Disclaimer: I am unemployed as I'm writing these words. They reflect my opinion and mine only.
The existential crisis
Have you noticed it? There’s a strange melancholy floating about. Maybe it’s because major brands are being traded like Pokémon cards. Because some friends are being laid off. Or even because the cybersecurity industry, in a single stroke, might have caused more damage than it ever prevented. When I go to the conferences I’ve attended for almost a decade, I get a feeling that we’re just going through the motions now, pushing out varying shades of the same research – myself included.
This is a blog post I’ve been meaning to write for some time, although not an easy one to articulate for fear of sounding too negative. I should state right off the bat that after 15 years, I still couldn’t see myself working in any other field; this is not one of those burnout-type, ripping-out-ethernet-cables-to-go-raise-goats blog posts. Yet my love for this field isn’t entirely blind and it feels only right to share (somewhat) constructive criticism from time to time… even when it’s obvious we’re all on a ship that couldn’t steer to save its life. In the end, I chose to construct this post as a series of realizations punctuated with their implication for my personal future. You may draw entirely different conclusions, and that’s fine.
I know I’m not the only one in the threat intelligence industry experiencing uneasiness. Juan Andres Guerrero-Saade shared similar sentiments in this year’s LABSCon keynote. For me, ground zero was probably Russia’s invasion of Ukraine, in part due to how it affected my professional life but also beyond that. I remember thinking: “where’s that cyber-Pearl Harbor we’ve been promising everyone?” It’s a controversial subject in the industry: some insist (with reason) that the KA-SAT attack was hugely significant, others point out that tragic outcomes were only prevented thanks to unprecedented cooperation efforts – in other words, cyber-Pearl Harbor did take place, only secretly, and it was a fierce battle. I do not intend to settle this debate and in the context of this conversation it doesn’t really matter; what matters is this sobering feeling that befell me and stayed with me ever since.
The notion that what we do doesn’t matter that much.
Admittedly, when missiles start falling, what does? It’s less of a nihilistic outburst and more of an acknowledgement of my then-inflated perception of self-worth. It’s good to be aware of the responsibilities that behoove us. It’s also good to remember that when things get real, we’re at best confined to the sidelines. It might not have been true in peace time, but that’s not where we are nor where we’re headed.
The point of what we do
A couple of weeks ago, at a round-table, I was called out by one of the participants on the lack of research on Western APTs. “Where are the articles on DGSE activities?” she asked, “Your role is to shine light on what our government is doing in our name and you’re failing.” I went on to explain that attribution is hard: for all we know we could be tracking DGSE and just not know it; Western actors tend to be stealthier and typically not the low-hanging fruit most research focuses on, and so on. A more profound aspect of my defense involved suggesting there might have been a misunderstanding as to what the cybersecurity field does. Our corporate masters have kept threat intelligence on such a long leash that most people, us included, are now confused as to what we’re trying to accomplish.
Some will tell you that we’re here to disrupt intelligence operations (foreign intelligence operations, when they’re being honest). I hope they're wrong because if they aren’t, boy do we suck at our jobs. Ask your local government IR folks what the trend looks like from their perspective. Last I had such a talk, a despondent analyst shared that Chinese APTs were hitting us harder every year and that cases were piling up faster than they could handle. A more modest aim is to “impose cost” (usually followed by an unreasonable number of exclamation points). Even then I think we’re mostly falling short, which becomes apparent when we take into consideration our main retaliation avenues against APTs as private actors:
- Naming and shaming. We write an extensive report about an actor’s activities and expect that they will commit seppuku to wash away the great shame of having been caught. They don’t. Accused governments deny their involvement 100% of the time before paradoxically noting that we’re doing the exact same to them, so fair’s fair[1]. Maybe our work is used to support diplomatic processes outside our purview, it’s hard to say.
- Destroying capabilities. Discovering new malware, we write signatures and IOCs and disseminate them. It’s unclear that many people are ever using those Yara rules we lovingly design, but in any case APT groups have learned to live with it. Stagers have become the basic commodity that any actor worth its salt is able to churn out, and in many cases using burned tooling works well enough. We never killed PlugX. Getting exploits patched, or documenting huge malware platforms is however very costly for attackers.
- Disabling infrastructure. The cat and mouse game where we take down C2s and they reappear somewhere else. Most vendors don’t even bother due to the limited impact.
Long story short, most security research doesn’t in fact affect the real world in a meaningful way, and I’ve grown to see myself as a chronicler of cyberspace’s slow descent into chaos. The chronicle itself has value by the way, otherwise nobody would pay us for maintaining it – but it mostly lies in the realm of secondary benefits: media exposure, institutional relations, etc. This comes with strings attached: we’re only tolerated insofar as the value we bring is greater than the friction we cause. And since said value is quite hard to quantify, our number one KPI has become to avoid friction.
