“Cyber is one of those quiet, deadly, insidious unknowns you can’t see,” Hagel told U.S. troops in Hawaii. “It’s in the ether — it’s not one big navy sailing into a port, or one big army crossing a border, or squadrons of fighter planes … This is a very difficult, but real and dangerous, threat. There is no higher priority for our country than this issue.”
The quote above comes from a recent CSO Online article about the “Advanced Persistent Threat”. Not surprisingly, Secretary Hagel has the hyperbole dial pinned at 11; I hope that the Secretary of Defense would consider our troops in Afghanistan a higher priority. Maybe Iranian nukes. But I digress…
Advanced Persistent Threat is yet another buzzcept that is nowhere near as complex as it sounds. The Wikipedia article on APT, which is on the Internet and thus must be true, actually gives a pretty good plain-language description. Unfortunately the article tarts up the APT with a process flow diagram, showing that even hackers can’t do their jobs without stupid PowerPoint slides.
Process flows aside, the key thing to understand about APT is that you are the target, not a target. Ordinary hackers and cybercriminals are hammers in search of a nail: any target will do, since almost any target provides the ego boost or financial gain those actors seek. The actors behind an APT are going after one specific organization, and they are not looking for a quick score; they intend to keep their access and continue to steal data and affect operations for as long as they can. And if they get booted out, they’re going to start trying to get back in…because you are the target.
With this in mind, we can look at the recommendations in the CSO article for how to combat the APT:
1. Use big data for analysis/detection – Seriously, what the heck does that mean? How precisely does one “use big data”? I read the article, and other than some vacuous quotes from folks who are trying to make money detecting the APT with big data, there’s no meat here.
2. Share information with the right people – But per the article no one actually does this, and in fact nobody is incentivized to do it. I agree sharing is better than not sharing, but that’s not the world we live in. Next.
3. Understand the “kill chain” – I don’t understand the kill chain, so here’s a tip from the article: “This is a so-called ‘phase-based’ model to describe the stages of an APT attack. Those stages include reconnaissance, weaponization, delivery, exploit, installation, command & control and actions.” Actually, this sounds exactly like a botnet. Or any other hack. Yeah, a botnet may skip some of the phases, but there’s likely some variation amongst APTs too. It’s not wrong, but it’s not clear to me how it provides any insight unique to APTs.
4. Look for indicators of compromise – Now we’re getting somewhere, even though the advice boils down to “don’t assume you haven’t been attacked just because your IDS hasn’t thrown an alert”. Even with no specific reason to believe you’ve been hacked, keep an eye out for anomalous activity on your network, particularly machines talking to each other that have no good reason to talk (a workstation opening file shares on other workstations, or a host phoning home to the same outside address on a fixed schedule). This is good hygiene against the insider threat as well.
5. Test your network – A bit more of the same: be proactive about looking for vulnerabilities, with both automated vulnerability scanning and penetration testing. The article recommends an external penetration tester, like Dover Networks. Well, they don’t mention Dover Networks, but one can infer it from context.
6. Support more training for APT hunters – Yeah, this is a good idea, though there is not much indication of what the right training is. Personally I recommend offensive training, almost any flavor, since it all gets you thinking like an attacker. CISSP training is fine for what it does, but it doesn’t really address APT. Take the human body as an analogy for information security. Your CISSPs are the skin: critically important, since you’d die without it, but it doesn’t help much once an infection gets past it. Your APT hunters need to be the white blood cells: adaptable individuals who go after whatever got inside.
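To make item 4 concrete, here is an added example (not code from the original post or from the CSO article) of the two checks described there, run over a constructed set of flow records in Python: internal-to-internal conversations that are not on a hypothetical, hand-written allow-list, and internal-to-external connections that recur at suspiciously regular intervals. The networks, hosts, flows and allow-list are all made up for the illustration; a real baseline would be learned from weeks of traffic, not typed in.

```python
"""Two indicator-of-compromise checks over network flow records.

Added example, not code from the original post or the article it discusses.
All hosts, networks and flows below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Address space treated as "ours" (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Hypothetical allow-list of internal conversations: (source network, destination host).
# In practice this is learned from historical flow data, not typed in by hand.
ALLOWED_INTERNAL_PAIRS = [
    (ip_network("10.0.1.0/24"), ip_address("10.0.10.5")),   # workstations -> file server
    (ip_network("10.0.1.0/24"), ip_address("10.0.10.53")),  # workstations -> DNS
]

# Constructed sample flows: (timestamp, src, dst, dst_port, bytes).
FLOWS = [
    ("2013-03-01T09:00:00", "10.0.1.12", "10.0.10.5",    445, 20000),
    ("2013-03-01T09:00:05", "10.0.1.12", "10.0.10.53",    53,   120),
    ("2013-03-01T09:01:00", "10.0.1.12", "10.0.1.40",    445, 5000000),  # workstation -> workstation SMB
    ("2013-03-01T09:03:17", "10.0.1.12", "203.0.113.9",  443, 45000),    # ordinary browsing
    ("2013-03-01T09:47:02", "10.0.1.12", "203.0.113.9",  443, 30000),
    ("2013-03-01T09:00:00", "10.0.1.40", "198.51.100.7", 443,   900),    # same address every 5 minutes
    ("2013-03-01T09:05:00", "10.0.1.40", "198.51.100.7", 443,   910),
    ("2013-03-01T09:10:00", "10.0.1.40", "198.51.100.7", 443,   890),
    ("2013-03-01T09:15:00", "10.0.1.40", "198.51.100.7", 443,   905),
    ("2013-03-01T09:20:00", "10.0.1.40", "198.51.100.7", 443,   915),
]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def pair_allowed(src, dst):
    s, d = ip_address(src), ip_address(dst)
    return any(s in net and d == host for net, host in ALLOWED_INTERNAL_PAIRS)


def unexpected_internal_pairs(flows):
    """Internal hosts talking to internal hosts they have no known reason to talk to."""
    return {
        (src, dst)
        for _ts, src, dst, _port, _size in flows
        if is_internal(src) and is_internal(dst) and not pair_allowed(src, dst)
    }


def beacon_candidates(flows, min_flows=4, max_jitter=0.1):
    """(src, dst, mean_gap_seconds) for internal->external pairs that connect at
    nearly constant intervals. Jitter is stdev/mean of the gaps between flows:
    a human browsing is irregular, a callback timer is not."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _size in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((src, dst, avg))
    return sorted(found)


if __name__ == "__main__":
    for src, dst in sorted(unexpected_internal_pairs(FLOWS)):
        print(f"unexpected internal conversation: {src} -> {dst}")
    for src, dst, avg in beacon_candidates(FLOWS):
        print(f"possible beacon: {src} -> {dst} every {avg:.0f}s")
```

Neither check needs a signature, which is the point: the workstation-to-workstation SMB transfer and the five-minute callback are flagged purely because they are out of place, and the ordinary browsing to 203.0.113.9 is not. Both are also exactly the patterns an insider moving data around would produce.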
So there are some good tips there, about as good as we have at this point. Without pimping a specific vendor’s product, I would also recommend investing in a host-based agent that can baseline host configuration, such as system directories and registry keys, and report what has changed. These sorts of products can often detect anomalous behavior on a single host, and once an infection has been diagnosed on one machine they are certainly helpful in finding and cleaning up the same infection across the rest of the fleet.
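As an added illustration of what such an agent does underneath (this is not any vendor’s code or code from the original post), the Python below baselines a directory tree by file digest, diffs a later snapshot against it, and then compares snapshots from several hosts to find files that exist on only a few of them. The “system directory” is a temporary tree constructed for the demo, and the simulated compromise (a dropped DLL, an edited hosts file, a new task) is made up; on a real host you would point `snapshot()` at the directories you care about and store the baseline somewhere the host itself cannot alter it.

```python
"""Baseline-and-diff of host files, plus a cross-host outlier check.

Added example, not any vendor's product or code from the original post.
The directory tree and the "compromise" are constructed inside run_demo().
"""
import hashlib
import os
import tempfile
from collections import Counter


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative, '/'-separated) to its digest.
    Symlinks are skipped so a link cannot be used to make one file look like another."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = _sha256(full)
    return result


def diff_snapshots(baseline, current):
    """Files added, removed or changed between two snapshots of the same host."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def cross_host_outliers(snapshots_by_host, max_fraction=0.2):
    """(path, digest) pairs present on at most max_fraction of hosts.
    Useful when there is no trusted baseline: hosts that should be built the
    same way are compared against each other instead."""
    total = len(snapshots_by_host)
    counts = Counter()
    for snap in snapshots_by_host.values():
        for path, digest in snap.items():
            counts[(path, digest)] += 1
    return sorted(k for k, n in counts.items() if n / total <= max_fraction)


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed scenario: baseline a fake system directory, simulate what an
    implant typically leaves behind, and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "System32/svchost.exe", b"legitimate service host")
        _write(root, "System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "Tasks/Backup", b"<Task>nightly backup</Task>")
        baseline = snapshot(root)

        # Simulated compromise (constructed): dropped DLL, hosts file edited to
        # blackhole an update server, persistence task added, a task removed.
        _write(root, "System32/msupdate.dll", b"not from Microsoft")
        _write(root, "System32/drivers/etc/hosts",
               b"127.0.0.1 localhost\n127.0.0.1 av-update.example\n")
        _write(root, "Tasks/Updater", b"<Task>run msupdate.dll</Task>")
        os.remove(os.path.join(root, "Tasks", "Backup"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

The diff alone is just file integrity monitoring; the part that matters for the “mass infection” case is `cross_host_outliers()`: once one host’s `msupdate.dll` has been diagnosed as bad, the same (path, digest) pair is a ready-made indicator to sweep every other host for, and conversely a file that only a handful of supposedly identical hosts carry is worth a look before anyone has diagnosed anything.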