Jake Williams @MalwareJake, 16 tweets, 3 min read
Let's talk a little about the CIA covert communication failure story. People (particularly those not in IR) idolize APT and their tradecraft. But it's not always that awesome. Remember that most APT are intelligence operatives. 1/n
yahoo.com/tech/cias-comm…
We can learn a lot about the way APT operates by extrapolating from this CIA failure.

1. OPSEC issues happen, even for intelligence operations.
2. People often identify the OPSEC issue before it rises to a catastrophe.

2/n
3. Even when lives are obviously at stake, action may not be taken by decision makers.

Momentum is a heck of a thing and bureaucracy can stand in the way of even the most important changes. 3/n
There are many more takeaways, but I'll handle those in a separate thread. I'll restrict this thread to issues with OPSEC and takeaways for APT tradecraft. 4/n
Individual APT attackers often know what they are doing doesn't demonstrate the best OPSEC. But resources are limited and management will often say "if we haven't been caught yet, it must be okay." Everything is fine until it isn't - then it all falls apart in an instant. 5/n
Iran effectively discovered a signature for the covert communication system. That they could Google other comms sites is interesting, but irrelevant. If noindex had been set, they still would have found the domains. We're talking about a motivated nation state here. 6/n
It's easy to say "duh, they should have varied the signature of the sites." Okay, I don't disagree.

I also recognize the OPSEC value in an attacker deploying a completely written-from-scratch malware sample to each domain. Or better yet, why not for each computer? 7/n
The answer to both is obviously resourcing. There's also operational usability to worry about. Each new tool requires testing and training. Imagine that a new contract is levied for each covert comms site. Suppose that one is vulnerable to SQLi and people die as a result. 8/n
In that case, wouldn't we be screaming for standardization? Of course we would. Even with infinite resources to test each independently developed site, there would still be issues. So there's no perfect solution here. 9/n
At a symposium this week, an attendee was incredulous when I said I'd seen APT use the same IP addresses for recon and exploit delivery. He was sure I was wrong (and told everyone so). 10/n
I've got countless examples of this and other poor OPSEC. His objection? If he knows how to "do it right" then APT must too. I don't disagree that many operators know how to "do it right." It's more a question of whether they have the resources, time, and discipline to do so. 11/n
I actually introduced the issues around CIA covert communications in China as an example of intelligence/APT getting it wrong. I didn't know about Iran, though it doesn't surprise me. 12/n
Intelligence is results driven. Any time something gets results, you can bet that people will try to replicate that success. Paranoia is very real too. But desire for results often wins out over caution. It's how Ford screwed up SUVs and the Challenger exploded. 13/n
Every time you use a capability, you increase the risk of that capability being caught. This was no different. By increasing the number of agents using the capability, it was increasingly likely one would be caught. Ideally the system wouldn't unravel entirely, but it did. 14/n
TL;DR don't read this as a "CIA is dumb" story. Read this as an "all intelligence operations have OPSEC issues" story. Recognize your APT operators are human and will make mistakes. Ask what you can learn from the mistakes they make. 15/n
Is there a common thread? Like a resourcing issue? What other resourcing issues might they also be facing? In many cases, you can use these to predict additional issues you can capitalize on.

I realize this might have been better as a blog post than a thread. Oh well, YOLO
/fin
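Infrastructure reuse of the kind mentioned in 10/n (the same source IP doing reconnaissance and later delivering the exploit) is something a defender can check for in their own web logs. The following is an added example, not code from the original thread: it parses a handful of constructed combined-format access log lines and reports any source IP that was seen doing recon before later delivering an exploit. The scanner user-agent strings, the probe paths, and the /upload.php delivery endpoint are assumptions chosen for illustration, not indicators from the story.

```python
"""Flag source IPs that reuse infrastructure across recon and exploit delivery.

Added example (not from the original thread). Reads Apache/nginx combined
access log lines, tags each request as recon, exploit delivery or neither,
and reports IPs whose first recon request precedes their first delivery.
All heuristics below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed indicators: well-known scanner UA fragments and commonly probed paths.
RECON_UA = ("nikto", "sqlmap", "masscan", "nmap", "zgrab")
RECON_PATHS = ("/.env", "/.git/", "/wp-login.php", "/phpmyadmin", "/admin")
# Assumed delivery endpoints: a POST the server accepted counts as delivery.
EXPLOIT_PATHS = ("/upload.php", "/api/import")

# Constructed sample data (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2018:08:01:10 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
203.0.113.7 - - [10/Nov/2018:08:01:11 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
198.51.100.4 - - [10/Nov/2018:08:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [10/Nov/2018:08:05:42 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Nikto/2.1.6)"
203.0.113.7 - - [11/Nov/2018:02:14:09 +0000] "POST /upload.php HTTP/1.1" 200 48 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.25 - - [11/Nov/2018:02:20:00 +0000] "POST /upload.php HTTP/1.1" 200 48 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Tag a parsed request as 'recon', 'exploit' or None (uninteresting)."""
    ua = rec["ua"].lower()
    if any(tag in ua for tag in RECON_UA):
        return "recon"
    # Probing for files that do not exist is recon even with a benign UA.
    if rec["status"] == 404 and rec["path"].startswith(RECON_PATHS):
        return "recon"
    if rec["method"] == "POST" and rec["status"] == 200 and rec["path"].startswith(EXPLOIT_PATHS):
        return "exploit"
    return None


def correlate(log_text):
    """Map each IP seen doing recon and then delivery to (first_recon, first_exploit)."""
    first_seen = defaultdict(dict)  # ip -> {"recon": ts, "exploit": ts}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        seen = first_seen[rec["ip"]]
        if kind not in seen or rec["ts"] < seen[kind]:
            seen[kind] = rec["ts"]
    hits = {}
    for ip, seen in first_seen.items():
        # Only count IPs whose recon came before (or with) their delivery.
        if "recon" in seen and "exploit" in seen and seen["recon"] <= seen["exploit"]:
            hits[ip] = (seen["recon"], seen["exploit"])
    return hits


if __name__ == "__main__":
    for ip, (recon_ts, exploit_ts) in correlate(SAMPLE_LOG).items():
        gap = exploit_ts - recon_ts
        print(f"{ip}: recon at {recon_ts.isoformat()}, delivery {gap} later")
```

On the sample, only 203.0.113.7 is reported: it scanned with a Nikto user-agent on 10 Nov and posted to the assumed upload endpoint about 18 hours later from the same address. 192.0.2.25 delivered with no prior recon from that IP, so it is not reported; a real deployment would also want to join recon from a different address in the same netblock or ASN, which this example deliberately leaves out.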