M-unition -

Part 2: Understanding State-Serving Adversaries

By on August 8, 2012

My previous post explained the rationale for better understanding adversaries. In this post I will provide an overview of one type of adversary. Subsequent posts will examine a few others.

Adversaries who conduct espionage against a target organization are the subject of this post. Some intelligence professionals label these adversaries as “state-sponsored.” Although that is often true, I prefer to think of these adversaries as “state-serving.” They are meeting the needs of a foreign intelligence service (FIS), or perhaps the national agencies or decision-makers who task the FIS to gather intelligence or take more aggressive actions at a later date. In some cases these state-serving groups are FIS operatives themselves, while in other cases they are fulfilling FIS needs or operating according to FIS training and tactics.

The state-serving adversary operates against target organizations to collect intelligence valued by the FIS and, by extension, the foreign state. Actions beyond intelligence collection involve preparing the battlespace for “cyber war,” although thus far those sorts of actions appear exceptionally rare. Intelligence professionals call collecting intelligence “computer network exploitation” (CNE), while they label using the network to disrupt, degrade, or destroy systems, or the physical processes those systems control, “computer network attack” (CNA). Flame and Duqu are real-life examples of CNE; Stuxnet is an example of CNA.

The nature of the mission means that this type of adversary is likely to value persistent access to the target.  Few FIS taskings involve acquisition of only a single piece of information at a discrete point in time. Rather, once a state identifies a target organization as being of interest, that target will likely remain of interest for the medium or long term. This translates into intrusions that may persist for months or years.

Because the state-serving adversary is often state-sponsored, they typically have access to funding and resources not available to many other intruders. This sort of adversary will either develop novel means to penetrate and persist against a target, or will be able to request or purchase new tools and techniques to achieve their goals. A hallmark of a disciplined adversary, however, is to use only the level of “force” required to accomplish the mission, escalating only when the minimum fails to get the desired result. This is the true meaning of “advanced”: the adversary knows how to properly deploy resources against a target, not merely that it possesses expensive tools.

Victim organizations suffering the attention of state-serving actors are likely to find themselves fighting protracted campaigns, to the extent that the target even knows it has been compromised. Because the data these foes steal, or the systems they penetrate, are not exploited in an open marketplace (for money or fame), victims find it a challenge to properly scope the impact of state-serving intrusions: there is no public dump, fraud, or defacement to reveal what was taken. Third-party notification is the most common means by which a state-serving compromise comes to light, with the intelligence-focused teams in the Federal Bureau of Investigation, the Naval Criminal Investigative Service, or the Air Force Office of Special Investigations being the bearers of bad news.

In the next two blog posts I will discuss other types of adversaries, namely “self-serving” and “public-serving.”

Category: The Suite Spot
