You are on page 1of 11

B U s I N E ss R I s K L E A d E rs H I P

DIGITAL SPOTLIGHT

Advanced Persistent Threat

Addressing the Advanced Persistent Threat


September 2013 www.csoonline.com $ 9 . 0 0 

Strategies and solutions to help you detect and protect


Fighting APTs Isnt a Losing Battle 6 Why Active Defense Is a Sorely Needed Approach 10 Why Building In Security Is Better Than Active Defense 13 APTs: Stealthier and More Persistent Than Ever 16
POINT/COUNTERPOINT:

D IG ITA L S PO T L IG H T

Advanced Persistent Threat

APT: Shedding new light on a dark menace


The term advanced persistent threat, or APT, is one of those buzz-phrases thats become very common in the security industry over the past few years, but many differ on whether theres even an appropriate definition for it.

For example, in this Digital Spotlight on APTs, some industry experts say APTs are a who, such as an individual group able to pull of a long-term, persistent cyber-onslaught against an organization. Others argue APT is about the what, such as the type of attack and techniques used to disable an organization in some way. One source notes APTs arent about spam, botnets, DDoS, phishing, spyware or Trojans, but can, in fact, include them all. And the definition is evolving. More concisely, I had a discussion with someone the other day who made this observation. APT is cybercrime. Plain and simple. Whatever you prefer to call it, its still a problem, and a growing one. In this CSO Digital Spotlight, we delve into the issue of APTs the more common techniques, the debate about how best to defend your organization and, of course, tips and strategies you can use now to best position yourself for protection. As contributor Taylor Armerdings story points out, APTs are getting quieter and stealthier than ever. But fighting isnt going to be a losing battle with the right ideas in place. As Wade Williamson, senior security analyst with Palo Alto Networks, notes: There are solutions the sky is not falling. We hope after reading this Spotlight that you will have that same level of confidence and be ready to take on the attackers should they choose you as a target. Joan Goodchild, editor jgoodchild@cxo.com

Editor Joan Goodchild jgoodchild@cxo.com 508 988-7994 Twitter: @msjoanieg Copy Editor Melissa Andersen Art Director Steve Traynor Editorial Administrator Pat Josefek Research Manager Carolyn Johnson Contributors Taylor Armerding, Mary Brandel, John E. Dunn, Elisabeth Horwitt, George V. Hulme, Gregg Keizer, Jeremy Kirk, Richard Power, Jaikumar Vijayan, Bob Violino Editorial/Advertising/ Business Offices 492 Old Connecticut Path P.O. Box 9208 Framingham, MA 01701-9208 Main phone number: 508 872-0080 Subscriber Services Phone: 866 354-1125 Fax: 847 564-9453 cso@omeda.com

International Data Group Chairman of the Board Patrick J. McGovern IDG Communications, Inc. CEO Bob Carrigan Chief Content Officer John Gallant

2 www.csoonline .com September 2013

BEAT MALWARE AT ITS OWN GAME WITH A LAYERED DEFENSE

35% 50% 81%


spend more than 20 hours per week detecting and defending against advanced malware and a third spend at least one day per week on this problem. said they are not currently using any specific technologies to address these threats.

ADVANCED MALWAREA BIG PROBLEM THATS GETTING BIGGER

Advanced malware problem is a tough nut to crack


Traditional malware defenses like signatures are not enough, and stand-alone advanced malware solutions like sandboxing only take care of detection. But beyond that, sandboxing doesnt tackle the other critical requirements of a strong advanced malware defense namely, protection and remediation.

What worries IT security professionals most


According to a McAfee on-site survey at Black Hat USA 2013, as malware becomes more sophisticated security professionals are struggling to keep up.
Detection Chasing false positives Protection Breach notification Repair Other

20%
35%

22%
11% 9%

of security professionals interviewed at Black Hat USA 2013 say that advanced malware is a major concern.

3%

BIG IDEAS ARE NEEDED TO SOLVE THIS BIG PROBLEM


Thats where McAfee comes in. Our systematic, comprehensive arsenal of layered defenses meets advanced malware attacks head on. We dont just discover and identify threats, we contain them and repair the damage they do.

Advanced malware just doesnt stand a chance with McAfee Analysis and conviction

Containment and protection

Combined static analysis and dynamic sandboxing detect and classify malware accurately across multiple protocols. Signatures and behavioral analysis do a lot of discovery on the front end, minimizing the work that needs to get done in the sandbox. Threats are analyzed in the environment that matches the suspected malwares targeted system for more accurate results faster.

