Cybersecurity Canon Candidate Book Review: "Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats (2011)," by Will Gragido and John Pirc

Executive Summary

Cybercrime and Espionage, published in 2011, is a book that was ahead of its time. The authors were pushing the envelope in terms of how the security community should think about advanced threats. However, almost five years later, there is not enough in here to make the book Canon material. Gragido and Pirc present some stimulating ideas, but in the end, the security community has not adopted many of them. My recommendation is to read this book if you are interested in how our community has evolved in terms of thinking about adversary campaigns. However, if you are looking for a state-of-the-art book about cybercrime and cyber espionage, this is not it.

Introduction

Will Gragido and John Pirc published this book in February 2011, the year after the commercial industry experienced its wake-up call in terms of cyber espionage: Operation Aurora. [1] Aurora refers to the adversary campaign launched at Google and other commercial organizations that was designed to steal intellectual property, collect information on human rights activists, and gather intelligence regarding ongoing FBI wiretap operations. [2] What made Aurora notable was Google's reaction to it. They went public and accused the Chinese government of being responsible for the attacks. Before Aurora, most commercial organizations would not admit that they had been breached, even though nation states had been targeting commercial organizations for at least a decade. Business leaders worried that admitting a breach would significantly affect the bottom line. After Aurora and Google's public admission, it became easier for other commercial entities to admit that they had been breached. Fast-forward to today, and public breach notifications are so common that it is difficult to keep up with them all.

But this was the beginning. Before Aurora, the only significant cyberthreat to the commercial world was crime. After, cyber espionage became something that we all had to worry about. This is the context for the book: defining cybercrime and cyber espionage as motivations, what makes them different and what makes them the same.

Impressions

The two authors, Will Gragido and John Pirc, are experienced cybersecurity professionals, and it is clear that they know what they are talking about; but the book is a bit disorganized in terms of who the target audience is. The content is a mix of introductory and advanced material, and I did not see that the book had a through line. The authors' analysis of the cybercrime world is at the introductory level. If you want a more in-depth book on the same topic that was published around the same time, consider Kingpin, written by Kevin Poulsen. [3] If you are looking for something a little more recent, consider Spam Nation by Brian Krebs. [4] The espionage material is more advanced, but if you want to go deeper, consider Kim Zetter's Countdown to Zero Day [5] or Richard Bejtlich's The Practice of Network Security Monitoring. [6]

I do give Gragido and Pirc credit, though, for covering some advanced ideas ahead of their time that have not really become popular until just recently. One idea that I really like is that commercial organizations should build their own intelligence teams to track adversary campaigns. They published the book almost five years ago, and this was not universally accepted at the time. It is not universally accepted today either, but more and more organizations are starting to understand the value of such teams. As an aside, this is one of the reasons I got hired at Palo Alto Networks: to build an intelligence team that we eventually called Unit 42.

Gragido and Pirc push their own intelligence model called MOSAIC: Motive, Awareness, Open Source Intelligence Collection, Study, Asymmetrical Intelligence Correlation, Intelligence Review and Interrogation, and Confluence. It is a good framework for an intelligence analyst; unfortunately, the model has not really caught on. Most intelligence organizations, the CIA, the FBI, and the NSA, as well as Unit 42, use a model called the Intelligence Cycle. [7][8] They are basically the same thing, but the MOSAIC model has more detail.

The authors introduce a new phrase, Subversive Multivector Threats (SMTs), a sort of superset of what the cybersecurity community used to call the Advanced Persistent Threat (APT). They even explain the origin of the APT phrase, which the military had been using for almost a decade in an unclassified setting to mean anything that involved Chinese government-sanctioned cyber espionage. Gragido and Pirc were ahead of their time in understanding that the community needed another name to label similar attacks that did not originate from China. Thus, they came up with SMTs, but the community has not embraced that term. We have evolved the APT phrase to include everything instead.

