Informazioni personali

Cerca nel blog

Translate

Visualizzazione post con etichetta Cyberwarfare. Mostra tutti i post
Visualizzazione post con etichetta Cyberwarfare. Mostra tutti i post

martedì 12 novembre 2019

The IoT Files: the call for 5G

I have been recently interviewed on 5G issues and this made me realize how confusing is the knowledge and understanding about 5G.

Most of the time, when I heard on mainstream media comment about 5G I find form one side apologetic wonders of how this or that vendor with 5G can solve all human problems, form the other side fears related strictly to the fact that 5G today means Chinese or European vendors, for the first time in years the USA is not leading technologically a strategic sector.

even lesser I heard about the link between 5G and IoT and what this means.

Generally speaking, most of the discussions on IoT are focused on devices and not as a system, as well in most of the case I seldom find consideration related to 5G implementation and security. This is quite annoying from my point of view since security in IoT (I wrote about that on The IoT files) is more than the single device security and 5G security issues are not related to Huawei spying us.

And to say the truth from my point of view (Italian and European) would not make much difference if the spy comes from ChinaRussia, the USA, or the UK.

The first problem I to understand if there is a relationship between IoT and 5G. Well, the relationship is kind of simple: with the current technologies, the IoT is hardly limited due to connectivityIP and bandwidth issues. 5G aim is to overcome those limitations offering broadband connectivity that can support IoT needs. this will require investment, change of business models and…wait to read this go to my previous IoT articles, I called them the IoT files because there is so much thing to say an article can not cover everything.

Turning back to the point so, 5G is the technology that can glue IoT in terms of connectivity, but what does it mean? Well, when we listen to 5G we listen to how we can create smart cities, how we can connect cars together so they drive better and safer with autonomous drive and so on.

5G is exactly about this, allowing all this to happen.

All typos are because I never read slides back, lol forgive me

Almost everything you heard about IoT requires 5G to become reality because current mobile broadband would not be suited to cover those needs, we are not talking about a test with a few cars that can communicate over 4G but billion of devices somehow interconnected with different priority needs, bandwidth needs, security, and privacy needs.

Basically anything that is recently referred to as “SMART something” and IoT will be bound to a technology that will allow fast, secure and reliable data connections.

As of now, 5G is the answer but, there is a problem, the champions of 5G technology aren’t from the USA and the biggest player is Chinese (Huawei holds the highest number of patents on 5G technology).

All typos are because I never read slides back for proofreading, lol forgive me 😂

This thing that can be irrelevant is actually the big issue at the moment, so big that all serious consideration on 5G is demanded as an afterthought in a second-level line of consideration.

Geopolitical technology and economic issues are at the moment the rising stars, make enough rumor to cloud judgment and to move attention to serious issues.

I am not saying that those are no problems, and I agree nations should try to defend themselves, but targeting the wrong point on 5G will not help to address correctly “ab Initio” the complex problem that 5G will bring home. and the main reason behind this is that if you ask what is 5G, the answer is…just a faster mobile network.

If speed would be the only reason behind 5G I would kindly agree that geopolitical issues are the obstacles, but 5G is not just “speed” is way more and the 5G security issue goes beyond the specifics of the connectivity offered at broadband level but goes into the core of what 5G has been designed for: services.

All typos are because I never read slides back, lol forgive me

we use to think that broadband mobile develope was only more speed, but actually, speed has never been the only target, speed and services always have developed hand in hand.

from a mobile perspective, 1G was offering 2.4 kbps and was designed to allow mobile phones, it was no less, no more than an extension of your home wired phone. Basic voice services and an analog protocol, low bandwidth was all we needed. issues were more at the infrastructure level so no time to bare with things that were not even in customer imagination at that time.

the real revolution arrives with 2G, it’s broadband, it’s digital (GSM, CDMA), can carry data, more stable…a revolution. we were able to send text, see caller number who was not enjoying it? and some mobile phones start to offer even a graphic screen and games (like “snake”). who really care about speed, that actually moved from 2,4 kbps to an astonishing 64 kbps?

The nice thing about 2G is the introduction of the idea that mobile phones can be so much more than a simple device to phone, and text messaging was there to prove it.

You see when the consumer space sees the opportunity for cool kinds of stuff that can make the market big, the vendor will follow. With the pressure of the internet and the new services a new need for data rise up and here you have 3G.

3G was not only tremendously faster than the predecessor but was designed with the need to transfer data.no simple text messages, you can have internet in your phone now.

Again the real difference with 2G was not “speed” but the kind of services you were bringing on board. so as a natural evolution from the old internet we moved to the new one with video, streamingchatting and so on. A new class of services was required here the need for something more, something new 4G.

And as a matter of fact, besides the speed, the real need for 4G (or the not so cool but hey better than nothing 4.5G) was video capability.

The services drive the speed so the speed is just a consequence of the needs the technology has to address.

But if we limit to consider just the usual way we use the internet (facebook, youtubeYouPornLinkedIn, wechat-weixin, WhatsApp, Instagram, ticktock and so on) we could just add some megabytes more to our 4G (is what 4,5G does by the way) but here comes IoT.

IoT brings way more devices on the internet, with their needs in terms of bandwidth, connectivity, quality of services. all of this requires new technology, and being ambitious why then not thinking to make this technology able to address even the LAN\WAN realm?

This is not so stupid, the telcos have always tried to gain space in the LAN\WAN market, money can be a huge driver, the telco activities with the enterprise was related to offering connectivity to internet and voice service. The revenues for analog voice services were hight but VoIP lower dramatically the incomes since it was cheaper putting Telcos in a difficult position. If internet broadband services for home users have been a good business it requires substantial infrastructure investments that are not always covered by the revenues, hence the digital divide.

But 5G can turn all this upside down, justifying the investment that was not so cool, because 5G means all in telcos hands!

All typos are because I never read slides back, lol forgive me

If 5G is the backbone of IoT and Smart X this means an incredibly big market for telcos, since telcos will provide 5G connectivity. this is why telco vendors are so interested in 5G, alas this is a world also where security has always been a secondary issue if not a neglected one, so we cannot expect that security will be addressed correctly if other players will not put their nose in.