Information about newly convicted malware is immediately shared across multiple layers of defense. Integrated network security productsIPS and gateways stop malware from spreading.

Remediation

DONT WAIT FOR THE NEXT ADVANCED MALWARE ATTACK TO DISRUPT YOUR BUSINESS. FIND OUT HOW MCAFEE CAN HELP. www.mcafee.com/cmp.
Copyright 2013 McAfee, Inc. 60447ad_debunking-malware_cso_0813v7

Integrated endpoint defenses streamline the remediation process across the network. Tight integration significantly reduces your operational costs while efficacy improves.

D IG ITA L S PO T L IG H T

Advanced Persistent Threat

Fighting APTs Isnt a Losing Battle

But experts say it will take time, training and collaboration. BY TaYlOR ARmeRdinG
nation-states with vast resources, nor are they focused only on espionage or attacks against military and other government entities. They are living on networks in IT, energy, news, telecom, manufacturing and other sectors of the economy. But according to a number of security experts, while it will probably never be possible to eliminate them entirely, it is possible to detect APTs and minimize the damage they cause. There are solutions the sky is not falling, says Wade Williamson, senior security analyst at Palo Alto Networks. A lot of times security folks use APTs as an excuse for failure, but it shouldnt be. There are technologies that can help. Williamson is among those who also argue that detecting and defending against APTs effectively will take more than technology. In general, he says, the biggest change we need is not one of tactics, but strategy. Security must evolve to become a very creative discipline. Historically, security held the view of saying no to requests and blocking 100% of threats. Neither of these maxims is practical today. We need security professionals to be inquisitive to be looking out for the things that dont ex-

HE sUCCEss OF ADVANCED persistent threats (APT) is reportedly so pervasive that detecting and defeating them with any consistency may seem to be a hopeless battle. Based on news reports and multiple statements from U.S. officials, hackers from China breach the systems of all kinds of U.S. businesses, from major newspapers to defense contractors and cutting-edge technology companies, and remain undetected long enough to make off with billions in intellectual property and sophisticated weapon designs. Defense Secretary Chuck Hagel and officials from the National Security Agency and the Department of Homeland Security have called the power of APTs the security challenge of the modern era. Cyber is one of those quiet, deadly, insidious unknowns you cant see, Hagel told U.S. troops in Hawaii. Its in the ether its not one big navy sailing into a port, or one big army crossing a border, or squadrons of ghter planes. This is a very difficult, but real and dangerous, threat. There is no higher priority for our country than this issue. APTs are also no longer solely the domain of
6 www.csoonline .com September 2013

September 2013 www.csoonline .com 7

D IG ITA L S PO T L IG H T

Advanced Persistent Threat

actly make sense, and to ask themselves what it could mean, and how they should look deeper into the issue. We will always need automated security that blocks bad things, Williamson says, but we also need creative, engaged security experts to be looking for the creative, engaged bad guys on the other end of the connection. That said, there are a number of practices security experts recommend for organizations that are serious about the battle with APTs. In no particular order of ranking, they are:

Use big data for analysis/detection. The word from RSA Executive Chairman Art Coviello during his keynote address at the 2013 RSA conference is, The whole game here is to shift away from a prevention regime big data will allow you to detect and respond more quickly. That is endorsed by people like Aviv Raff, cofounder and CTO of Seculert, who notes that prevention from the perimeter is impossible; therefore, detection must be based on the ability to analyze data, which must be gathered from and analyzed over sustained time durations. And thats where big data analytics enters the picture. Of course, that takes an investment in analysis tools. IT does not have the automated tools needed to identify infections in a timely manner, says Brian Foster, CTO at Damballa. Instead they just have a ton of data. The industry needs to provide big-data approaches to IT for detecting infections in their network. Williamson agrees in part, calling big data useful in detection. But, he adds, The most important point is that the attack itself has spread out across multiple steps and technologies and our view of security of must break out of its silo view to be comprehensive as well.

