Book Review: Reverse Deception 43
benrothke writes "Advanced persistent threat (APT) is one of the most common information security terms used today and it is an undeniably real and dangerous menace. Wikipedia notes that APT's usually refer to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack. Every organization of size and scope is a target, and many of the world's largest firms and governments have been victims. In Reverse Deception: Organized Cyber Threat Counter-Exploitation, Dr. Max Kilger and his co-authors provide an effective counterintelligence approach in which to deal with APT. The good news is that the authors provide an effective framework. The bad news is that creating an effective defense is not an easy undertaking." Keep reading below for the rest of Ben's review.
When it comes to APT, the de facto perpetrator is China. The book shows how to pursue and hopefully prosecute the perpetrator. But that begs the questions, how many firms can realistically defend themselves against an adversary like China, RBN or nation state? | Reverse Deception: Organized Cyber Threat Counter-Exploitation | |
| author | Sean Bodmer, Dr. Max Kilger , Gregory Carpenter , Jade Jones |
| pages | 464 |
| publisher | McGraw-Hill Osborne Media |
| rating | 9/10 |
| reviewer | Ben Rothke |
| ISBN | 978-0071772495 |
| summary | Excellent reference in which to deal with advanced persistent threats |
In the introduction, the authors note that deception is about behavior, both induced in the adversary and undertaken by the deceiver to exploit it. To deceive, the authors write, it is not sufficient to induce belief in the adversary; it is necessary also to prepare and execute the exploitation of resultant behavior. Once again, preparation and execution against a nation state is not a small endeavor.
Chapter 1 (available free here) sets the stage for the rest of the book and provides an overview of the topic and some examples of advanced and persistent threats, including Stuxnet, Operation Aurora, the RBN and more.
Being the biggest of all APT, China takes center stage in chapter 2 – What is Deception? That is nothing new as China has successful used deception for the last 2,000 years. China is referenced heavily in the book due to their extreme confidence and success in executing deception.
Chapter 3 – Cyber Counterintelligence(CI) details how to use CI to find the cyber-adversaries. The chapter provides both the basic investigative and operational techniques and tools, in addition to detailing how to use legal counsel to ensure that what you are doing is legal.
Chapter 5 gets into much more of the details around the legal issues, and what you can and can't do to your adversary. The chapter provides an excellent overview of how to quantify which persistent threats are the most dangerous. It provides nine areas to rank, in order to use as a metric to weight each and every threat.
By the time the reader gets to chapter 4 on profiling, they will likely be overwhelmed by the amount of work necessary to implement an effective cyber CI program, which is indeed the case. The amount of time to develop an APT program is for the most part unfeasible for most organizations. While the book does not get into the budgetary issues; CIO's, CISO's and other IT managers will likely have a difficult time getting any sort of budget to fund an APT program.
Part of the issue is that many firms don't have an effective IPS in place to they won't even know they are being attacked. In the majority of cases, the APT intrusion is not even discovered by the firm, rather an outside entity who notifies them. What is worse is the fact that in many cases, APT malware has been on the victim network often for years undetected.
In addition, in the same way in which people who are scammed once are often repeatedly scammed again; companies that are victims of an APT will often be repeat victims since the perpetrators may share that information with others.
A few of the authors have military and law enforcement background, which adds to their expertise and insights.
The book is meant to be used to pursue and prosecute the perpetrators of APT. With the exception of the military and a few Fortune 50 companies, the odds of effectively prosecuting APT perpetrators is quite small. Notwithstanding that difficulty, organizations misunderstand that they are under attack, and at least have some plan to assess their vulnerabilities.
This book is mainly an introduction to the topic, but does not provide a comprehensive strategy on how to implement an APT program. Such a reference would need to be at least a few times larger than this work.
There is a web site for the book, but it does not really do more than redirect you to Amazon and Barnes and Noble. Matthijs Koot has a detailed review of the book where he took the time to detail the hyperlinks to source the books web page should have had.
Reverse Deception: Organized Cyber Threat Counter-Exploitation may be overkill for most organization, but is nonetheless a necessary read to truly understand the danger.
For anyone looking to understand what APT's are and how to deal with them, the book provides a comprehensive and unparalleled overview of the topic by experts in the field.
