
Book Review: Reverse Deception

samzenpus posted about 2 years ago | from the read-all-about-it dept.


benrothke writes "Advanced persistent threat (APT) is one of the most common information security terms used today and it is an undeniably real and dangerous menace. Wikipedia notes that APTs usually refer to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack. Every organization of size and scope is a target, and many of the world's largest firms and governments have been victims. In Reverse Deception: Organized Cyber Threat Counter-Exploitation, Dr. Max Kilger and his co-authors provide an effective counterintelligence approach with which to deal with APT. The good news is that the authors provide an effective framework. The bad news is that creating an effective defense is not an easy undertaking." Keep reading below for the rest of Ben's review.

When it comes to APT, the de facto perpetrator is China. The book shows how to pursue and hopefully prosecute the perpetrator. But that begs the questions, how many firms can realistically defend themselves against an adversary like China, RBN or a nation state?

In the introduction, the authors note that deception is about behavior, both induced in the adversary and undertaken by the deceiver to exploit it. To deceive, the authors write, it is not sufficient to induce belief in the adversary; it is necessary also to prepare and execute the exploitation of resultant behavior. Once again, preparation and execution against a nation state is not a small endeavor.

Chapter 1 (available free here) sets the stage for the rest of the book and provides an overview of the topic and some examples of advanced and persistent threats, including Stuxnet, Operation Aurora, the RBN and more.

Being the biggest of all APT, China takes center stage in chapter 2 – What is Deception? That is nothing new, as China has successfully used deception for the last 2,000 years. China is referenced heavily in the book due to their extreme confidence and success in executing deception.

Chapter 3 – Cyber Counterintelligence (CI) details how to use CI to find the cyber-adversaries. The chapter provides both the basic investigative and operational techniques and tools, in addition to detailing how to use legal counsel to ensure that what you are doing is legal.

Chapter 5 gets into much more of the details around the legal issues, and what you can and can't do to your adversary. The chapter provides an excellent overview of how to quantify which persistent threats are the most dangerous. It provides nine areas to rank, in order to use as a metric to weight each and every threat.

By the time the reader gets to chapter 4 on profiling, they will likely be overwhelmed by the amount of work necessary to implement an effective cyber CI program, which is indeed the case. The amount of time needed to develop an APT program is for the most part unfeasible for most organizations. While the book does not get into the budgetary issues, CIOs, CISOs and other IT managers will likely have a difficult time getting any sort of budget to fund an APT program.

Part of the issue is that many firms don't have an effective IPS in place, so they won't even know they are being attacked. In the majority of cases, the APT intrusion is not even discovered by the firm, but rather by an outside entity who notifies them. What is worse is the fact that in many cases, APT malware has been on the victim network, often for years, undetected.

In addition, in the same way in which people who are scammed once are often repeatedly scammed again, companies that are victims of an APT will often be repeat victims, since the perpetrators may share that information with others.

A few of the authors have military and law enforcement backgrounds, which adds to their expertise and insights.

The book is meant to be used to pursue and prosecute the perpetrators of APT. With the exception of the military and a few Fortune 50 companies, the odds of effectively prosecuting APT perpetrators are quite small. Notwithstanding that difficulty, organizations must understand that they are under attack, and at least have some plan to assess their vulnerabilities.

This book is mainly an introduction to the topic, but does not provide a comprehensive strategy on how to implement an APT program. Such a reference would need to be at least a few times larger than this work.

There is a web site for the book, but it does not really do more than redirect you to Amazon and Barnes and Noble. Matthijs Koot has a detailed review of the book where he took the time to detail the hyperlinks to sources that the book's web page should have had.

Reverse Deception: Organized Cyber Threat Counter-Exploitation may be overkill for most organizations, but is nonetheless a necessary read to truly understand the danger.

For anyone looking to understand what APTs are and how to deal with them, the book provides a comprehensive and unparalleled overview of the topic by experts in the field.

If nothing else, the book provides the reader with an appreciation for how dedicated the perpetrators behind APT are. They are smart, sophisticated, have governments and military agencies on their side and they are numerous. One of the many challenges of dealing with the Chinese APT is that China can easily throw tens of thousands of highly-trained and sophisticated attackers at a target in the US, while the target may only be able to muster a few people to provide a cyber-defense.

One of the most important things to take from the book is the third word in the title – organized. Those carrying out APT are highly organized, prepared and meticulous. They often do things in a slow methodical manner to avoid detection. The book provides a detailed methodology to deal with such adversaries.