Another advanced idea presented that I really liked was the concept that there are humans behind these attacks. Tools do not attack our systems. Humans, often organized into groups, attack our systems, and they use tools to accomplish some goal. These adversary groups can be rated in skill level from novice to expert and have motivations like cybercrime and cyber espionage; and, according to the authors, understanding that context helps defenders do a better job. I wholeheartedly agree. But today, I think we can expand that motivation list to include hacktivism, cyberterrorism and cyberwarfare, and I thought their definitions of hackers' maturity levels were not definitive enough to be useful.

Also, Gragido and Pirc introduce a two-tiered categorization scheme for adversary campaigns, where Tier 1 campaigns target

… air-gapped networks or networks that would be considered highly secured, such as those of power companies (supervisory control and data acquisition or SCADA networks), governments, and defense organizations. [9]

Tier 2 adversary campaign plans are all other APT campaigns. This two-tiered system seems ill-conceived today. The security community considers SCADA networks in general, and power companies in particular, as being at least 10 years behind the rest of the community. [10] And government networks have proven to be even less secure than most commercial organizations, except for maybe the intelligence community's networks and some select defense networks. [11] I do not see a need for this two-tiered system in today's threat environment.

One last advanced idea that I really liked was that threat prevention is possible. There has been a trend in the industry these past five years where security leaders have thrown their hands in the air, saying they cannot possibly stop the APT and that it is better to concentrate their precious resources solely on detection and mitigation. This is just plain wrong, and Gragido and Pirc do well to point that out. If I can prevent 90 percent of all attack campaigns because most adversaries use known techniques, why not do it? That lets me concentrate my resources on finding the unknown techniques. Detection and mitigation are important, but these activities should be balanced with a robust threat prevention program. Even in 2011, Gragido and Pirc asserted this philosophy.

Conclusion

Cybercrime and Espionage is a book that was ahead of its time. I give the authors credit for pushing the envelope as to how the security community’s thinking around advanced threats should evolve. If you read it when it was published, it would have stimulated your thought process around your own security program. But almost five years later, there is not enough in here to make the book Canon material. Gragido and Pirc present some stimulating ideas, but in the end, the security community has not adopted many of them. My recommendation is to read this book if you are interested in how our community has evolved in terms of thinking about adversary campaigns. However, if you are looking for a state-of-the-art book about cybercrime and cyber espionage that will stand the test of time, this is not it.

Note: 

Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats is a Cybersecurity Canon Candidate. Please visit the official page sponsored by Palo Alto Networks to read all the books from the Canon project.

Sources

[1] "Google Hack Attack Was Ultra Sophisticated, New Details Show," by Kim Zetter, Wired Magazine, 14 January 2010, Last Visited 5 July 2015

[2] "Google Aurora Hack Was Chinese Counterespionage Operation," by Mathew J. Schwartz, InformationWeek: Dark Reading, 21 May 2013, Last Visited 5 July 2015

[3] "The Cybersecurity Canon: Kingpin," by Rick Howard, Palo Alto Networks, 11 February 2014, Last Visited 9 July 2015

[4] "The Cybersecurity Canon: Read Rick Howard's First-Look Review of SPAM Nation by Brian Krebs," by Rick Howard, Palo Alto Networks, 17 November 2014, Last Visited 9 July 2015

[5] "The Cybersecurity Canon: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon," by Rick Howard, Palo Alto Networks, 28 January 2015, Last Visited 9 July 2015

[6] "The Cybersecurity Canon: The Practice of Network Security Monitoring," by Rick Howard, Palo Alto Networks, 10 November 2014, Last Visited 9 July 2015

[7] "The Intelligence Cycle," Central Intelligence Agency: Kids Zone, Last Visited 9 July 2015

[8] "The Intelligence Cycle," Federation of American Scientists, Last Visited 9 July 2015

[9] "Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats," by Will Gragido and John Pirc, Syngress Publishing, 7 January 2011, Last Visited 10 July 2015

[10] "SCADA systems: Riddled with vulnerabilities?" by Doug Drinkwater, SC Magazine, 26 August 2014, Last Visited 10 July 2015

[11] "4 Worst Government Data Breaches Of 2014," by Jai Vijayan, InformationWeek: Government, 12 November 2014, Last Visited 10 July 2015, http://www.informationweek.com/government/cybersecurity/4-worst-government-data-breaches-of-2014/d/d-id/1318061
