Today Cyber Security plays a paramount role in global security. On this blog, the CEO of Paramount Defenses shares rare insights on issues related to Cyber Security, including Privileged Access, Organizational Cyber Security, Foundational Security, Windows Security, Active Directory Security, Insider Threats and other topics.

May 31, 2013

Does the Chinese Government Pose an Advanced Persistent Threat to the United States on the Cyber Security Front?


Not a week seems to go by without there being a news headline about the cyber security threat posed to the United States by the Chinese Government.

Does the Chinese Government Pose an Advanced Persistent Threat to the United States on the Cyber Security Front?

The latest slew of headlines allege that the Chinese may have gained access to extensive design information on advanced American weapons. On Friday U.S, Defense Secretary Chuck Hagel said that cyber threats posed a "quiet, stealthy, insidious" danger to the United States and other nations, and called for "rules of the road" to guide behavior and avoid conflict on global computer networks. So, the (rhetorical) question is...

Do the Chinese Pose an Advanced Persistent Threat to the United States on the Cyber Security Front?

Well, let's look at the definition of an Advanced Persistent Threat, courtesy Wikipedia...

"Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack."

Perhaps we should dissect the defintion ...

a group, such as a foreign government - The Chinese government, and more specifically the Communist Party and the People's Liberation Army (PLA) are a foreign government

with both capability and intent - According to Dr. Larry M Wortzel, a retired U.S. Army Colonel, the PLA has developed doctrine and exercised an integrated information warfare capability that can defend military and civilian computer networks while seizing control of an adversary’s information systems in a conflict.

to persistently and effectively target - According to Arthur Herman of the American Enterprise Institute, over the last 30 months, Chinese hackers have targeted Bloomberg News, Google, Hotmail, Yahoo, The New York Times and The Wall Street Journal — as well as the US Chamber of Commerce, then-Secretary of State Hillary Clinton and then-Chairman of the Joint Chiefs of Staff Mike Mullen.

a specific entity - Well, how about not just one but so many specific business and government organizations of the United States of America that have been targeted thus far.

Based on the above, it does seem to the logical mind that the Chinese Government may very well pose an Advanced Persistent Threat to the United States.

An Organized and Structured Cyber War/Espionage Effort?

According to Mark Stokes and his colleagues at the Project 2049 institute, the PLA General Staff Department (GSD), Third Department and Fourth Department are organized and structured to systematically penetrate communications and computer systems, extract information and exploit that information.

Unit 61398?
Their research indicates that cyber operations are a massive effort in China with the GSD Third Department being responsible for monitoring communications, communications security, computer network exploitation, and cyber security for the PLA, and the the GSD Fourth Department being responsible for electronic countermeasures, electronic support measures, gathering electronic intelligence, and probably cyber attack to penetrate information systems and assists in computer network exploitation. There apparently also are militia units that have cyber-related missions for the PLA, and the People’s Armed Police has its own technical reconnaissance unit.
According to Mike McConnell, former Director of National Intelligence, Michael Chertoff, former Secretary of Homeland Security; and William Lynn, former Deputy Secretary of Defense, China has a national policy of espionage in cyberspace and is "the world’s most active and persistent practitioner of cyber espionage today"

Chinese Attempts to Gather Know-How on Advanced Exploitation Techniques

If you scroll down the Wikipedia page on Advanced Persistent Threats to the APT life cycle section, you'll find the following excerpt: "In 2013, Mandiant presented results of their research on alleged Chinese attacks using APT methodology between 2004 and 2013 that followed similar lifecycle:
  1. Initial compromise — performed by ...
  2. Establish Foothold — plant ... 
  3. Escalate Privileges — use exploits and password cracking to acquire administrator privileges over victim's computer and possibly expand it to Windows domain administrator accounts.
  4. Internal Reconnaissance — collect ...
  5. Move Laterally — expand ...
  6. Complete Mission — exfiltrate stolen data from victim's network."
The 3rd step, Escalate Privileges is the defining step that gives a perpetrator administrative access in target IT infrastructures, by virtue of which substantial willful damage can be inflicted.

We happen to know a thing or two about it because we help organizations worldwide prevent the successful enactment of this step in their Active Directory infrastructures, which is where the prized "domain administrator" accounts reside.

We have seen the Chinese attempt to gather information on a specific, advanced exploitation technique / threat related to the escalation of privileges in Windows environments, "Active Directory Privilege Escalation".

We also believe that many business and government organizations may still be vulnerable to such attacks, and we have been privately and publicly helping organizations become aware of the importance of adequately protecting their foundational Active Directory infrastructures, so that any attempts to infiltrate their networks and subsequently escalate privilege to obtain unrestricted administrative access in their internal IT environments can be thwarted.

A Call to Establish Rules of the Road - Is the U.S. Government Scrambling?

The U.S. government would like to see Rules of the Road established for Cyber Security, and it would like the Chinese to adhere to these rules, apparently so as to prevent the continued barrage of cyber security attacks and breaches.

That's very gentlemanly, but with all due respect, that's like Iron Man requesting his adversaries to please not kick him on his knees while engaging in battle, since the armour around his knees is not strong enough yet.

One cannot rely on the presence of rules of the road for protection, especially with the Chinese. What is needed is for our organizations to realize just how serious the threat of cyber security is, and to take immediate steps to adequately bolster their defenses, so as to be resilient in the face of attacks.

I say so because the threat is not only from China. The threat is equally from any other foreign government or a non-national business entity that might have something to gain by compromising or breaching an organization's IT security defenses. Examples include organized mafia, ideological groups, groups engaged in corporate espionage, and even individuals.

By the same token, its not just U.S organizations that are at risk. Business and government organizations in our ally countries, such as the United Kingdom, Canada, Germany, France, Switzerland, the Middle East, India, Australia etc. are all equally at risk.

The challenge with cyber security is that, unlike physical security, which involves clearly definable and defensible borders, it is very difficult to draw boundaries online, and thus very difficult to protect organizations from attackers and attacks.

I do believe that most organizations do want to adequately bolster their defenses, but struggle to determine how to do so efficiently, measurably and provably. My humble suggestion to them would be to begin by establishing their top cyber security priorities, then performing prioritized risk assessments to assess risks and weaknesses, and subsequently determine and implement an adequate set of asset-specific risk mitigation measures aimed at providing comprehensive security at all times.

No organization can ever completely eliminate risk, but they can substantially minimize it.

Time's Up

I could share a lot more, but my 10 minute alarm just rang, so I'm afraid I'll have to end this here.

More next time. Stay tuned. Alright, back to work.

Best wishes,