From this point of view governments and regulators could play a key role in leveraging security and privacy by design and by default in the 5G world design, alas at the moment all seems to be more focused on boring geopolitical issues than the real stuff

All typos are because I never read slides back, lol forgive me

In the 5G challenges, there are a few that are easy to spot if we understood that 5G is the IoT backbone. Without the lousy arrogance to think to be exhaustive here some that should, at least, taken into serious consideration:

1) fast connectivity between devices, this accordingly to the device\service need. not all IoT devices are born equal in terms of bandwidth, data processing, quality and sensitivity of data an so on, being able

2) segregation of traffic, that means every group of device that are under a specific service instance should have its traffic isolated and protected from the other ones. I would not enjoy my personal photo shared everywhere if the IoT device is my home HDD storage where I put them. segregation of traffic is the minimum level of security we have to think of when we plan a broadband multiservice environment.

3) Quality of service is a key factor here, even if the bandwidth is incredibly hudge this does not mean that there will be no latency or bandwidth bottlenecks, and some services have to be granted no matter what, telemedicine, telesurgery just to name a couple should be prioritized upon watching youtube.

4) authentication and authorization are not less important, we need in a heterogeneous environment bein able to authenticateand authorize with the correct level of permission every single device on every single service it needs to access and with its user ownership. failing this point will means access to anyone…

5) multivendor environment, this can seem a minor issue but in an ever-growing connected devices-users-services environment being able to reassure all the stuff will work seamlessly is not so easy. maybe someone remembers issues with a famous leading network gear vendor and the nic auto speed detection protocol? standard not always mean standard, but this can open a serious breach to operativity and security if not addressed correctly.

6) not all will be 5G at the beginning, and probably when the legacy world will end we will be on 6G (which will rid of part of the infrastructure leveraging peer to peer connection directly at the device level), 7G with 5G as the old stuff. so 5G will have to deal with ethernet as well as 4G as well as what will come in the future. A gateway between the different technologies is not so simple since service definition can differ.

7) in particular, the existing mobile environment and LAN/WAN battlefield should be carefully considered, form one side we still have 3G, form the other side LAN\WAN vendor will fight back to keep their domains intact. so will be an interesting battle where again, standards and regulators could drive a little light at the end of the tunnel (hoping it is not the train)

and more could be mentioned but if I want to continue better to stop with this list.

if you are here to read means you are interested in the subject, I am impressed and thankful 🙂

So the backbone for IoT will be, at least at the beginning, 5G network wich, just to be clear, is still on implementation. If we think of what is IoT definition:

The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.

we can try to assume then that internet connectivity will be more and more 5G

All typos are because I never read slides back, lol forgive me

which should now clarify why speed is just one of the many issued of 5G and why 5G is not just bare connectivity but something should manage services. so now we should understand what this “service” word means here.

Basically a service is a mix of devices, connectivity, data, process and users that can be grouped somehow. There can be thousands, millions, billions of services under this simple definition (i know is mine but worth everyone to understand the point).

the main point is that services are not all the same: HTTP browsing can be a service under 5G and video broadcasting as well, the 2 are different in nature and in terms of requirements.

All typos are because I never read slides back, lol forgive me

different services require different needs and for once speed can be a good example to understand the point: what is speed?

the very concept of speed can vary from service to service, so consider the automotive and smart road ideas. In this scenario, we will have a small piece of critical data exchanged from one car to another and/or the infrastructure that has to be processed and transmitted as fast as possible. seems easy but we should consider that the cars are moving and the traffic can be largely unpredictable (I don’t know when someone will decide to get into the car to go somewhere, I can not predict if external issues will modify viability as crossing pedestrian, not in the dedicated areas, problems with the state of the road, holes, weather, flood, heartquake, superman vs batman and so on)

So here speed means very low latency, quick authentication and authorization, fast address resolution, and reliability at least. probably I should add geolocation and other critical missing point but I think we have an idea.

On the same hands if I have to move a big chunk of data, well speed means mainly bandwidth, QoS and conflict resolution if more agents/objects/users are trying to move the same os nearby data. so if you are trying to align your data center with your new cloud one and you want to move some Coperbyte of data and as well your neighborhood want to do this well we have to manage the bandwidth somehow…

Of course, if the need is just to browse and watch movies your needs are focused (remember we are in 5G) on DNS response and video-voice sync.

But since in a billion IoT devices there can be billions of services that at the moment do not exist, we need to create an environment able to define the need in advance (or wait for 6G for new services implementation).

so broadening the argument here 5G for IoT should, at least:

1)Segregate different services

A different class of services should be independent one to the other

Services should be arbitrary and the service set required should be one of the services definition parameters

2)Allow QoS for critical ones

Not all services are the same, internet browsing is not a running truck on a highway, a surgical operation is not like watching porn on your phone

3)Provide strong security and management featured for each service

Service should be identified

Authorization and authentication of service and users should be available and effective

4)Take into account security and privacy by design and default

and so on

Different scenarios on 5G require different analyses take as an example 3 easy to spot: your home environment, smart road, LAN\WAN substitution.

I love the home example because is something even not IT freak can understand. the photo depicts the world before and after 5G

if you have the internet at home you are probably in this scenario:

We have one router to connect to the internet

•All devices internally connect via wifi/LAN

•When devices need to talk one to the other they use their internal IP network on a private subnet

•When devices need to talk to the internet the call the router.

•Internet router interface through ISP to the internet offering some security services and NAT

•Smart devices like smartphones use a double connection wifi internal/sim external

•…

We know if we want to see what we have in our local storage we move data internally (At least we hope so) our gateway to the internet is our router which (should) provide some basic security stuff as firewalling and a minimum authentication at least for wifi internal connectivity. We live in a private network where connectivity is basically ethernet and wi-fi and we go on the internet with a natted address shared by all devices. Probably we have some devices that do not have a real internet exposition, other that goes just to search updates, some that connect to a web service to allow you to check and configure things and finally some that go to the internet by themselves for unknown reason (Alexa like, ROTFL). Ah, do not forget your smartphone that has both wi-fi and your 4G\4.5G connection with apps to manage both your internal LAN and the web interfaces of your LAN devices.

what 5G will change here? of course everything absolutely everything.