Share information with the right people. According to Anton Chuvakin, writing on the Gartner blog last year, the bad guys share data, tricks [and] methods much better than the good guys. It is considered acceptable to sit on the hardearned knowledge of ways you used to detect that proverbial advanced attacker while your peers in other organizations are being owned by the same threat, he writes. And the cycle of suffering continues!!! To get an edge over APTs, he writes, organizations must share information in a way that helps them but doesnt benet the attackers and doesnt violate laws or regulations governing the sharing of sensitive information. Beyond the legal considerations, however, there are also economic constraints to sharing information. Brian Krebs, a former reporter at The Washington Post and author of the blog Krebs on Security, says he has seen progress in information sharing, but also efforts to hoard it to exploit it nancially. The past few years have seen the emergence of several companies that make decent prots selling and exploiting this intelligence, so there remains a fair amount of tension between sharing and hoarding information about threat actors and indicators, he says. Understand the kill chain. This is a so-called phase-based model to describe the stages of an APT attack. Those stages include reconnaissance, weaponization, delivery, exploit, installation, command & control and actions. As Lysa Myers, a virus hunter for Intego, put it in an InfoSec Institute article, In essence, its a lot like a stereotypical burglary the thief will perform reconnaissance on a building before trying to inltrate it, and then go through several more steps before actually making off with the loot. Obviously, the closer to the beginning of the

chain that one can detect and stop an attack, the better. Damballas Foster says attackers leave a trail of breadcrumbs that can lead right to the infected system. Understanding and analyzing this kill chain can be the key to implementing the appropriate defense controls at the necessary stage.

Look for indicators of compromise (IOCs). This is connected to kill chain understanding. No organization can stop every attack, so the IT team needs to know how to look for symptoms or breadcrumbs. This includes looking for the unique ways that an APT might communicate out of the network. Any unique DNS queries or websites it contacts are common IOCs, Williamson says. APTs will often customize their tools to their own needs, which will often provide the anomalies needed to distinguish an APT from normal traffic, he says. They will also use a variety of common applications like remote desktop applications, proxies or encrypted tunnels to communicate. Unusual use of these and other applications can be key to nding a true APT. This, of course, requires IT to have a very solid baseline for what is normal in their networks. Williamson says tracking user anomalies can help as well. For example, users talking to an SQL server may be normal on the network, but very abnormal for a particular user.

vulnerable. As the saying goes, everyone gets pen-tested, whether or not they pay for it. Krebs says he leans toward hiring someone from the outside. To use a tired but apropos analogy, it is often quite difficult to see the forest for the trees when you are standing on the forest oor. Often, it takes an outsider who has a more holistic and perhaps unbiased and APT-trained view of things to spot a more systemic problem. Support more training for APT hunters. Edwin Covert, a cybersecurity analyst and subject matter expert at Booz Allen Hamilton, argued recently in a post on Infosec Island that the industry needs a new training model for APT hunters, since the standard skills of an information security specialist are not enough. APT mitigation requires the ability to see things that are not readily apparent, he writes. The CISSP [Certied Information Systems Security Professional] was designed for technical managers, not APT hunters. Covert isnt downplaying the CISSP designation, since he holds it himself, but he says those with APT training will notice anomalous les that most administrators and even security personnel will not. And the need for specialists is critical. Covert quotes SANS Institute Director Alan Paller as saying there is a need for more than 30,000 APT specialists, but that only about 1,000 to 2,000 have the necessary skills to combat the numerous real-life scenarios happening in todays organizations. Taylor Amerding is a frequent contributor to CSO.

Test your network. This can include active analysis or sandboxing. One of the best ways to determine if something is bad is to actually run it and see if it behaves badly, Williamson says. Blogger Krebs adds that while there are vulnerability management tools to help close obvious holes, there is no substitute for periodically hacking your own networks (or paying someone else to do it) to nd out where you are

8 www.csoonline .com September 2013

September 2013 www.csoonline .com 9

D IG ITA L S PO T L IG H T

Advanced Persistent Threat


POINT/COUNTE R POINT

Why Active Defense Is a Sorely Needed Approach

BY StewaRt A. BaKeR
hackers arent getting in because theyre smarter or because they are spending more money. Theyre getting in because attacking is easier. And its easier because of human nature. Cyberdefenders have to guard against thousands of vulnerabilities 24/7, and they have to be 100% successful. Networks are used by people, who can be relied upon to engage in risky behavior (e.g., using weak passwords, visiting websites that they shouldnt, indiscriminately opening email attachments). Attackers now have access to more information about their victims than they have ever had before, due to the explosion of social networking. Those who want to stop cyberespionage by putting an end to all of these unsafe practices stand a better chance of ending venereal disease by getting everyone to use condoms. Actually, relying on passive defense to prevent cyberattacks is even dumber than that. The viruses that cause venereal disease arent thinking adversaries, but hackers are. So relying on passive cyberdefense to stop them is like

