The Cybersecurity Canon: Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Founder & Palo Alto Networks CSO, Rick Howard: Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats (2011) by Will Gragido and John Pirce

Executive Summary

Cybercrime and Espionage, published in 2011, is a book that was ahead of its time. The authors were pushing the envelope in terms of how the security community should think about advanced threats. However, almost five years later, there is not enough in here to make the book Cybersecurity Canon material. Gragido and Pirc present some stimulating ideas, but in the end, the security community has not adopted many of them.

My recommendation is to read this book if you are interested in how our community has evolved in terms of thinking about adversary campaigns. However, if you are looking for a state-of-the-art book about cybercrime and cyber espionage, this is not it.

Introduction

Will Gragido and John Pirc published this book in February 2011 — the year after the commercial industry experienced its wake-up call in terms of cyber espionage: Operation Aurora. [1] Aurora refers to the adversary campaign launched at Google and other commercial organizations that was designed to steal intellectual property, collect information on human rights activists, and gather intelligence regarding on-going FBI wiretap operations. [2]

What made Aurora notable was Google’s reaction to it. They went public and accused the Chinese government of being responsible for the attacks. Before Aurora, most commercial organizations would not admit that they had been breached, even though nation states had been targeting commercial organizations for at least a decade. Business leaders worried that admitting a breach would significantly affect the bottom line. After Aurora and Google’s public mea culpa, it became easier for other commercial entities to admit that they had been breached. Fast-forward to today, and public breach notifications are so common that it is difficult to keep up with them all.

But this was the beginning. Before Aurora, the only significant cyberthreat to the commercial world at the time was crime. After, cyber espionage became something that we all had to worry about. This is the context for the book: defining cybercrime and cyber espionage as motivations — what makes them different and what makes them the same.

Impressions

The two authors, Will Gragido and John Pirc, are experienced cybersecurity professionals, and it is clear that they know what they are talking about; but the book is a bit disorganized in terms of who the target audience is. The content is a mix of introductory and advanced material. However, I did not see that the book had a through line. The authors’ analysis of the cybercrime world is at the introductory level. If you want a more in-depth book on the same topic that was published around the same time, consider Kingpin, written by Kevin Poulsen. [3] If you are looking for something a little more recent, consider Spam Nation by Brian Krebs, which was inducted into the Canon earlier this year. [4] The espionage material is more advanced, but if you want to go deeper, consider Kim Zetter’s Countdown to Zero Day [5], another Canon inductee, or Richard Bejtlich’s The Practice of Network Security Monitoring. [6]

I do give the Gragido and Pirc credit though for covering some advanced ideas ahead of their time that have not really become popular until just recently. One idea that I really like is that commercial organizations should build their own intelligence teams to track adversary campaigns. They published the book almost five years ago, and this was not universally accepted at the time. It is not universally accepted today either, but more and more organizations are starting to understand the value of such teams. As an aside, this is one of the reasons I got hired at Palo Alto Networks: to build an intelligence team that we eventually called Unit 42.

Gragido and Pirc push their own intelligence model called MOSAIC: Motive, Awareness, Open Source Intelligence Collection, Study, Asymmetrical Intelligence Correlation, Intelligence Review and Interrogation and Confluence. It is a good framework for an intelligence analyst; unfortunately, the model has not really caught on. Most intelligence organizations — the CIA, the FBI, and the NSA, as well as Unit 42 — use a model called The Intelligence Cycle. [7][8] They are basically the same thing, but the MOSAIC model has more detail.

The authors introduce a new phrase called Subversive Multivector Threats (SMTs), a sort of superset to what the cybersecurity community used to call the Advanced Persistent Threat (APT). They even explain the origin of the APT phrase, a phrase the military had been using for almost a decade in an UNCLASSIFIED setting to mean anything that involved Chinese government-sanctioned cyber espionage. Gragido and Pirc were ahead of their time, understanding that the community needed another name to label similar attacks that did not originate from China. Thus, they came up with SMTs, but the community has not embraced that term. We have evolved the APT phrase to include everything instead.

Another advanced idea presented that I really liked was the concept that there are humans behind these attacks. Tools do not attack our systems. Humans — often organized into groups — attack our systems, and they use tools to accomplish some goal. These adversary groups can be rated in skill level from novice to expert and have motivations like cybercrime and cyber espionage; and it helps defenders do a better job by understanding that context, according to the authors. I wholeheartedly agree. But today, I think we can expand that motivation list to include hacktivism, cyberterrorism and cyberwarfare, and I thought their definitions of hackers’ maturity levels were not definitive enough to be useful.

Also, Gragido and Pirc introduce a two-tiered categorization scheme for adversary campaigns, where Tier – 1 campaigns target:

"… air-gapped networks or networks that would be considered highly secured, such as those of power companies (supervisory control and data acquisition or SCADA networks), governments, and defense organizations." [9]

Tier-2 adversary campaign plans are all other APT campaigns. This two-tiered system seems ill-conceived today. The security community considers SCADA networks in general, and power companies in particular, as being at least 10 years behind the rest of the community [10].  And government networks have proven to be even less secure than most commercial organizations, except for maybe the intelligence community’s networks and some select defense networks. [11] I do not see a need for this two-tiered system in today’s threat environment.

