Is resistance against Advanced Persistent Threats really futile?
At four recent security conferences - Defcon XX, LayerOne, ISSA-LA, and BSides – LA (Hermosa Beach), various speakers gave markedly differing interpretations of APT, and even what risk APT engenders. That the topic is constantly a popular subject only shows that many in IT Security are concerned with a stealthy attack that targets them. Arriving at an accepted definition may be equally problematic. Once the term is bandied about by marketers, many threats are given a moniker of APT. Sophisticated malware, botnets, and rootkits aren’t APT attacks. An APT can’t usually be prevented by an appliance.
There are people smarter than you; they have more resources than you, and they are coming for you. Good luck with that.
Matt Olney, Sourcefire, Vulnerability Research Team (VRT)
But the marketer is sadly mistaken, no matter how sophisticated is that one rootkit. The original meaning of an APT concerned a targeted attack at an entity that makes use of advanced hacking techniques, is solely directed at that enterprise, and continues for a period, probably several weeks to several months or more. APT describes the level of persistence and skill behind the attack, even if initial entry is solely through social engineering. The malware used will be hard to detect, evolve to escape subsequent detection, and will have multiple instances in multiple locations so initial eradication will be guaranteed to fail.
Why does APT scare security engineers in the trenches? One truism is that hackers (red team) have all the time and only have to be right once; blue team (security team) members have to be right all the time and only have a limited period of time for any one incident.
Mandiant’s Jim Aldridge relied much on Richard Bejtlich’s definition of APT, in that the adversary:
- receives orders and tasks much like professional work or intelligence unit;
- persistence applies to the desired long-term presence in your systems, not that malicious code is constantly executed;
- the threat portion does not refer to mindless code, because if malware had no human behind it, the threat would be drastically scaled back. Instead it refers to the attacker;
- the adversary is well-funded, organized, and motivated: their mission is getting your data
- as described in more detail by speakers from PWC, some APT “crews” have special teams: penetration, persistence – hiding, gaining access, and exfiltration.
McAfee defines an advanced persistent threat as one that originates from a nation-state and is carried out for motivations other than financial gain or political protest. Because many times APTs that have been analyzed frequently start with social engineering type attacks (“pretexting”), the advanced part of the definition is either a misnomer or reserved for the exfiltration or perseverance portion of the attack. Really, “advanced” refers either or both to the multiple ways and patience exhibited that an attacking group will use to gain entry, then hide themselves, and the crews’ organization.
Douglas Mechaber, from a former life as a molecular biologist to his current occupation as a security architect, Doug has worked in everything from healthcare to utilities. He currently tries to foster a security culture for a mid-sized municipality. In his spare time, Doug teaches Scuba, is active in OWASP, ISSA, and ISACA, and is a member of a local USCG Auxiliary flotilla.
See here for all of his Tom's IT Pro articles.