APTs and Small Businesses: Hype or Real?

A new buzzword seems to emerge every few hours these days. If it’s not “Cloud”, it is “DLP”. One of the latest, in the security field at least, is “APT”. Debian-based Linux users hear “apt” and think of the Advanced Package Tool and front-ends such as Aptitude, the package update tools. This APT refers to Advanced Persistent Threat, a term that is argued to have been coined by Washington D.C.-based security firm Mandiant.

It is a new attempt at restating an old problem of information security. Think of the old telephone trap and trace, satellite imaging, the presence of undercover operatives on the enemy’s side of the fence, and so on. Just like “Cloud” and “DLP”, the phrase sounds catchy and has enough of an ominous ring to it to make CEOs and CISOs perk up when it is thrown at them by the master pitchmen of security providers.

What is Advanced Persistent Threat (APT)?

“Hacking” has evolved from the fun-loving explorations of yore into a money-making venture. It is no longer the curiosity to understand the inner workings of an operating system or the desire to know what makes a device work. Now it is the theft of credit card and identity information for sale to the highest bidder. It almost reminds you of the age of mercenaries, soldiers of fortune who would take down a government for the right price.

We all know about bots, botnets and drive-by downloads. These are part of what makes APTs big business these days. That is the new face of the threat we face, and I believe this is what the vendors are selling under the serious-sounding name of Advanced Persistent Threat.

The concept is real, just like online storage, software as a service and Data Loss Prevention. I do feel, however, that vendors are again playing this up to hype level so they can sell their gadgets to clients whether or not the solution is right for the environment.

That businesses, organizations and individuals face constant threats on the internet today is not a new phenomenon. Just install a simple personal firewall like ZoneAlarm or Comodo and plug a computer directly into your internet router. Within a matter of seconds, watch the firewall go crazy with alerts. The threats have always been there. To paraphrase President Obama:

…[I]n this information age, one of […]our greatest strengths — in our case, our ability to communicate…through the Internet — could also be one of […]our greatest vulnerabilities.

The advanced and persistent aspects of the threat are where the new focus lies, and both follow from the intruder’s need to work without detection for as long as possible.

Definitions of precisely what an APT is vary, but Wikipedia summarizes APTs by the three requirements in the name:

Advanced – Operators behind the threat utilize the full spectrum of intelligence gathering techniques. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence gathering techniques such as telephone interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They combine multiple attack methods and tools in order to reach and compromise their target.

Persistent – Operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful.

Threat – means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The operators have a specific objective and are skilled, motivated, organized and well funded.

The advanced aspect of these persistent threats, or what some have described as a “confluence of personal identity theft and massive pervasive attacks against corporations, government targets, and especially military facilities”, is what I think the pitchers of APTs want to highlight.

A key requirement for APTs (as opposed to your good old botnet) is to remain invisible for as long as possible. As such, to quote Damballa: “the criminal operators of APT technologies tend to focus on ‘low and slow’ attacks – stealthily moving from one compromised host to the next, without generating regular or predictable network traffic – to hunt for their specific data or system objectives. Tremendous effort is invested to ensure that malicious actions cannot be observed by legitimate operators of the systems”.

An APT-type attack is all about espionage, not destruction, so it is safe to argue that the attack objectives will typically extend beyond immediate financial gain: the compromised systems have to stay in service, and stay quietly compromised, even after key systems have been breached and the initial goals reached. For example:

  • A computer code known as “Poison Ivy” was designed to suck sensitive data out of a $4 billion consulting firm’s computer network.
  • RSA recently reported that some of its confidential data has been compromised, including information about the company’s SecurID technology.
  • DuPont, Walt Disney, Johnson & Johnson, Sony, and General Electric have all been hit by APT attacks, along with several law firms and insurance companies.
  • Investment firms and banks such as Morgan Stanley have been compromised.
  • McAfee revealed that the world’s biggest oil and energy companies have been victimized.
  • The U.S. government took APTs seriously enough a couple of years back that it launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government’s most critical networks.
  • President George W. Bush, while in office, quietly signed an order known as the Cyber Initiative to overhaul U.S. cyber defenses, at an eventual cost in the tens of billions of dollars.