CtiVE DEFENsE isNt JUst A good idea. Its a necessity. We have to go beyond passively defending our networks for the simple reason that such defenses have conclusively failed. From RSA to Bit9 to the Pentagon, networks run by securityconscious administrators have been penetrated with embarrassing ease. Oh sure, defenders of the status quo will say that all those penetrated networks were run by fools who made simple and avoidable mistakes. If only those network operators had kept their systems patched and up to date, they say, the networks would not have been compromised. And if youve been compromised, youre doing it wrong. What the defenders of passive defense say about good network defense is pretty much the same thing that academic Marxists used to say about true communism, that its never really been tried. But like the defenders of communism, advocates of pure defense are ignoring the inherent fallibility of human beings. The
10 www.csoonline .com September 2013

trying to stop street crime by requiring every pedestrian to buy new and better body armor every six months. It wont work, at least not until we raise the cost of attacking innocent pedestrians. In theory, the government could itself raise the cost of cyber-intrusions, by investigating each intrusion, identifying the intruders, and then using criminal or even military means to punish and deter them. Why not leave that job to the professionals? Thats pretty much what the computer crime section of the Justice Department has been telling us since the 1980s. But after 30 years, everyone except the computer crime prosecutors knows the answer: The professionals have failed. Today the government doesnt have the resources to investigate every intrusion, let alone prosecute or take other action against the intruders. The scale of the problem is far beyond what the Department of Justice and the FBI can handle. The Bureau doesnt have the manpower and it doesnt have the technical capacity to investigate all intrusions in detail. And, given the current budget climate, it never will. Only in the private sector are we likely to see a continued rise in expenditures to ght network attacks and cyberespionage. Even if it had the resources, the Justice Department apparently lacks the tools, or the will, to do anything about the intrusions. For reasons that seem compelling to government professionals, if not to the rest of us, officials have been consistently unwilling to tell the American public what they know about cyberespionage. Whats more, when companies are attacked,

Most proponents of active defense advocate more limited (and more useful) evidencegathering activities, aimed at identifying the attackers.

the task of identifying and coping with the attacks falls to private remediation companies. The governments role consists largely of offering sympathy and some security tips to follow next time pretty much the same thing youd get if you reported a stolen bicycle in New York City. Whats particularly discouraging about the prosecutors failure is that it could be so different. In fact, we stand on the verge of a revolution in attribution that could transform computer defense by dramatically raising the cost of cyberespionage. Because it turns out that all the human traits that cause our security to fail also plague our attackers when they try to hide their identities: They make mistakes when theyre in a hurry or overcondent. They leave bits of code behind on abandoned command-and-control computers. They reuse passwords and email addresses and computers. Their remote access tools are full of vulnerabilities. These are openings that private researchers from Mandiant and Trend Micro to SecDev and the Citizen Lab have exploited; theyve traced cyberattacks to the command and control computers used to carry them out, then to homes and offices of the hackers that perpetrate them. I call it Bakers law: Our security sucks, but so does theirs. And it opens the door to raising the cost of intrusion by the simple tactic of identifying the attackers and punishing them. For reasons Ive made clear, its the victims and the investigators they hire who have the resources and the interest needed to gather attribution evidence. They should do it responsibly
September 2013 www.csoonline .com 11

D IG ITA L S PO T L IG H T

Advanced Persistent Threat


POINT/COUNTE R POINT

avoiding harm to innocent parties, sticking largely to evidence-gathering, sharing what they learn with other victims and with governments and they should be sanctioned if they dont. But there is simply no excuse for the computer crime prosecutors effort to brand such actions as criminal. Of course, attribution only works if its followed by retribution. And the Justice Departments record of effective deterrence is nothing to brag about. So, should victims also be allowed to mete out retribution without involving the government? Thats the question that opponents of active defense always leap to answer. They call active defense hacking back and conjure images of cyber-vigilantes armed with pitchforks or blindly throwing cyber-rocks into the dark. That kind of active defense, they say, will only launch a cycle of escalating retaliations. Pretty scary. But not what most of us mean by active defense. Most proponents of active defense do not advocate blindly lashing out at unidentied hackers; instead, they advocate more limited (and more useful) evidence-gathering activities, aimed at identifying the attackers. It is hard to see how spying on the spies would result in an out-of-control cycle of escalations. And to my mind, theres no contradiction between allowing victims to collect information from their attackers systems and prohibiting them from causing damage to those systems. Thats not meant to be an endorsement of the governments current efforts at retribution and deterrence, which have largely failed. But that

