If you had asked me a few years ago, I might have predicted that the rise of large scale hacking and network-based Advanced Persistent Threats (APTs) would spell the end of old-school espionage (poison-tipped umbrellas, office break-ins, dangles and the like). Those of us who fancy ourselves logical, savvy cyber security specialists can be forgiven for thinking such analog antics wouldn’t persist in a digital world.
And yet, human espionage remains a nagging issue. A Russian spy ring was disrupted in New York in January. New stories about employees stealing trade secrets from their employers regularly make headlines, such as this one in May. More than one article alleges that Vienna and Lausanne (home to recent Iranian nuclear negotiations) are swarming with spies from Tehran. And these are just the stories that get reported.
There is no question that spycraft is changing with the times. Recent, damaging breaches of US government employee information—amply documented elsewhere—provide some interesting hints as to how:
- Re-prioritized: In some cases, information is accessed via a contractor, sometimes a foreign national. This is nothing new; spies have walked through the front door with contractor badges before. But now, what they want is not stored inside a locked file cabinet, inside a locked office. It’s in a marked folder. It’s easy to find. It fits in a pocket.
- Spies and criminals work within budgets too, so they go after ‘bang for the buck’. Traditionally, classified government systems were the big prize, but the value of corporate data and trade secrets is rising. It may actually be cheaper to recruit an employee with access at a targeted company (or its partner) than to breach firewalls remotely.
- Hybrid: For spies (as opposed to criminals), personal information may not be valuable in and of itself. It is a means to an end. Admittedly, the blackmail value of personal information of cleared government employees may be overstated, but combined with frequent flyer or health information, it could give intelligence services valuable ammunition for social engineering. Comparatively un-glamorous bureaucracies may get less attention and protection than fully classified government networks—until they are ransacked and their collateral value becomes the topic of Congressional hearings.
- The point here is that APTs almost always involve multiple steps: some digital, and some time-honored espionage tradecraft. Malware is combined with social engineering to compromise digital certificates, for example. If your information is valuable, someone will find a way to get around your defenses. It may start with HR files.
- Opportunist: Spies have always been opportunists. In the old days, that meant an unlocked door or a propped-open emergency exit. What’s different now is what the ‘bad guy’ finds when he walks through the door, and the ease with which he can walk out with it literally in his pocket.
- We should not be surprised when we hear that stolen data was either stored or transmitted in the clear. Failure to encrypt is not a laziness problem. Security software is notoriously difficult to use. If information security experts are to enforce encryption and security requirements, the tools need to be easier to use. No network is 100% secure, but having reliable, easy-to-use systems would go a long way toward increasing adoption and implementation.
With old-school espionage alive and thriving in the digital world, security specialists may want to keep these old tricks in mind.
We should all keep these old tricks in mind…
Despite the almost daily headlines of one or other company being hacked, their non-public information exfiltrated and put up for sale on a hacker forum somewhere on the dark net, the fact remains that the vast majority of proprietary information stolen from companies leaves via the front door – not by remote hackers and their tool chests of malware, phishing schemes, and the like. In fact, somewhere in excess of 70% of stolen corporate non-public information walks out with employees, contractors, partners and interns. This ranges from simple customer contact lists taken by those moving to their next job, to current new business opportunities, to full-blown intentional corporate espionage and overt theft of intellectual property and trade secrets – formulations, inventions, research, etc.
The need to implement tools like Cisco ISE and TrustSec to isolate different users and groups, and to allow access only to those with a legitimate need to know, is more important now than ever. As Target found out, granting remote network access to its refrigeration vendor without the correct controls allowed those vendor credentials to be used to access its payment card systems, resulting in the theft of 40 million credit card numbers and 70 million customer personal records.
The on-site human component may be combined with malware and other tools of the trade to elevate privileges and access protected information, which is then posted to cloud file-sharing services or copied down and physically removed on laptops or removable media. Most companies have security and other policies that are designed to prevent the exfiltration of company information by “friendlies” (insiders), but these are rarely policed in most organizations. Compounding this is the fact that much more goes out the front door than is ever realized. A recent case I worked showed that US university interns, under the pretense of gaining job experience as part of their degrees, were purposely looking for and taking well-honed operating and lab procedures, perhaps decades in development, back to their native countries to boost their domestic industries and then compete head-on with the company they did their internship with.
It’s a fine line between security and productivity, but you are absolutely correct that espionage is alive and thriving in the digital world. It’s just in a different form than it was during the Cold War.