APT – More Persistent than advanced

by Jago Maniscalchi  //  October 30, 2011  //  Exploits and Malware  //  No comments

RSA, one of this year's highest profile victims of an ‘Advanced Persistent Threat (APT)’, held a summit in Washington DC this summer on the subject with TechAmerica. Government and business leaders met for two days to discuss the impact of APTs and to agree strategies for mitigation and defence. The full report is due shortly, but in the meantime a series of interim ‘perspectives’ have been published, and they make interesting reading.

Here are five of the main points:

People are now the attack vector

In the past, the hardware and software in a business was the attack vector used in most intrusions. Software would ship with a vulnerability, which would be exploited by an attacker, giving them access to internal infrastructure. Once inside, a mixture of further software exploitation, password cracking and the absence of effective user access controls inside the network would allow an attacker to move through the network acquiring data or causing disruption.

As organisations began to adopt the principle of defence in depth, and software vendors began to take security more seriously, the techniques required to breach a network from the outside have become more advanced – the ‘A’ in APT. The RSA summit, however, found that these technically advanced attacks are no longer typical. It is now much more common for attackers to target an organisation through social engineering, using techniques such as spear-phishing. Our people are now our security perimeter, and anyone can be compromised given the right approach.

You must assume that you have been compromised

It is no longer realistic to keep adversaries out of a complex network, so organisations should plan and act as though they have already been breached. Efforts should be focussed on understanding which assets should be protected, where they reside and who has access to them. Damage limitation will be the new focus and should be achieved through compartmentalisation of systems, protection of critical data and adoption of the principles of ‘defence in depth’ and ‘least privilege’.

Situational awareness is essential to detect threats

Understanding what is happening beyond our network is essential to detect over-the-horizon threats. As an example, ‘Beta attacks’ – test attacks on dummy targets for the purpose of checking tools and techniques – are on the rise and could provide useful indicators that new techniques are about to be used in genuine attacks. Such situational awareness would require close international cooperation between organisations and governments.

Supply chain poisoning is on the rise

Given the complexity of attacking infrastructure once it is in place, attackers are moving upstream and are cultivating vulnerabilities in trusted suppliers. Monitoring suppliers, therefore, is a new and growing challenge, and one that has yet to be met.

Options include independent external audits of suppliers, or some form of external monitoring, though there are few if any current examples in the commercial sector. There is, of course, much to be learnt here from the relationship between national governments and the defence sector, where these issues are far from new.

Customization defies signature-based approaches

Although not always technically advanced, APTs are usually custom developed to work against a specific weakness in a target. Malware is often compiled just hours before an attack and will exploit zero-day vulnerabilities that are unknown to anti-malware manufacturers. These attack characteristics defy identification by generic anti-malware signatures.

As a result, organisations can no longer rely on automatic software-based protections alone. They must also invest in a skilled workforce of incident responders and security specialists, capable of spotting novel attack techniques themselves.
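To make the point about customised builds concrete, here is an added example (not from the original post or from the RSA report) contrasting an exact-hash signature with a feature-based rule. The two "builds" are constructed byte strings standing in for a tool that was recompiled a few hours apart; the embedded build timestamp is the only difference. The Windows API names used as indicators, the `build=` volatile prefix and the threshold of three matching features are all assumptions chosen for illustration.

```python
import hashlib
import re

# Constructed stand-ins for two builds of the same custom tool (not real binaries).
# Build B differs from build A only in an embedded build timestamp, which is what a
# rebuild shortly before an attack looks like to an exact-match signature.
SAMPLE_BUILD_A = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"build=2011-10-29T03:12:00Z\x00"
    + b"InternetOpenUrlA\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"\x00" * 8
)
SAMPLE_BUILD_B = SAMPLE_BUILD_A.replace(b"2011-10-29T03:12:00Z", b"2011-10-30T01:45:00Z")

# A constructed benign sample that shares the file header but none of the indicators.
BENIGN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"build=2011-10-30T01:45:00Z\x00"
    + b"GetSystemTimeAsFileTime\x00MessageBoxA\x00"
    + b"\x00" * 8
)


def sha256_hex(data: bytes) -> str:
    """Exact-match identity of a file: any single-byte change gives a new value."""
    return hashlib.sha256(data).hexdigest()


# The signature database only knows the build that was captured once.
KNOWN_BAD_HASHES = {sha256_hex(SAMPLE_BUILD_A)}


def hash_signature_matches(data: bytes) -> bool:
    """Classic signature check: is this exact file already known?"""
    return sha256_hex(data) in KNOWN_BAD_HASHES


def extract_strings(data: bytes, min_len: int = 4) -> set:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


# Strings that change between builds without changing behaviour (assumed prefix list).
VOLATILE_PREFIXES = ("build=",)

# Capability indicators a feature rule keys on (assumed set for this example).
INDICATOR_STRINGS = {"InternetOpenUrlA", "CreateRemoteThread", "WriteProcessMemory"}


def stable_features(data: bytes) -> set:
    """Extracted strings with build-specific noise removed."""
    return {s for s in extract_strings(data) if not s.startswith(VOLATILE_PREFIXES)}


def feature_rule_matches(data: bytes, required: set = INDICATOR_STRINGS, threshold: int = 3) -> bool:
    """Feature-based rule: enough capability indicators present, regardless of hash."""
    return len(required & stable_features(data)) >= threshold


def jaccard(a: set, b: set) -> float:
    """Set similarity in [0, 1]; 1.0 means identical feature sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_builds(known: bytes, candidate: bytes) -> dict:
    """Summarise how each detection approach treats a recompiled candidate."""
    return {
        "same_hash": sha256_hex(known) == sha256_hex(candidate),
        "hash_signature_hits": hash_signature_matches(candidate),
        "feature_rule_hits": feature_rule_matches(candidate),
        "feature_similarity": jaccard(stable_features(known), stable_features(candidate)),
    }


if __name__ == "__main__":
    print("build A vs build B:", compare_builds(SAMPLE_BUILD_A, SAMPLE_BUILD_B))
    print("build A vs benign: ", compare_builds(SAMPLE_BUILD_A, BENIGN_SAMPLE))
```

Running it shows the asymmetry the post describes: the rebuilt sample has a different hash, so the exact-match signature misses it, while the feature rule still fires because the behaviourally relevant strings are unchanged (similarity 1.0), and the benign sample trips neither. Real feature rules key on far richer evidence than imported names, but the reason they survive a recompile is the same.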

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.