The downside is that the victim companies themselves lack that organization. Defending against APT requires much more than simply reading this invaluable text. It requires management support, budget, effective tools and a highly trained staff to correctly use those tools. The great advice in the book won't be of assistance if the team deployed does not know how to correctly use those tools.

While you will likely be outnumbered and outgunned when it comes to APT defense, Reverse Deception: Organized Cyber Threat Counter-Exploitation is a fascinating reference that ensures you won't go down without a fight.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Reverse Deception: Organized Cyber Threat Counter-Exploitation from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


43 comments


WAS HOPING FOR REVERSE DECAPITATION !! (0)

Anonymous Coward | about 2 years ago | (#41959781)

That would be useful !!

Re:WAS HOPING FOR REVERSE DECAPITATION !! (-1)

Anonymous Coward | about 2 years ago | (#41959819)

Your a real fucken faget. I bet the only APT you know about is Advanced Penis Touching.

Haha, fucken faget!

Faget.

Re:WAS HOPING FOR REVERSE DECAPITATION !! (0)

Anonymous Coward | about 2 years ago | (#41960011)

dear moderator: can u please remove 100% troll comments like the one above?

Re:WAS HOPING FOR REVERSE DECAPITATION !! (-1)

Anonymous Coward | about 2 years ago | (#41960171)

Haha, wittle faget mad about a wittle comment about fagets? Haha, free speech with the purchase of any happy meal, faget!

PS: your an faget.

HAHA, fucken faget!

Undeniably real and dangerous (1)

Anonymous Coward | about 2 years ago | (#41959821)

The least supported assertion is also the most contentious. Everyone I talk to in this industry rolls their eyes if you say "APT". Why even talk about the boogeyman when most institutions can't even withstand an anonymous raid without getting owned?

Re:Undeniably real and dangerous (1)

Anonymous Coward | about 2 years ago | (#41959971)

you been talking to the wrong people....

Re:Undeniably real and dangerous (1)

Anonymous Coward | about 2 years ago | (#41962497)

Maybe if this is what you consider to qualify as APT:
http://legionnet.nl.eu.org/post/16111014000/scada-idiots-fulldisclosure-by-ntisec

What makes it advanced or persistent if owned infrastructure is a commodity which requires no more effort than window shopping?

This is just the black eye of the minute. The scary thing is that the rogue individual scenarios depicted in "Skyfall" and "Live Free or Die Hard" are getting increasingly plausible, rather than to the contrary. At the rate we're going, cyber-terrorism is going to require as much sophistication and persistence as punching a baby.

Why is this? If I had to guess, I suspect the white hat mandate is equivalent to keeping "the herpes" off of Paris Hilton's cooter.

Re:Undeniably real and dangerous (0)

Anonymous Coward | about 2 years ago | (#41963929)

Heh. I think it's you that's been talking to the wrong people. APT is a buzzword, and like all buzzwords nobody really knows what it means, because it's intentionally ill-defined.

The real deal is nobody knows what's going on, but they just feel more comfortable if you give that big unknown thing a nice sounding name that people can show to their boss and say "SEEE.. it's china going after us, so see what we're up against". Nobody actually knows if it's China or just some brilliant 15 year old and his buddy with a lot of time on their hands.

Re:Undeniably real and dangerous (1)

khasim (1285) | about 2 years ago | (#41961941)

Why even talk about the boogeyman when most institutions can't even withstand an anonymous raid without getting owned?

That's why. "APT" really means "whatever we did not defend against".

If your defenses worked, it was not an APT.
If your defenses failed (or did not exist), it is okay because it was an APT.

100% marketing.

Re:Undeniably real and dangerous (0)

Anonymous Coward | about 2 years ago | (#41963675)

quite an oversimplification there....

Re:Undeniably real and dangerous (1)

Let's All Be Chinese (2654985) | about 2 years ago | (#41963997)

The IT security industry arguably is made out of oversimplification. It's like, cyber, you know?

Take, for example, the word "hacker". It's not enough to know you're one a them "hackers", you need to show what hat colour you wear. And even then it's not enough. Why? Because it's been so overused everyone got confused.

Do fishy things with computers? Hacker.
Filch some access codes over teh intarwebz? Hacker.
"Security researcher"? Hacker.
Script kiddie? Hacker.
Do fishy things while there's a computer tangentially involved somehow? Hacker.
Place keyboard logger (physical)? Hacker.
Do fishy things while there's a computer in the next room? Hacker. Obviously.

