Wednesday, February 16, 2011

What's So Scary About APT?

The latest security buzzword is APT: Advanced Persistent Threat. Is APT important and should we be concerned? I’m afraid the answer to both these questions is “yes.” But knowledge is power. If we understand APT, we can learn how to protect against it.

Previously, most external threats to commercial enterprises came from hackers and criminals. These threats are generally opportunistic and unoriginal. Everyone’s money is equal so criminals and hackers focus on the softest targets. If one defender is more secure than average, these attackers focus elsewhere. And the tools they use are nothing special, just prebuilt exploits that they bought on the Internet. This is similar to home security. You don’t need perfect security. If your security is clearly better than your neighbor’s, the thieves will go to his house. And their burglary tools will come from the hardware store: crowbars and screwdrivers.

APT is different. With APT, the attacker is highly skilled, well funded, and operating with a long-term focused objective in mind. That’s why it’s called an Advanced Persistent Threat. Recent examples include GhostNet, ShadowNet, and Operation Aurora. In all these cases, someone targeted particular organizations and used sophisticated techniques to infect and infiltrate their systems. The attackers didn’t break anything. They laid low and extracted as much information as they could without setting off alarms.

APT is more like a jewel thief or an art heist than a house theft. The attacker selects a specific target, evaluates its defenses, and employs special tools to commit the crime. In the cyber realm, the tools are custom-built, often exploiting unreported vulnerabilities for which no patch or signature is available.

Nobody knows who’s behind the recent spike in APT attacks but suspicions rest on military or intelligence forces. Their motivations are similarly obscure. Are they just gathering intelligence or planting booby traps and back doors that they can exploit later? Unclear.

What does this mean? For those of us in information security, our entire threat landscape has changed. APT attacks are no longer clever tricks that only happen in the movies or at the Black Hat conference. They’re now a real danger for our enterprises. Who would have thought that Google would be targeted by APT attackers? If they are a target, who is immune?

The good news is that we have some good defenses against APT attacks. Behavior-based intrusion detection systems excel at detecting previously unknown attacks. Data leakage prevention systems can sniff out large-scale data exfiltration. Security information and event management (SIEM) systems can correlate log messages to detect problems. And insider threat detection techniques can detect stealthy attacks in general.
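As an added illustration (not from the original post) of why behavior-based monitoring and correlation complement each other against a patient attacker: the script below runs two checks over constructed, NetFlow-style outbound volume summaries. A per-day threshold catches a one-off burst, but a host that drips a modest amount to the same external address every day never trips it; only aggregating per host and destination over the whole window exposes it. Hostnames, addresses and byte counts are all made up for the example.

```python
"""Two complementary outbound-volume checks over constructed flow summaries."""
import statistics
from collections import defaultdict


def build_sample():
    """Constructed NetFlow-style records: (day, host, dst, bytes_out)."""
    flows = []
    dests = ["198.51.100.10", "198.51.100.20", "198.51.100.30"]
    for day in range(1, 8):
        for i in range(1, 6):                  # ws01..ws05: ordinary traffic
            for j, dst in enumerate(dests):
                flows.append((day, f"ws{i:02d}", dst, 600_000 + 100_000 * ((i + j + day) % 3)))
        # ws06: a steady 8 MB/day to one external address (low and slow)
        flows.append((day, "ws06", "203.0.113.9", 8_000_000))
        flows.append((day, "ws06", dests[0], 700_000))
        flows.append((day, "ws07", dests[1], 800_000))
    flows.append((4, "ws07", "203.0.113.44", 50_000_000))   # ws07: one big burst
    return flows


def flag_exfiltration(flows, burst_factor=10, drip_factor=3):
    """Return hosts whose outbound volume stands out from the population baseline.

    burst: a single host-day far above the median host-day.
    slow_drip: a host-to-destination total over the window far above the
    median pair total; this is the check that catches ws06.
    """
    daily = defaultdict(int)     # (host, day) -> bytes that day
    pair = defaultdict(int)      # (host, dst) -> bytes over the whole window
    for day, host, dst, nbytes in flows:
        daily[(host, day)] += nbytes
        pair[(host, dst)] += nbytes
    # Population medians are robust to the few outliers we are looking for
    daily_base = statistics.median(daily.values())
    pair_base = statistics.median(pair.values())
    bursts = sorted((h, d, b) for (h, d), b in daily.items() if b > burst_factor * daily_base)
    drips = sorted((h, dst, b) for (h, dst), b in pair.items() if b > drip_factor * pair_base)
    return {"burst": bursts, "slow_drip": drips}


if __name__ == "__main__":
    for kind, hits in flag_exfiltration(build_sample()).items():
        for hit in hits:
            print(kind, *hit)
```

On the sample, ws06 sends about four times the median daily volume and stays under the burst threshold, yet its seven-day total to one address is roughly eleven times the median pair total.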

Most important, we must all be on our guard. The threat landscape has changed. APT is no longer theoretical. It’s real and it could affect any of us. Keep a close eye out for anomalies. Put in place multiple layers of defense. And don’t ignore clues that point to a stealthy, persistent, and sophisticated infiltration at your organization. It’s not impossible. In fact, it’s quite likely.