If nothing else, the book provides the reader with an appreciation for how dedicated the perpetrators behind APT are. They are smart, sophisticated, have governments and military agencies on their side and they are numerous. One of the many challenges of dealing with the Chinese APT is that China can easily throw tens of thousands of highly-trained and sophisticated attackers at a target in the US, while the target may only be able to muster a few people to provide a cyber-defense.
One of the most important things to take from the book is the third word in the title – organized. Those carrying out APT are highly organized, prepared and meticulous. They often do things in a slow methodical manner to avoid detection. The book provides a detailed methodology to deal with such adversaries.
The downside is that the victim companies themselves lack that organization. Defending against APT requires much more than simply reading this invaluable text. It requires management support, budget, effective tools and a highly trained staff to correctly use those tools. The great advice in the book won't be of assistance if the team deployed does not know how to correctly use them.
While you will likely be outnumbered and outgunned when it comes to APT defense, Reverse Deception: Organized Cyber Threat Counter-Exploitation is a fascinating reference that ensures you won't go down without a fight.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Reverse Deception: Organized Cyber Threat Counter-Exploitation from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Undeniably real and dangerous (Score:1)
The least supported assertion is also the most contentious. Everyone I talk to in this industry rolls their eyes if you say "APT". Why even talk about the boogeyman when most institutions can't even withstand an anonymous raid without getting owned?
Re: (Score:1)
you been talking to the wrong people....
Re: (Score:1)
Maybe if this is what you consider to qualify as APT:
http://legionnet.nl.eu.org/post/16111014000/scada-idiots-fulldisclosure-by-ntisec
What makes it advanced or persistent if owned infrastructure is a commodity which requires no more effort than window shopping?
This is just the black eye of the minute. The scary thing is that the rogue individual scenarios depicted in "Skyfall" and "Live Free or Die Hard" are getting increasingly plausible, rather than to the contrary. At the rate we're going, cyber-terroris
Re: (Score:2)
That's why. "APT" really means "whatever we did not defend against".
If your defenses worked, it was not an APT.
If your defenses failed (or did not exist), it is okay because it was an APT.
100% marketing.
Re: (Score:1)
The IT security industry arguably is made out of oversimplification. It's like, cyber, you know?
Take, for example, the word "hacker". It's not enough to know you're one a them "hackers", you need to show what hat colour you wear. And even then it's not enough. Why? Because it's been so overused everyone got confused.
Do fishy things with computers? Hacker.
Filch some access codes over teh intarwebz? Hacker.
"Security researcher"? Hacker.
Script kiddie? Hacker.
Do fishy things while there's a computer tangentiall
Re: (Score:1)
Re: (Score:1)
Honestly, no, I'm not. If you keep confusing petty theft and murder you're not going to do much about the crime rate.
The threats are being named to perpetuate an indulgence racket where we should've switched vendors ages ago. We keep on cheapening out in favour of quick fixes that never seem to end up fixing much of anything. The risk to our systems is irrelevant in the face of our unwillingness to do what really needs to be done.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Actually, APTs are incredibly easy to defend against, but specifically, they are always undefended, in almost every instance, because;
a) Decisions about dealing with threats are not made by security specialists but by managers
b) APTs are relatively unimportant to most managers, because the board or otherwise senior managers have no visibility of them.
c) There is no budget for dealing with them,
d) There is no budget in any projects that introduce vulnerabilities as would be exploited by APTs to address them.
Debian....I knew it! (Score:2)
Re: (Score:2, Funny)
# emerge romney
* ERROR: sys-douchebag/romney failed (prepare phase):
* Failed Patch: head not present!
hey, I tried.
Reverse Deception? That's the long way to say... (Score:2)
Autbot
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Words that show that you have no idea you know what you are talking about:
Yes. there are people that try to extort you for money or try to steal your secrets. But it is a matter of IT security to look anybody out that is not allowed on your system; no matter if it is the teenager next door or some attacker living in china. So called APT are no more a problem than any other issue with IT security.
Re: (Score:1)
Cyber Bullshit .. (Score:2)
Stuxnet: US/Israeli malware
Operation Aurora [cnn.com] only worked because the US government put a backdor in gmail and RBN wouldn't be in business if it wasn't for Windows.
First paragraph of review and I stopped reading (Score:2)
No, it prompts or suggests the fucking question.