Where the word once indicated someone with great original skill, and in general meant moby technological creativity, requiring your respected fellows to give it to you, it now has become an epithet as easy as the FBI's "mail fraud" indictment: You get 'em for free with whatever else you do. Notably "talk to a journalist", or even "be in the vague vicinity of a journalist hack's next piece".

That the term nevertheless got used in criminal legislation is telling of its devolution by overuse. And of legislators a bit too keen to not be seen as hopelessly behind the times.

APT is the latest way of this "IT security industry" full of "hackers" to show that they're down with the cyber, baby. Where "cyber" now-a-days is the clueless' way of saying intarwebbertoobz when they don't want to sound like complete hicks, or just sound officious, notably governments.

So I say the whole bunch of "hackers" is very cyber these days. Cyberhackers with their cyberwhite cyberhats. Selling us cyberprotection against cyberAPTs.

But hackers, they're not. Which is ironic, since hacking is just about the exact opposite of oversimplification. But then, these people don't do ironic. They're dead serious on selling you their definitions and their protection.

Re:Undeniably real and dangerous (1)

rubikscubejunkie (2664793) | about 2 years ago | (#41966459)

I think you are getting caught up in the semantics. Hackers, crackers, etc...whatever you want to call them. APT - really does not matter how we define it, focus on the outcome. Our systems are at risk.

Re:Undeniably real and dangerous (1)

Let's All Be Chinese (2654985) | about 2 years ago | (#42018305)

Honestly, no, I'm not. If you keep confusing petty theft and murder you're not going to do much about the crime rate.

The threats are being named to perpetuate an indulgence racket where we should've switched vendors ages ago. We keep on cheapening out in favour of quick fixes that never seem to end up fixing much of anything. The risk to our systems is irrelevant in the face of our unwillingness to do what really needs to be done.

Re:Undeniably real and dangerous (1)

rubikscubejunkie (2664793) | about 2 years ago | (#42026851)

> The threats are being named to perpetuate an indulgence racket where we should've switched vendors ages ago

So you are saying with the 'right' vendor, APT's will stop?

> The risk to our systems is irrelevant in the face of our unwillingness to do what really needs to be done.

So what really needs to be done?

Re:Undeniably real and dangerous (1)

rubikscubejunkie (2664793) | about 2 years ago | (#41966423)

> If your defenses worked, it was not an APT.

If the DoD and Amazon can't 100% defend against APT like China, can the 5,000,000 US SMB do that?

Re:Undeniably real and dangerous (1)

GrpA (691294) | about 2 years ago | (#41976853)

Actually, APTs are incredibly easy to defend against, but specifically, they are always undefended, in almost every instance, because:

a) Decisions about dealing with threats are not made by security specialists but by managers
b) APTs are relatively unimportant to most managers, because the board or otherwise senior managers have no visibility of them.
c) There is no budget for dealing with them,
d) There is no budget in any projects that introduce vulnerabilities as would be exploited by APTs to address them.
e) Most corporate and government decisions are driven by the logic that "if it hasn't happened to us, then it won't happen"

GrpA

Debian....I knew it! (1)

bigredradio (631970) | about 2 years ago | (#41959863)

I always suspected that those bearded villains [youtube.com] were behind this with their "apt-get" weapons of mass destruction.

Re:Debian....I knew it! (1, Funny)

TheGratefulNet (143330) | about 2 years ago | (#41959943)

# emerge romney
* ERROR: sys-douchebag/romney failed (prepare phase):
  * Failed Patch: head not present!

hey, I tried.

Re:Debian....I knew it! (0)

Anonymous Coward | about 2 years ago | (#41960229)

You probably don't have the Race War 2.0 dependency running. It isn't enough to have it installed, it must be running to get Romney installed.

SURVEY SAYS !! (0)

Anonymous Coward | about 2 years ago | (#41959873)

Don't let them in !!

The NUMBER ONE answer !!

Reverse Deception? That's the long way to say... (1)

JoshDM (741866) | about 2 years ago | (#41959903)

Autbot

Slow news day (0)

Anonymous Coward | about 2 years ago | (#41960033)

C'mon, seriously, can't we get something even slightly interesting?

Re:Slow news day (-1)

Anonymous Coward | about 2 years ago | (#41960369)

Faget cunt asscock motherfucker shit eating sex pervert ass hooker faget asshole.

