Technical Lead, Neohapsis Labs
Nathaniel Puffer is a Technical Lead for Neohapsis Labs. He is currently concentrating on providing information risk, security, and compliance management services to enable clients to meet both their immediate and long-term goals. Mr. Puffer specializes in developing and implementing programs designed to proactively identify and manage risk within enterprise organizations.
APT in Corporate America and the Exposure to Foothold Scenarios
This paper compares and contrasts the likelihood of two scenarios: defense against the exploitation of previously unknown flaws, and defense against an opponent who has already infiltrated key systems. The strategic focus of this analysis is on corporate or privately held systems. This choice is made for realistic and pragmatic reasons, since these systems are resistant to regulation by the defenders yet critically necessary to the operation of a state as a whole. Evidence and examples from Heartland Payment Systems and Aurora are used along with the results of Cyber Shockwave to draw out the exposure states may have to these scenarios.
Two major methods exist to create an effective offensive capability for cyber warfare. The first is knowledge of unknown flaws in systems, or zero-day vulnerabilities. The second is having an undetected presence in the opponent's systems, or a foothold. There is a tendency with zero-day vulnerabilities to want to stockpile them for a possible conflict. However, experience has shown that effective unknown flaws have an attrition rate, along with a risk of third-party disclosure. The most effective time to exploit unknown flaws is shortly after discovery.
Faced with the practical drawbacks of developing zero-day vulnerabilities for a stockpile, it is more reasonable to seek out strategies that turn the effort put into researching these flaws towards a tangible gain. Using a zero-day vulnerability to gain access to a system, and then establishing a monitoring and control capability without damaging the opponent, is a viable method to create a foothold with minimal risk.
Both the attacks against Heartland Payment Systems and those against high-profile Silicon Valley firms during Aurora demonstrate the difficulties defenders face in discovering intruders in their systems. In both cases it seems that the tipping point for discovery of the attacks was when they were leveraged to exfiltrate data. Up to that point the presence of attackers was undetected, overlooked, or ignored.
The Cyber Shockwave simulation run by the Bipartisan Policy Center in February 2010 demonstrated two critical points. First, the nation is critically dependent on privately and civilian-run infrastructure and systems. Second, these systems are resistant to regulated protection prior to an incident. Put simply, the citizenry of a state relies on the infrastructure and services provided by private corporations, yet these same corporations are not always motivated to spend the time and resources to fully protect their systems from cyber attacks.
The combination of these factors creates an overall situation in which a likely and demonstrated attack vector, the use of zero-day vulnerabilities to create a foothold scenario, can be used against corporate systems. This foothold can then be leveraged to force a tactical advantage, as states must focus resources inward to resolve issues.