Synopsis: Chinese hacking effort APT10 is actually the evolution of “Titan Rain”, an earlier PLA cyber warfare effort. Titan Rain was aimed at government and defense, but APT10 is also being aimed at American small businesses, who do not have the resources to defend themselves. Security culture is also discussed, along with how to identify qualified cyber professionals in what is an unregulated sector.
If you watch the History Channel enough, you might know that Kiev, the current-day capital of Ukraine, was once actually the capital of Russia. That is, until the Mongols besieged Kiev in 1240, occupying most of Russia for the next two and a half centuries. It was during this period that Moscow became the capital of Russia, with the Mongols later being driven out by Ivan the Great around 1480.
A few centuries later came the Thirty Years War, the Great Napoleonic wars, and in the 20th century there were several massive theater and world wars which shook humanity to its knees.
The instruments of war may be swords, tanks, or keyboards — but it seems that people will always fight in one way or another over treasure and resources. From a certain point of view – global cyber warfare is somewhat of an improvement, because it is largely non-violent (although the capability of actual physical harm does exist).
In the new age of bread and circuses, corporate media and the body politic misrepresent nearly everything, including cybercrime and cyber warfare, leaving small business owners confused and afraid. What’s worse, because the tech sector is largely unregulated (unlike tattoo parlors and nail salons), the predictable result is a mad rush of companies selling technical solutions that, while helpful, are partial-credit answers and won’t provide full protection from cybercrime.
The newest things in the cyber news this summer are the WannaCry ransomware worm and “APT10” (Advanced Persistent Threat Ten). WannaCry was an over-hyped North Korean stinker which was defeatable by tying your shoes (keeping your Windows computers patched and up to date). APT10 (also known as Cloud Hopper), while advanced and capable, is not new at all – it is the evolution of the much older Chinese hacking effort “Titan Rain”, an estranged cousin of the RBN (Russian Business Network). What does make APT10 different is the targets — APT10 is being aimed at small American businesses and MSPs (Managed Service Providers), whereas Titan Rain was generally aimed at the government and defense sectors. This is bad, because small businesses lack the cyber expertise to defend themselves, and the Chinese government (among other threat actors) is actively targeting them to steal their information.
I spent years in the deep dark DoD, many of them at Camp David, working in windowless, aspen-green buildings patrolled by heavily armed Marines. Often, we knew what was going on in the world before things hit the news cycle, especially events that were related to cyber security. We all went home to stone-faced spouses who knew that “we knew something” but could not talk about it. When Russia compromised the EOP (Executive Office of the President) in 2014, I had a seat on the 50-yard line for the whole thing, having the opportunity to attend classified meetings and chat with the NSA guys. Over the years, I sat through endless briefings and read hundreds of reports.
And guess what? The way that hackers get into these networks is nearly always by neatly tricking humans into making bad decisions — reusing passwords, ignoring written policies, clicking on a malicious hyperlink. Pore over the APT10 reports and you will find that, once again, the attack vectors were humans. Even in the case of Stuxnet – Iranian scientists were tricked (ostensibly by American and Israeli agents) into carrying infected USB sticks into their enclaves. Technology alone is not enough to keep bad actors out of your business networks.
The problem for small businesses is that the overarching cyber security CBK (Common Body of Knowledge) is just as baffling as the tax laws. And again, we security practitioners are not licensed like accountants and lawyers. It can be very difficult to know who to actually trust with the protection of your vital business systems and data. Legally speaking, there is basically nothing to stop tattoo parlors and nail salons from offering cyber security services. Probably, the best evaluation currently available for determining who is qualified to work in cyber security is the freely available, vendor neutral, U.S. DoD Directive 8570.
Known to cyber wonks simply as “Eighty-Five-Seventy”, this short directive lays out a simple three-tiered qualification strategy, mapping levels to common industry security certifications. Allowing IT technicians who do not have the proper certifications to perform cyber security work is like allowing your bookkeeper to file your business tax returns – fraught with major, uncontrolled risks.
While common “best-practices” technology such as firewalls, back-ups, and anti-virus (the stuff that makes money for cyber security vendors) still comprises the basic elements of a cyber security program, it is only as important as written security policies and properly trained employees. These things taken together – technology, policies, and training – contribute to an overall culture of security (called Defense in Depth) like you would find at a large bank or Lockheed Martin.
Imagine for a second a visit to an amusement park or a dealer auto garage, and take note of all the safety precautions in place. Signs, lines, cones, vests, safety glasses, fire drills — it goes on and on. Every employee trained to a “T”. We are so used to safety in America that we don’t even notice it anymore – it’s a normal part of our business culture.
In enterprises with mature cyber security programs, security professionals have a mirror of the safety program, but for cyber security. Security awareness flyers, security awareness training, security drills. Posters in the lunch room — a culture of security.
Therein lies the challenge, and the way forward, for American small businesses where their cyber security is concerned. They have safety programs because they are mandated by law, but they must willfully choose to build security programs on their own, and pick the right people to help.