Everything is already on the internet

•All devices are able to connect directly to the 5G network and have public addresses

•Providers of 5G connectivity can be different and bound to users and/or device

•Devices need to know their «internal» realm in order to understand which device can be trusted or not for internal communication

•Different 5G providers have to guarantee device interoperability, segregation and security as devices were in a segregated LAN

•Internet communication should be controlled and monitored as it was a single one

Autonomous driving and smart roads are actually as fun as home networks but for the opposite reason, here we are talking about something does not exist yet, and the few test and implementation, by all means, are not a serious example of what means interaction of IoT vehicles.

the reality at the moment is simple:

•Cars do not talk to each other

•Cars do not talk to the road infrastructure

•Roads use sensors for limited scope (traffic light, street light)

•Limited information is provided by broadband connectivity (as Radio Traffic where available)

•Internet connectivity provided by car SIM or smartphone

•Some app can connect to the internet and provide indications as navigators do

•Some apps can provide autonomous analysis of traffic

•…

while in a 5G world:

•All vehicles are 5G connected

•Different car-service interact with road infrastructure

•Cars and car devices are equipped with 5G capabilities from different 5G providers

•They need to be bound with the owner\owners

•They need to recognize trustable information data source

•They need to interoperate independently from the 5G provider

•They need to cover the services even when crossing country borders

•…

with 5G is clear the need for fast reliable ubiquitous and vendor\provider independent connectivity.

maybe we should expect virtual sim configured to comply driver need, but what if 2 or more people share the same car? and what kind of interaction with your smartphone and other smart devices?

let explore some consideration on the most slippery of the 3rd example, trying to move from LAN\WAN to 5G (the telcos’ dream)

What we have today (more or less):

•There is an internal (LAN) and an outside

•internal services are protected by firewalls and other security technologies

•Connectivity is provided through NIC or WI-Fi using TCP/IP protocol leveraging usually private addressing and natting to reach outside resources

•Internal resources are accessible directly internally or through a web service\web interface externally

•Resources external to the LAN are accessible trough router/firewall upon natting and authentication/authorization

•Users external to the LAN connect to the internet through mobile broadband or through Wifi

•To connect to internal resources users are identified and connected through VPN or other secure means to the LAN

•…

do I really need to describe what is the current situation? lol 🙂

what would change with 5G?

•Almost all devices are 5G connected

•Connectivity is provided by different 5G providers and can be public (using public infrastructure) or private (5G infrastructure is local)

•Interoperability has to be guaranteed regardless 5G provider or device manufacturer

•Interoperability has to be guaranteed with LAN/Ethernet previous environment

•Segregation of the internal devices has to be guaranteed as in a LAN

•Security devices should be able to work seamlessly regardless of the hybrid LAN/5G environment

•Mobile users should be able to be part of the internal network for the services in use even if they are using their own device

•…

this scenario requires a careful understanding since we have all the security problems we have in a normal network implementation plus the fact all devices can reach the internet directly and are directly exposed because of their addressing, segmentation requires multiple levels since some segment can be internally nested to others (something like we today use VLAN) and all this should communicate with the legacy world, since it is not credible an immediate takeover of 5G against LAN\WAN. Moreover, all legacy security world should be able to interoperate with the new one.

this kind of scenario is compatible with a full cloud adoption less agile with hybrid or full local implementations.

Here security and privacy issues rise up to the next level since the disintegration of the concept of LAN, started with the introduction of mobile users and BYOD, extend to almost every node but with less clear control of what is going on.

5G security, if we understand some of the implications I mentioned before, embrace a way larger concept than what people generally think. Here we are not just thinking how to secure an encrypted communication channel, which is, by the way, a clear basic requirement, but extend on how to broker, manage and control services that run on 5G.

I do not have an easy answer to this, I have seen different proposals to address such problems, as an example a central security service broker that takes into account all the request and, accordingly to rules, AI, magic and tricks solve everything.

Of course, this service broker, hypervisor or call it as you like should be able to communicate with external entities, demand part of its configuration to third parties and so on. we are entering the realm of the NFV security (if of any interest you can read my post on “NFV network function virtualization security considerations“) with some issues more. and the attack surface is way wider than a simple: I can no trust Chinese equipment.

time t go to sleep, if you read all this till here thanks, comments are very welcome

Antonio

On IoT I also wrote:

The IoT Files: Intro

The IoT Files: IoT and Security

The IoT Files – IoT and Privacy

The IoT Files – Infrastructure

The IoT Files – IoT Business Models

The IoT Files: Culture

The IoT Files: is a small OS good for security?

The IoT Files: The need for cryptography in IoT

The IoT Files: the call for 5G

I have been recently interviewed on 5G issues and this made me realize how confusing is the knowledge and understanding about 5G.

Most of the time, when I heard on mainstream media comment about 5G I find form one side apologetic wonders of how this or that vendor with 5G can solve all human problems, form the other side fears related strictly to the fact that 5G today means Chinese or European vendors, for the first time in years the USA is not leading technologically a strategic sector.

even lesser I heard about the link between 5G and IoT and what this means.

Generally speaking, most of the discussions on IoT are focused on devices and not as a system, as well in most of the case I seldom find consideration related to 5G implementation and security. This is quite annoying from my point of view since security in IoT (I wrote about that on The IoT files) is more than the single device security and 5G security issues are not related to Huawei spying us.

And to say the truth from my point of view (Italian and European) would not make much difference if the spy comes from ChinaRussia, the USA, or the UK.

The first problem I to understand if there is a relationship between IoT and 5G. Well, the relationship is kind of simple: with the current technologies, the IoT is hardly limited due to connectivityIP and bandwidth issues. 5G aim is to overcome those limitations offering broadband connectivity that can support IoT needs. this will require investment, change of business models and…wait to read this go to my previous IoT articles, I called them the IoT files because there is so much thing to say an article can not cover everything.

Turning back to the point so, 5G is the technology that can glue IoT in terms of connectivity, but what does it mean? Well, when we listen to 5G we listen to how we can create smart cities, how we can connect cars together so they drive better and safer with autonomous drive and so on.

5G is exactly about this, allowing all this to happen.

All typos are because I never read slides back, lol forgive me

Almost everything you heard about IoT requires 5G to become reality because current mobile broadband would not be suited to cover those needs, we are not talking about a test with a few cars that can communicate over 4G but billion of devices somehow interconnected with different priority needs, bandwidth needs, security, and privacy needs.

Basically anything that is recently referred to as “SMART something” and IoT will be bound to a technology that will allow fast, secure and reliable data connections.

As of now, 5G is the answer but, there is a problem, the champions of 5G technology aren’t from the USA and the biggest player is Chinese (Huawei holds the highest number of patents on 5G technology).

All typos are because I never read slides back for proofreading, lol forgive me 😂

This thing that can be irrelevant is actually the big issue at the moment, so big that all serious consideration on 5G is demanded as an afterthought in a second-level line of consideration.

Geopolitical technology and economic issues are at the moment the rising stars, make enough rumor to cloud judgment and to move attention to serious issues.

I am not saying that those are no problems, and I agree nations should try to defend themselves, but targeting the wrong point on 5G will not help to address correctly “ab Initio” the complex problem that 5G will bring home. and the main reason behind this is that if you ask what is 5G, the answer is…just a faster mobile network.

