STAP (Specialized Threat Analysis and Protection) technical controls are designed to complement, maybe in the future replace, traditional detection controls that require signatures and rules. STAP controls focus on threats/attacks that have not been seen before or that can morph very quickly and therefore are missed by signature-based controls.
Actors such as criminal organizations and nation states are interested in the long haul. They create specialized malware, intended for a specific target or groups of targets, with the ultimate goal of becoming embedded in the target’s infrastructure. These threats are nearly always new and never seen before. This malware is targeted, polymorphic, and dynamic. It can be delivered via Web page, spear-phishing email, or any other number of avenues.
Mr. Kolodgy breaks STAP controls into three categories:
Virtual sandboxing/emulation and behavioral analysis
Virtual containerization/isolation
Advanced system scanning
Based on Cymbel’s research, we would create fourth category for Advanced log analysis. There is considerable research and funded companies going beyond traditional rule- and statistical/threshold-based techniques. Many of these efforts are levering Hadoop and/or advanced Machine Learning algorithms.
I would like to comment on RSA’s use of the term Advanced Persistent Threat (APT) in their Open Letter to RSA Customers. From my perspective, any company’s trade secrets are subject to APTs from someone. There is always some competitor or government that can benefit from your trade secrets. All APT means is that someone is willing to focus on your organization with resources of approximately the value of a penetration test plus the cost of acquiring a 0-day attack.
This means that you must assume that you are or will be compromised and therefore you must invest in “detection controls.” In other words, your security portfolio must include detection as well as prevention controls. Important detection controls include intrusion detection, behavior anomaly detection, botnet command & control communications detection, and Security Information & Event Management (SIEM). If you don’t have the resources to administer and monitor these controls then you need to hire a managed security services provider (MSSP).
Furthermore, organizations must take a close look at their internal access control systems. Are they operationally and cost effective? Are you compromising effectiveness due to budget constraints? Are you suffering from “role explosion?” A three thousand person company with 800 Active Directory Groups is difficult to manage, to say the least. Does your access control system impede your responsiveness to changes in business requirements? Have you effectively implemented Separation of Duties? Can you cost effectively audit authorization?
While the term, Advanced Persistent Threat (APT) is not a new term, it is being used much more often since the breach announcement Google made in January. I wrote about it here and here.
Mandiant, a security consulting firm, defines the APT "as a group of sophisticated, determined and coordinated attackers that have been systematically compromising U.S. government and commercial computer networks for years. The vast majority of APT activity observed by MANDIANT has been linked to China." You can read more about what they have to say here.
Mandiant did a webinar on February 18 called Malware Behaving Badly, in which they compared Mass Malware Threats to Advanced Persistent Threats. As of today, Feb 20, Mandiant has not posted the webinar on its site.
Richard Bejtlich defined APT in this January 16, 2010 blog post:
Advanced means the adversary can operate in the full
spectrum of computer intrusion. They can use the most pedestrian
publicly available exploit against a well-known vulnerability, or they
can elevate their game to research new vulnerabilities and develop
custom exploits, depending on the target's posture.
Persistent
means the adversary is formally tasked to accomplish a mission. They
are not opportunistic intruders. Like an intelligence unit they receive
directives and work to satisfy their masters. Persistent does not
necessarily mean they need to constantly execute malicious code on
victim computers. Rather, they maintain the level of interaction needed
to execute their objectives.
Threat means the
adversary is not a piece of mindless code. This point is crucial. Some
people throw around the term "threat" with reference to malware. If
malware had no human attached to it (someone to control the victim,
read the stolen data, etc.), then most malware would be of little worry
(as long as it didn't degrade or deny data). Rather, the adversary here
is a threat because it is organized and funded and motivated. Some
people speak of multiple "groups" consisting of dedicated "crews" with
various missions.
Bejtlich goes on to itemize APT objectives, which interestingly does not include stealing money:
Political objectives that include continuing to suppress its own population in the name of "stability."
Economic objectives
that rely on stealing intellectual property from victims. Such IP can
be cloned and sold, studied and underbid in competitive dealings, or
fused with local research to produce new products and services more
cheaply than the victims.
Technical objectives that
further their ability to accomplish their mission. These include
gaining access to source code for further exploit development, or
learning how defenses work in order to better evade or disrupt them.
Most worringly is the thought that intruders could make changes to
improve their position and weaken the victim.
Mike Cloppert, a security engineer at Lockheed Martin, wrote about APTs in mid-2009 in his Security Intelligence series of blog posts. In Security Intelligence: Introduction (pt 1), he defines APT as "any sophisticated adversary engaged in information warfare in support of long-term strategic goals." Note his focus on the adversary and goals rather than just the techniques.
In summary then, APTs do represent techniques that are more difficult to detect because the adversary, when faced with an above average defense, does not move on to a weaker target. The adversary is persistent and will escalate tactics. Second the focus is on stealing intellectual property rather than money to advance the adversary's strategic technical, economic, political, and military goals.
