From APT Reports to Cyber Blunders: A Masterclass in Undermining Security for Profit
Cybersecurity and cyber threat intelligence continue to throw good money after bad. Maintaining the same paradigm that has failed us, we are enamored with incremental gains using the same failed tech
As we start another cybersecurity awareness month, we decided to take a closer look at cybersecurity and cyber threat intelligence. As we looked at the industries, we discovered a perverse paradox emerging concerning cybersecurity and cyber threat intelligence: companies profit from disclosing sensitive information about Advanced Persistent Threats (APTs) while failing to protect against these threats adequately. We explore the lucrative business of APT reporting, highlighting how the drive for profits and publicity overshadows genuine security concerns. We also list the endemic failures in cybersecurity measures, from lax practices to poorly written code. These issues paint a bleak picture of an industry that undermines its mission. Far from enhancing security, the reckless unveiling of APT tactics and chronic inability to protect critical infrastructure expose vulnerabilities, compromise trust, and jeopardize national and global security.
The issue of cybersecurity's perceived failures to protect data and critical infrastructure is complex, involving a mix of technical, economic, and human factors. The following is a typical breakdown:
The technology landscape is evolving much faster than security measures can adapt, creating vulnerabilities.
Security often increases project costs and delays, discouraging organizations from prioritizing it. The focus is frequently on time-to-market rather than long-term security.
A shortage of skilled cybersecurity professionals leads to suboptimal implementation of security measures.
Many organizations still use outdated systems that are more vulnerable to attacks, but upgrading them is costly and time-consuming.
Modern systems are increasingly complex, making them harder to secure completely. A single mistake in one line of code can lead to a significant vulnerability.
Even the best security systems can be compromised due to human errors like weak passwords or clicking on malicious links.
Legislation and regulation often lag technological advancements, making it harder to enforce robust cybersecurity measures.
Adversaries also adapt and evolve, employing increasingly sophisticated methods to exploit weaknesses, making it a moving target to defend against.
Until a major breach happens, the abstract nature of cybersecurity risks can make them seem less immediate than other business concerns.
The global nature of the internet means that risks are not confined to any one jurisdiction, complicating enforcement and protective measures.
Software is often not tested rigorously enough for security vulnerabilities before being deployed.
Despite these challenges, investment in cybersecurity technologies persists because the alternative—doing nothing—presents an even greater risk. The focus is increasingly shifting toward more proactive security measures, but the hurdles mentioned above ensure that this is a slow, uphill battle. Some other, less flattering, issues:
Companies often prioritize immediate financial gains over implementing robust security measures, seen as cost centers rather than investments.
An "it won't happen to us" mentality often prevents organizations from taking threats seriously until it is too late.
Some arrogant organizations believe their existing security measures are infallible, making them resistant to change or external advice.
Red tape within large organizations can slow down the implementation of vital security measures, sometimes purposefully.
Organizations frequently overlook the risks their employees pose, either due to malicious intent or simple incompetence.
The software industry is notoriously lax about security. Budget constraints, tight deadlines, and a focus on features over security produce poorly written code full of vulnerabilities that proper coding would have avoided (there is no such thing as secure code; the onus is not on infosec but on proper coding: accept responsibility for what you write).
When breaches occur, penalties are often insufficient to encourage change. It is cheaper to take the fine than it is to implement security. The C-Suite is primarily economically driven.
State-sponsored actors from countries like Russia, China, and Iran are advancing cyber warfare, making it difficult for commercial entities to keep up.
A thriving underground economy for security exploits makes it financially lucrative for hackers to find and sell vulnerabilities rather than report them. Even security professionals have entered this market for profit.
The average user remains uninformed about best practices for cybersecurity, making them easy targets for attacks like phishing. Being a general user is more appealing than learning about what you use.
Criminal organizations are innovating faster than many security firms, employing AI and machine learning to develop new methods for breaching systems.
There is often poor communication and collaboration between governments, industry, and academia in developing and implementing cybersecurity measures.