If speed would be the only reason behind 5G I would kindly agree that geopolitical issues are the obstacles, but 5G is not just “speed” is way more and the 5G security issue goes beyond the specifics of the connectivity offered at broadband level but goes into the core of what 5G has been designed for: services.

All typos are because I never read slides back, lol forgive me

we use to think that broadband mobile develope was only more speed, but actually, speed has never been the only target, speed and services always have developed hand in hand.

from a mobile perspective, 1G was offering 2.4 kbps and was designed to allow mobile phones, it was no less, no more than an extension of your home wired phone. Basic voice services and an analog protocol, low bandwidth was all we needed. issues were more at the infrastructure level so no time to bare with things that were not even in customer imagination at that time.

the real revolution arrives with 2G, it’s broadband, it’s digital (GSM, CDMA), can carry data, more stable…a revolution. we were able to send text, see caller number who was not enjoying it? and some mobile phones start to offer even a graphic screen and games (like “snake”). who really care about speed, that actually moved from 2,4 kbps to an astonishing 64 kbps?

The nice thing about 2G is the introduction of the idea that mobile phones can be so much more than a simple device to phone, and text messaging was there to prove it.

You see when the consumer space sees the opportunity for cool kinds of stuff that can make the market big, the vendor will follow. With the pressure of the internet and the new services a new need for data rise up and here you have 3G.

3G was not only tremendously faster than the predecessor but was designed with the need to transfer data.no simple text messages, you can have internet in your phone now.

Again the real difference with 2G was not “speed” but the kind of services you were bringing on board. so as a natural evolution from the old internet we moved to the new one with video, streamingchatting and so on. A new class of services was required here the need for something more, something new 4G.

And as a matter of fact, besides the speed, the real need for 4G (or the not so cool but hey better than nothing 4.5G) was video capability.

The services drive the speed so the speed is just a consequence of the needs the technology has to address.

But if we limit to consider just the usual way we use the internet (facebook, youtubeYouPornLinkedIn, wechat-weixin, WhatsApp, Instagram, ticktock and so on) we could just add some megabytes more to our 4G (is what 4,5G does by the way) but here comes IoT.

IoT brings way more devices on the internet, with their needs in terms of bandwidth, connectivity, quality of services. all of this requires new technology, and being ambitious why then not thinking to make this technology able to address even the LAN\WAN realm?

This is not so stupid, the telcos have always tried to gain space in the LAN\WAN market, money can be a huge driver, the telco activities with the enterprise was related to offering connectivity to internet and voice service. The revenues for analog voice services were hight but VoIP lower dramatically the incomes since it was cheaper putting Telcos in a difficult position. If internet broadband services for home users have been a good business it requires substantial infrastructure investments that are not always covered by the revenues, hence the digital divide.

But 5G can turn all this upside down, justifying the investment that was not so cool, because 5G means all in telcos hands!

All typos are because I never read slides back, lol forgive me

If 5G is the backbone of IoT and Smart X this means an incredibly big market for telcos, since telcos will provide 5G connectivity. this is why telco vendors are so interested in 5G, alas this is a world also where security has always been a secondary issue if not a neglected one, so we cannot expect that security will be addressed correctly if other players will not put their nose in.

From this point of view governments and regulators could play a key role in leveraging security and privacy by design and by default in the 5G world design, alas at the moment all seems to be more focused on boring geopolitical issues than the real stuff

All typos are because I never read slides back, lol forgive me

In the 5G challenges, there are a few that are easy to spot if we understood that 5G is the IoT backbone. Without the lousy arrogance to think to be exhaustive here some that should, at least, taken into serious consideration:

1) fast connectivity between devices, this accordingly to the device\service need. not all IoT devices are born equal in terms of bandwidth, data processing, quality and sensitivity of data an so on, being able

2) segregation of traffic, that means every group of device that are under a specific service instance should have its traffic isolated and protected from the other ones. I would not enjoy my personal photo shared everywhere if the IoT device is my home HDD storage where I put them. segregation of traffic is the minimum level of security we have to think of when we plan a broadband multiservice environment.

3) Quality of service is a key factor here, even if the bandwidth is incredibly hudge this does not mean that there will be no latency or bandwidth bottlenecks, and some services have to be granted no matter what, telemedicine, telesurgery just to name a couple should be prioritized upon watching youtube.

4) authentication and authorization are not less important, we need in a heterogeneous environment bein able to authenticateand authorize with the correct level of permission every single device on every single service it needs to access and with its user ownership. failing this point will means access to anyone…

5) multivendor environment, this can seem a minor issue but in an ever-growing connected devices-users-services environment being able to reassure all the stuff will work seamlessly is not so easy. maybe someone remembers issues with a famous leading network gear vendor and the nic auto speed detection protocol? standard not always mean standard, but this can open a serious breach to operativity and security if not addressed correctly.

6) not all will be 5G at the beginning, and probably when the legacy world will end we will be on 6G (which will rid of part of the infrastructure leveraging peer to peer connection directly at the device level), 7G with 5G as the old stuff. so 5G will have to deal with ethernet as well as 4G as well as what will come in the future. A gateway between the different technologies is not so simple since service definition can differ.

7) in particular, the existing mobile environment and LAN/WAN battlefield should be carefully considered, form one side we still have 3G, form the other side LAN\WAN vendor will fight back to keep their domains intact. so will be an interesting battle where again, standards and regulators could drive a little light at the end of the tunnel (hoping it is not the train)

and more could be mentioned but if I want to continue better to stop with this list.

if you are here to read means you are interested in the subject, I am impressed and thankful 🙂

So the backbone for IoT will be, at least at the beginning, 5G network wich, just to be clear, is still on implementation. If we think of what is IoT definition:

The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.

we can try to assume then that internet connectivity will be more and more 5G

All typos are because I never read slides back, lol forgive me

which should now clarify why speed is just one of the many issued of 5G and why 5G is not just bare connectivity but something should manage services. so now we should understand what this “service” word means here.

Basically a service is a mix of devices, connectivity, data, process and users that can be grouped somehow. There can be thousands, millions, billions of services under this simple definition (i know is mine but worth everyone to understand the point).

the main point is that services are not all the same: HTTP browsing can be a service under 5G and video broadcasting as well, the 2 are different in nature and in terms of requirements.

