Infiltrated dot Net

That Shady Rat was Only a Security Peer
Written by J. Oquendo   


After reading about the re-hashed Advanced Persistent Asian Threat that is  now being called "Shady Rat" [1,2,3,4] I could not help but shrug my shoulders and say "so what." It is not that I don't care about the current state of security, it is simply my frustration at the lack of security competent individuals, companies and frameworks. Seriously, why are ten year old attacks and tools still a problem for companies? My answer is simple, cutting, honest and to the point: "many companies and their staff are either under-qualified, incompetent, uneducated, all of the above, or even simpler, just don't care about security and the threat enough."  

Under-qualified: I can go back to countless arguments where one reads a book, passes a test, slaps on a certification in their title and calls themselves an evangelist slash expert, however, that would do no good, it is old news already. I can also point out the "cover your ass" route companies take by ONLY hiring certified individuals. What happens afterwards is often the company is left scratching their heads after a compromise has occurred. Pointing out some of these reasons make no difference at the end of the day as companies are likely to continue their (in)security paths.

Incompetent: Harsh word to throw into this writing but it is an honest term and has its shock value: "How dare he!" or "He doesn't understand the threat" and other similar comments along those can be imagined. It is what is it, certification does not always translate into competency.

Uneducated: Sure, the end user is likely to be uneducated but so seem to be some of the security professionals tasked to maintain, deploy and or addresses security in some of those 71 companies mentioned in the Shady Rat report. "It is what it is" said Captain Obvious. Reliance on say CPEs is not a real gauge of competency. Seriously, I hate dishing out reality so late in the week, but just because someone signed up and streamed a vendor video does not translate into them 1) watching the video and 2) understanding what was said. Nevertheless the issuance of CPEs for many peers is overrated for one, and useless most times. Yet I know of many who continue to earn CPEs, possess nifty certifications all without even understanding much about security. It is sickening to call them a peer.

Much to the dismay and tolerance of many security peers, it is best to call it what it is. "Security failures to the Nth degree". None of the frameworks, baselines and or mandates seem to have been followed. After skimming through the Shady Rat write-up, I can see all sorts of NIST SP failures, HIPAA, SOX, D(ITS/A)CAP failures. Not to mention failures from the TOGAF/CoBIT/ISO/PickYourFrameworkAndInsertItHere writings as well. Now I don't believe the frameworks are the failures, nor the technologies, I believe that the people are the failure. Where were the so called security evangelists in these companies? Why weren't they holding their ground and doing their jobs? Why aren't those individuals on the unemployment line along with their managers at this point. Harsh words indeed, in fact I will likely have less friends after this article but enough is enough. How many CISAs, CISMs, CISSPs, C|EHs, SANS certified people work at Booz, L3, etc? I am not singling those companies out, I am just pointing out the obvious.

Getting away from the scathing indictment of some "security peers", HTran and similar programs mentioned in almost all of these "APTs" could have been detected with simple tools such as host based intrusion detection, strong monitoring and so forth. That doesn't even get into GPOs which should have disallowed installation of these programs and or alerting to when someone is overstepping their bounds. Sure I know of the client side attack, surely Tripwire would have sent off enough alarms to counter those who would argue "client side." Now AV and malware experts would say otherwise, but even simple log monitoring would have detected the anomalies. Far too many times it has been mentioned: "Extrusion Prevention and Monitoring!" This would have been nipped in the bud long before it became "security" epidemic. Not to mention, proper network based ACLs would have minimized exposure. Why are machines allowed to connect to geographic ranges at certain times? Why are machines allowed to connect to known-to-be-shady networks is another story. Nevertheless every time I read "APT" it usually bores me.





File format exploits and client side attacks: Seriously? Using 10 year old exploits? Exploiting and leaving 10 year old RATs? [5] This to me indicates that policies were not followed via way of updates and patching, this includes operating systems, antivirus and so on. I am not even getting into frequent virus and malware scanning. Indeed the whole "Shady Rat" fiasco reeks of companies relying on under-qualified, incompetent and uneducated security professionals, policies, oversight and management. There is no "but..." - it is what it is: "under-qualified, incompetent, uneducated" *people* - not technology - that are to blame. However, as Sophocles once said "What people believe prevails over the truth."

Too many companies are also relying too often on other companies and never giving their own networks a security peek. This is the oft-mentioned "herding-instinct" and "confirmation bias:" (via Wikipedia)

In psychology and cognitive science, confirmation bias is a tendency to search for or interpret new information in a way that confirms one's preconceptions and to avoid information and interpretations which contradict prior beliefs. It is a type of cognitive bias and represents an error of inductive inference, or as a form of selection bias toward confirmation of the hypothesis under study or disconfirmation of an alternative hypothesis. [Confirmation Bias]

It has become far simpler and cost effective to rely on say an AV vendor or AntiMalware vendor or some other security cartel to perform the crossing of the Ts and dotting of the Is. This is what the security industry has become and what a sickly industry it will continue to be until "real" security practitioners stand their ground and do something about it. You should not rely on another company to dictate what should or should not be relevant in your architecture. Security should always be tailored to ones own needs, not that of another company as all companies differ. Stop following the herd, stop listening to the Jones' so much, start making quality judgements based off of real world applicable needs to your own environment. Who the heck am I kidding, most security peers probably stopped reading after the griping about incompetence.

We cannot have security where there is compromising for the mere sake of convenience. Have we not learned our lessons throughout the years? Has anyone been oblivious to the names of the companies that have publicly announced "they got served?" Security managers need to start doing a better job of standing their ground when requesting monies for not only technologies, but for the proper and adequate training of how to use, deploy and maximize those technologies. I challenge any security peer in the industry to tell me that these "Shady Rat" attacks would not have been detected with HIPS, SIEM and proper policies and ACLs in place. Honestly, one would have to be uneducated, incompetent and under-qualified to make that argument. It is not the technologies that are failing, it is us as a security industry that are failing.

In the science community, lets say pharmaceutical, researchers often collaborate with one another. Sure companies compete, but companies know that in order to survive, there needs to be collaboration. Were we to take the same approach in the security arena, there would be a greater chance to minimize threats such as Shady Rat. Where are the companies sharing their incidents? Most of the times, if not all, we see, read and hear about: "Company X compromised by Advanced Persistent Recurring Threat" yet that is all we hear about the situation. From the security and network engineering perspective, we are never told "how" someone got their foot in the door or "what they did while there" and this definitely hinders any kind of defensive progress we could hope to make. The argument for not disclosing the compromise is the same old: "national security, non-disclosure" or just a company trying to "save face" by not reporting anything. Compromise data CAN BE and SHOULD BE sanitized and shared.

Imagine for a moment a repository of sorts similar to say DatalossDB [6] where collectively, threats can be analyzed, successes and failures shared amongst security peers. "Threats in the wild" analyzed and reverse by peers for the sake of defending one another. A database where vetted companies and individuals can cross reference rogue applications, rogue destinations, file checksums, files sent and so on. It is not that difficult and certainly would be of great benefit for companies, researchers, academia and the like. When is this security Utopia coming? As I would tweet - nevar! The first response would likely be: "National security", followed by: "We can't disclose we were compromised" and anything in between. Anyway, there was nothing new about Shady Rat other than me realizing that the Shady Rat was one of my peers.