Information Security Management Handbook, Sixth Edition (2012)

DOMAIN 9: LEGAL, REGULATIONS, COMPLIANCE, AND INVESTIGATIONS

Major Categories of Computer Crime

Chapter 28. Managing Advanced Persistent Threats

E. Eugene Schultz and Cuc Du

Over the years, information security managers have faced a multitude of security threats and risks, some of which have been minor, but many of which have been major in terms of the magnitude of potential impacts to the organizations that we have served. In many ways, we have been lucky, however. With the exception of viruses and worms, the threats against the computing systems and information that we have tried to protect have been transitory. If, in the past, someone tried to attack one or more of these assets, they either succeeded or failed, and if they failed, they generally moved on to their next target. A widely accepted axiom among information security professionals was to ensure that the assets of one’s organization were just a little more secure than the other organizations’ assets so the “bad guys” would find the path of least resistance.

Things have changed. Security-related threats (and thus also risks) have grown considerably in severity in the last few years; much of the reason is that attacks have become so much more clever and sophisticated, and another is that threats are now so much more persistent. The Aurora attacks that plagued so many Fortune 500 companies and the U.S. military and government in 2009 serve as a strong case in point. Contrary to the way perpetrators attacked systems, applications, and databases just a few years ago, the Aurora attackers tended not to give up until they had conquered their targets. Given such a target- and vulnerability-rich environment, the attackers were almost guaranteed success in attacking the organizations with average or below-average security. But they even succeeded in attacking the computing systems of the companies that by all appearances had achieved “best practices” status in information security, forcing us to rethink the problem and how we try to solve it. This chapter deals with the problem (advanced persistent threats, APTs), its nature and severity, and what we should and should not be doing from an information security management point of view.

Introduction

In March 2011, attackers gained unauthorized access to the RSA systems that contained information concerning the intricacies of the RSA products that provide strong authentication. RSA’s SecurID is a good example of such a product, one that is preferred by clandestine agencies of the U.S. government because of its ability to provide much stronger authentication than conventional authentication methods, e.g., password-based authentication. An investigation of the RSA break-ins has led to early speculation about the origin—the People’s Republic of China. Yet at the same time, other widespread break-ins into systems in the United States, United Kingdom, Canada, Germany, and other countries reveal that, regardless of the apparent origin, a relatively new pattern of attacks characterized by great sophistication and persistence is occurring. This chapter covers the nature of the threats associated with such attacks, the toll they take, and what information security managers can do to mitigate the resulting security risks.

About APTs

The term “APT” means different things to different people, yet it is clear that the threats that are sophisticated and incessant have resulted in a variety of highly undesirable outcomes. One such outcome is a data security breach in which classified, proprietary, personal, and financial data is compromised. Another is prolonged denial-of-service (DoS), and still another is a compromise of the integrity of data, systems, applications, networks, and more. In the next section, the range of meanings of APT will be discussed and the scope of the associated risks will be described.

Definition of APT

The term “advanced persistent threats” means different things to different people. Some claim that the term originated in the military and defense sectors to define a series of ongoing cyber-attacks as espionage assaults from nation-states such as China, which initially targeted the military as well as certain manufacturing and technology industries. The term APT quickly entered the security industry, with vendors using the term to promote their products, thereby substantially diluting its meaning. For the security community and professionals, APT may be a new term, but the concept is older. In general, the term refers to a series of “below the radar” attacks that were previously seen on a relatively small scale, but are now used collectively to launch highly targeted, prolonged attacks. Definitions vary, as summarized below:

Advanced means that the adversaries can operate in the full spectrum of computer intrusion. They can use the most pedestrian, publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits (often in connection with “zero-day” vulnerabilities), depending on the nature of the target and the goal(s) of the attack.

Advanced also means that the perpetrators utilize a full spectrum of techniques in gathering intelligence, developing sophisticated malware, and executing attacks. Methods used by the adversaries may include traditional intrusion technologies and techniques coupled with advanced tools and techniques developed to accomplish the task. Additionally, using advanced social engineering skills is another tactic used to capitalize on the weakest link of all, people.

Persistent means the adversary is determined (often formally) to accomplish a mission. The adversary is not acting opportunistically. Like an intelligence unit, the adversaries receive directives and work to meet the requirements handed to them. Persistent does not necessarily mean that they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to fulfill their objectives.

