APTs can be thwarted with the right tools and an informed user base, says Stephen Lawton.
In an advanced persistent threat (APT) attack, perpetrators research a specific target and customize the malware so that its signature cannot be identified by any existing anti-malware tools.Crimes of opportunity happen every day. A car door left unlocked leads to the theft of a wallet sitting on the front seat. A company laptop is stolen from the security checkpoint at an airport. A family out for a day trip comes home to find its front door open and its valuables gone. With crimes of this nature, the victim is often selected at random.
Now, imagine that a crook not only breaks into your building, but creates a door that only he can see so that he can come and go at his leisure, stealing not only your property, but ideas you have written down or drawings for a new widget you plan to build. One might consider this unlikely for a house, but it happens every day to computers.
Generally speaking, crimes of opportunity are similar in nature to malware that infects millions of computers worldwide. With simple malware or phishing attacks, the perpetrator generally is playing a numbers game – he sends out millions of emails containing a compromised link, for example, and hopes that a small fraction, or perhaps even fewer people, respond. Even if protective software stops 99 percent of the infected emails, and good computing practices prevent even more, the small number that get through often are enough to make a spam attack financially viable, says Christopher Smoak, a research scientist at the Georgia Tech Research Institute in Atlanta.
On the other hand, in an advanced persistent threat (APT) scenario, the perpetrator spends a considerable amount of time researching a specific target, often customizing the malware so that its signature is not identified by any existing anti-malware software, Smoak says. Two characteristics of such sophisticated attacks are that the adversary has significant resources, both financially and technologically, and an end goal that might not have anything to do with pure financial gain.
With the Stuxnet attack on nuclear facilities in Iran in June 2010, for example, Smoak says the attackers had in-depth knowledge of how the Siemens supervisory control and data acquisition (SCADA) systems worked, as well as considerable financial resources to develop and deliver the attack. Such knowledge of how the hardware operated, as well as intelligence on the installation itself, likely took a long time to obtain, he says.
Smoak says similar characteristics have been identified in what McAfee Labs' scientists recently dubbed Operation Shady RAT. The attack on more than 70 government, corporate and nonprofit entities was discovered when researchers came across a command-and-control server used by the attackers for directing remote administration tools, commonly called RATs. While investigating the server, McAfee came across log files dating back more than five years.
“The low-and-slow attack lends itself to an APT,” Smoak says. “It might take days, weeks, months or several years before it is even launched, and is designed to run for a long time.” As for why someone might opt for an attack that might not pay off for years, he says, “Sometimes it's cheaper to steal the information rather than to build it yourself.” Other times, he says, the attack might be for geopolitical reasons, such as with Stuxnet.
Companies and government organizations of all sizes need to realize that they are not immune from attack. “It's like [Alcoholics Anonymous],” Smoak says. “First you have to realize you have a problem, and then you work to fix it.”
However, not only large enterprises or government agencies are at risk, he says. Sometimes smaller companies that provide services to larger firms, such as Department of Defense contractors, could be hit so that the attacker can find a way to infect their ultimate target.
The best defenseMatt Jonkman, president of the Open Information Security Foundation (OISF), an open source-focused, nonprofit foundation that is building a next-generation intrusion detection system/intrusion prevention system (IDS/IPS) engine, uses a popular security industry chestnut to describe corporate network environments. There are two kinds of companies, the saying goes: those that have been compromised and those that don't know they've been compromised. Using this truism as a baseline, Jonkman stresses the importance of using layered security technologies in conjunction with effective user training and education.
What is clear is that from an organizational level, “we're leaking information like a sieve,” he says. “It used to be that we had a crunchy exterior perimeter [protection] with a soft inside. There's no crunchy exterior perimeter anymore.”
Jeff Horne, practice manager of malware solutions for Denver-based Accuvant Labs, says companies need to recognize that either they have been compromised or they will be. Today's attackers have sophisticated ways of bypassing perimeter protections, so Horne says organizations should focus on outgoing communications. There is little value to a hacker if they are able to compromise data on a server, but cannot transfer it off the network, he says.
Horne recommends a two-pronged defense against malware. The first is to use a combination of network best practices to keep data secure. Next, is to ensure that compromised assets cannot leave the network.
Malware has become a commodity easily purchased over the internet, he says. This malware can be customized for a specific target so that it can bypass security protections. Companies must ensure that they have layered defenses and do not rely just on their firewalls or anti-virus software, Horne says. Defensive approaches, such as segregating mission-critical systems on protected virtual LANs (VLANs) or simply keeping some systems physically separated from the corporate network, can prevent access to certain machines if the network is attacked. Additionally, network managers can remove the ability for PCs in a network to talk directly to each other, requiring all file-sharing to instead be done via servers that can be better protected. By barring peer-to-peer communications, Horne says, a number of exploits can be stopped in their tracks.