Fuck you and your fucken faget negativity. You'll read the fucken faget article and you'll like it, faget.

Fucken faget.

you might be a victim of financial exploitatio if: (-1)

Anonymous Coward | about 2 years ago | (#41960093)

You're stupid enough to dole out cash for this sensationalistic meritless drivel.

Re:you might be a victim of financial exploitatio (1)

rubikscubejunkie (2664793) | about 2 years ago | (#41960457)

The Chinese are behind many APT attacks. This is documented. Not sure why u call that 'sensationalistic meritless drivel'.

Re:you might be a victim of financial exploitatio (0)

Anonymous Coward | about 2 years ago | (#41960541)

Thank you financial deception victim.

Re:you might be a victim of financial exploitatio (1)

rubikscubejunkie (2664793) | about 2 years ago | (#41960611)

No idea what you mean.

Re:you might be a victim of financial exploitatio (0)

Anonymous Coward | about 2 years ago | (#41961991)

I didn't think so.

Re:you might be a victim of financial exploitatio (1)

rioki (1328185) | about 2 years ago | (#41966635)

Words that show that you have no idea you know what you are talking about:

  • APT
  • Cyber
  • Hacker (!= late night coder)
  • Cloud
  • Tubes
  • Enterprise Software
  • Patterns
  • XML
  • etc.

Yes, there are people that try to extort you for money or try to steal your secrets. But it is a matter of IT security to lock anybody out that is not allowed on your system, no matter if it is the teenager next door or some attacker living in China. So called APT are no more a problem than any other issue with IT security.

Re:you might be a victim of financial exploitatio (0)

Anonymous Coward | about 2 years ago | (#41968567)

Sorry dude, you're looking for the General Petraeus sex tape thread.
We're talking about cybersecurity here.

Re:you might be a victim of financial exploitatio (0)

Anonymous Coward | about 2 years ago | (#41977031)

> So called APT are no more a problem than any other issue with IT security.

i pity the company u work for

Approved by consultants! (0)

Anonymous Coward | about 2 years ago | (#41961493)

The military-industrial complex must love this counter cyberintelligence stuff - "overwhelmed by the amount of work necessary to implement an effective cyber CI program" - sounds like long-term expensive consulting to me.

APT: The only solution .. (0)

Anonymous Coward | about 2 years ago | (#41963585)

The only solution is to not use Microsoft Windows ..

Re:APT: The only solution .. (0)

Anonymous Coward | about 2 years ago | (#41963719)

also a silly anti msft comments....

Cyber Bullshit .. (1)

dgharmon (2564621) | about 2 years ago | (#41963749)

"When it comes to APT, the de facto perpetrator is China .. some examples of advanced and persistent threats, including Stuxnet, Operation Aurora, the RBN and more".

Stuxnet: US/Israeli malware

Operation Aurora [cnn.com] only worked because the US government put a backdoor in Gmail, and RBN wouldn't be in business if it wasn't for Windows.

Re:Cyber Bullshit .. (0)

Anonymous Coward | about 2 years ago | (#41964367)

Does cnn have a source for this? Besides Bruce Schneier?

Re:Cyber Bullshit .. (0)

Anonymous Coward | about 2 years ago | (#41966031)

u r sooo jealous of schnier....

Re:Cyber Bullshit .. (0)

Anonymous Coward | about 2 years ago | (#41965953)

what is your source for that?

First paragraph of review and I stopped reading (1)

tehcyder (746570) | about 2 years ago | (#41965723)

"But that begs the questions, how many firms can realistically defend themselves against an adversary like China, RBN or nation state?"

No, it prompts or suggests the fucking question.

Re:First paragraph of review and I stopped reading (0)

Anonymous Coward | about 2 years ago | (#41966007)

42... and u know where that # is from

Indictment Of Windows And Ecosystem (0)

Anonymous Coward | about 2 years ago | (#41972603)

Reading the review in one of the links really demonstrates that software from M$, Adobe, Oracle can't be trusted with anything important. These companies don't understand security and they don't want to learn security. They want to collect money in large quantities and they do that by selling nice-looking crap.

Apparently all of American industry has been pwned (including the defense industry) - and almost always by means of IE, Adobe PDF, Adobe Flash or Oracle Java.

Re:Indictment Of Windows And Ecosystem (0)

Anonymous Coward | about 2 years ago | (#41977023)

and what high skool u go to?