The issues are systemic and deeply ingrained, requiring fundamental changes in mindset, cybersecurity companies, products and services, governance, and practices (defensive and after-the-fact) to combat ongoing and future cyber threats effectively.
Another issue related to cybersecurity is cyber threat intelligence companies' publishing of in-depth reports on APTs. The reports are incredibly detailed, laying out exactly how they discovered the APT, down to every DLL, TTP, and method used. Publicly disclosing information about Advanced Persistent Threats (APTs) should be counterintuitive from a traditional warfare perspective. However, there are several reasons why many try to justify the release of this information:
By disseminating information about APTs, organizations can collectively bolster their defenses. Given how interconnected and interdependent the digital landscape is, this communal approach is considered necessary. Public disclosure deters threat actors by clarifying that their activities are monitored and understood. Revealing the presence and nature of an APT pressures the entity behind it, especially if it is state-sponsored. Awareness of a state-sponsored APT leads to diplomatic actions or sanctions. In some jurisdictions, there may be legal obligations to disclose cyber incidents, especially if they involve compromising personal data. Educating the public about the existence and methods of APTs can create a more informed user base that is better prepared to assist in collective cybersecurity efforts. Transparency about cyber threats and their management is essential for maintaining stakeholder trust, particularly after a breach. Detailed reports can help cybersecurity firms and researchers collaborate more effectively, pooling resources and knowledge to develop better countermeasures. Regardless of the rationale, there is no justification for revealing adversary details in this manner. What such a reveal does:
1. Tipping Off Adversaries: Disclosing techniques used to identify APTs enables them to change their tactics.
2. Data Validation: Public reports inadvertently validate the attackers' data, confirming its value or authenticity.
3. Revealing Capabilities: The level of detail in reports discloses the defensive capabilities of an organization or even a nation-state, which is valuable intelligence for adversaries.
4. Strategic Blunder: Publicly disclosing capabilities and intelligence sources used to identify APTs is a significant operational error, akin to revealing your hand in a high-stakes poker game.
5. Intelligence Leakage: These reports inadvertently serve as intelligence feedback loops for adversaries, helping them understand what was detected and how.
6. Eroding Tactical Advantage: Public disclosures diminish the tactical advantages of covert monitoring, allowing adversaries to adapt and develop countermeasures more rapidly.
7. Compromising Allies: Information sharing is crucial among allied nation-states and organizations. Spilling all the beans in a public report compromises your operations and those of allies who provided critical intelligence.
8. Undermining Covert Actions: Disclosures interfere with ongoing covert cyber operations to mitigate or monitor the threat.
9. Political Repercussions: Public finger-pointing has unintended diplomatic fallout, complicating nation-state relations.
10. Crying Wolf: Too many public reports about APTs desensitize the public and organizations, reducing the urgency to act and creating a sort of "alert fatigue."
11. Commercial Interests: Some companies rush to publish APT reports to demonstrate their perceived cybersecurity expertise, prioritizing commercial gain over national security concerns.
The full disclosure of APTs is a hazardous strategy that compromises short-term and long-term plans while providing adversaries valuable insights into defensive capabilities. Publishing detailed cyber threat intelligence is fraught with potential pitfalls and is a strategic misstep from a military standpoint. Why do we allow these practices to continue? The reasons this practice persists, despite its apparent risks, are the usual ones:
Cybersecurity firms often publish these reports to demonstrate their expertise and gain a competitive advantage. The reports are marketing tools designed to attract clients. For some organizations, disclosing a threat and how it was managed is a way to control the narrative, particularly after a breach. The cybersecurity industry often champions transparency to improve collectively. However, this transparency can cross into areas that should remain confidential for national security reasons. Unlike the military, where disclosing sensitive information could lead to a court-martial, the civilian cybersecurity sector operates with considerably less oversight when releasing potentially sensitive data. Some organizations may believe that disclosing information about APTs would not significantly impact their ability to track and defend against them, underestimating the adaptability of these threat actors. There is a strong culture within cybersecurity circles to share threat intelligence. While this has benefits, it also has the downside of potentially giving away too much information to adversaries. By making public so many details about threats and breaches, the industry is inadvertently normalizing failure, allowing companies to escape the scrutiny and consequences they might otherwise face. Incompetence is okay! In contrast to the military, where a lapse in operational security could lead to strict penalties, there's limited accountability in the civilian sector for the potential fallout from these disclosures.
