Angry Animal 8

Rebuttal: Northrop Grumman, Cyber-gangs, APT and 0-day [Messmer]

Thu Jun 23 18:30:52 CDT 2011

security curmudgeon

This is a rebuttal piece to "Northrop Grumman constantly under attack by cyber-gangs" (June 21, 2011) by Ellen Messmer (@EllenMessmer), Senior Editor at Network World.

Warning: Due to Northrop Grumman, Timothy McKnight and Ellen Messmer's use of inflammatory words like "Advanced Persistent Threat" and the mis-use of "zero day", the witnesses will be treated as hostile.




The fact that this article stems from a talk at a Gartner conference is the first warning sign. Gartner is not known for useful, timely or accurate analysis in many security circles.

About a dozen separate legions of organized hackers have been diligently attempting for years to break into aerospace and defense company Northrop Grumman to steal sensitive information, the company's chief information security officer (CISO) said at a Gartner security conference here.

"These advanced attacks have been going on for several years," said Timothy McKnight, vice president and CISO at Northrop Grumman, during a panel discussion on the topic of the "Advanced Persistent Threat," (APT) the term often used to describe attacks by hackers determined to break into companies and government agencies with the goal of stealing intellectual property or other sensitive information.

The introduction sentence comes across as if McKnight thinks his company is special or different. On the off chance he believes so, let's clear that up real fast. Bad guys have been attempting to break into tens of thousands of companies for years, decades in some cases. Back in the day, vendors like Sun Microsystems, operating system creators like Microsoft and service providers like Hushmail have been targets. A wide variety of bad guys, some more persistent than others, spent weeks, months and years trying to break in. This is how the Internet works. That statement ranks right up there with "TCP/IP is the backbone protocol of the Internet" to me. Both statements are equally known and equally boring.

Second paragraph, things go downhill quick. First, using the term APT makes you an idiot who buys into marketing terms that have nebulous meanings (or someone whoring to an industry that relies on everyone using the same poor term equally). Case in point, you assign 'APT' to hackers "determined to break in" "with the goal of stealing intellectual property or other sensitive information". Most idiots use APT to brand an attacker on the grounds of being advanced (e.g., "that SQLi was totally advanced, we couldn't have stopped it!"), persistent (e.g., "they attacked us, and only us, for three weeks trying to get a foothold in the door) or a threat. Wait... if an APT is a threat, and an APT keeps breaking into places like RSA, Lockheed, or the Department of Energy, why are you still calling it a threat? At what point does it become an APPWFU (Advanced Persistent Person Who Fucked Us)?

Since you don't mention any actual compromises, are they really advanced? Are they really a threat to you if you are so easily detecting and thwarting these attacks? It sounds more like you are setting the stage to proactively blame your next compromise on an "APT". Don't worry, we understand, we did the same thing.

The cyber-intelligence group at Northrop Grumman keeps a tally of forensics on attacks emanating from the groups that each work as a team "waking up each day to get into Northrop Grumman," McKnight said. "We can tell what their attack procedures are, how they write the malware."

The typical attack methods are attempts to compromise user machines through zero-day vulnerabilities. While about 300 zero-day attack attempts were recorded last year, the pace has ramped up enormously where it's not uncommon to see zero-day exploits coming in at 11-minute intervals.

This is very telling, Timothy, that you really don't have much of a clue about security, and that any pretend-metrics or statistics you throw out are absolutely meaningless. When you say these dastardly attackers are writing malware, that means one thing. When you suddenly transmogrify that into zero-day vulnerabilities, and further claim there were 300 zero-day attacks last year, you firmly demonstrate you don't know the definition of these terms you casually throw about. Further, it means the "Senior Editor" of Network World doesn't validate any of the spew being offered by a source. No attempt to sanity check his comments, no attempt to define the terms to make sure they are offered in the correct context.

A zero-day (0-day) vulnerability is one that has not been published; the security community doesn't know about it, it isn't listed in vulnerability databases and there are no vendor advisories about it. Detecting 0-day in an attack is not easy. If Northrop Grumman really did detect 300 zero-day attacks last year, and sees one every 11 minutes, then it is their duty to report them to vendors. The fact that we haven't seen the company credited in advisories from Microsoft, Apple or any other vendor seems to confirm my suspicion that McKnight is mixing "zero-day" with "any garden variety attack that has been published". Unless all of those attacks are against Northrop Grumman created applications, in which case it simply isn't believable you'd have that bad of programmers and that good of security staff. So Timothy, are you (A) an idiot or (B) the most unethical toad the security has ever seen, sitting on nearly 500 zero-day vulnerabilities that are likely being used against other companies this very second? There is no (C) answer.

This is why CISOs should be kept on a leash, away from journalists.

In March, RSA acknowledged it was hit by an APT attack that resulted in the theft of undisclosed information about its SecurID product. The problems only seemed to grow.

Really, if an attack is successful, when isn't it an "APT"? It was obviously more advanced than your security, just persistent enough to work (even if it was all of an hour long) and clearly threatened you in some way. Seriously people, drop this bullshit term. If you don't, we can use it as a good litmus test to ferret out the idiots in our industry. As $someone wrote, "hacking is what happens to other people, APT is what happens to us".

This is another key area that Messmer screwed up. Why let RSA get away with this? Theft of undisclosed information is factually incorrect. The bad guys know what information was taken. RSA knows what information was taken. It was disclosed to two parties when it happened. Qualify that statement to " undisclosed to RSA's paying customers" (without signing a restrictive NDA) and hound them for details. Take them to task for keeping it secret while only offering bits and pieces as public pressure demands it. Remind your readers that their silence is putting their customers in jeopardy every single day.

Lockheed Martin recently disclosed that it was hit by an attempted APT that in part made use of this stolen information related to RSA SecurID tokens. Lockheed does not believe that the attackers managed to steal sensitive information, however.

Really?! Now we have "attempted APT"? Which is it.. attempted to be advanced, attempted to be persistent, attempted to be a threat, or they attempted all three? If this doesn't prove how overblown and mis-used this term is, then keep using it so we know who to feed to the zombies first.


main page ATTRITION feedback