Lessons from Kudankulam – I: Recreating the target context3 minutes read

I may (or may not) do a series of quick posts highlighting the strategic challenges encountered while investigating a cyberattack like Kudankulam. They would be filed under the ‘lessons-from-kudankulam‘ tag. Since our agencies were literally caught napping, this is a good primer for understanding what nation-state-level cyber capabilities entail:

As I mentioned, the disclosure by IssueMakers Lab is one of the most spectacular cases of public attribution that I have encountered in my career.

There are basically two broad ways to profile an adversary, post-incident.

You seize the target environment and painstakingly preserve the forensics artifacts. Or you do forward area operations — build a counterintelligence capability using active defence or offensive means.

I am not even mentioning augmentary capabilities like situational awareness or intelligence fusion as they simply do not exist in our case.

IssueMakers Lab is a telltale counterintelligence operator.

The first option relies on jurisdictional control which is hampered by space. Your scope of observation is too narrow and the target environment is perpetually in a state of violent flux.

Re-creating an environment in cyber spacetime — which the adversary exploited at a specific point — is close to impossible. Configurations change, users log-out, patches get applied, trust relationships alter, applications get updated — and even pinpointing the exact timeline of an intrusion remains a challenge. A complex offensive toolchain marrying volatile target architecture is a moment which simply cannot be re-lived.

The second option is hampered by time. A good counterintelligence capability requires tracking adversarial tooling, techniques and procedures over elongated periods. It necessitates training, skill, persistence, money, manpower, patience — and institutional will. And it is mostly preemptive, so may not be applicable to our case.

Your situational awareness, too, driven by point solutions is limited by the unknown unknowns, and the boundary conditions around time and space. It does not go well when dealing with determined and well-funded state actors.

However, nation states have an invaluable tool for re-creating the target context: an out-of-band network tap. Yep.

Rob Joyce hinted at that in his legendary know-your-enemy talk.

Juan Andres Guerrero-Saade was kind enough to remind us of that:

Attack replication is an advanced defence measure alluded to by Rob Joyce in an illuminating talk describing measures that would make the work of TAO hackers more difficult. He refers to it as the ‘out-of-band tap’, a defensive device set up to fully mirror and record network traffic within a perimeter and store it in a way that is not integrated with the rest of that network. This allows particularly cautious defenders to move beyond event logs and second-order indicators of infection to a complete replay of the actions undertaken by the attacker, the tools transferred, and commands communicated during the actual attack. This is one of the most powerful (and least adopted) tools in the advanced defender’s arsenal.

https://www.virusbulletin.com/blog/2019/01/vb2018-paper-draw-me-one-your-french-apts-expanding-our-descriptive-palette-cyber-threat-actors/

It is not exactly a blindingly new concept but most effectively suits the imperatives of a government, especially for attacks crossing a certain threshold or targets above a certain factor of criticality.

Dan Geer, too, has extensively philosophised about it for years:

Unless you fully instrument your data handling, it is not possible for you to say what did not happen. With total surveillance, and total surveillance alone, it is possible to treat the absence of evidence as the evidence of absence. Only when you know everything that did happen with your data can you say what did not happen with your data.

http://geer.tinho.net/geer.uncc.9×13.txt

It is so effective that you can even catch zero days (Dirty Cow and EternalRomance).

Of course, it is cost-prohibitive but still remains the most potent tool in governments’ arsenals. Such a setup is only possible for a handful of critical organisations.

Many nation states do field such systems. The trick is to balance between “how long” and “how much.” And the only antidote to surveillance is the emerging avenue of metadata-level collaboration. For more, read: What does a ‘national cyber shield’ look like?