
John Walker

Job title:
CEO, Secure Bastion LTD

Areas of expertise:
Professor John Walker: FBCS CITP CISM CRISC ITPC

Biography:
CEO of Secure-Bastion Ltd, Practicing Expert Witness, Visiting Professor at Nottingham Trent University. Fellow of the BCS, and holder of CITP (BCS), CISM and CRISC (ISACA), and UK Government ITPC. Chair of the London ISACA Chapter Security Advisory Group (SAG), ENISA CEI Listed Expert, and Editorial Board Member of CSRI.


It’s NOT that Easy (to be an APT or AET)!!

As many seasoned IT pros may have noticed, the APT and AET debate has once again been given some space on the boards of the IT security press. However, whenever this happens, the confusion that arises around what ‘they’ are, and what constitutes the ‘label’, sets me off on a trip of frustration.

Now granted, one could argue that well-crafted, engineered code like that of Stuxnet could in fact represent what constitutes an AET. It may even be that some code currently under development will be crafted with some special objective in mind, with its payload set firmly on, say, some SCADA or military target of the future – in fact an AET in the making.

But the AET does not have to stick to these rigid rules to reach the dizzying heights of being awarded the fascinating label ‘AET’. Far from it, in fact, as there are other manifestations that fall into the same bracket as the AET, which are based on the concept of COPs.

As we observed circa 2010/11, insecurity would seem to have been the modus operandi of the era, with some big-name players being hacked, cracked, attacked, hacktivised, and compromised – were these high-tech AETs, built just to exploit some unsuspecting organizations and targets? Possibly in some cases, yes. However, some other attacks will fall into my category of the COP – but what is it?

I am sure you will agree that the majority of the successful incursions and compromises against top-shelf targets required a modicum of skill to achieve a successful breach of corporate defenses – and notwithstanding that the criminal fraternity has managed to carry out some exploitation of a target, this is by no means what may be referred to as easy pickings. Far from it; in fact, in my humble estimation, a high percentage of these would have used an AET, but we just don’t recognize this fact!

It really can come down to three facets of COPs: ‘C’ – the use, deployment, and leverage of a known or reengineered piece of malware (the Code); ‘O’ – the Opportunity presented by a hosted exposure or vulnerability on the target asset; and last but not least ‘P’ – Planning the execution of the attack or compromise. Bring these all together and you have the building blocks of what an AET really can be.

So, if there is an expectation that when the AET arrives at the corporate perimeter it will be labelled, well, ‘AET’, you may be in for a bit of a disappointment. However, I believe there have been many successful attacks and compromises that may not be directly attributed to the good old AET profile – but nevertheless have been crafted with the operational objective in mind to build and use, out of pure ‘imagination’, a method to circumvent a perimeter of security. And what do I really know about this subject? It’s simple: I built, demonstrated, and presented some of these types of attacks more years ago now than I care to remember – but what changed? We just got more interconnected, and more dependent on technology.

But let us return to the subject of well-engineered, crafted code, and consider the ‘Duqu’ worm, which has been reported by Symantec as a possible derivative of Stuxnet, but this time designed with the objective of gathering intelligence. In fact, if I am not mistaken, the profile of Duqu looks very much like that of the malware that was discovered infecting the US Air Force drones – DroneBug. Do we consider this to fall into the definition of an AET?

And then we have the new threat of criminals turning their attention and skill against vulnerable mobile devices to circumvent their security – going where the money is, and looking to craft new attacks that evade the conventions of the human mind, not to mention the hand.

And last but not least we have the recent research published by a Scandinavian group of researchers who have discovered 163 new AET vectors of attack, some of which circumvent the current IPS and IDS applications that, I assert, are deployed today within corporate environments.

As always, I do concede to the opinion of other professionals, and I do take time to listen to what they have to say and hear their opinions – however, I am only too hopeful, for their sake and possibly the sake of their employers, that they pay the same compliment to others who may not be completely tuned in to what they think.

Posted 20/10/2011 by John Walker

Tagged under: AET, APT, Malware
