Continued hype surrounding the topic of so-called advanced persistent threats (APTs) is causing alarm and confusion as to what an APT actually is.
To nobody's surprise, it appears that some security vendors have applied the APT label to an instance of a widespread malware attack and then claimed that they can "protect your organization from APTs."
We know this claim is not true. It's time for an APT reality check.
To separate fact from fiction and to bring visibility to this potentially damaging security trend, attendees at the recent Black Hat conference in Las Vegas weighed in about APTs.
To help frame the situation, Richard Bejtlich, chief security officer at security intelligence firm MANDIANT, reminded me that the APT name is not new, but defined by the U.S. Air Force in 2006 as a way to describe specific actors targeting specific entities in support of long-term strategic goals.
Most vendors agreed that what APT means "under the hood" is not really new either. APTs are essentially slow and low, and extremely targeted attacks.
The new reality, however, is that while APTs don't target the masses, they are essentially unavoidable and undetectable. This is not what security vendors want their prospects and clients to hear, but it is important that organizations take this into account as they hear this term being flung about recklessly.
There are some key attributes of an APT.
- They are driven by specific actors with specific objective(s).
- Attacks target a specific entity with the sole goal of achieving their objective(s).
- They often leverage phishing as the primary entry method into the organization.
- Compromises are accomplished via low-hanging fruit, such as unpatched systems and zero-day vulnerabilities
- Attacks are performed slowly and covertly, will cycle many times to build up intelligence, and will utilize the network to work their way deeper into the environment.
- They avoid detection at all costs by using undetectable attacks, even slowing or pausing the attacks when necessary.
- They attempt to re-compromise remediated systems that remain vulnerable or become vulnerable again.
The following are not attributes of an APT:
- A specific attack using readily-detectable methods or behaviors.
- A widespread attack where multiple, unrelated targets are compromised.
- A specific attack that can be detected by monitoring events and incidents in real time.
Given that the actor won't stop until it finds its way into the target organization, an APT, by definition, is an ongoing attack that has been successful at some level while remaining undetected.
Its initial success was likely gained through one or more social engineering schemes, landing itself on an unprotected, unpatched, or misconfigured desktop or laptop. Once bootstrapped into the organization, it will remain stealthy for as long as it needs to while covertly collecting more information about the environment and its assets, using the acquired information to slowly work its way deeper into the organization. It will continue this cycle until it successfully reaches its objective. Of course, there's nothing to suggest that it wouldn't continue to operate in this fashion even though its initial objectives have been met.
Because of its stealthy behavior, an APT is usually extremely difficult to detect in real time – the triggers simply may not be visible.
And without the right collection of network information, it could even be impossible to detect the attack retrospectively, according to Alan Hall, director of Marketing at Solera Networks, and Joe Levy, CTO of Solera Networks.
"The attacks could be there for a while, festering away, leaking out what could appear to be seemingly innocent or irrelevant data," Hall told me. "If an organization has decided to not capture some network traffic data because they didn't think it was needed, they could find that they have no idea how they arrived at the point of being breached. Worse yet, they may be unable to detect that they have been breached at all."
- Collect the right amount of network traffic information, keep it for a long time, and analyze it regularly, using security knowledge gained from reports of security incidents and trends. According to Bejtlich, this is sometimes referred to as "retrospective security analysis."
- Become uncompromisingly diligent in protecting the endpoint, keeping the protections on, policies and configurations properly defined and enforced, and all detection components up to date. Endpoints are often the most vulnerable and represent the largest numbers for the actors to target. These devices are usually tied to a human being that can be tricked into installing the first piece of malware, which could be the takeoff point for the entire campaign.
- Get a grip on mobile devices. They will certainly be the next wave of APT entry points; picture them as the next tasty form of low-hanging fruit.
The walk-away lessons learned about dealing with APTs:
- Avoid getting caught up in the hype and beware of false promises.
- Continue to manage your environment using the security best practices you've grown to know and accept.
- Find ways to stay abreast of current threat activities such that you can make quick, informed decisions in real time, forward-looking, and retrospectively.
When asked about APTs in relation to virtualization and the cloud, Jeff Horne, practice manager of malware solutions at Accuvant, and Matt Alderman, director of product management at Qualys, both suggested that APTs would not necessarily target this particular IT asset or environment. They described these systems/networks as being better configured and less likely to be compromised compared to that of largely unmanaged endpoints and uncontrolled mobile devices.
Hindsight is 20/20, but to get this quality of vision, you have to look back.
If you think your organization is a target for an APT, even if just on a small scale, take what you learn about the latest attacks and couple that with good data collection and retrospective forensic analysis procedures.
When push comes to shove, be sure to have measures in place so you can actually prove that your data has not been accessed or compromised.
Users of the cloud have to employ their own security measures based on their risk level and their regulatory requirements. When logs are being created, it's important that technologies are used properly to analyze and correlate the data into different sets of information. These actions, including policy definitions and admin changes associated with logs, need to be independently signed.
Otherwise, it comes down to trust.
"One of the first things that an attacker will do after gaining access to a system, especially if they are an inside attacker, is to go into the logs and remove the entries that show how and where the access was gained and what has been done to modify the environment to leave the back door open," Mike Gault, CEO of GuardTime, told me. "Nobody can completely prevent those things from happening, but keyless signatures can independently prove via mathematics that those logs are intact and haven't been changed outside of the defined rules, thereby removing the need for trust."