There is no doubting that both the complexity of the threat landscape and the cost of defending against it are on an upward curve. More than ever, there is a temptation to rely upon legacy security defenses. However, with an increase in advanced persistent threats (APTs) – as perhaps best exemplified by the Operation Aurora attacks that were first disclosed by Google at the start of 2010, and more recently the real-world emergence of advanced evasion technique (AET) scenarios – this would not only be a false economy, but also a very high-risk strategy.
Advanced Persistent Threats Defined
In talking to several infosec professionals and researchers from security vendors while researching this article, it became clear that everyone has a slightly different definition of what an APT actually is. There seems no doubt that the term itself has been overhyped – not least by those with products to sell in order to combat whatever description has been applied. There is, however, no doubting that the advanced persistent threat is very real.
Taking a composite approach to defining an APT leaves us with a highly targeted method for compromising data security and accessing specific information. Most often reported when aimed at government or military networks, an APT can actually be used against any target, including business enterprises. They are advanced because they use a blended approach of both computer intrusion (hacking/malware) and social engineering (phishing/scamming), in concert with sophisticated management tools to bring the disparate prongs of an attack together.
|"AETs require a significant amount of information gathering on a company for them to be executed successfully"|
|Andrew Blyth, University of Glamorgan|
Unlike the kind of ‘spray and pray’ phishing and malware attacks that have become prevalent during the last decade, APTs are not only highly focused on a specific data target, but as the name implies, they are persistent in their attempts to access it. Most often this persistence is seen in the form of a ‘low and slow’ technique, so there will be no constant bombardment of malware, but rather a consistent and stealthy digging away at the defense layers over time. As Adrian Davis, principal analyst from independent security body the Information Security Forum (ISF) says, “typically, any malware used in the attack will have been tested for its ability to remain undetected by commercial anti-virus (AV) products – or will be downloaded via an infected URL. Social engineering or placing someone ‘on the inside’ may form part of the attack to gain access and bypass perimeter or similar defenses. The combination of threats multiplies the target’s defensive difficulties”.
Advanced Evasion Techniques Defined
An advanced evasion technique (AET) attack is very different indeed from an APT – both by design and intent. “By design insofar as it is seeking to exploit what is a known and understood threat condition”, explains professor John Walker, an editorial board member of the Cyber Security Research Institute. He continues: “by re-engineering the vector of attack with intent to bypass any threat-aware protection deployed at the perimeter”.
Why? Well, consider an organization that has, not uncommonly, adopted a security position that relies upon perimeter protection for internal systems. As Walker points out, these organizations will patch internet-facing systems but often not those ‘protected’ internal systems. “If then circumvention of the external protection can be achieved”, Walker says, “they are thus left exposed, and open to attack, compromise, and manipulation”.
|"Let’s be clear, criminals generally don’t need to resort to APT and AET to infiltrate a vulnerable environment"|
|Neira Jones, Barclaycard|
Professor Andrew Blyth, head of the computer systems engineering division at the University of Glamorgan in Wales (and a leading information security academic) adds that AETs are “well crafted threats which can cost millions to construct and they require a significant amount of information gathering on a company for them to be executed successfully”.
While some security vendors have dismissed AETs as nothing more than hype from a rival vendor (the term was coined by Stonesoft), Blyth warns that “the advisories developing AETs are sophisticated, well-resourced, and have good understandings of how systems work; and we have already seen AET-based attacks being used in the wild”. He adds that it is, however, “unlikely we are going to see them used against companies on an everyday basis. This is because they are only used against big targets which hold significant value to a hacker”.
The security vendor silence – apart from Stonesoft of course – was pretty evident at the Infosecurity Europe show in April this year, but that should not mean that information security professionals should be equally deaf to the threat posed by an AET. “Stonesoft have not only conducted some very valid research in this area”, professor Walker states, “but were also demonstrating in real time how the AET could be leveraged, evading up-to-date perimeter defenses and leading to exploitation of a protected system”.