failure argues rst for turning to other agencies and other tools in the ght against cyberespionage. As I have written elsewhere, there are many tools that government can use to deter cyberespionage once we improve our attribution capabilities. These range from naming and shaming nations, to imposition of sanctions on companies that use stolen intellectual property, to civil suits or criminal prosecutions. Perhaps at some point in the future we might want to authorize victims to take further types of action like deleting their own stolen data from an attackers system. But there is a lot we can do short of that by simply allowing companies to focus on evidence-gathering and encouraging government to show more imagination in punishing the hackers the victims identify. We ought to try those things before we get the pitchforks out. Stewart Baker, a partner in the Washington office of Steptoe & Johnson, is the former assistant secretary for policy, Department of Homeland Security, and former general counsel, National Security Agency. He is the author of Skating on Stilts: Why Were Not Stopping Tomorrows Terrorism.

Why Building In Security Is Better Than Active Defense

BY GaRY MCGRaw
should be the Secret Service, the FBI and law enforcement agencies, not private individuals and corporations. Its ridiculous to say that if you get punched in the nose, you should be able to punch somebody right back in the nose. That isnt the way the law works. If you get punched in the nose, youre supposed to le an assault charge. Its also true that government doesnt have the resources to investigate and prosecute every intrusion. Theres a reason for that. Everybodys stuff is so broken that even script kiddies can cause big trouble. But the alternative isnt to let corporations and individuals run around shooting their guns and killing people tried only in their heads at the heat of the moment. The active defense argument reminds me of the stand your ground laws found in some states, which I nd pretty reprehensible (and Im a gun owner). I just dont think that a decision about deadly force should be left up to individuals, especially in the fog of real time. Either were going to be a society of laws or were not. Its amazing to me that people who seem othSeptember 2013 www.csoonline .com 13

Even if it had the resources, the Justice Department apparently lacks the tools, or the will, to do anything about the intrusions.
12 www.csoonline .com September 2013

ts trUE tHAt tHE OlD pArADigm of computer security that is, protecting the broken stuff from bad people by putting a thing between them is broken. Its also true that reactive computer security has failed. So whats the alternative? Build systems that arent so riddled with vulnerabilities that even a sixth-grader can exploit them the rather sad situation that we nd ourselves in today! We do have serious issues with our standard approach to computer security, but that doesnt grant us permission to be silly and resort to the vigilantism of the Old West. Thats ridiculous and childish, because it means taking the law into your own hands. Were supposed to have laws and international norms to govern what happens when people and organizations dont follow the rules. Such norms dont always work internationally, and theyre by no means perfect, but the rule of law is certainly better than complete chaos and anarchy. Should we go after people who cause cybersecurity problems? Absolutely, but the we

D IG ITA L S PO T L IG H T

Advanced Persistent Threat If the proponents of active defense have their way, we will all lose.
hit him in the head and knock him silly, he was going to pick the rock up off the ground and throw it right back at you. So we learned very quickly, around the time of the Romans, that when you deploy a weapon, you dont want it to be able to be picked up and thrown right back at you. Thats why Roman spear technology was designed so the weapons would kill somebody, but couldnt be redeployed immediately in the other direction. (This had to do with spear shafts and launching technology.) Cyber-people havent even gotten that far yet. If the suggestion is that we go after our attackers by exploiting their systems, guring out who they are, nding our les and getting them back as some sort of real-time thing, then that represents a serious misunderstanding of cybersecurity. If we want to solve this problem, we have to resort to building systems that arent so easy to attack. Only then will we be able to gure out who the real attackers are versus the script kiddies. Its just too easy to attack now. Its like were all running around without locks on our doors and were really mad about crime. To stretch our analogy, we actually know how to make locks, so we should start deploying them. We should practice some real security engineering. It is correct that the previous computer security paradigm has failed. Standing around monitoring our broken systems is untenable because our systems are so broken. Watching for attacks is more than a full-time job. Its like being a volunteer re department in the age be-

