Advanced Persistent Threats, or APTs, have many definitions. In most cases it’s an overused and abused marketing term adopted by point-solution security vendors to talk about their ability to stop “bad things.” The term most generally defines an adversary with formidable means, organization, and motivation: they’re on a mission. It is often associated with espionage, and as such the concept predates the digital era and can be traced back to the earliest documentation of intelligence gathering recorded by military strategists such as Sun-Tzu and Chanakya. Richard Bejtlich of GE provides a great overview of APT in a recent article for SearchSecurity.
Talking about APTs has become increasingly popular over the last year. This is in part because of a series of cyber attacks dubbed Operation Aurora. These attacks started in mid-2009; Google, Northrop Grumman, Dow Chemical and around 30 other companies were targeted, and it has been speculated that the attacks originated in China. Operation Aurora was considered an APT because the attacks were sophisticated, targeted, stealthy, and designed for long-term manipulation of their targets. Over the last decade there have been several other attacks thought to be from China that could fall into the APT category, including:
Titan Rain – A series of attacks in 2003 that extracted information equivalent in size to the Library of Congress from Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, NASA and several other government organizations.
F-35 Joint Strike Fighter – In 2009 the Wall Street Journal reported that the Pentagon’s $300 billion project had terabytes of data stolen.
When it comes to understanding APT, and the risk it poses to your business, you first need to consider four things: the actors, their motives, their targets, and their goals. Once you understand these four aspects of an APT, you can better outline your own security strategy:
Actors: The actors behind an APT could be part of a terrorist group, an activist group, or an organized crime ring. Many perceive these actors as radical elements of a nation-state, but sympathizers and non-state participants can also be involved in APTs, as seen in China with the antiCNN.exe attacks and in Russia with the Nashi youth groups, where private citizens are called upon to engage in patriotic online attacks. We see many APTs based in Eastern European countries, Russia or China.
Motives: Hackers conducting an APT are almost always motivated by economic or political gain. These folks either want to make a significant amount of money from what they’re stealing, or they are driven by a strong ideology that is fundamentally at odds with an organization or group.
Targets: APT targets are often organizations such as the mainstream media, government, defense contractors, academic institutions, or high-powered individuals in control of sought-after, highly sensitive information. Organizations tied to state utility services are often targets as well.
Goals: Organizations involved in APT want to remain stealthy, or at least the organizers do. They will create backdoors, hide their footprints, and take other measures to remain undetected while keeping alternative paths in. Ultimately they want sensitive data, they want to monitor communications, they want to disrupt operations, or some combination of all three.
Of imminent concern is the recent Stuxnet worm found on industrial control systems in the US, India, Iran and a handful of other nations this July. Now this is one sophisticated, expensive, and purpose-built worm. While the exact origins and motives behind Stuxnet are unknown, it is likely that it wasn’t built to steal sensitive information or hold industrial control facilities hostage; there are far better ways to accomplish that. It targets controllers – the stuff that turns things on and off. It exploits a zero-day vulnerability, uses stolen code-signing certificates, leverages a rootkit, and does all of this on programmable logic controllers – the very first time we’ve ever seen that. Read: this worm is built to take over control of system operations. Not good.
So, what do you need to know about protecting against APT? Here are my thoughts in a nutshell:
First, there is no silver bullet for APT. If anybody offers you an anti-APT box – don’t walk away, run.
Take a risk-based approach to your security, rather than a threat-based approach. This may sound counter-intuitive, but trust me. Do discovery on your sensitive assets and create a broad, deep view of your network and assets from a centralized location. Integrate threat intelligence into your overall strategy so you understand the behaviors and techniques of the attackers. Break down the silos: disparate security silos give APT attackers the advantage. A connected, integrated strategy is the best bet against APTs, whether your organization is a Fortune 50 or a company of 50.