Espionage2This blog will suggest a change of strategy in how we address the threat of cyber espionage. One which leverages traditional tactics of counter-intelligence and uses a new approach different than the Lockheed Martin Cyber Kill Chain approach to security, which seeks to disrupt the chain of attack as quickly as possible. Rather than simply cut off an attack, a method of intelligence gathering before stopping the event is proposed, without leaking sensitive information. Often these same approaches can discover yet unknown activities.

The Situation

Nation-States, with large war chests, take part in aggressive online activities around the world to further their national interests. For example, in 2011, MI6 hacked and then swapped bomb making instructions on an Al-Qaeda website with a recipe for Mojito Cupcakes and Rocky Road cupcakes from the Ellen DeGeneres Show and warned of a very dangerous sugar rush. More seriously, the MIT Technology Review, 117(3), p 70, cited the Russian-based “Energetic Bear,” identified first by Cisco’s TRAC team member, Emmanuel Tacheau (see his blog posted below), which launched malware campaigns to capture passwords of U.S. Energy companies.


In Andrew Brown’s 2011 book, “The Grey Line,” he states that state sponsored corporate espionage is business as usual, and while it might create in outcry in some cultures, it comes as no surprise in many parts of the world. Brown cites companies in most parts of the world expect and welcome assistance by state actors.

Why should cyber espionage be different? Independent findings in the recent 2014 Verizon Data Breach report identified 87% of cyber espionage activities to have state sponsorship. With over a decade of data and an international footprint, Verizon identified the largest espionage victim as the United States with 54% of all worldwide reported events, and South Korea second at 6%, while actors in North America constitute less than 1% for this type of activity. This is consistent with Brown’s assessment of victims and actors.


Brown identifies that espionage can save years of research and expenses.

The book cites conservative estimates at over a 100 billion a year in losses, which is in line with estimates provided by independent analysis from additional sources such as McAfee who also add cyber espionage cost the U.S. 508,000 jobs and $24 to $120 billion dollars a year, and nearly half a trillion worldwide. They point out these values may be understated.

In addition to the primary loss of intellectual property, several secondary losses are experienced. These secondary losses include: information which can lead to market manipulations, future innovation opportunities and markets, and reputation losses. However, it is not only defense related activities that come under fire. Information technology, manufacturing, education, public sector, transportation, and finance also experience theft of IP as a result of cyber espionage.

Brown highlights that corporate espionage is a recession proof activity. This puts companies at risk even while their resources to battle these threats are stretched thin. This is especially compounded when considering a recent report by Damballa, companies are facing 10,000 alerts a day. This means that companies need to address the threat in an automated fashion.

Cyber espionage piles on. The Verizon 2014 Data Breach Report points out two trends over the course of 10 years and 100,000 data points. The rate of decline of financial motivated data breaches, and the rise of espionage data breaches. Should this trend continue as it has for the past decade, interestingly enough, the theft for knowledge will out pace the theft for money.

What Can Be Done?

Step 0
An important step is to determine what information, or trade secrets are most valuable to the business. This should be rated. Stanford has a 4 tier approach which provides an example to see a real world system at play:


Also NIST provides a framework to conduct a risk impact assessment (See FIPS199, FIPS200, NIST800-53, and NIST800-60 to get you started).


Alternatively, services are available to perform this function. Bottom line, as a first step, it is vital to identify what’s important and what are the risks.

Traditional security strategies today are based on the Lockheed Martin’s Cyber Kill Chain. The goal is to quickly and judiciously break the chain and stop the attack. This approach brought many years of success, but cyber espionage in particular requires taking a book from traditional counter-intelligence playbook.

An immediate goal of cyber espionage is to collect information from a competitor to gain an advantage. Also, most of these events are difficult to detect and take a long time to discover.

Jason S. Alexander, Thomas Dean, and Scott Knight in their 2011 study, “Counter-intelligence methods for Backtracking Malicious Intrusions,” suggest leaving an intrusion in place to watch the event to discover:

  • Who the attacker is
  • The objective of the attack
  • The capability of the attacker
  • The depth of penetration into the network

Interestingly, this approach is also supported by in the DoD Joint Publication 2-01.3. With some of the tools you already may have in place, you do not have to give up significant losses suggested by this strategy, but still gain much of the benefits. You can have your (cup)cake and eat it too.

With the use of some solutions available in an enterprise’s war chest, discovering unknown intrusions, determining an attacker’s intent, TTPs (Tactics, Techniques, and Procedures), and protecting sensitive data is possible.

Traditionally, honeypots are a tool used to discover unknown events in the infrastructure. But these require a significant amount of effort to sell them as legitimate. The ability to take the discoveries and make them immediately actionable is a challenge. Thereby Honeypots or Honeynets, while a nice idea, have some practical problems.

On the other end, the concept of a honey token carries the advantages of a honey net, without its shortcomings. A honey token is often a file that would not be legitimately touched or copied (or by only well-known processes, such as backups). When that token is accessed, action can be taken and data collected.

Note: Honey tokens used with Sourcefire will be posted in a future publication. For those interested, comment on the blog and I will comment back when the document hits the net with a link.

One application is with Sourcefire. Sourcefire can use Network File trajectory to track a honey token across the network, determine who accessed it, what was the user and their role. With the use of Sourcefire’s built-in API, we can learn quickly and then stop attacks, not having to concede losses as large to achieve this objective (think Churchill and the Covington bombing). In fact, if properly configured, once we collect the intelligence on the honey token being exfiltrated, near simultaneously we can block access.

Another valuable source of intelligence is to watch for telltale data exfiltration and botnet activity.

An Achilles heel for many of these exfiltration attempts, and botnet C&C connection attempts initiated by phishing campaigns, is that many rely on DNS. The Cisco Custom Threat Intelligence service provides analysis of DNS activity to identify suspicious DNS events. This report can identify if outbound requests are being sent to known malicious upload sites, and concealment of outbound activity by calling on services such as TOR, in addition to other interesting, and potentially dangerous outbound calls.


  • Determine what are your important information assets
  • Consider Nation-States have sophisticated war chests at their disposals; traditional hard outer shell security will not work on its own
  • Data shows a clear uptick in espionage; most is state sponsored
  • Manufacturing, technology, education, and finance are targets (not just Government contractors)
  • You have tools at your disposal
  • Collecting counter-intelligence has never been easier and can help you expose an previously unknown actor in your network
  • Tools are available to act quickly and stop the losses

Remember, stealing information is trending up, while financial theft, still the largest breach, is trending down. Consider this when evaluating the critical value of your company’s trade secrets.


Andre' Ara Karamanian

Security Consultant

Strategic Security Research Organization