file dropper to download the image and player.
3. Spread the malware infection using a specially crafted social engineering based e-mail to induce your target to click and execute your zero day and deploy the malware .
4. Have the malware download dropped files containing a virtual machine player (with command line capabilities) along with the malicious image you created in the first step.
5. Launch your newly downloaded virtual machine image on targeted host as an installed service.
6. Use host memory and process obfuscation techniques to make the processes and memory hidden.

A scary concept, one that many of us should think about and plan against.