Since May 2014, the Chinese government has been amassing a ‘Facebook for human intelligence.’ Here’s what it’s doing with the info.
Leading into 2015, the cybersecurity community was still reeling from the impact of a destructive attack unlike any other we have seen in terms of visibility, scale, and impact. Already halfway into 2015, there is no shortage of breaches. We have already witnessed major compromises in healthcare, the US government, the Bundestag, and media being attacked by sophisticated adversaries, in most cases, roaming freely on networks for months at a time.
Attackers from China, Russia, North Korea, ISIS, and even potentially friendly governments have dominated the headlines. In case you have your head in the sand, this is not going away anytime soon. Compared to traditional espionage, “cyber espionage,” or CNE as the military likes to designate it, has a lower cost of entry, less risk if you are caught or compromised, and can often yield equivalent intelligence to feed an ever-growing set of interested consumers. For criminals, the use of e-commerce systems and vulnerable payment mechanisms provides an avenue for rapid monetization and prosperity. Activists or hacktivists as they present themselves on the Internet are able to use electronic mediums to disseminate messaging from banal greets to truly meaningful causes that impact people’s lives across the globe.
Since May of 2014, the Chinese government has been amassing what can only be described as the “Facebook for human intelligence targeting” from the databases lifted from some of our most fundamental and essential systems. Why would anyone want healthcare records? If you take a step back, these records are part of a bigger picture, used in concert with the personnel records of US government workers and any other databases that have been stolen over the years. The beneficiary of that data can build an interesting picture detailing the confidential history, preferences, behavioral patterns, and more, of millions of potential intelligence targets.
The point that most people miss is that “cyber” data doesn’t just get used for cyber attacks, or cyber bullying, or cyber theft. The People’s Republic of China doesn’t only conduct network-based espionage, they are a major government on the world stage. They have human intelligence collectors whose job is to identify people with access to interesting or useful information and to collect that information. MICE is a common acronym we use in the information security industry — Money, Ideology, Compromise, and Ego – a simple set of motivations that can be used to entice or coerce a target to provide continued or temporary access to data.
Using stolen healthcare data, these human collectors can identify someone with access to sensitive information who unfortunately has a sick relative. As the healthcare bills pile up and they become increasingly despondent to help their sick relative get the medical treatment they need, an opening begins to emerge. The human collector, if they are able to identify this opening, can approach the target and begin to sow the seed for access, a simple trade of money for information, information that may seem insignificant to the target, but in aggregate across many different sources becomes quite valuable.
[Learn more from Adam about how to consume, operationalize and integrate threat intel during his training session on the fundamentals of intelligence-driven security, Black Hat 2015 Las Vegas August 1-2 & 3-4.]
It has been said that the network defender must be right 100 percent of the time, while the attacker need only be lucky once. The asymmetry of this is terrifying! Your network defenders should be in front of 10 monitors with an intravenous drip of caffeine and sugar twitching at every packet surging across your enterprise. The reality is that this is true, but we have systems and tools to help deter and detect these attackers.
These tools out of the box, while capable, don’t necessarily have all the smarts they need to root out these attackers: these tools need intelligence. Intelligence-driven security means learning from previous attacks whether successful or not, and incorporating what you have learned into your defense posture. The military, in dealing with asymmetry encountered in Latin America in the 1980’s pioneered a process for incorporating intelligence into their targeting processes that has been continuously improved upon in the past 10 years.
This process involves taking the intelligence gleaned from every action, operation, or encounter and feeding it into the next operation to rapidly adapt to the changing environment. This same process introduced into security operations, what I call intelligence-driven security, can drive the cost of protecting the enterprise down, while simultaneously allowing the Security Operations Center (SOC) to have meaningful conversations with the business owners, the C-Suite, and the Board. Enterprise security isn’t just about blocking malware anymore, it’s about protecting the business and against dedicated and sophisticated threat actors.
Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. Within this role it is Adam’s responsibility to oversee all of CrowdStrike’s intelligence gathering and cyber-adversarial monitoring activities. Adam’s Global Intelligence Team supports both the Product and Services divisions at CrowdStrike and Adam manages these endeavors and expectations. Prior to joining CrowdStrike, Adam was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International.