Most important, however, security and network managers must stop unauthorized data from being sent off the network. This is more complicated, he says, because exploits can use innocuous coding holes to transfer data out.
If the network infrastructure was not built with security embedded into the underlying technology, then additional defenses will have to be tacked on to make up for the deficiencies, he says. One such weakness is allowing users to turn off automatic updates. While some users might have a valid reason for stopping updates, most employees need to have these updates turned on, even if they do cause a performance hit on their systems, Horne adds.
Proprietary software and Windows service packs also need to be updated on a regular basis, but for these applications a process is necessary to ensure that the upgrades do not crash the existing applications. Sometimes, he says, this process can take up to a year, depending on the type of update and the requirements of the network. Despite these delays, Horne says, major updates must be tested before they are installed. “You have to have a vetting process,” he says, “not an elimination process.”
Steep rise in attacks
Peter Morin, leader of the threat avoidance and incident response team at Bell Aliant in Halifax, Nova Scotia, says the number of attacks he sees on the Canadian telecommunications system has increased significantly during the past seven years and particularly in the past two years. He agrees that it is critical for companies to lock down their networks so that compromised data cannot be sent back to criminals' command-and-control servers.However, while Morin acknowledges that finding compromised systems is difficult, there are ways to ensure that network traffic is protected. He recommends that security and network engineers study logs to look for common indicators of an intrusion, such as if internal traffic is being redirected to an unauthorized domain name system (DNS) server.
“If your network is configured so that systems talk to a DNS server on your network, there is no reason why they should be communicating with a DNS server in Russia,” he says.
However, Earl Boebert, a retired senior scientist from New Mexico-based Sandia National Labs and the inventor or co-inventor on 13 computer security patents, cautions that technological approaches, including a security information and event management (SIEM) system, might not stop the sophisticated adversary. “If I, as an attacker, control your system to the degree that some of these accounts indicate, then I will ‘train' your software and your administrators to accept something that, if I just threw it at them, would raise an alarm.”
In addition, education is critical to stopping attacks, Boebert says. Not only must employees be taught to understand how social engineering works, and be given directions on what is and is not considered safe computing practices, but outside investigators also should be informed of the attacks. While APTs are, by definition, custom built, understanding what is being targeted, where the attack is coming from and how it is being done can assist investigators to shut down the command-and-control centers.
Meanwhile, much of the talk about education centers around helping employees understand social engineering. While some email might look authentic, employees should not click on just any link because it could either cause malware to download onto the system or take the user to a website where malicious code is hosted, says Patricia Titus (left), [at the time of this interview] CISO for Unisys [currently she is CISO at Symantec]. But, she adds, education is not for employees alone.
After speaking at a data security awareness conference for the U.S. Department of Defense, Titus says a high-ranking military officer walked up to her and asked if she would put a copy of her presentation on his thumb drive. Titus looked at the officer, then the drive, then back at the officer, and asked: “Is this a test?” Attaching any USB-connected device, to a computer is an invitation for an attack, she says.
One common test of employees' understanding of the potential security breach posed by unauthorized storage devices is to dump thumb drives with identifying information into a company parking lot, she says. If an employee plugs one of these devices into their company computer, the IT department is alerted and the employee gets additional training on security threats.
Human nature, Titus says, is generally the weak link in a company's data security posture. One's culture is often based on helping people in need, she says, making social engineering an effective way to defeat security protections.
Companies need to “empower people to participate,” she says. Rather than punishing an employee who might stop a C-suite executive from entering a secure area without proper credentials, employees need to know that if they follow proper precautions, their actions will not cause reprisals.
Security tips: Top 10
Security is weakest at the human level. Therefore, organizations should:
- Implement consistent security awareness training with associated testing to gauge effectiveness.
- Enforce security in all projects at the concept phase. Incorporating controls later in the implementation results in increased costs and less effective results.
- Develop procedures to ensure data stored on removable media devices is always encrypted. Delete files from flash drives as soon as possible.
- Protect passwords, change them often and do not write them down and leave them unsecured.
- Develop an effective policy for use of social media to limit the potential loss of critical company information, while leveraging the marketing flare of social media.
- Review access control frequently to prevent “privilege creep.” This is critical as employee roles expand.
- Consider application whitelisting (allowing the use of good applications and prohibiting bad ones) for employees who routinely manage sensitive data.
- Conduct periodic risk assessments to manage security spending effectively. Apply controls based on risk to the business.
- Move to multifactor authentication where feasible.
- Use a program that either prevents or warns you about navigating to a known spyware site.