erwise sane suggest that we should resort to anarchy when it comes to computer security. If the proponents of active defense have their way, we will all lose. The only valid alternative is to build stuff that isnt broken. You should demand of your vendors and of your technology providers that they actually build in security. Ask them for some proof that theyve done that! An analogy may help us think about this. If you are sitting in your kitchen with only a screen door as your security mechanism, and bad guys keep breaking into your house because they simply open up your screen door or they slash the screen and unhook it, the alternative isnt to buy a gun and shoot anyone who comes through your screen door but to go out and get a sturdy door with a lock. On another point, claims that the attribution problem is solved are wrong. It isnt. In fact, its not even partially solved. The argument that the Mandiant guys gured out that it was the Chinese military that carried out the attack on The New York Times is interesting, but it took Mandiant six months to do that work and their study was based on four years worth of evidence. Thats a very careful (and commendable) fo-

someone else is attacking them. Thats all Attacker 101 stuff. Put it this way: If a simple-minded corporation that doesnt really understand Internet technology has permission from society to attack back, it will be duped into attacking the wrong people and might even start a real war. I dont want some corporation like MomandPop.com to decide that it has the right to attack the Chinese military and then to try to do it, because MomandPop.com will be obliterated. Active defense generally means attacking back. Its a doublespeak term for offense. Nobody thinks that we should do nothing. What Im suggesting is that we have got to develop some international norms, we have to follow the rule of law, we have to come up with evidence, we have to use that evidence in a meaningful fashion to out the people who are doing this stuff and make them stop. But thats a far cry from allowing corporations to attack back. Gathering evidence is ne. But some very misguided people have suggested that you could booby-trap a document, that the document could then be taken by the bad guys, and it could phone home and tell you what is going on and maybe even exploit the bad guys system

fore sprinkler systems. Back then you couldnt get re insurance because buildings burned down all the time. Remember what happened after the San Francisco earthquake of 1906? Practically the whole city burned down because there were no re codes, no sprinkler systems and no re hydrants. It was just chaos; buildings were shoddily constructed out of ammable materials. Weve come a long way in construction codes since 1906. You can even buy re insurance these days. We need to make similar progress now in computer security by adopting security engineering and building security into the technology systems we depend on. Gary McGraw is CTO of Cigital.

If we want to solve this problem, we have to resort to building systems that arent so easy to attack.
rensic operation. Kudos to the skills of the Mandiant guys. But its not like when somebodys attacking you, you can just attack back in real time because you think you know who they are. You dont know who they are. Its exceptionally easy for an attacker to use the reactive technologies that weve set up, like intrusion detection systems and monitoring systems, or to hop through a bajillion nodes, to cause the person or organization being attacked to think
14 www.csoonline .com September 2013

at the same time. But the notion of booby-trapping a document with an exploit turns out to be handing an actual attack to the people who are theoretically attacking you, all packaged up and ready to go. Its like, Here is this exploit. Why dont you turn it around and use it against us? Back in the Stone Age, the height of attack technology was a rock. When you picked up a rock and threw it at your enemy, you had to make sure you hit him. Because if you didnt

September 2013 www.csoonline .com 15

D IG ITA L S PO T L IG H T

Advanced Persistent Threat

T
Thinkstock

Advanced persistent threats have evolved, and experts say they arent just for nation-states anymore. BY TaYlOR ARmeRdinG
in their operations after the release of the APT1 report. Indeed, three months after APT1 was exposed, The Washington Post reported on a condential report from the Defense Science Board (DSB) to the Pentagon that hackers had stolen designs of more than two dozen major weapons systems critical to U.S. missile defenses and combat aircraft and ships. While the DSB didnt directly accuse the PLA, senior military and industry officials with knowledge of the breaches said the vast majority were part of a widening Chinese campaign of espionage against U.S. defense contractors and government agencies, the Post reported. There are various estimates of how long the average APT remains undetected, but it can easily exceed a year. Mandiant reported that the median is 243 days. But the rms report on APT1 found that the unit maintained access to victims networks for an average of 365 days, with the longest being just two months short of ve years. And Aviv Raff, CTO at Seculert, says research shows the average is more than 400 days. Bloomberg reported in May on a breach of defense contractor QinetiQ North America
September 2013 www.csoonline .com 17

APTs: Stealthier and More Persistent Than Ever

HE EVOlUtiON OF ADVANCED persistent threats (APTs) essentially comes down to one word: more. They have become more advanced, more persistent, and more of a problem since becoming a signicant part of the cyberattack landscape nearly a decade ago. That is partially because there are more of them. Firmex, a provider of virtual data rooms, reported this year that the number of APT attacks doubled in 2011 compared with years past. And while there have been signicant steps made in detecting and responding to APTs in recent years Mandiants outing this past February of Unit 61398 of the Chinese Peoples Liberation Army, also known as Comment Crew and APT1, got international attention many attackers still get inside organizations, both private and public, and remain undetected for years. Mandiant reported in May that while APT1s activity had decreased, it was still operational, with a discernible post-report shift towards new tools and infrastructure. The company also found that of the 20-plus APT groups of suspected Chinese origin that it tracks, there had been no signicant changes

