Threat Intelligence Blog

Now that APT reports have been exposed, the “thrill” of discovering and calling out suspected nation state actors engaged in clandestine cyber activity has become almost routine. Excitement over what was once considered a difficult thing to do (detecting “advanced” cyber adversaries) is now expected. And therein lies the problem. The rush to attribute and increase marketing visibility in the wake of such incidents has taken the place of adding value through the exchange of actionable information.

As a result, the cybersecurity community appears to be at an almost breakneck speed in producing APT reports. Certainly, the research that is offered to the public under the auspices of information sharing provides some proficient technical analysis and indicators of compromise that can help organizations detect if similar activity is occurring against their networks. But what is the real benefit of revealing to the world what is known? Does it capitalize on the business marketplace?

One security vendor intimated that there appears to be a direct correlation in the decline of suspected nation state hacking and private company earnings. This was perceived to be the case when a particular company’s decline in stock performance occurred at the same time a certain nation state was hacking less frequently. Then three months later, the same company noted a spike in stock value when another nation state’s alleged hacking efforts surfaced and became prominent in the news. While based on very limited evidence, the bottom line message appears to be clear: many of these reports seem to serve as more of a marketing resource – if not more – than information sharing.

According to a security researcher, one of the driving factors behind the growth in reporting is the inherent marketing value (they provide sound bites and quotes for computer security-related, cable, and even network news, particularly when they name “who” was behind such activities), which translates to sales.[1]  The more we focus on such nation state activities, the more we’ll see vendor reports pointing attribution in a particular government’s direction. However, there is evidence that the volume of such reports being produced by so many vendors is saturating the marketplace, and may not be achieving the intended purpose. The same researcher concludes that with several vendors competing to release intelligence reports exposing suspected APT actors at work, the marketing value has dropped significantly while the self-inflicted harm has only increased.

To be fair, the media shares some responsibility in all of this, as it sensationalizes alleged nation state hack often times without validating the information. Recent media activity around Russia’s suspected involvement in hacking the U.S. election illustrates this point. While one intelligence agency seems convinced of Russian culpability to influence election results, several others including the Office of the Director of National Intelligence have differing opinions as to the intent of such activity.[2]  Most major news headlines promote the former’s conclusion, not the latter’s.

The October 2016 distributed denial-of-service (DDoS) attack against Dyn, a cloud-based Internet performance management company, is further indicative of the media breaking stories without substantiating information. Initially, many news outlets incorrectly reported who was responsible, while most of the security community did not share that view. Ultimately, the security community was correct. Such claims are not reserved just for stories about hacking. President Obama made such intimations toward the press at a journalism award dinner in 2016, admonishing the press for “irresponsible election coverage.”[3]

Furthermore, there is some question as to the benefit of publishing such APT reports in the first place. In early 2016 at a prominent cyber threat intelligence conference, the question about whether or not publishing APT reports for wide public consumption (rather than just within an info-sharing community of professionals) was the right course of action. One presenter at the conference provided several compelling cases of APT actors shifting their TTPs shortly after the release of reports detailing their operations, thereby reducing their usability for network defenders.[4]

Another salient point raised was the fact that often these vendor APT reports lacked enough substance to be effective for the public writ large at all. In the haste of trying to “break the story,” these reports sacrificed utility for instant notoriety, again calling into question the real intention of such reporting. A 2015 presentation by two security researchers found that with the advancement of defensive security and the constant release of research papers into their toolsets, advanced threat actors have had to adapt with new operational security practices, as well as with new technology.[5] In effect, by publicizing what is known about their activities, these actors can change up how they do things, either a little, perhaps to suggest a “false flag” operation, or a lot.  Either way, the same result is clear: we are helping the bad guys.

As we start a new year, there needs to be a concerted effort to get back on track to work collaboratively to perform better information sharing in order to enable better decision making, or else we risk ending 2017 in the same position we are now.

By Emilio Iasiello


[1] https://cyber.leidos.com/blog/highway-to-the-danger-zone
[2] https://www.thenation.com/article/why-are-the-media-taking-the-cias-hacking-claims-at-face-value/
[3] http://www.syracuse.com/politics/index.ssf/2016/03/president_obama_syracuse_university_toner_prize_washington.html
[4] https://cyber.leidos.com/blog/highway-to-the-danger-zone
[5] https://www.youtube.com/watch?v=ISxmTpfcY6U

Additional Posts

Weekly Threat Intelligence Brief: December 20, 2016

This weekly brief highlights the latest threat intelligence news to provide insight into the latest ...

Weekly Phishing Activity: December 19, 2016

Phishing Activity: TOP TARGETS Week of December 11 – December 17, 2016 In this week’s phishing ...