Where I go from here: the most important aspect for me is coming to terms with the fact that threat intelligence matters less than we figured, and that the point of what I do is to be found in the enjoyment I take in doing it. If possible, I ought to refocus my research on discovering exploits and spend less time on throwaway malware.
Leaving the endpoint space
Another aspect of the job that has been gnawing at me for some time is the fact that I’m losing faith in the potential of endpoint-based security research. Obviously, the major vendors out there still have a good enough visibility that they’re bound to stumble on the good stuff on a regular basis; I’m also not disputing that endpoint security is useful, at the very least where cybercrime is concerned. Circling back to my earlier mention of not publishing much about Western APTs, one key point I left out is that we’re sort of lagging behind.
One of infosec’s open secrets is that we actually have a vague idea of what Western APTs are doing. Everyone knows a guy who knows a guy, heard someone oversharing at a private Defcon side-event or met a researcher who was gently asked to bury a promising lead or give up on ever getting a clearance. We sort of know that the truly sophisticated actors have moved on: they’re burying themselves in routers, unmonitored appliances, printers, telco networks – where nobody has any visibility. If for some reason they need to take action on some user machine, they can finish the job by living off the land or via in-memory scripts. Enjoy clustering those certutil.exe invocations! I’m sure there are still many out there, but I can’t imagine why in 2024 you would ever feel the need to spend thousands of man-hours developing a new DanderSpritz-like modular platform for PCs. Like dynamite fishing, it just feels too expensive, too risky, plain overkill.
Long story short, I don’t want to spend the next 10 years of my life perfecting detection capabilities in the desktop world when the smart kids spent their last 10 years exiting it. This becomes exceedingly apparent when I think about noteworthy research from these past years: the cases that spring to my mind are Amnesty on Pegasus/NSO, Mandiant’s discovery of the SolarWinds supply-chain attack and Kaspersky’s work on Triangulation. Two patterns worth noticing here:
- None of those findings stemmed directly from endpoint solutions. For Mandiant and Kaspersky, they resulted from internal incident response engagements[2], and Amnesty is providing similar services to at-risk individuals. The fact that Kaspersky’s most significant discovery in recent history didn’t come from its telemetry is a sign I take very seriously[3].
- Two out of the three cases, which also happen to be the most advanced from a technical standpoint, involve mobile devices.
Where I go from here: it seems clear to me that if I want to keep doing exciting research, I need to leave the desktop world sooner rather than later – and to some extent, leave the endpoint defense space as well. The main issue with the mobile world is that vendors essentially lock you out of meaningfully inspecting your devices. Mid-2023 I tried writing an Android app that would provide the most basic security feature known to man: keeping your logs[4]. You can’t do it. The security model won’t let you, apps could store sensitive information in there. Better to let any trace of compromise disappear forever, that’s the world we live in. If you’re interested in doing mobile research, you have very few options beyond applying at Google or Apple, maybe constructors like Samsung or Huawei too.
Starting November 4, 2024, I’ll be joining Meta’s security team, with a focus on WhatsApp. I’m getting closer to the action.
Random parting thoughts
This post is long enough as it is, and the ramifications of the few tidbits I have left have already been developed elsewhere, so I will content myself with glossing over those ideas.
- No matter how much effort we expend staying relevant and bettering ourselves as an industry, threat intelligence will never amount to anything if we keep letting the Ivantis of the world push version after version of their trivially insecure software on the market with no consequences. We'll only ever get the attackers we deserve.
- We’re heading into a multipolar world where multilateralism doesn’t work. I expect that as we devolve into us-versus-them world visions, doing research on “friendly” operations will become more and more difficult, possibly even openly forbidden. I'm not happy with this. The hand that tastes best is the one that feeds you.
Where I go from here: not much to do about all that. I’ve said for a long time that we should hope our peers from other regions will document Western APT activities, yet as I write these words I can’t help but notice there are very few such vendors tracked in my RSS feeds. So, at the very least, I need to invest time figuring out who is releasing threat intelligence material in China and start curating good sources.
That’s it! I hope those few ideas made sense to you, and possibly brought some clarity to some who might have been sharing my recent feelings. While the process can be unpleasant, I think it’s important to take a step back once in a while to look at how we’re doing.
I'm not unhappy, never was. I just want to do better.
[1] In some cases, we’re aware of some APT groups using coverage of their activities for their reporting, or internally adopting the APT name given by the industry. So they’re not choking on shame by any stretch.
[2] Friends in other companies have confirmed to me that incident response is the starting point of all their best cases.
[3] My I-Soon article, which I consider to be my most interesting work this year, also didn’t involve any telemetry. It was based entirely on publicly leaked data.
[4] On my Android device, the “logcat” is a rolling buffer of 256KB. It can be extended to 16MB, but it’s unclear even that would be enough to keep possible traces of exploitation from last quarter.