All typos are because I never read slides back, lol forgive me

different services require different needs and for once speed can be a good example to understand the point: what is speed?

the very concept of speed can vary from service to service, so consider the automotive and smart road ideas. In this scenario, we will have a small piece of critical data exchanged from one car to another and/or the infrastructure that has to be processed and transmitted as fast as possible. seems easy but we should consider that the cars are moving and the traffic can be largely unpredictable (I don’t know when someone will decide to get into the car to go somewhere, I can not predict if external issues will modify viability as crossing pedestrian, not in the dedicated areas, problems with the state of the road, holes, weather, flood, heartquake, superman vs batman and so on)

So here speed means very low latency, quick authentication and authorization, fast address resolution, and reliability at least. probably I should add geolocation and other critical missing point but I think we have an idea.

On the same hands if I have to move a big chunk of data, well speed means mainly bandwidth, QoS and conflict resolution if more agents/objects/users are trying to move the same os nearby data. so if you are trying to align your data center with your new cloud one and you want to move some Coperbyte of data and as well your neighborhood want to do this well we have to manage the bandwidth somehow…

Of course, if the need is just to browse and watch movies your needs are focused (remember we are in 5G) on DNS response and video-voice sync.

But since in a billion IoT devices there can be billions of services that at the moment do not exist, we need to create an environment able to define the need in advance (or wait for 6G for new services implementation).

so broadening the argument here 5G for IoT should, at least:

1)Segregate different services

A different class of services should be independent one to the other

Services should be arbitrary and the service set required should be one of the services definition parameters

2)Allow QoS for critical ones

Not all services are the same, internet browsing is not a running truck on a highway, a surgical operation is not like watching porn on your phone

3)Provide strong security and management featured for each service

Service should be identified

Authorization and authentication of service and users should be available and effective

4)Take into account security and privacy by design and default

and so on

Different scenarios on 5G require different analyses take as an example 3 easy to spot: your home environment, smart road, LAN\WAN substitution.

I love the home example because is something even not IT freak can understand. the photo depicts the world before and after 5G

if you have the internet at home you are probably in this scenario:

We have one router to connect to the internet

•All devices internally connect via wifi/LAN

•When devices need to talk one to the other they use their internal IP network on a private subnet

•When devices need to talk to the internet the call the router.

•Internet router interface through ISP to the internet offering some security services and NAT

•Smart devices like smartphones use a double connection wifi internal/sim external

•…

We know if we want to see what we have in our local storage we move data internally (At least we hope so) our gateway to the internet is our router which (should) provide some basic security stuff as firewalling and a minimum authentication at least for wifi internal connectivity. We live in a private network where connectivity is basically ethernet and wi-fi and we go on the internet with a natted address shared by all devices. Probably we have some devices that do not have a real internet exposition, other that goes just to search updates, some that connect to a web service to allow you to check and configure things and finally some that go to the internet by themselves for unknown reason (Alexa like, ROTFL). Ah, do not forget your smartphone that has both wi-fi and your 4G\4.5G connection with apps to manage both your internal LAN and the web interfaces of your LAN devices.

what 5G will change here? of course everything absolutely everything.

Everything is already on the internet

•All devices are able to connect directly to the 5G network and have public addresses

•Providers of 5G connectivity can be different and bound to users and/or device

•Devices need to know their «internal» realm in order to understand which device can be trusted or not for internal communication

•Different 5G providers have to guarantee device interoperability, segregation and security as devices were in a segregated LAN

•Internet communication should be controlled and monitored as it was a single one

Autonomous driving and smart roads are actually as fun as home networks but for the opposite reason, here we are talking about something does not exist yet, and the few test and implementation, by all means, are not a serious example of what means interaction of IoT vehicles.

the reality at the moment is simple:

•Cars do not talk to each other

•Cars do not talk to the road infrastructure

•Roads use sensors for limited scope (traffic light, street light)

•Limited information is provided by broadband connectivity (as Radio Traffic where available)

•Internet connectivity provided by car SIM or smartphone

•Some app can connect to the internet and provide indications as navigators do

•Some apps can provide autonomous analysis of traffic

•…

while in a 5G world:

•All vehicles are 5G connected

•Different car-service interact with road infrastructure

•Cars and car devices are equipped with 5G capabilities from different 5G providers

•They need to be bound with the owner\owners

•They need to recognize trustable information data source

•They need to interoperate independently from the 5G provider

•They need to cover the services even when crossing country borders

•…

with 5G is clear the need for fast reliable ubiquitous and vendor\provider independent connectivity.

maybe we should expect virtual sim configured to comply driver need, but what if 2 or more people share the same car? and what kind of interaction with your smartphone and other smart devices?

let explore some consideration on the most slippery of the 3rd example, trying to move from LAN\WAN to 5G (the telcos’ dream)

What we have today (more or less):

•There is an internal (LAN) and an outside

•internal services are protected by firewalls and other security technologies

•Connectivity is provided through NIC or WI-Fi using TCP/IP protocol leveraging usually private addressing and natting to reach outside resources

•Internal resources are accessible directly internally or through a web service\web interface externally

•Resources external to the LAN are accessible trough router/firewall upon natting and authentication/authorization

•Users external to the LAN connect to the internet through mobile broadband or through Wifi

•To connect to internal resources users are identified and connected through VPN or other secure means to the LAN

•…

do I really need to describe what is the current situation? lol 🙂

what would change with 5G?

•Almost all devices are 5G connected

•Connectivity is provided by different 5G providers and can be public (using public infrastructure) or private (5G infrastructure is local)

•Interoperability has to be guaranteed regardless 5G provider or device manufacturer

•Interoperability has to be guaranteed with LAN/Ethernet previous environment

•Segregation of the internal devices has to be guaranteed as in a LAN

•Security devices should be able to work seamlessly regardless of the hybrid LAN/5G environment

•Mobile users should be able to be part of the internal network for the services in use even if they are using their own device

•…

this scenario requires a careful understanding since we have all the security problems we have in a normal network implementation plus the fact all devices can reach the internet directly and are directly exposed because of their addressing, segmentation requires multiple levels since some segment can be internally nested to others (something like we today use VLAN) and all this should communicate with the legacy world, since it is not credible an immediate takeover of 5G against LAN\WAN. Moreover, all legacy security world should be able to interoperate with the new one.

this kind of scenario is compatible with a full cloud adoption less agile with hybrid or full local implementations.

Here security and privacy issues rise up to the next level since the disintegration of the concept of LAN, started with the introduction of mobile users and BYOD, extend to almost every node but with less clear control of what is going on.

5G security, if we understand some of the implications I mentioned before, embrace a way larger concept than what people generally think. Here we are not just thinking how to secure an encrypted communication channel, which is, by the way, a clear basic requirement, but extend on how to broker, manage and control services that run on 5G.

