The Asset Trap
As we look at what's happened with the Russian attack on the US government and others via Solarwinds, I want to shine a spotlight on a lesson we can apply to threat modeling.
An example of asset-driven thinking leads the article Hack may have exposed deep US secrets; damage yet unknown. And I don't want to pick on this article in particular — anyone can fall into this trap:
Some of America’s most deeply held secrets may have been stolen in a disciplined, monthslong operation being blamed on elite Russian government hackers. The possibilities of what might have been purloined are mind-boggling. Could hackers have obtained nuclear secrets? COVID-19 vaccine data? Blueprints for next-generation weapons systems?
This seems perfectly reasonable list, doesn't it?
But you know what? This is assets in the sense of things which are valuable to us. What are the Russians going to do with plans for our nuclear weapons? They have their own. What are they going to do with vaccine data? Save the lives of their citizens? Plans for our next generation weapons may, indeed, be useful to them for finding weaknesses in those systems or copying them. But there are also assets in the sense of things attackers want.
I have a bet for their top prize: DKIM keys. You know, the things which add digital signatures to email as they pass through mail servers? With those, they can craft fake emails from government officials, but which pass any validity check. Back in 2016, Robert Graham wrote:
Recently, in response to a leaked email suggesting Donna Brazile gave Hillary's team early access to debate questions, she defended herself by suggesting the email had been "doctored" or "falsified". That's not true. We can use DKIM to verify it.
Now, we have an adversary who has developed a broad and modern understanding of the use of information operations to amplify wedges in Western societies, and they've been particularly successfully in the United States and the UK. And that adversary can forge emails. Emails saying things like "We need to fake election results" or "we should bollox up the rollout of the President's plan." Such lies will have a life of their own. (These may be assets in the third sense of the term, which is stepping stones, but I think, here, that's a distinction without a difference.)
One important defense is to rotate DKIM keys regularly, but I'm pretty sure DKIM keys are not in your assets list.
I hope you're nodding along, believing this plausible, because I'm going to tell you again: assets are a trap. How I think I might abuse them is dependent on my background and orientation. That's probably different than what an attacker is going to do.
I have a perspective on what I'd do as an attacker. The reporter for the AP has a perspective, informed by national security officials. Am I right? Is he? I don't know. Focusing in on assets helps us tell stories about those assets. As we think about defenses being structured, systematic and comprehensive, it's important to focus in on what we understand - the things we're working on, and to defend those things. If we predicate our defenses on these stories, we may be lead astray. If we focus our defenses on the vaccine secrets, then we may mis-construe the attacker's tactics. These are avoidable mistakes.
It's early days in this story: I don't mean to criticize the defenders or distract from their forensic work. But for those whose work is threat modeling, the anticipation of future problems, there's already lessons we can bring back to our work.
Previously: Fireeye Hack & Culture, and the attacker-centricity version of this trap in Who Are We Kidding with Attacker-Centered Threat Modeling?, and links therein.