Advanced Persistent Threats In Computer Networks

What you cannot hear is the massive silent sucking sound of Western corporate secrets flowing into servers in China.

"The scope of this is much larger than anybody has ever conveyed," says Kevin Mandia, CEO and president of Virginia-based computer security and forensic firm Mandiant. "There [are] not 50 companies compromised. There are thousands of companies compromised. Actively, right now."

Mandia claims these intrusions are persistent and used for industrial espionage on a massive scale.

Called Advanced Persistent Threats (APT), the attacks are distinctive in the kinds of data the attackers target, and they are rarely detected by antivirus and intrusion programs. What's more, the intrusions grab a foothold into a company's network, sometimes for years, even after a company has discovered them and taken corrective measures.

I do not know whether the threat is this large. Are Chinese hackers really sucking massive amounts of proprietary design and business plan data from American, Japanese, and European corporations?

If the infiltrations really are persistent and on a large scale, I have some practical suggestions on how to cut them down by orders of magnitude. Analogies with biological systems come to mind. RNA and DNA viruses can only hijack a host because the host's cells read the viral genome with the same genetic code: the same three-letter codons map to the same amino acids in just about every living organism on this planet. An organism that used a substantially different codon table would likely be immune to existing viruses.

The rest of this post gets too technical for most people who aren't computer architects or software developers. Sorry about that.

In computing the problem stems from the universal use of the same operating systems, scripting languages, networking protocols, and CPU op codes. The obvious solution: generate, per site, a custom instruction encoding that permutes the bits of each op code. (The research literature calls this idea instruction set randomization.) The same compilers (e.g. gcc) could be reused, with a back-end code generator that reads a table describing how each op code of an existing processor instruction set maps to the site's specialized bit ordering.

Take a microprocessor instruction set like some version of the ARM instruction set. Create a description of an ARM processor in, say, VHDL. Enhance the description so that as instructions are fetched their op code bits get swapped from the ordering used out in memory to the ordering the CPU core understands. The core would execute op codes laid out like any conventional ARM processor, but it would fetch them from memory in a secret format that only the site's secret version of the gcc back-end knows how to generate.

Alternatively, the core itself could execute the secret op code layout. At each site the VHDL (or Verilog or other hardware description language) would be transformed into a different, unique op code layout, and the synthesized processor loaded into an FPGA for execution.

Each super-secure site would generate a different secret bit ordering. The odds of a binary virus getting into the facility and invading servers would be extremely low because the virus writers wouldn't know how to generate legal op codes. Two caveats a practitioner would raise: this only raises the bar for attacks that inject native code the attacker wrote. It does nothing against an intruder who reuses code already on the machine (return-into-libc style chains built from the site's own binaries), who feeds malicious data to a bug in a legitimately compiled program, or who logs in with stolen credentials and runs the site's own tools. And the ordering has to stay secret: a fixed permutation of the eight bits of a byte-wide op code admits only 8! = 40,320 possibilities, so any leaked site binary whose contents are known gives the mapping away.
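To make the fetch-time bit swapping concrete, here is a toy model added for this post; it is not the author's code, and the 8-bit instruction set, the example site key, the sample program and the "shellcode" in it are all constructed assumptions. `encode_program` plays the secret gcc back-end and emits op codes in the site's bit ordering; `run` plays the site CPU and swaps the bits back on fetch, so the legitimately built program runs while shellcode written for the public layout faults on an illegal op code. The last two functions show the check a practitioner would want before trusting this: because the ordering is one fixed permutation, an attacker holding a single leaked site binary together with its public source recovers the mapping by comparing the two bit by bit (`recover_key`), and can then forge a binary the site CPU will happily execute.

```python
"""Added example for this post (not the author's code): a toy CPU that fetches
opcode bits in a per-site secret ordering, plus the known-plaintext attack that
recovers the ordering. The 8-bit ISA, the site key and the programs are all
constructed assumptions: 0x01 LOAD r,imm  0x02 ADD r1,r2  0x03 SUB r1,r2
0x04 JNZ r,off8(signed)  0x0F HALT. Only opcode bytes are permuted."""
import random

OPCODES = {0x01: ("LOAD", 2), 0x02: ("ADD", 2), 0x03: ("SUB", 2),
           0x04: ("JNZ", 2), 0x0F: ("HALT", 0)}
SITE_KEY = [3, 7, 0, 5, 1, 6, 2, 4]   # plain bit i is stored at bit SITE_KEY[i]

def make_site_key(seed):
    """A fresh ordering for a new site; note that only 8! = 40320 exist."""
    key = list(range(8))
    random.Random(seed).shuffle(key)
    return key

def permute(byte, key):
    """Move bit i of byte to position key[i]; a None entry is an unknown position."""
    out = 0
    for i in range(8):
        if byte >> i & 1:
            if key[i] is None:
                raise ValueError(f"position of bit {i} in {byte:#04x} is unknown")
            out |= 1 << key[i]
    return out

def invert(key):
    inv = [0] * 8
    for i, j in enumerate(key):
        inv[j] = i
    return inv

def encode_program(plain, key):
    """The site's secret gcc back-end: emit every opcode in the site ordering."""
    out, pc = bytearray(), 0
    while pc < len(plain):
        nops = OPCODES[plain[pc]][1]          # a compiler emits only legal opcodes
        out += bytes([permute(plain[pc], key)]) + plain[pc + 1:pc + 1 + nops]
        pc += 1 + nops
    return bytes(out)

class IllegalOpcode(Exception):
    pass

def run(mem, key, max_steps=10_000):
    """The site CPU: swap fetched opcode bits back to the core's layout, then decode."""
    inv, regs, pc = invert(key), [0] * 4, 0
    for _ in range(max_steps):
        op = permute(mem[pc], inv)
        if op not in OPCODES:
            raise IllegalOpcode(f"pc={pc}: {mem[pc]:#04x} decodes to {op:#04x}")
        name, nops = OPCODES[op]
        a, b = (mem[pc + 1], mem[pc + 2]) if nops else (0, 0)
        pc += 1 + nops
        if name == "LOAD":
            regs[a] = b
        elif name == "ADD":
            regs[a] = (regs[a] + regs[b]) & 0xFF
        elif name == "SUB":
            regs[a] = (regs[a] - regs[b]) & 0xFF
        elif name == "JNZ" and regs[a]:
            pc += b - 256 if b > 127 else b   # sign-extend the 8-bit offset
        elif name == "HALT":
            return regs
    raise RuntimeError("step limit exceeded")

# Constructed sample: 6 * 7 by repeated addition, in the public (plain) layout.
PLAIN_PROGRAM = bytes([
    0x01, 0, 0,  0x01, 1, 6,  0x01, 2, 7,  0x01, 3, 1,   # r0=0 r1=6 r2=7 r3=1
    0x02, 0, 1,                                          # @12: ADD r0, r1
    0x03, 2, 3,                                          # SUB r2, r3
    0x04, 2, 0xF7,                                       # JNZ r2, -9 (back to @12)
    0x0F,                                                # HALT
])
# Constructed "shellcode" from an attacker who knows only the public layout.
INJECTED = bytes([0x01, 0, 99, 0x0F])                    # LOAD r0, 99; HALT

def run_untrusted(code, key):
    """Registers if the code reaches HALT, None if the CPU faults on it."""
    try:
        return run(code, key)
    except IllegalOpcode:
        return None

def leaked_pairs(plain, encoded):
    """Opcode pairs an attacker gets from one leaked site binary plus its source."""
    pairs, pc = [], 0
    while pc < len(plain):
        pairs.append((plain[pc], encoded[pc]))
        pc += 1 + OPCODES[plain[pc]][1]
    return pairs

def recover_key(pairs):
    """Known-plaintext attack on a fixed permutation: for each plain bit i keep the
    stored positions j consistent with every pair; None where still ambiguous."""
    key = []
    for i in range(8):
        js = [j for j in range(8) if all(p >> i & 1 == e >> j & 1 for p, e in pairs)]
        key.append(js[0] if len(js) == 1 else None)
    return key
```

With the example key, `run(encode_program(PLAIN_PROGRAM, SITE_KEY), SITE_KEY)` returns registers `[42, 6, 0, 1]`, while `run_untrusted(INJECTED, SITE_KEY)` returns `None`: the first injected byte happens to decode to a JNZ that is not taken, and the byte meant as HALT decodes to nothing legal. `recover_key(leaked_pairs(...))` pins down the positions of the four low opcode bits and leaves the high four as `None` only because the toy opcodes never set them, which is all the attacker needs: `encode_program(INJECTED, recovered)` then runs to HALT on the site CPU. A key that is unique per site is not the same thing as a key that stays secret.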

This same approach could be applied to interpreted scripting languages. Developers could still write and debug in, say, Python or Ruby or Perl. But their source code would then be translated, on a secure computer that is not on any network, into a very different looking interpreted language. That translator would read in, say, Python and spit out a secret site-specific scripting language, whose interpreter could itself be derived from the open source public Python interpreter engine.
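A minimal version of that translator and site interpreter, added here as an illustration rather than taken from the post: keywords and builtins are renamed through a secret table on the build machine, and the site interpreter maps the dialect back and hands the result to the unmodified CPython engine. The table, the sample program and the payloads are constructed. The interpreter also rejects any stock Python spelling, which is what actually stops an intruder's stock-Python text; the last payload shows the limit of the whole idea, because renaming the vocabulary does not confine code that reaches the runtime through attribute access.

```python
"""Added example for this post (not the author's code): a site-specific dialect
of Python made by renaming keywords and builtins through a secret table on the
offline build machine, and a site interpreter that maps the dialect back onto
the stock CPython engine. The table and the programs are constructed."""
import builtins
import io
import keyword
import tokenize

# Constructed table. A real site would generate it from a secret and cover every
# keyword and builtin, not just the words this sample program happens to need.
DIALECT = {"def": "kv9a", "return": "qz3", "if": "wn1", "else": "rb7",
           "for": "hx2", "in": "pl0", "range": "yu6", "len": "sd4"}
REVERSE = {v: k for k, v in DIALECT.items()}
assert len(REVERSE) == len(DIALECT), "table must be one-to-one"
STOCK = set(keyword.kwlist) | set(dir(builtins))   # reserved: no meaning in the dialect

class NotDialect(SyntaxError):
    """The text contains a word that does not exist in this language."""

def _rename(src, table, forbidden):
    """Token-level rewrite: map NAME tokens through `table`; a NAME that is in
    `forbidden` but not in `table` proves the text was written in the other language."""
    out = []
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        word = tok.string
        if tok.type == tokenize.NAME:
            if word in forbidden and word not in table:
                raise NotDialect(f"{word!r} is not a word of this language")
            word = table.get(word, word)
        out.append((tok.type, word))
    return tokenize.untokenize(out)

def to_dialect(python_src):
    """Offline translator: stock Python -> site dialect (dialect words are reserved)."""
    return _rename(python_src, DIALECT, forbidden=set(DIALECT.values()))

def run_dialect(dialect_src):
    """Site interpreter: dialect -> Python, then the unmodified engine executes it.
    Returns the resulting global namespace."""
    python_src = _rename(dialect_src, REVERSE, forbidden=STOCK)
    ns = {}
    exec(compile(python_src, "<dialect>", "exec"), ns)
    return ns

def accepts(dialect_src):
    """True if the site interpreter will run the text at all."""
    try:
        run_dialect(dialect_src)
        return True
    except NotDialect:
        return False

# Constructed sample program, written and debugged in ordinary Python.
SOURCE = """\
def total(n):
    acc = 0
    for i in range(n):
        if i % 2:
            acc = acc + i
        else:
            acc = acc - i
    return acc

result = total(10)
"""
# Constructed payloads an intruder might drop, written in stock Python.
PAYLOAD_IMPORT = "import os\n"                                     # keyword: rejected
PAYLOAD_BUILTIN = "__import__('os')\n"                             # builtin name: rejected
PAYLOAD_ATTR = "leak = ().__class__.__base__.__subclasses__()\n"   # attribute walk: runs
```

`run_dialect(to_dialect(SOURCE))["result"]` is 5, and the site interpreter refuses `SOURCE` itself, `PAYLOAD_IMPORT` and `PAYLOAD_BUILTIN` because `def`, `import` and `__import__` are not words of the dialect. `PAYLOAD_ATTR` contains no keyword and no builtin, so it is accepted and walks from an empty tuple to every subclass of `object` loaded in the process. The renaming hides the language's surface vocabulary from an intruder; it is not a sandbox, and the table has to cover the whole vocabulary (every keyword, builtin and dunder attribute the runtime exposes) or the dialect is porous.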

The key to this approach is to develop microprocessor descriptions and interpreted languages that lend themselves to automated transformation into functionally equivalent but differently encoded instruction execution machines.

In a nutshell: automate the generation of obscure execution languages and op code architectures.

Desktops are a harder nut to crack. One way to do it is to turn desktops into thin clients, much like X terminals: run the real word processor, spreadsheet, or browser on the secret server's instruction set architecture and ship only the display to the desk. Of course, then OpenOffice and Mozilla Firefox would need to be compiled for each server's architecture, which is far easier with open source than with binary-only software. The desktop itself still runs a standard operating system on a standard CPU, so it remains an attractive foothold; what this buys is that the documents and the applications that open them stay on the hardened side.