"Researchers shy away from attribution because it is often impossible to be 100% certain," he told iTWire during a detailed interview.
"However, an intelligence comment by its very nature is a probability statement. When you speak to researchers, they are generally very confident about attribution, but when you read research papers and articles, they tend to be less concise."
Over 30 years, Clayton has been responsible for building and delivering global operations for the National Security Agency, the Government Communications Headquarters, Rackspace and Bitdefender.
He is responsible for Bitdefender’s global operations in support of customers, including the strategy, service delivery and oversight of Services and Support Operations, including the Security Operations Centre, Customer Success Operations and associated engineering functions.
He has an MS in Leadership and Management and a BA in Intelligence Management from City and Guilds (Royal Charter) in London, as well as a BA in Russian from the University of Westminster. He was interviewed by email.
iTWire: What is your definition of an APT (advanced persistent threat)?
Daniel Clayton: This is an increasingly loaded question today. In the past the definition of ‘an APT’ centred around the description of certain types of attack, namely that they were very difficult to detect and that the attacker retained access to the network for an extended period. The implication was that these types of attacks required high levels of sophistication, requiring, in turn, significant resources which could only be brought to bear by nation states.
So advanced persistent threats and nation states became largely synonymous. In practice this is no longer true; stealthy attacks with significant longevity are routinely carried out by non-nation state actors. Today, it makes sense to separate the two.
In a paper he wrote some years ago, the well-known security researcher J.A. Guerrero Saade said: "The terms ‘APT’, ‘targeted attack’, ‘nation-state sponsored’, and even ‘cyber espionage’ are inaccurate and misrepresent the object of study, which is to say an espionage operation partially carried out with the use of malware." Do you agree with this? If not, why?
As a general statement in 2021, I don’t agree. Our understanding of the terms has evolved over time and researchers today are less likely to throw these terms around than they were five years ago.
In the past higher levels of sophistication led researchers to default to the phrases mentioned, the inference being that if any one of them was true, all of them were true. "It’s sophisticated, so it must be persistent. It’s persistent, so it must be a nation-state. It’s a nation-state, so it must be espionage." Serious intelligence professionals don’t make this mistake today.
All attacks that are attributed to so-called APTs are always said to originate from four countries that also, coincidentally, happen to be the enemies of the US – China, Russia, North Korea and Iran. A journalist tends to get a bit sceptical about this. Your comment?
All our realities are rooted in our perspectives. China, Russia, North Korea and Iran are all considered "threats" by the US (the West) in any context, not just cyber; that they have the resources to be advanced and persistent on the cyber battlefield is axiomatic.
This same conversation is probably being had in Asia or Russia, between a journalist and a cyber intelligence professional, with an equally well justified but entirely different four nations listed in the question above.
These days, it looks like a security firm always needs some kind of collaboration with an intelligence agency in order to provide information that will catch the attention of the media - which seems to be the whole idea of the game. What is your comment about this?
If an agency like the FBI or Interpol gets involved, the media tends to pay close attention because it usually means a severe threat with wide implications is in progress… so take heed to protect yourself or your organisation (much like a weather alert that a storm is imminent). It helps add immediate credibility to new threats and research. If an intelligence agency cares… so should you.
National intelligence agencies have controls around things like source-reliability and have collection capabilities that civilian organisations cannot rival. So, if a national agency is paying attention, we can assume the work to validate has (to some degree at least) been done.
A CIA-sponsored "think-tank", Recorded Future, has now set up a media outlet known as The Record for disseminating technology news. Does this not increase the possibility of misinformation being spread?
Not really; researchers have been dealing with open-source reporting and "disinformation" for a long time, and serious intelligence professionals pay attention to sources and source reliability.
Good researchers do the analysis to separate the noise from the facts. What is true is that not everyone will do that work before spreading the information. But that has always been the case.
You mentioned that one topic you would outline was how APTs choose their targets. Go ahead.
It depends what we’re talking about when we talk about the APT. If we’re talking about nation states, targets are driven by national level intelligence requirements, which are a set of questions that the government has deemed critical to decision-making.
How those intelligence requirements are answered depends largely on where the information is available, and governments will use multiple techniques to collect. Signals intelligence (SIGINT), the collection of electronic transmissions, and human intelligence (HUMINT), the collection of information from human sources, are the most common, especially in the context of espionage.
Nowadays, the availability of data makes cyber a very effective collection capability, and the interconnected nature of government and the commercial sector, through contracts, partnerships and supply chains, provides the APT with many targets that may be a weak link providing an entry point to a target network.
Again, you mentioned that you would like to offer some clues on the top ways that APTs gain a foothold in an environment. Once again, go ahead.
As technology stacks and security teams get better at identifying anomalous activity, bad actors are becoming better and better at "living off the land", meaning they are learning how to use the tools that are already on the network and already part of the network's baseline.
Endpoint technology focuses on a system of behavioural scoring which requires a threshold of activity on a single resource to be met. We’re now seeing attackers break down their activities across multiple resources in order to stay below the activity threshold that a technology platform may need in order to detect.
The combination of OCTUPUS and KOADIC (KOCTUPUS) in the recent Pysa attack is a good example of an attacker intentionally using two resources to execute in order to avoid meeting the threshold for detection on a single resource.
What are the steps organisations can take to detect and recover from most common attacks?
There is a lot of information out there on steps that companies can take to detect and recover from common attacks. In summary, I would say the following:
- Understand your own threat landscape and build relevant capabilities that protect you from those threats.
- Be proactive. Over-reliance on technology has punched many companies in the face over the last few years. Assume compromise, understand what compromise may look like in any given circumstance and go look for it. If you don’t have detection and response capabilities, work with a security partner who does.
- Do the basics well. Modern security programs are complex, but we can reduce the noise by doing the basics effectively. Ensure your tools are up to date with the most recent IOCs, IOAs and signatures. Understand your own network, develop a detailed view of what normal looks like and develop capabilities that enable you to spot anomalous activity quickly.
- In terms of recovery, my advice is to focus on rapid detection and response. The further to the left of the kill-chain we interdict the attacker, the easier and cheaper it is to recover and the more you are able to avoid business impact.
Would you agree that attribution is the most difficult part of infosec research?
Not really. Researchers shy away from attribution because it is often impossible to be 100% certain. However, an intelligence comment by its very nature is a probability statement. When you speak to researchers, they are generally very confident about attribution, but when you read research papers and articles, they tend to be less concise.
If so, how do many companies attribute attacks to this nation or that with pinpoint accuracy, while at the same time saying the attacks were sophisticated and carried out by people with unlimited resources?
Again, [it is a] probability statement rather than pinpoint accuracy. Often you can see patterns in the execution of the attack, or the code that has been written, perhaps the target is a common one for a particular nation state. If the researcher can see a combination of these factors it will increase their confidence in attribution.
Of course, the simple things are all obfuscated today, and some nation states will copy the modus operandi of another or reuse an evolved version of a previous attack; all of this sows seeds of doubt and will generally avoid public attribution.
Why is it that security firms fight shy of mentioning attacks carried out by the NSA? We hear plenty about other countries, but on the USA, everyone is tight-lipped?
Foreign researchers are much more likely to point fingers at the NSA, or any other government entity, than a US-based company or researcher. Remember, many serious researchers and intelligence professionals learned their trades in those government organisations. That internal knowledge, and the relationships that are often maintained, play a part in the tendency to focus more on external threats.