Infiltrated dot Net

Advanced Persistent Monkey See Monkey Do

"I hope you're not serious about that post containing anything valid. The picture is funny though," said the expert [1] in regard to "Shady Rats and Poison Ivy - Chinese APT or Russian RBN?" [2] And so goes the herding instinct [3], over and over. Cattle following other cattle, now becoming the "hundredth monkey effect." [4]

    "scientists were conducting a study of macaque monkeys on the Japanese island of Koshima in 1952. These scientists purportedly observed that some of these monkeys learned to wash sweet potatoes, and gradually this new behavior spread through the younger generation of monkeys—in the usual fashion, through observation and repetition. Watson then claimed that the researchers observed that once a critical number of monkeys was reached—the so-called hundredth monkey—this previously learned behavior instantly spread across the water to monkeys on nearby islands." [4]
Let's go back to some facts from the initial article. There was nothing irrelevant in the initial article [2]; in fact, the post contained information that can be validated from multiple sources. The article wasn't a "you can trust me, I'm an expert" post. It wasn't a "you need to take it from me, I can't show you the evidence, you just have to trust me on it" write-up. It referenced what is known about the RSA attack: the initial attacker came from a known RBN network. That host was a known RBN host at the time and, up until now, continues to be a "known RBN host." [5] There isn't any "speculation" in this. No hype, nada. However, I find it rather amusing that whenever there is something contradictory to what the herd [3,4] states, many experts [1,6] are quick to brush it off and throw out the same buzzwords: "China, APT!" Mind you, not one of those experts is presenting anything beyond their own projections. More of the same chest thumping and fist pumping: "Trust me, it's China."

We often forget that not too long ago the boogeyman was Russia. That threat came during the arms race (Cold War) [7], and it was business as usual then too. Many companies profited heftily during this period, and I am sure many companies stand to profit handsomely from a Cyber Arms Race. This is nothing more than history repeating itself; however, the platform has changed to a computing-based battleground. Based on the "evidence" smack dab in front of our faces and under our noses, what else do we see or know of in regards to the experts' explanation of APT? Not much. We have these experts consistently relying on each other's word of mouth and on IP addressing, completely ignoring the fact that an IP address is a horrible identifier. Every security professional knows rather well that an IP address is not an identifier, yet many are quick to fist pump and shout, "APT, China!!! Look at that IP," even though FACTUAL evidence proves otherwise.

Arguments surrounding APT will remain a battle of expert versus expert, ad nauseam [8], but how about we use some common sense for a moment. If YOU were an attacker, so advanced and sophisticated, why would you bother attacking from your own fixed location? It would certainly make more sense to attack from another country, simply for deflection purposes alone. This is a key indicator that many experts [1,6] are overlooking. Think about that outside of an emotional "you don't know jack, I am the expert here" response. Whenever I see the same old hype (APT/China), my response is usually more of the same. Really? RSA? China compromised a known RBN block to make this happen? A "known RBN block" that is still being used by the RBN? Sounds like news to me.

One of the strangest things I have noticed about some of these "experts" is that many of us criss-cross many security lists, many networking lists, many forensics lists. I also know that many "experts" don't even understand enough about certain elements outside of their respective functions in the security industry to make statements regarding hacking or compromises. For example, many of the experts making comments about APT are known forensics experts, and while they are likely the best in the "forensics" arena, that doesn't mean they know enough about hacking to make such brash statements: "They Came From Outer Space." The forensics arena is not indicative of the security arena as a whole. Many of these guys couldn't hack their way out of a wet paper bag. Many have never developed "hacking" tools; many have never developed any "0day" attacks on their own. Many do not understand the nature of pivoting through covert channels outside of the textbook definition. Yet many of those same experts will convince you (or at least try to convince you) that their word is the gospel: "It was China and their Advanced Persistent Hacking." Nonsense.

