Tinker, Tailor, Soldier, Malware

27.02.13

Category: Cyberspace, Secrecy, Steve Weintz

by STEVE WEINTZ

[N]othing that I write is authentic. It is the stuff of dreams, not reality. Yet I am treated by the media as though I wrote espionage handbooks. — John le Carré

Rob Rachwald of Imperva, a business cyber-security firm, gave a most informative talk entitled “The Compromised Insider” at West 2013, the annual San Diego conference put on by the U.S. Naval Institute and the Armed Forces Communications and Electronics Association. As Mr. Rachwald spoke on the cryptic world of malicious software, or malware, it seemed to me there were many parallels to the “secret world” and its time-tested techniques so vividly portrayed in John le Carré’s spy novels. Today, as the clandestine international battlefield spreads into cyberspace, many of the same hard-won principles from the 20th-century espionage struggle still apply.

Like Moscow Centre, the fictional Soviet spy headquarters, the opponent is potent, well resourced, numerous and driven. The brutal fact is that hacking is now a major worldwide multilingual industry, complete with employment networks serving hundreds of thousands of smart folks, technique forums full of crowd-sourced advice, and a complete ecosystem of software code ready to be cobbled up into nearly any kind of malware imaginable, very like the way cheap chips, electronic components and motors allow for all sorts of gizmoneering.

“I asked whether ‘lateralism’ was a word for you.
“It most certainly is not.”
“It’s the ‘in’ doctrine. We used to go up and down, now we go along … today everything operational is under one hat. It’s called London Station. Regionalism is out, lateralism is in.”

The “mole,” or falsely-trusted double agent, has been a staple of intelligence and counterintelligence for nearly a century. Mr. Rachwald defined an insider threat as “someone with trust and access in excess of accepted practice.” A typical malware attack proceeds very like the classic planting of a “mole.” A trustworthy asset is compromised and then brought into the target organization, where it rises in authority and access and spreads its control laterally into all aspects of the system.

Bill’s real trick was to use them, to live through them to complete himself, here a piece, there a piece, from their passive identities … and finally submerging this dependence beneath an artist’s arrogance, calling them the creatures of his mind.

In Tinker, Tailor, Soldier, Spy, Karla the Soviet spymaster recruits the young aristocrat Bill Haydon while he is still a student at Oxford, and increases his power over the British Secret Service as Haydon rises in the ranks to second in command. During his career Haydon’s manipulation of information, closing of investigations and betrayal of agents culminate in his success in planting Karla’s disinformation flow, “the Witchcraft product,” in the heart of British policy circles. His upper-class background and dashing personality deflect nearly all suspicion. In his talk, Mr. Rachwald noted that malicious human insiders who traitorously sold secrets were a diminishing minority, but 100 percent of all employees and customers were potentially, and unconsciously, compromised by malware.

For months the Admiralty had been screaming at the Circus for anything relating to this exercise. It therefore had an impressive topicality, which at once, to Smiley’s eyes, made it suspect.

In one disturbing example, specific employees of Sandia Labs received a spearphishing email, apparently from the Human Resources department, with an attached PDF concerning changes to their benefit plans. The PDF carried a malicious payload. Current malware trends include taking advantage of search-engine optimization by embedding malware inside topical material and letting it distribute itself via the surge of interest in the topic. A newer technique, best known from an exploit dubbed Havij (“carrot” in Farsi), uses SQL injection to modify databases on the fly. This is a Big Deal because data integrity is the bedrock upon which any system rests. Corrupt data is an obvious problem in the case of GPS spoofing, where locations end up off-target, but what about small deliberate errors in personal data? In currency flows? In current flows?

“To my mind no existing method of Whitehall distribution meets the case. The dispatch-box system which we used in GADFLY fell down when keys were lost by Whitehall customers, or in one disgraceful case when an overworked undersecretary gave his key to his personal assistant.”

Against this onslaught the current scheme of defenses is failing everywhere: antivirus software installed on every device and kept current by published lists of analyzed threats, sometimes with additional layers of software and hardware defense in depth.

“Protect and monitor the cheese, not the mice,” urged Mr. Rachwald. In 2011, he said, 80 percent of data was hacked from servers, not end users. Have a persistent and consistent security policy. Classify your information. Map user permissions carefully onto the classification scheme. Monitor and audit activity, and look for behavior and entry methods inappropriate to user permissions. A new approach to data security may look very like the time-honored approach to state security: rarely the dashing exploits of Our Man In Cyberspace, and more often the unglamorous, painstaking work of baseline establishment and anomaly detection, of the sort that Sandra Grimes and Jeanne Vertefeuille used to catch Aldrich Ames.

Till now, to Smiley’s suspicious eye, Merlin had been a machine: faultless in tradecraft, eerie in access, free from the strains that make most agents such hard going. Now, suddenly, he was having a tantrum.

One key giveaway for almost all malware: it’s not human, so it acts in strange, inhuman ways. Very high download volumes, for example, made using very high access privileges. If an organization knows what typical user behavior is, then weird behavior will stand out more easily. Le Carré writes of Smiley “shaking the tree,” of stimulating the mole into panic action so as to flush him out, of looking for unusual behavior in his suspects under pressure.

“[A] member of the Soviet Embassy here in London is … even in the extraordinary position of being able to use, on rare occasions, the Embassy facilities to talk to Merlin in Moscow, to send and receive messages.”

Another malware vulnerability to be exploited is the one George Smiley used to catch Bill Haydon. All agents need to communicate with their masters, whether human or code. By looking for odd communications from the network to the outside world, cyberhounds can take “back bearings” on the malware’s operators.
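Taken together, the baseline-and-anomaly approach from the talk (download volume out of proportion to a user’s own history, worse on a privileged account) and the “back bearings” check (outbound destinations the user has never contacted) suggest the kind of detection logic a defender would run. The following is an added example, not code from the talk or from Imperva; the users, hosts and byte counts are constructed, and the three-sigma threshold and the role weighting are assumptions.

```python
# Added example (not from the talk or the post): baseline-then-anomaly detection
# over constructed access logs. Check 1: daily download volume far above the
# user's own baseline (worse on a privileged account). Check 2: an outbound host
# the user never contacted in the baseline period ("back bearings").
from collections import defaultdict
from statistics import mean, pstdev

# Constructed lines: day user role bytes_downloaded outbound_host
BASELINE_LOG = """d01 alice analyst 120000 files.corp.example
d02 alice analyst 150000 files.corp.example
d03 alice analyst 130000 files.corp.example
d01 bob admin 500000 files.corp.example
d02 bob admin 450000 backup.corp.example
d03 bob admin 520000 files.corp.example"""
TODAY_LOG = """d04 alice analyst 140000 files.corp.example
d04 bob admin 9000000 files.corp.example
d04 bob admin 2000 203.0.113.7"""

def parse(log):
    """Split whitespace-separated lines into (day, user, role, bytes, host)."""
    return [(d, u, r, int(b), h) for d, u, r, b, h in
            (line.split() for line in log.splitlines())]

def build_baseline(rows):
    """Per-user mean/stddev of daily bytes and the set of hosts each user contacted."""
    per_day = defaultdict(lambda: defaultdict(int))
    hosts = defaultdict(set)
    for day, user, _role, nbytes, host in rows:
        per_day[user][day] += nbytes
        hosts[user].add(host)
    stats = {u: (mean(v.values()), pstdev(v.values())) for u, v in per_day.items()}
    return stats, hosts

def find_anomalies(baseline, today, sigma=3.0):
    """Return (user, alert_type, detail) tuples for today's rows against the baseline."""
    stats, known_hosts = baseline
    alerts, totals, roles = [], defaultdict(int), {}
    for _day, user, role, nbytes, host in today:
        totals[user] += nbytes
        roles[user] = role
        if host not in known_hosts.get(user, set()):
            alerts.append((user, "new-destination", host))
    for user, total in totals.items():
        mu, sd = stats.get(user, (0.0, 0.0))
        # Unknown users or flat baselines get a floor of 1 byte of spread.
        if total > mu + sigma * max(sd, 1.0):
            sev = "high" if roles[user] == "admin" else "medium"
            alerts.append((user, "volume-" + sev, total))
    return alerts
```

Run as `find_anomalies(build_baseline(parse(BASELINE_LOG)), parse(TODAY_LOG))`: the analyst’s ordinary day produces nothing, while the admin account is flagged twice, once for volume and once for a destination outside its history.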

A very dull monument, Smiley reflected, surveying these much-handled files, to such a long and cruel war.

The Cyber Age is the Information Age carried forward a decimal point, and long before the rise of the machines it was human intelligence agents, or HUMINT, that infiltrated and established and observed, and in some cases sabotaged and murdered. During the Cold War, vast networks of intelligence collection and organizational penetration were built and operated, drawing forth information that may have served to preserve the balance of terror. There may be no other way to contain cyberthreats save by old-school tradecraft, even if most agents now in the field are virtual. The “social engineering” exploits that form the majority of successful cyber-penetrations are simply remakes, albeit very clever ones, of old devilries.