I do not have an easy answer to this, I have seen different proposals to address such problems, as an example a central security service broker that takes into account all the request and, accordingly to rules, AI, magic and tricks solve everything.

Of course, this service broker, hypervisor or call it as you like should be able to communicate with external entities, demand part of its configuration to third parties and so on. we are entering the realm of the NFV security (if of any interest you can read my post on “NFV network function virtualization security considerations“) with some issues more. and the attack surface is way wider than a simple: I can no trust Chinese equipment.

time t go to sleep, if you read all this till here thanks, comments are very welcome

Antonio

On IoT I also wrote:

The IoT Files: Intro

The IoT Files: IoT and Security

The IoT Files – IoT and Privacy

The IoT Files – Infrastructure

The IoT Files – IoT Business Models

The IoT Files: Culture

The IoT Files: is a small OS good for security?

The IoT Files: The need for cryptography in IoT

sabato 8 novembre 2014

Advanced Persistent Threat

ict

Advanced Persistent Threat: come muoversi tra il marketing e la realtà?

Slide1

Questo post riporta le immagini della presentazione che ho tenuto al Festival ICT il 6 di novembre. oltre al post metterò su slideshare a disposizione anche l’intera presentazione in visione sperando di fare cosa gradita.

Slide2

Ovviamente le prime due slide sono introduttive, la prima rappresenta il titolo, l’orario ed il numero della sala 🙂 nella seconda abbiamo la grande opportunità di vedere anche la mia foto e la mia e-mail come referenza per chi fosse interessato.

Vi tralascio la descrizione della animazione di transizione tra una slide e l’altra (per gli interessati, origami) e passiamo a cose più serie 🙂

Slide3La domanda che ho posto è: ma noi sappiamo, o abbiamo capito esattamente cosa significhi APT? Di APT si parla molto sul mercato ed i vendor di sicurezza ne fanno ultimamente uno dei loro cavalli di battaglia , ma abbiamo realmente capito di cosa si tratta? APT come sigla in realtà può significare tantissime cose, e ne avete sulla destra breve elenco.

Per prima cosa occorre quindi capire cosa significhi relamente APT e da questo punto possiamo partire ad analizzare l’offerta di mercato.

Slide4

Se prendiamo la definizione di APT come Advance Persistent Threat scopriamo che è una cosa ben precisa. le tre parole significano:

Advanced: si tratta di un attacco dove l’attaccante utilizza tutte le tecnologie utili al risultato: da un semplice uso di vulnerabilità note alla creazione o scoperta di vulnerabilità specifiche, si tratta quindi di una forma di attacco estremamente sofisticata che utilizza risorse e tecnologie coerenti con lo scoppo dell’attacco e la struttura dell’attaccato:

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target’s posture.

Persistent: significa che l’attacco è un attacco motivato, e non un attacco casuale su un bersaglio randomico. il significato di “persistent” non è quindi che si tratta di un attacco ripetitivo, ma di un attacco ove l’attaccante insiste con le tecnologie opportune per arrivare al suo obiettivo.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat: significa che l’attacco non è un atto meccanico o casuale, ne un malware generico ma un soggetto determinato con un piano e risorse.

Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn’t degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple “groups” consisting of dedicated “crews” with various missions.

 

Slide5

 

Il target di un APT può essere in realtà qualsiasi, non esiste un mercato specifico, obiettivi militari, politici, economici anche in senso lato possono giustificare un APT. va anche considerato che un APT è può prevedere anche attacchi multipli su soggetti diversi, per motivi che possono essere i più diversi, dal aumentare il “rumore di fondo”, a distrazione o copertura del vero bersaglio.

Già dalla definizione è quindi chiaro capire come sia poco plausibile che esistano prodotti specifici contro gli APT, in quanto un APT non definisce a priori un attacco specifico, ma una tipologia di attacchi che utilizza tecnologie multiple e complesse.

Slide6

Un APT è quindi più correttamente espresso come un processo, una successione di passi che partono dalla definizione di un bersaglio allo sviluppo di uno o più attacchi veri e propri.

Slide7

Visto che non tutti masticano l’inglese ho riportato la definizione di APT data dal NIST, ma tradotta in italiano:

“La minaccia avanzata persistente è un avversario con livelli sofisticati di competenza e risorse significative, che gli consentono, attraverso l’utilizzo di vettori di attacco multipli (come frode e metodi informatici e fisici), di generare opportunità per raggiungere i propri obiettivi: questi consistono tipicamente nello stabilire e ampliare punti di appoggio all’interno dell’infrastruttura informatica delle organizzazioni, allo scopo di derivarne informazioni in modo continuativo e/o di compromettere o ostacolare aspetti critici di una missione, programma o organizzazione, o di mettersi in condizione di farlo in futuro. Inoltre, la minaccia avanzata persistente persegue i propri obiettivi ripetutamente per un periodo di tempo prolungato, adattandosi agli sforzi di un difensore per resisterle, e con lo scopo di mantenere il livello di interazione necessario per eseguire i propri obiettivi”.

Slide8

Essendo quindi un APT più propriamente un processo, occorre quindi capire quali siano gli step principali per riuscire a comprendere quali tecnologie, eventualmente, possano essere di supporto alla difesa di attacchi simili.

Il primo passo di un APT è sicuramente la definizione del bersaglio, con definizione si intende la identificazione del soggettoi da attaccare, le linee guida dell’attacco e gli obiettivi. Esattamente quello che faremmo per la definizione di  un progetto 🙂

Slide9

La definizione di un bersaglio quindi  richiede che siano fissati obiettivi e strategie che sono dipendenti dalla natura del bersaglio stesso e dagli scopi che spingono l’attaccante. Abbiamo detto prima che esiste una moltitudine di bersagli, mercati e scopi, le considerazioni tattiche e strategiche sono quindi molteplici ed afferiscono in larga parte a questa fase.

Slide10

 

In linea di massima però possiamo suddividere questo processo in almeno tre fasi chiave:

identificare il soggetto o i soggetti target, o le motivazioni degli attacchi

definire gli obiettivi in termini di cosa colpire, come e perchè

definire una strategia, compreso il tempo entro cui effettuare la operazione, le risorse da impegnare, il gruppo di lavoro e via dicendo.

 

Slide11

Una volta definito il bersaglio inizia la attività di analisi. questa attività serve ad evidenziare tutti gli aspetti utili all’attacco e si svolge non solo in aree strettamente informatiche, ma a seconda del tipo di attacco possono comprendere anche analisi di tipo diverso, fino a vere e proprie ricognizioni fisiche, in quanto l’attacco stesso potrebbe richiedere attività dirette sul soggetto oggetto di attacco.