Well-funded APT adversaries do not necessarily need to breach perimeter security controls from an external perspective. They can, and often do, leverage “insider threat” and “trusted connection” vectors to access and compromise targeted systems.

People Are Still The Weakest Link:

Remote control functionality is said to be at the heart of every APT. It is a necessity if the intruder wants “to navigate to specific hosts within target organizations, exploit and manipulate local systems, and gain continuous access to critical information”.

For all intents and purposes, a targeted organization may employ sophisticated technologies to prevent infection and compromise of its digital systems, yet criminal operators often tunnel in to the organization (over SSL or SSH) using the hijacked credentials of employees or business partners, or via less-secured remote offices. As such, almost any organization or remote site may fall victim to an APT and be used as a soft entry point or information harvesting point.

And here is where the rubber meets the road for small business owners. Heather Adkins, information security manager at Google, said that the biggest lesson the company learned from Operation Aurora was that it takes a specialized, on-site team to respond to Advanced Persistent Threats:

The first thing we learned was that we need an A Team to respond. This is not an easy task to give you — you have to evaluate the talent you have inside, what you need to educate them, and how you build your team. Your adversary… has one.

The interim goal of fighting APTs is to make it harder and more expensive for attackers to target your organization and to exfiltrate intellectual property and information after gaining a foothold. Adkins calls it changing the economics of the game. Or as Kevin Mandia, president of Mandiant, put it:

Let’s make the cost of doing this so expensive for these folks so they have to earn it. They aren’t earning it now.

Sadly, although only APT attacks on big corporations make the headlines, small businesses are equally vulnerable. But they do not have the vast resources of a Google, DuPont or Microsoft, so there are no “purse strings that will probably start to loosen” to go head-to-head with heavily funded “APTists”. In that sense, the threat is real. The hype comes when security vendors pitch their solutions as “easy” and “cheap”, or lump APTs in with what we might call regular threats like spyware, viruses and botnet attacks.

What can small businesses do to thwart APT attacks?

A few of the following suggestions make sense in a small business environment:

  1. Begin by threat modeling: map the attacks you have already seen against the biggest weaknesses in your environment. Doing so tells you where to begin defending and cleaning up.
  2. Implement least-privilege access control. Don’t give users access to any resource they don’t use; this slows down the damage from the next APT intrusion. Some corporations go so far as to forbid giving anyone domain admin rights and use delegation of specific rights instead.
  3. Harden computers following the vendor’s recommended security settings.
  4. Make sure you are patching everything, especially popular browser add-ons.
  5. Implement application control (whitelisting) to stop new malicious programs from spreading around the environment.
  6. Implement strong password policies, with 12-character or longer complex passwords for standard user accounts and longer still for elevated accounts. I actually prefer pass-phrases: a sentence you can remember beats a cryptic password you may have to write down, any day, in my opinion.
  7. Use two-factor authentication where long passwords are impractical or are not secure enough on their own.
  8. Implement an enterprise-wide log management system with comprehensive alerting and auditing. Without central logs you cannot see the “low and slow” movement from one host to the next that distinguishes an APT from noisy malware.
  9. Isolate security domains and hosts. If computers shouldn’t talk to each other, don’t let them.
  10. Deploy an anomaly-detection product, such as a HIDS (host-based intrusion detection system) or a NIDS (network-based intrusion detection system).
  11. Make sure antivirus scanners check for updates at least every 24 hours and that they scan for hacking tools. If possible, use the newer products that include sandboxing features.
  12. Most importantly, educate end users about the biggest risks, such as Adobe Acrobat and Java exploits, fake antivirus warnings, phishing sites, and so on.

The question is, are today’s systems actually defendable at all against APT-type attacks? Experts seem to agree that most organizations must assume today that they have already been infiltrated by one of these quiet, targeted, persistent attacks.

For more about APTs:

This interesting article highlights APTs.
This one discusses how APTs bypass your network security.
Dark Reading has an article called Hacking the APT.
Damballa has this article on how APTs breach enterprises.