So, getting back to the FACTS I posted in my initial article [2], ask yourself as an expert: "China has been using Gh0st RAT and HTran and has been so successful for months (years even), so why the hell would they go backwards and use Poison Ivy, a RAT tool with signatures known by many antivirus vendors for years now? And why do so from an RBN-tainted host?" Certainly, as an expert [1,6], that should make you do a double take. Perhaps there is more to the issue at hand than one realizes. Sure, China is, and will be, a threat, and I am sure that right now there are thousands of "cyberthreats" looking for a way into our infrastructure from China as I type. Does this mean we should forget about the other threats in this world? If you think for a moment that another country (Russia) would not collude with, say, the RBN in an effort to compromise the United States' infrastructure for military secrets, then you'd be wrong. In either event, this whole APT/China theme is rather boring. Always has been. You say APT, I say REO [9]; life goes on. You're an expert, I'm an expert, everyone is in this industry nowadays. Perhaps companies can rename some of our titles: "Advanced Persistent Expert." Then again, I don't think I want to be an APE. Monkey see, monkey do is not my forte.

Ending this, I need to apologize well beforehand, as egos get bruised rather easily in this industry. This was not meant to be an attack on any expert. Honestly. It was meant as more of an eye opener. For far too long, too many individuals in this industry remind me of a puppy chasing its own tail: always following one another, never questioning anything.

(Image: Monkey See Monkey Do)

Eight Main Symptoms of Group Think (Janis, I. L. & Mann, L. (1977). Decision making: A psychological analysis of conflict, choice, and commitment. New York: Free Press.)

1. Illusion of Invulnerability: Members ignore obvious danger, take extreme risk, and are overly optimistic.
2. Collective Rationalization: Members discredit and explain away warnings contrary to group thinking.
3. Illusion of Morality: Members believe their decisions are morally correct, ignoring the ethical consequences of their decisions.
4. Excessive Stereotyping: The group constructs negative stereotypes of rivals outside the group.
5. Pressure for Conformity: Members pressure any in the group who express arguments against the group's stereotypes, illusions, or commitments, viewing such opposition as disloyalty.
6. Self-Censorship: Members withhold their dissenting views and counter-arguments.
7. Illusion of Unanimity: Members perceive falsely that everyone agrees with the group's decision; silence is seen as consent.
8. Mindguards: Some members appoint themselves to the role of protecting the group from adverse information that might threaten group complacency.
Avoiding Group Think

1. The group should be made aware of the causes and consequences of group think.
2. The leader should be neutral when assigning a decision-making task to a group, initially withholding all preferences and expectations. This practice will be especially effective if the leader consistently encourages an atmosphere of open inquiry.
3. The leader should give high priority to airing objections and doubts, and be accepting of criticism.
4. Groups should always consider unpopular alternatives, assigning the role of devil's advocate to several strong members of the group.
5. Sometimes it is useful to divide the group into two separate deliberative bodies as feasibilities are evaluated.
6. Spend a sizable amount of time surveying all warning signals from rival groups and organizations.
7. After reaching a preliminary consensus on a decision, all residual doubts should be expressed and the matter reconsidered.
8. Outside experts should be included in vital decision making.
9. Tentative decisions should be discussed with trusted colleagues not in the decision-making group.
10. The organization should routinely follow the administrative practice of establishing several independent decision-making groups to work on the same critical issue or policy.


[1] http://forensicir.blogspot.com/
[2] http://www.infiltrated.net/index.php?option=com_content&view=article&id=42&Itemid=48
[3] http://en.wikipedia.org/wiki/Herd_behavior#Everyday_decision-making
[4] http://en.wikipedia.org/wiki/Hundredth_monkey_effect
[5] http://blog.threatstop.com/2011/04/03/the-rsa-spearphish-attack-and-ip-reputation/
[6] http://taosecurity.blogspot.com/
[7] http://en.wikipedia.org/wiki/Cold_War
[8] http://en.wikipedia.org/wiki/Ad_nauseam
[9] https://www.infosecisland.com/blogview/12788-Advanced-Persistent-Threats-Blame-It-On-REO.html

UPDATE

I reverse engineered the email used to compromise RSA. For those interested in the video please click here to view it. Flash is necessary.