Slide12

 

Possiamo quindi definire almeno die macro aree generali legate alla attività di analisi del bersaglio:

una attività di profilazione ed una di ricognizione.

Entrambe le attività possono usare tecniche comuni, ma la ricognizione è comunque una cosenguenza della esigenza di profilazione.

Slide13

La profilazione richiede la costruzione di una scheda del bersaglio che contenga la maggior parte delle informazioni possibili utili allo svolgimento delle attività prevista, questa profilazione fa riferimento anche a caratteristiche “umane” del bersaglio quali struttura societaria, interfacce pubbliche, impiegati, competition, vicini, asset, distribuzione geografica…

Slide14

I tools che si usano nella profilazione sono generalmente comuni attività di social engineering, talvolta phishing, sicuramente prevedono l’analisi di dati pubblici quali siti web, blog, forum sino ad arrivare talvolta a sopralluoghi fisici del sito.

Slide15

Analogamente le attività di ricognizione, possono richiedere una serie di attività che portino alla definizione della topologia di rete del bersaglio, compresa la struttura dei routing, OS fingerprinting, l’analisi dei DNS e tutte quelle attività che possano ortare dati di definizione almeno della struttura esterna delle rete del bersaglio.

  • —Social Engineering

  • —Spear Phishing

  • —DNS

  • —External Network Topology

  • —Port scanning

  • —Service Discovery

  • —Directory Harvesting

  • —O.S. fingerprinting

  • —Network Topology

  • —Route Topology

  • —Vulnerability analisys

  • —…

Slide16

Una volta definito il dettaglio del bersaglio è possibile passare al primo passo della aggressione: l’ingresso iniziale.

Slide17

Sebbene nella convinzione comune l’ingresso iniziale sia l’attacco vero e proprio, questo passaggio ha invece uno scopo specifico che è quello di testare gli strumenti di attacco, definire il perimetro difensivo del bersaglio, trovare i punti di attacco disponibili e soprattutto iniziare a disegnare la topologia interna della rete bersaglio.

Slide18

l’ingressoiniziale di solito si compone di sottoattività descritte nella slide, le più diffuse e comuni sono ovviamente:

  • —Test vulnerabilità utilizzabili

  • —Test riconoscimento attacchi e risposte

  • —Definizione strategie multiple di copertura

  • —Weaponization (prima infezione)

  • —Exploitation

  • —Topology

  • —…

è interessante osservare come spesso le attività legate al primo ingresso sono comuni a molti tipi di attacchi, e spesso confusi col “rumore di fondo” degli eventi che accadano nelle nostre reti.

punti chiave del primo ingresso sono ovviamente la parte di utilizzo delle eventuali vulnerabilità scoperte per la prima infezione meglio chiamata, in letteratura anglofona, come weaponization che indica come si sia trasformato qualcosa in una arma.

Slide19

Una volta effettuato il primo ingresso si dovrebbero avere indicazioni e strumenti sufficienti ad effettuare un livello di penetrazione più profondo che preveda il deployment di “qualcosa” che possa portare avanti le fasi successive dell’attacco.

Slide20

Vale la pena di osservare che la fase di deployment può essere Remota, Fisdica o un mix di entrambe (Ibrida).

Un classico esempio di deployment fisico è l’introduzione di chiavette USB con payload malevoli, o l’attacco diretto ad una presa di rete di un device.

Si pensi ad esempio a quanto accaduto in Iran con l’affair SCADA, la fase di deployment era stata di tipo fisico con la “distribuzione” di chiavette USB infette in luoghi pubblici frequentati dagli operatori delle centrali nucleari.

Slide21

A seguito del deployment vi è generalmente una fase di espansione i cui ci si attesta su alcune “teste di ponte” e si inizia ad analizzare quali siano i migliori punti di attacco, se non ancora noti, o ad attaccare bersagli diversi.

Slide22

La fase di espansione può ancora contenere notevoli fasi di analisi ed esplorazione, ma essenzialmente si incentra con la creazione del network di attacco vero e proprio. Una parte di analisi fondamentale in fase di espansione è l’analisi dei processi del bersaglio. A seconda infatti di quello che che sono gli obiettivi l’analisi dei processi può dare indicazioni su come effettuare in concreto l’attacco.

Immaginiamo, ad esempio, che l’obiettivo sia di modificare codice o alcuni dati di un progetto. Queste modifiche avrebbero senso dopo eventuali fase di controllo e validazione, l’analisi del processo è quindi fondamentale per il successo della operazone.

Slide23

Passi fondamentali della fase espansiva sono ovviamente l’infezione di hosts, movimenti laterali, azioni di copertura ed interferenza. In particolare la creazione di una o più reti di attacco e il test dei canali di comunicazione con l’esterno.

Slide24

La fase successiva alla fase di espansione è, ovviamente, la fase di consolidamento.

Slide25

In questa fase vi è la attivazione delle reti di attacco e la attivazione delle misure di copertura, questa fase può essere relativamente piccola in termini di azioni, ma può avere una notevole espansione temporale per rendere difficilmente riconoscibile e correlabile l’insieme delle attività

Slide26

Alla fine finalmente possiamo finalizzare le nostre fini attività (ok ok sto giocando) in un attacco.

Slide27

La fase di attacco vero e proprio non è descrivibile neanche in termini generici, perchè dipende dalla natura dei goals che si sono definiti in fase di definizione del bersaglio. tutto quello che possiamo dire che finalmente va a frutto il lavoro svolto in precedenza.

Slide28

Alla fine della attività di attacco ci sono generalmente quelle di copertura, che servono a nascondere le tracce e le prove di quanto successo.

Slide29

Ancora una volta vale la pena di stressare che gli APT hanno una fine, persistent non significa che vanno avanti in maniera illimitata. la fine dell’attacco generalmente porta alla cancellazione o alterazione  delle eventuali prove che possano ricondurre all’attaccante.

Slide30

Una volta descritto il processo relativo ad un APT possiamo chiederci dove possiamo intervenire. a seconda della fase di un APT possiamo fare delle considerazioni generiche:

fase1: definizione bersaglio.

