Security Experts:

Long-Term Strategy Needed When Analyzing APTs: Researcher

J. A. Guerrero-Saade at Virus Bulletin

Analyzing advanced persistent threats (APTs) is not just about collecting pieces of information, and companies that focus on APTs should accept the fact that they have become intelligence brokers.

In a presentation last week at the Virus Bulletin conference in Prague, Juan Andres Guerrero-Saade, senior security researcher in Kaspersky Lab’s Global Research and Analysis Team, detailed the ethics and perils associated with APT research.

Cyberattacks sponsored by nation states are increasingly investigated by both startups and well-established security companies. However, it appears that many firms involved in researching APTs lack long-term strategy and they’ve failed to consider the repercussions of their work.

According to Guerrero-Saade, one of the main issues is that companies and researchers have failed to understand that cyberespionage is a part of classic espionage, and those analyzing such cyber operations have failed to accept their role as intelligence brokers.

Intelligence agencies and private security firms involved in the analysis of cyber espionage campaigns follow similar procedural methodologies, but there are some noteworthy differences.

In the case of intelligence agencies, they receive a request, they gather information, analyze it, and deliver it. But before delivering it, the resulting report is taken through a strategic filtering process that ensures the well-being of all involved parties.

On the other hand, threat intelligence teams don’t necessarily need a delimiting request in order to begin analyzing a threat actor’s activities -- an investigation can start from a decontextualized sample or a vague request for incident response. Researchers collect malware samples, indicators of compromise, and data on command and control (C&C) infrastructure, but their analysis is oversimplified, their strategy for release of the information is often deferred to PR or sales departments. The resulting reports, which might not contain any actionable intelligence, are often released to the public in an effort to attract new customers and boost the company’s reputation, but without taking into account the potential consequences, Guerrero-Saade said.

While intelligence agencies and security researchers follow similar procedural methodologies, there are major differences in the ethics and especially the perils they face. The Kaspersky Lab expert has pointed out that the activities of intelligence agencies are not considered suspicious by other governmental institutions, the employees of intelligence agencies enjoy legal protections, and their work is shielded from political blowback.

In the case of threat intelligence teams, however, researchers don’t benefit from any cover for their actions, they don’t enjoy any legal protections, and the companies they work for can also suffer due to their actions.

According to Guerrero-Saade, the list of perils faced by researchers includes subtle pressure, patriotic enlistment, bribery, compromise and blackmail, legal repercussions, threat to livelihood, threat to viability of life in the actor’s area of influence, threat of force, and even elimination. A perfect example of the perils faced by researchers was provided in a separate talk at Virus Bulletin by Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team. Raiu revealed that when he was involved in the analysis of Stuxnet a few years ago, someone broke into his house and left a rubber cube with the message “take a break” written on it.

In the case of companies, they can face political, financial and regulatory repercussions, they can end up losing government contracts and partnerships, and they can become the target of rumors and smear campaigns if they don’t properly evaluate what they disclose and whom they disclose to.

As for ethical concerns, the lack of malware diversification -- the fact that the same malware is used against both extremists and less “malicious” targets such as research institutions -- can cause researchers to question whether or not they should detect the malware. More precisely, if the malware is used against a legitimate organization, then it should be detected to protect such entities. On the other hand, if the malware is detected, it will also make it easier for extremists to protect themselves against cyber spying attempts.

Another ethical issue is related to the fact that the researcher’s insight into the operation they are targeting is always superficial. At first glance, it might appear that the targeted entity is “innocent,” such as an academic or a journalist, but in reality they could be a radical academic or a terrorism-facilitating journalist.

Guerrero-Saade told SecurityWeek in an interview that threat actors can plant false evidence to throw investigators off track -- these are known as “black flag” operations. One good example is the group known as “Wild Neutron” or “Morpho,” whose malware contains strings in both Russian and Romanian.

Guerrero-Saade believes that the best way for threat intelligence teams to overcome the challenges is to accept their role as intelligence brokers and put more emphasis on strategy. The expert believes companies should hire a chief strategic officer or someone who is in charge of making decisions related to who gets what information, instead of leaving the task to PR and marketing departments.

Companies should also focus on providing actionable intelligence. One negative example named by the researcher during his presentation at Virus Bulletin is a recent report from ThreatConnect and Defense Group that focuses on linking the APT group known as “Naikon” to a unit of the Chinese People’s Liberation Army. The problem, according to Guerrero-Saade, is that the connection made by researchers in the report focuses on the analysis of an alleged PLA officer’s personal postings on social media and provides little actionable intelligence. The Kaspersky researcher told SecurityWeek that this is equivalent to “doxing” someone you don’t like, just like members of the Anonymous hacktivist movement do when they get uncomfortable with another member.

“The current threat intelligence market is in the midst of an identity crisis. As companies transition from plain IT security to intelligence production, the relevant methodology of intelligence brokerage must be embraced in order to stand a chance against the supernatural market tensions that are the product of meddling with the operations of diverse intelligence agencies and enraging their respective governments,” Guerrero-Saade said in a paper accompanying his presentation at Virus Bulletin.

“The transition to intelligence brokerage proper is encouraged as a means of survival for threat intelligence producers facing escalating geopolitical tensions. By empowering the producers to strategically control their offerings, these tensions are relieved or entirely sidestepped and the market can flourish away from the limelight,” the expert added.

The complete paper, titled "The ethics and perils of APT research: an unexpected transition into intelligence brokerage," is available for download from Kaspersky Lab.

view counter
Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.