16 www.csoonline .com September 2013

D IG ITA L S PO T L IG H T

Advanced Persistent Threat

that went on for three years and compromised most if not all of the companys research, which includes work on secret satellites, drones and software used by U.S. Special Forces in Afghanistan and the Middle East. The denition of APTs is evolving as well. Some experts say they are a who, dened by the attacker, while others contend they are a what, dened by a technique or method. Daniel Gold, writing for InfoSec Institute, leans toward who, calling APTs groups of highly adept IT professionals with the funding and resources required to maintain a constant onslaught of cyber-attacks against their target organizations. Mandiant would seem to be in that camp as well, since it named the unit it tracked APT1. So is Rob Lee, a digital forensics trainer at the SANS Institute and a former director at Mandiant. His denition of APT is as follows: a cyber-adversary displaying advanced logistical and operational capability for long-term intrusion campaigns. Its goal is to maintain access to victim networks and exltrate intellectual property data as well as information that is economically and politically advantageous. But Jeffrey Carr, in a recent opinion column in Forbes, argued: If APT only refers to this type of attack conducted by the Peoples [sic] Republic of China, what do we call identical attacks sponsored by other nation-states like the Russian Federation? When you have multiple whos [sic] operating with similar or identical methods, I think it makes more sense to name the method rather than the actor. Jeremy Demar, senior researcher at Damballa and a Navy veteran, says the U.S. government view is expressed in publications by the Department of Defense. Those reports also lean toward the what, describing both attacks and exploitation as actions taken to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or
18 www.csoonline .com September 2013

to collect intelligence via computer networks that exploit data gathered from target or enemy information systems or networks. Wade Williamson, senior security analyst at Palo Alto Networks, says he thinks some of the disagreement is due to the evolution of APTs. The term initially came out of the government defense side of the world, and it was almost code for Chinese hackers, he says. It was tied to, Who are the folks behind it? But now its grown beyond nation-states, and the techniques have spread, he adds. All kinds of data get stolen with this. The APT strategy enables virtually any type of offensive network behavior by virtually any type of actor. That now includes groups much smaller than nation-states, like hactivists and crime syndicates, which now have the skill and funding to use APT techniques. The who or what questions are important for an organization concerned with protecting sensitive or valuable data, [but] the most important question to respond to is how, says Geoff Webb, director of solution strategy at NetIQ. Understanding how these threats compromise security, and thereby developing a good response, is the keystone of building a security plan that survives contact with the enemy. Joel Harding, a retired military intelligence officer and information operations expert, noted in a recent presentation that APTs arent conventional cyberattacks they arent specically a DDoS, a botnet, malware, phishing or spear-phishing, spoong, spyware, a Trojan, a virus, a password sniffer, spamming, identity theft, social engineering or a Web browser exploit but can include them all. There is almost unanimous consensus, however, that APT actors, unlike conventional hackers or criminals, are interested in a specic target. Bruce Schneier, chief security technology officer at BT, notes in a blog post that de-