One last advanced idea that I really liked was that threat prevention is possible. There has been a trend in the industry these past five years where security leaders have thrown their hands in the air saying they cannot possibly stop the APT, and that it is better to concentrate their precious resources solely on detection and mitigation. This is just plain wrong, and Gragido and Pirc do well to point that out. If I can prevent 90 percent of all attack campaigns because most adversaries use known techniques, why not do it? That lets me concentrate my resources on finding the unknown techniques. Detection and mitigation is important, but these activities hould be balanced with a robust threat prevention program. Even in 2011, Gragido and Pirc asserted this philosophy.

Conclusion

Cybercrime and Espionage is a book that was ahead of its time. I give the authors credit for pushing the envelope as to how the security community’s thinking around advanced threats should evolve. If you read it when it was published, it would have stimulated your thought process around your own security program. But almost five years later, there is not enough in here to make the book Canon material. Gragido and Pirc present some stimulating ideas, but in the end, the security community has not adopted many of them. My recommendation is to read this book if you are interested in how our community has evolved in terms thinking about adversary campaigns. However, if you are looking for a state-of-the-art book about cybercrime and cyber espionage that will stand the test of time, this is not it.

Sources

[1] "Google Hack Attack Was Ultra Sophisticated, New Details Show," by KIM ZETTER, Wired Magazine, 14 January 2010, Last Visited 5 July 2015, http://www.wired.com/2010/01/operation-aurora/

[2] "Google Aurora Hack Was Chinese Counterespionage Operation," by Mathew J. Schwartz, Information Week: Dark reading, 21 May 2013, Last Visited 5 July 2015, http://www.darkreading.com/attacks-and-breaches/google-aurora-hack-was-chinese-counterespionage-operation/d/d-id/1110060?

[3] "The Cybersecurity Canon: Kingpin," by Rick Howard, Palo Alto Networks, 11 February 2014, Last Visited 9 July 2015, /blog/2014/02/cybersecurity-canon-kingpin/

[4] "The Cybersecurity Canon: Read Rick Howard’s First-Look Review of SPAM Nation by Brian Krebs," by Rick Howard, Palo Alto Networks, 17 November 2014, Last Visited 9 July 2015, /blog/2014/11/cybersecurity-canon-rick-howard-reviews-brian-krebs-spam-nation/

[5] "The Cybersecurity Canon: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon," by Rick Howard, Palo Alto Networks, 28 January 2015, Last Visited 9 July 2015, /blog/2015/01/cybersecurity-canon-countdown-zero-day-stuxnet-launch-worlds-first-digital-weapon/

[6] "The Cybersecurity Canon: The Practice of Network Security Monitoring," by Rick Howard, Palo Alto Networks, 10 November 2014, Last Visited 9 July 2015, /blog/2014/11/cybersecurity-canon-practice-network-security-monitoring/

[7] "The Intelligence Cycle," Central Intelligence Agency: Kids Zone, Last Visited 9 July 2015, https://www.cia.gov/kids-page/6-12th-grade/who-we-are-what-we-do/the-intelligence-cycle.html

[8] "The Intelligence Cycle," Federation of American Scientists, Last Visited 9 July 2015, http://fas.org/irp/cia/product/facttell/intcycle.htm

[9] "Cyber Crime and Espionage: An Analysis of Subversive Multi-Vector Threats," by Will Gragido & John Pirc, Syngres Publishing, 7 January 2011, Last Visited 10 July 2015, https://www.goodreads.com/book/show/10651366-cyber-crime-and-espionage?ac=1

[10] "SCADA systems: Riddled with vulnerabilities?" by Doug Drinkwater, SC Magazine, 26 August 2014, Last Visited 10 July 2015, http://www.scmagazineuk.com/scada-systems-riddled-with-vulnerabilities/article/368094/

[11] "4 Worst Government Data Breaches Of 2014," by Jai Vijayan, InformationWeek: Government, 12 November 2014, Last Visited 10 July 2015, http://www.informationweek.com/government/cybersecurity/4-worst-government-data-breaches-of-2014/d/d-id/1318061

References

"APT1 Three Months Later – Significantly Impacted, Though Active & Rebuilding," by Dan Mcwhorter 21 May 21 2013, Last Visited 9 July 2015, https://www.mandiant.com/blog/apt1-months-significantly-impacted-active-rebuilding/

"EU Data Protection Directive (Directive 95/46/EC)," by TechTarget, Last Visited 10 July 2015, http://searchsecurity.techtarget.co.uk/definition/EU-Data-Protection-Directive

"Internet Crime Complaint Center (IC3)," The Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), Last Visited 5 July 2015, http://www.ic3.gov/media/annualreports.aspx

"SAFE HARBOR PRIVACY PRINCIPLES," by export.gov, Last Visited 10 July 2015, http://www.export.gov/safeharbor/eu/eg_main_018475.asp