DNI Threat Assessment - Practical Guidance for your Company

By -


DNI Threat Assessment - Practical Guidance for your Company
Last week the Director of National Intelligence released a Worldwide Threat Assessment. It’s fairly short and to the point (only 42 pages), but I wanted to summarize for those who don’t have time to read it and help apply it to enterprise defense.
The main two things to take away from this report are:
  1. Threats: there are real threats against your organization, and
  2. Capabilities: it’s important to understand their capabilities.
Who they are, their motivations, and where they live is not important for most organizations.

First, we’ll look at some of the threats in the report related to critical infrastructure, then we’ll move on to those faced by large corporations and financial institutions.
 
The report says that China can conduct localized attacks such as “disruption of a natural gas pipeline for days to weeks.” The same is said for Russia with the example being “disrupting an electrical distribution network for at least a few hours – similar to those demonstrated in Ukraine in 2015 and 2016… with the long-term goal of being able to cause substantial damage.”



Next we have Iran who is listed with similar capabilities against corporations: “capable of causing localized, temporary disruptive effects–such as disrupting a large company’s corporate networks for days to weeks.”


The last example I want to call out is the threat against financial institutions which is nicely summed up in two sentences. “North Korea continues to use cyber capabilities to steal from financial institutions to generate revenue. Pyongyang’s cybercrime operations include attempts to steal more than $1.1 billion from financial institutions across the world–including a successful cyber heist of an estimated $81 million from the New York Federal Reserve account of Bangladesh’s central bank.”
While the target of attack varies, the common theme is that there are attackers out there who want to do things which don’t align with your organizations goals. This is not surprise, but it raises the question of what actions should an organization take to combat these threats?
One option would be adversarial-based defensive modeling which uses threat intelligence to guess which technical systems will be attacked next and focus efforts on these systems. This means enumerating attackers against your enterprise and their motivations, which will influence their choice of specific targets. If an attacker is missed or the motivation is not accurately understood, this strategy can fall apart. A skilled attacker is going to use this to direct efforts away from the systems which are valuable to them. Meanwhile the less skilled attackers are going to go after the weak points.
Instead, I propose largely ignoring who the attackers are, where they live, or what their motivations are. Decisions about where to prioritize security efforts should be based on what is important to your organization, not what it important to your adversaries! For example, your security people are already working on important projects to prevent the most damaging attacks (e.g. stealing money/IP). You hear about a criminal group mapping out your organization. Should you pull them off what they’re currently working on to deal with this threat? Of course not.
That’s not to say that the DNI reports are not useful. They are evidence that the threats are not merely hypothetical, and they describe some of the capabilities, which are important to understand to have a better idea of what “adequate” defenses look like. At the same time, there’s a risk of the reports to change the narrative from “we need to stop people from stealing money from us” to “how do we find out what North Korea is doing?” The former protects you from all attackers, where the latter only protects you from one, at best.
[About GRIMM: GRIMM engineers have decades of experience helping organizations identify what to protect and how to protect themselves.]

Popular posts from this blog

New Old Bugs in the Linux Kernel

By Anonymous -
Image
  Introduction Dusting off a few new (old) vulns Have you ever been casually perusing the source code of the Linux kernel and thought to yourself "Wait a minute, that can’t be right"? That’s the position we found ourselves in when we found three bugs in a forgotten corner of the mainline Linux kernel that turned out to be about 15 years old. Unlike most things that we find gathering dust, these bugs turned out to still be good, and one turned out to be useable as a Local Privilege Escalation (LPE) in multiple Linux environments. Who you calling SCSI? The particular subsystem in question is the SCSI (Small Computer System Interface) data transport, which is a standard for transferring data made for connecting computers with peripheral devices, originally via a physical cable, like hard drives. SCSI is a venerable standard originally published in 1986 and was the go-to for server setups, and iSCSI is basically SCSI over TCP. SCSI is still in use today, especially
Read more

Automated Struct Identification with Ghidra

By Anonymous -
Image
At GRIMM, we do a lot of vulnerability and binary analysis research. As such, we often seek to automate some of the analysis steps and ease the burden on the individual researcher. One task which can be very mundane and time consuming for certain types of programs (C++, firmware, etc), is identifying structures' fields and applying the structure types to the corresponding functions within the decompiler. Thus, this summer we gave one of our interns,  Alex Lin , the task of developing a Ghidra plugin to automatically identify a binary's structs and mark up the decompilation accordingly. Alex's writeup below describes the results of the project, GEARSHIFT, which automates struct identification of function parameters by symbolically interpreting Ghidra's P-Code to determine how each parameter is accessed. The Ghidra plugin described in this blog can be found in our GEARSHIFT repository . Background Ghidra is a binary reverse engineering tool developed by the National Sec
Read more

SOHO Device Exploitation

By Anonymous -
Image
Netgear R7000 SOHO Device Exploitation After a long day of hard research, it’s fun to relax, kick back, and do something easy. While modern software development processes have vastly improved the quality of commercial software as compared to 10-15 years ago, consumer network devices have largely been left behind. Thus, when it’s time for some quick fun and a nice confidence boost, I like to analyze Small Office/Home Office (SOHO) devices. This blog describes one such session of auditing the Netgear R7000 router , analyzing the resulting vulnerability, and the exploit development process that followed. The write-up and code for the vulnerability described in this blog post can be found in our NotQuite0DayFriday repository. Initial Analysis The first step when analyzing a SOHO device is to obtain the firmware. Thankfully, Netgear’s support website hosts all of the firmwares for the R7000. The Netgear R7000 version 1.0.9.88 firmware used in this blog post can be downloaded from this web
Read more