The APT strategy enables virtually any type of offensive network behavior by virtually any type of actor.
Wade WILLIamson, senior secUritY anaLYst, PaLo ALto Networks
fending against conventional hackers is much different, and easier, than defending against APTs. Security against [the conventional] attacker is relative; as long as youre more secure than almost everyone else, the attackers will go after other people, not you, he writes. An APT is different; its an attacker who for whatever reason wants to attack you. Against this sort of attacker, the absolute level of your security is whats important. It doesnt matter how secure you are compared to your peers; all that matters is whether youre secure enough to keep him out. Even that may be evolving. The APT methodology has [increasingly] become the de facto standard, Williamson says. A lot of APTs may not be targeted theyre more opportunistic. You see folks getting inside networks and then selling that access, which is a change. Youre seeing this strategy adopted on a larger scale. But there is no disagreement that, as Schneier puts it: APT attackers are more highly motivated. Theyre likely to be better skilled, better funded, and more patient. Theyre likely to try several different avenues of attack. And theyre much more likely to succeed. Indeed, it is generally acknowledged that 90% of organizations nd out about APT intrusions from a third party usually government and law enforcement. And that, as noted previously, is generally after the attackers have been on the inside for months or even years. Damballas Demar says that gure may be somewhat misleading. Its not that 90% of the victims are unable to detect some of the threats, its just that information sharing and reporting to law enforcement is getting better, he says. Still, the Verizon 2013 Data Breach Investigations Report found that 66% of APT attacks werent discovered for months. There are a number of reasons for that success, experts say. As Schneier wrote, APT attackers tend to be better skilled and funded many times because they are working for, or with the knowledge and support of, a nation-state. They have evolved in their skill at gaining entry to networks through much more sophisticated spear-phishing tricking an insider into opening a malicious email that appears to come from a very trusted source like an employees manager, the head of the IT department, a Facebook friend or another familiar person. It is also done through infected media, through malicious links embedded on social media sites and through compromising supply chains. It can be spear-phishing, but not always, says Seculerts Raff. Watering holes a zero-day on a specic website the target will visit are also an increasing trend of attack vector. Social engineering in its many forms, whether it is physical or virtual, is indeed the way the attackers are using to get into corporate networks. Those attacks can include fake prole pages on sites like LinkedIn and Facebook. Williamson says one of the reasons APTs are so successful is because the advanced part of the name is a bit of a misnomer. A lot of the APTs on networks are relatively common, and thats what helps them stay on the network, he
September 2013 www.csoonline .com 19

D IG ITA L S PO T L IG H T

Advanced Persistent Threat Understanding how these threats compromise security, and thereby developing a good response, is the keystone of building a security plan that survives contact with the enemy.
GeoFF Webb, director of SoLUtion StrategY, NetIQ
says. They stay below the water line, where nobodys looking out for them. He also notes that the perception that APTs gain entry and remain undetected because they are zero-day exploits is also misleading. It isnt that it is a never-before-seen type of malware, but is instead an existing one in disguise. The trick attackers use is to take known malware and re-encrypt it, so it looks like a different le. Once its decrypted, it runs the same way it always has. All you need is to get one thing through the wall, he says. Its hard to detect them with traditional signatures, says Williamson. Its just a le it doesnt stand out as anomaly. Many network security teams simply do not monitor their internal network traffic for exploits and malware, so attacking from the inside of the network may be far more successful. Also, because the APT resides on one or more trusted systems, it can easily blend in with normal network traffic, he adds. The APT can communicate back out to its attackers using web traffic, small customized messages, instant messaging, DNS and the list goes on. But part of the success of APTs is due to the difficulty and expense of maintaining a good defense. IT is still too dependent on the traditional Tootsie Pop prevention approach hard on the outside and soft/accessible on the inside, says Brian Foster, CTO at Damballa. The smartest threats know how to evade traditional S&S [signature and sandboxing] defenses to get in. And once they do get in, theyre
20 www.csoonline .com September 2013

Resources
Block and Tackle Stealthy Villians at Every Vector and Every Attack Phase
The most damaging kind of cyberattack is a stealthy one. This solution brief offers best practices, tips, and tools to root out rootkits and other advanced malware. Learn about the controls that work together to block the activities of each phase of an attack.

able to remain undetected by these solutions, which just look at traffic going one way in. Another difficulty: It is hard to maintain a trained, experienced workforce. Good people leave, says Mandiants Lee. They get experience, became good and then hire themselves out. You lose half of your cyber-detection army. Theres a bidding war going on for the most experienced. You can teach what these threats look like, but there is a huge difference between training and experience. Taylor Amerding is a frequent contributor to CSO.

Adapt Layered Defenses for Comprehensive Malware Protection


Sophisticated advanced targeted malware requires a sophisticated approach. This solution brief explains how to defend your organization with a comprehensive, layered approach that identies, contains, and remediates these insidious threats.

Why Malicious Cyberactivities Are The Greatest Transfer of Wealth in Human History
Estimating the cost of malicious cyberactivities is complicated. But the real issue is how it affects trade, technology, and economic competition. This in-depth report takes a look at the scope of the problem and what factors determine the real cost of cybercrime.

Stand Up to Malware with an Arsenal of Layered Defenses that Identifies, Protects, and Remediates
Smart and malicious advanced malware is targeted stealthy, evasive, and adaptive. Sandboxing and other stand-alone products cant do the job on their own. This editorial brief explains why you need an arsenal of layered, integrated defenses to protect against these sophisticated threats.

September 2013 www.csoonline .com 21