The practice is indeed contentious and can be likened to providing "aid and comfort" to the enemy in a military context. The decision to publish such reports should undergo rigorous evaluation, considering the broader implications for national and global cybersecurity.
The above is a gentle listing of why this occurs. We take a more brutal look below:
Profit Over Prudence: For some companies, the goal is not collective security but revenue. Detailed reports on APTs are prime marketing material and drive sales, even if they compromise broader security efforts.
Fear Sells: The industry often leverages the fear and urgency around cybersecurity to sell services and solutions. The more alarming the published intelligence, the more likely potential customers will buy into a perceived need for protection.
No Legal Consequences: Unlike in the military, where leaking operational details leads to legal ramifications, there is currently little to no regulation preventing private companies from disclosing whatever they want, as long as it does not violate existing contracts or laws, since those would have an economic impact.
Ethical Blindspots: The focus on short-term profits and market competitiveness overshadows ethical considerations about the negative long-term impact of these disclosures.
Industry Ego: The race to be the first to identify and disclose a new threat or APT is driven by ego and the desire for recognition within the cybersecurity community rather than by a sober assessment of the potential consequences.
Lack of Oversight: No governing body is specifically mandated to oversee the ethical considerations of publishing such sensitive information. The responsibility lies solely with the company making the disclosure, creating a significant conflict of interest.
Creating a Target: Publicly identifying APTs and their methods makes those who publish the information a target for future cyberattacks, with cascading effects on all their clients and partners.
Complicating Diplomacy: Detailed public reports force the hand of governments, potentially affecting delicate diplomatic efforts to counter state-sponsored cyber activities.
Destabilizing National Security: By publicizing APT strategies, companies unwittingly undermine their country's security, potentially aiding foreign adversaries in cyber warfare.
Corruption of Trust: Publicizing this information damages trust within the intelligence community. Allies are less willing to share information if they think it will be disclosed to the public or exploited for commercial gain.
Turning a Blind Eye: Governments and regulatory bodies tolerate this practice, indicating a systemic failure to grasp its gravity or a reluctance to stifle a profitable industry.
Arming Adversaries: By dissecting and explaining the methods of APTs, these reports serve as tutorials for less sophisticated actors, essentially democratizing advanced tactics for a broader range of potential adversaries.
Short-Term Gains, Long-Term Losses: Even if threat intelligence firms see bumps in their stock prices or client base, these short-term financial gains pale compared to the long-term strategic losses that such disclosures could precipitate.
Distracting from Root Causes: The spectacle surrounding these reports distracts from systemic problems like poor security culture, inadequate regulation, or insufficient investment in cybersecurity, which remain unaddressed.
Reputation Over Responsibility: Some companies believe that the prestige gained from outing an APT outweighs any ethical or security considerations. This kind of reputation-based decision-making further pollutes the cybersecurity landscape.
The hard truth is that publishing detailed information about APTs is driven more by profit motives and market competition than by a principled strategy for enhancing cybersecurity. It is a risky approach that jeopardizes not just national but global security. In essence, the unregulated, for-profit disclosure of cyber threat intelligence is profiteering in war. It risks immediate and future security for commercial gain, with little to no accountability. It is a severe issue that calls for immediate reconsideration and regulatory intervention since the industry has no desire to self-regulate.
The cybersecurity and cyber threat intelligence industry finds itself in a self-defeating cycle: profiting from revealing APT strategies while failing to safeguard the fortresses it purports to protect. We try not to pull punches in laying bare the commercial greed and ineptitude that imperil national and global security. By unmasking APTs for public consumption, companies squander tactical advantages and arm potential adversaries with valuable intelligence. Meanwhile, shoddy cybersecurity practices continue to leave critical infrastructure exposed. It is high time we confront this disconcerting reality: the industry tasked with safeguarding our digital world poses one of the greatest risks to it.