20. February 2010 · Comments Off on Advanced Persistent Threats – substantive or just marketing buzz? · Categories: Advanced Persistent Threat (APT)

While the term Advanced Persistent Threat (APT) is not new, it has been used much more often since the breach announcement Google made in January. I wrote about it here and here.

Mandiant, a security consulting firm, defines the APT "as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT has been linked to China." You can read more about what they have to say here.

Mandiant did a webinar on February 18 called Malware Behaving Badly, in which they compared Mass Malware Threats to Advanced Persistent Threats. As of today, Feb 20, Mandiant has not posted the webinar on its site.

Richard Bejtlich defined APT in this January 16, 2010 blog post:

  • Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.

  • Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

  • Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

Bejtlich goes on to itemize APT objectives, which, interestingly, do not include stealing money:

  • Political objectives that include continuing to suppress its own population in the name of "stability."

  • Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

  • Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worryingly is the thought that intruders could make changes to improve their position and weaken the victim.

  • Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. The Report on Chinese Government Sponsored Cyber Activities addresses issues like these.

Mike Cloppert, a security engineer at Lockheed Martin, wrote about APTs in mid-2009 in his Security Intelligence series of blog posts. In Security Intelligence: Introduction (pt 1), he defines APT as "any sophisticated adversary engaged in information warfare in support of long-term strategic goals." Note his focus on the adversary and goals rather than just the techniques.

In summary, then: first, APTs do represent techniques that are more difficult to detect, because an adversary faced with an above-average defense does not move on to a weaker target; the adversary is persistent and will escalate tactics. Second, the focus is on stealing intellectual property rather than money, to advance the adversary's strategic technical, economic, political, and military goals.

A week later, "Operation Aurora," which I discussed in detail here, is still the most important IT security story. PC Magazine provided additional details here.

Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about Microsoft's ridiculously long support cycles demanded by corporate customers. Why any organization would allow the use of this nine-year-old browser is a mystery to me, especially at Google!!

Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.

In conclusion, let me restate perhaps the obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:

  • Next Generation Firewall
  • Secure Web Gateway
  • Well-Configured Mail Server
  • Desktop Anti-malware that includes web site checking
  • Latest version of browser, perhaps not Internet Explorer
  • Latest version of Windows, realistically at least XP Service Pack 3, with all patches
  • Database Activity Monitoring
  • Data Loss Prevention
  • Third Generation Security Information and Event Management

16. January 2010 · Comments Off on Google discloses breach and new threat type from China – Advanced Persistent Threats · Categories: Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft

Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First, regarding disclosure: IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do, and avoid overreacting to vendor scare tactics, by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches that the federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.

Regarding the attack itself, it represents a relatively new type of attack called "advanced persistent threats" (APT), which in the past had primarily targeted governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear phishing, zero-day threats, and crafted malware here. The implications:

The world has changed. Everyone's threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value.

Gunter Ollman, VP of Research at Damballa, discusses APTs further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and any espionage attack) lies with the tether that connects the victim with the attacker. Advanced Persistent Threats (APT), like their bigger and more visible brother "botnets", are meaningless without that tether – which is more often labeled as Command and Control (CnC).
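
One way to act on Ollman's point from the defender's side, as an added example that is not from the post or from Damballa: a small detector that groups proxy log lines by client and destination and flags pairs whose request timing is machine-regular, which is how a CnC tether often looks next to human browsing. The log format, hostnames and timestamps are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the post): "timestamp client dest_host".
LOG_LINES = """
2010-01-16T09:00:00 10.0.0.5 news.example.net
2010-01-16T09:00:00 10.0.0.5 updates.example-cnc.test
2010-01-16T09:01:01 10.0.0.5 updates.example-cnc.test
2010-01-16T09:01:59 10.0.0.5 updates.example-cnc.test
2010-01-16T09:02:58 10.0.0.5 updates.example-cnc.test
2010-01-16T09:03:02 10.0.0.5 news.example.net
2010-01-16T09:04:00 10.0.0.5 updates.example-cnc.test
2010-01-16T09:05:00 10.0.0.5 updates.example-cnc.test
2010-01-16T09:11:40 10.0.0.5 news.example.net
2010-01-16T09:12:03 10.0.0.5 news.example.net
2010-01-16T09:30:00 10.0.0.5 news.example.net
2010-01-16T09:31:00 10.0.0.5 news.example.net
""".strip().splitlines()

def parse(lines):
    """Return {(client, host): [timestamps]} from the constructed log format."""
    sessions = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not fit the expected format
        ts, client, host = parts
        sessions[(client, host)].append(datetime.fromisoformat(ts))
    return sessions

def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; low means regular."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps) if gaps else 0.0
    if len(gaps) < 3 or mean == 0:
        return None  # too few requests (or all at once) to judge periodicity
    return statistics.pstdev(gaps) / mean

def find_beacons(lines, min_requests=5, max_cv=0.2):
    """Flag (client, host) pairs whose request intervals look machine-regular."""
    flagged = {}
    for key, ts in parse(lines).items():
        # Human browsing (news.example.net) has bursty gaps; a beacon does not.
        cv = beacon_score(ts) if len(ts) >= min_requests else None
        if cv is not None and cv <= max_cv:
            flagged[key] = round(cv, 3)
    return flagged
```

Flagged pairs are candidates for review, not verdicts: scheduled legitimate traffic (software update checks, monitoring agents) is also periodic, so an allowlist of known schedulers belongs in front of any alert.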

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of Default https access for Gmail.

Indeed, the threat landscape has changed.