Questa fase non è rilevabile in quanto implica solo un uso marginale e non necessariamente illegale di strumenti di raccolta delle informazioni, ad esempio si pensi ad una analisi osint.

fase2: Analisi bersaglio

questa fase è parzialmente rilevabile, ma difficilmente associabile ad un APT o un attacco specifico. Viene di solito coperta ne “rumore di fondo” che gira attorno alle nostre reti.

fase3: primo ingresso

Le attività in questa fase sono rilevabili (Early External Detection) come attività esterne. Possono essere associate ad un attacco, ma difficilmente ad un APT l’eventuale blocco di questa fase è, se si tratta di un vero APT, solo apparente, perchè l’essere “scoperto” serve a testare la qualità dei sistemi difensivi e comunque una fase di primo ingresso in termini APT prevede una quantità notevole di tentativi diversi, di cui alcuni presumibilmente andranno a segno.

fase4: Deployment

Rilevabile (External Detection), questa è una delle fase critiche di un APT perchè è rilevabile, associabile ad un attacco esterno e, in presenza di una analisi storica degli eventi (ad esempio utilizzando correlazioni SIEM con una certa espansione temporale) può essere identificata come componente di un APT facendo alzare di conseguenza il livello di attenzione.

fase5: Espansione

Rilevabile (Early Internal Detection), in termini di rilevamento questa fase di attacco è ancora più critica della precedente in quanto si agisce già in maniera pesante all’interno del network target.

Va anche però osservato che le fasi interne hanno il vantaggio di vivere in aree dove il livello di attenzione è generalmente più basso, come a dire una volta entrati il più è fatto perchè si tende generalmente a concentrare le difese a livello perimetrale.

fase6: Consolidamento

Rilevabile (Internal Detection), per la fase di consolidamento valgono considerazioni analoghe al punto 6, con la considerazione che in fase di consolidamento vi sono, probabilmente, piu reti di attacco che si possono attivare con tempistiche diverse, il rilevamento quindi non necessariamente significa l’aver bloccato l’attacco. Come anche nelle fasi precedenti si ricordi che possono esserci attività di disturbo o decoy che servono a distrarre le difese.

fase7: Sviluppo attacco

Rilevabile (Late Internal Detection), la considerazione base da fare è che in questa fase siamo già in presenza di un attacco conclamato e quindi le attività da svolgere sono di contenimento danni.

fase8: copertura

Rilevabile (Post Mortem) tutto ciò che avviene dopo la  fase di attacco è una rilevazione di tipo post mortem, in qunato l’attacco oramai è andato in porto.

fase9: …

comunicazione esterna, ci avvertono che è avvenuto qualcosa

Slide31

Cosa possiamo fare contro gli APT? in realtà molto poco, e molto.

Lo strumento più efficace contro un APT è la messa in piedi di una serie di processi coordinati di sicurezza, in cui tecnologie e processi aziendali siano disegnato con la sicurezza in mente.

come suggerimenti generali, validi non solo in ambito APT ma in generale in ambito sicurezza

  1. —Complicare l’accesso iniziale (Firewall, Sandbox, Antimalware, gestione DNS e DHCP, IPS …)

  2. —Monitorare constantemente le risorse (SIEM deployment, Vulnerability assessment, …)

  3. —Ridurre il rischio di escalation dei privilegi in caso di compromissione di un account (NAC, IAC, DLP, …)

  4. —Rilevare precocemente account compromessi e attività sospette (SOC, NOC…)

  5. —Raccogliere informazioni utili a un’indagine forense, per poter determinare quali danni si sono verificati, quando e a opera di chi

una particolare raccomandazione è di tenere bene a mente il èpunto 5, solo una indagine forenze può darci da un lato gli strumenti legali per rifarci contro l’eventuale colpevole e le informazioni corrette per l’implementazione di misure correttive.

Slide32

infine Ã¨ importante ricordare che:

—Gli APT sono difficili da individuare. Secondo il Verizon 2012 Data Breach  Investigations Report, il 92% di tutte le organizzazioni e il 49% delle grandi organizzazioni è venuta a conoscenza di una violazione della sicurezza perché informata da un soggetto esterno.

Slide33

un po di reference:

—Advanced volatile threat

https://www.academia.edu/6309905/Advanced_Persistent_Threat_-_APT

Anatomy of an Advanced Persistent Threat (APT)”. Dell SecureWorks. Retrieved 2012-05-21.

Are you being targeted by an Advanced Persistent Threat?”. Command Five Pty Ltd. Retrieved 2011-03-31.

Search for malicious files”. Malicious File Hunter. Retrieved 2014-10-10.

The changing threat environment …”. Command Five Pty Ltd. Retrieved 2011-03-31.

—Eric M. Hutchins, Michael J. Clopperty, Rohan M. Amin, Ph.D. “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”. Lockheed Martin Corporation Abstract. Retrieved March 13, 2013.

Assessing Outbound Traffic to Uncover Advanced Persistent Threat”. SANS Technology Institute. Retrieved 2013-04-14.

Introducing Forrester’s Cyber Threat Intelligence Research”. Forrester Research. Retrieved 2014-04-14.

—Olavsrud, Thor. “Targeted Attacks Increased, Became More Diverse in 2011”. PCWorld.

An Evolving Crisis”. BusinessWeek. April 10, 2008. Archived from the original on 10 January 2010. Retrieved 2010-01-20.

The New E-spionage Threat”. BusinessWeek. April 10, 2008. Archived from the original on 18 April 2011. Retrieved 2011-03-19.

Google Under Attack: The High Cost of Doing Business in China”. Der Spiegel. 2010-01-19. Archived from the original on 21 January 2010. Retrieved 2010-01-20.

Under Cyberthreat: Defense Contractors”. BusinessWeek. July 6, 2009. Archivedfrom the original on 11 January 2010. Retrieved 2010-01-20.

Understanding the Advanced Persistent Threat”. Tom Parker. February 4, 2010. Retrieved 2010-02-04.

Advanced Persistent Threat (or Informationized Force Operations)”. Usenix, Michael K. Daly. November 4, 2009. Retrieved 2009-11-04.

—Ingerman, Bret. “Top-Ten IT Issues, 2011”. Educause Review.

—Bodmer, Kilger, Carpenter, & Jones (2012). Reverse Deception: Organized Cyber Threat Counter-Exploitation. New York: McGraw-Hill Osborne Media. ISBN 0-07-177249-9ISBN 978-0-07-177249-5

Advanced Persistent Threats: Higher Education Security Risks”. Dell SecureWorks. Retrieved 2012-09-15.

APT1: Exposing One of China’s Cyber Espionage Units”. Mandiant. 2013.

China says U.S. hacking accusations lack technical proof”. Reuters. 2013.

What’s an APT? A Brief Definition”. Damballa. January 20, 2010. Archived from the original on 11 February 2010. Retrieved 2010-01-20.

Slide34

grazie 🙂