Walker considers the fact that no ‘big players’ seem to have engaged with the threat as “very surprising”. Rik Ferguson, director of security research with Trend Micro, disagrees and insists that “the security industry is definitely awake to the threat to governments and businesses from advanced attack techniques, and security technology is constantly evolving. Any vendor (or customer) who believes that the core technologies that served them well a decade ago should still form the basis of their defenses today, is sorely mistaken”.
Budgetary Considerations and Defense Strategies
The infosec professional needs to at least consider what can be done to protect data and resources from both kinds of threats. The answer, according to Adrian Davis, is actually pretty straightforward and can be summed up as doing the basics. “Patch management, awareness, access control and regular review and audit of logs, systems and networks, for example”, he advises. “These provide a level of security that will reduce the likelihood of opportunistic hacking or accidental compromise”.
|"[SMTs are a] complex union of human intelligence, information security, communications intelligence/signals intelligence and open sources intelligence"|
|Simon Leech, HP|
Surely it’s not that simple? Well, no, it isn’t. There are three key additional approaches that need to be adopted. “First”, Davis says, “is adopting an incident management process specifically to deal with APT and rehearsing it. Second, is good network management and security, as this will assist in identifying unusual traffic patterns associated with APT and may allow the organization to disrupt the APT”.
And third? An old favorite in the infosec world: situational awareness. “Stay tuned in to situational awareness pertinent to your sector and industry”, professor Walker advises. “Pay particular attention to security alerts and reports put out by the independents like Secunia. Remember, a particular provider of technology may know they have an issue, but it does not mean they will inform all of their clients in a timely manner”.
All About the Money
What about the budgetary implications of an AET/APT defense strategy? Rik Ferguson answers the ‘how much’ question from the risk management view, with the obvious answer that it depends on the value of the assets being protected. “From a risk management perspective, the amount spent on the protection of an asset should not exceed the cost to the business of a catastrophic event that negatively impacts that asset”, Ferguson states, adding “some things, such as security best practice, are low cost and should be applied consistently”.
Professor Walker insists that incumbent security professionals and administrators need to “tune in to an increased level of situational awareness and watch the press for the term AET with a keen eye”, as the consequences of both APT and AET attacks “raise questions over the effectiveness of perimeter security technologies”. Simon Leech, a Certified Information Systems Security Professional (CISSP) who heads up the solutions architects at HP TippingPoint Group, predicts that subversive multi-vector threats (SMT) are next to watch out for as they take the definition of APTs a couple of steps further down the line. SMTs are a “complex union of human intelligence, information security, communications intelligence/signals intelligence and open sources intelligence”, he suggests. In other words, a combination of people, process and technology to take down a target organization. Just when you thought things sounded bad enough...
TO PANIC OR NOT TO PANIC?
Neira Jones, head of payment security at Barclaycard, has been very vocal when it comes to analyzing APT and AET threats. She makes the following assessment:
Recently, there has been a lot of hype in information security circles around the advanced persistent threat (APT) and the advanced evasion technique (AET), partly due to the high-profile breaches we have seen this year. I will not offer a definition here, as many industry experts have done an extremely good job of it and I do not dispute the fact that these threats exist and sophisticated techniques are now being employed. However, let’s remember one thing: AETs depend on a vulnerable system inside the target environment.
Let’s be clear, criminals generally don’t need to resort to APT and AET to infiltrate a vulnerable environment: The Verizon DBIR 2011 states that 87% of attacks could be prevented using simple, proactive measures. APTs (through AETs) are likely to target organizations where they would achieve the most financial or political gain. In my book, this means that the first step would be to understand what the critical assets are and the second to understand the infrastructure deployed for those critical assets.
Predictably, as you may expect coming from me, the third step should be to protect the assets based on a risk assessment reflecting the organization’s risk appetite. So whilst it is a good idea to check whether your intrusion prevention appliances are or will be anti-evasion ready, and capable of receiving current AET patches and security updates continuously and dynamically (and again, a lot of good research has been done in this area), look inside first... Have you fixed the basics?