Persistent also means that the perpetrators are highly focused with a goal of accomplishing their mission according to prioritization of specific tasks. Rather than using a “slash and burn” strategy to seize the first opportunity to attack, they execute a “low and slow” approach to continuously gather their information through sustained monitoring for long-term presence. They wait patiently for the appropriate time to strike.

Threat means that the adversary is organized, well-funded, and highly motivated. Adversaries often consist of multiple “groups” consisting of dedicated “crews” with a variety of missions. Some people equate the term “threat” with malware, but the adversary is not a piece of mindless code. If malware had no human (someone to control the victim, read the stolen data, etc.) in connection with its use, most of it would be of considerably less concern (as long as it did not capture, destroy, or modify information). The adversaries in APTs are the real threat.

Threat also means that the level of coordinated effort involving the human factor is extensive. It is not about automated code and scripts being tossed into the wild. Because the groups behind APTs are organized, motivated, and well-funded, they are highly evolved in their research and development (R&D) capabilities and they take great care in selecting their targets.

Brief History of APT-Related Attacks

APT-related attacks first surfaced in the late 1990s, although they were not recognized as such until later. The “Titan Rain” attacks, a steady barrage of coordinated attacks against U.S. computers that started in 2003, were the first to raise an alarm concerning the existence of APTs and the risks they posed. Targets included Sandia National Laboratory, Redstone Arsenal, NASA, Lockheed-Martin, and other organizations and sites (including numerous U.S. military sites). Evidence that the Chinese military was the primary instigator of these attacks exists and the fact that most of the attacks were traced to China strongly supports this notion. The exact nature of these attacks and their motivation remain unknown, however, in part because the perpetrators were clever in using a wide variety of methods (including installing extremely sophisticated malware in the victim systems) to evade detection.

Another flurry of APT-related attacks, dubbed the “GhostNet” attacks, was first discovered in early 2009. In these attacks, more than 1295 computing systems in 103 countries, including Taiwan, the United States, Germany, India, Tibet, Vietnam, Iran, South Korea, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados and Bhutan, Romania, Cyprus, Thailand, and Pakistan, were victimized. These attacks were characterized by their focus on high-importance systems, such as critical government systems that held information that, if leaked, could cause harm to the security and interests of those nations. The attacks also frequently resulted in the installation of a remote administration tool (RAT) called GhostRat in compromised systems to allow the attackers remote back door access and to make changes in these systems at will. The origin of this tool, as well as of the attacks themselves, was once again traced to China.

Operation Aurora was the next big round of APT-related attacks. Aurora (named after the file path of some malware on the attackers’ computing systems and possibly also the code name that the conspirators gave this operation) began in mid-2009 and continued until the end of 2009. Many corporations, including Google, Rackspace, Juniper Networks, Northrop Grumman, Dow Chemical, Symantec, Adobe Systems, Yahoo, and Morgan Stanley, were targeted, as was the U.S. military. Because of the covert methods used to subvert systems, however, the attacks were not detected until they subsided. Google was the first to publicly announce the attacks, and speculation that Google was targeted because of its refusal to provide China with information about Chinese dissidents and its eventual withdrawal of Google search engine services from that country ran rampant. More than in any previous attacks, the Aurora attackers did not give up until they had vanquished their targets. The attackers gleaned large amounts of proprietary information and accessed (and presumably stole) a great deal of source code. Once again, the victims of these attacks failed to detect them for many months and the origin of the attacks was traced to China. Chinese officials denied any complicity in the attacks, however, and instead blamed the U.S. for what they called a “conspiracy.” According to McAfee, the main objective of the attack was to access and possibly also modify the source code at the targeted corporations. The major “lesson learned” for the information security community was that implementing “best practices” is insufficient to thwart such sophisticated and persistent attacks. Additionally, the information security community was once again reminded of the importance of sharing information concerning incidents with others so that they could identify previously unrecognized attack patterns.

Still another set of clever, subtle, and persistent attacks, labeled “Night Dragon,” began in late 2009. Global energy, oil, and petrochemical corporations were targeted in this series of attacks, which utilized social engineering and spear-phishing, exploited Windows vulnerabilities, and utilized RATs in stealing highly proprietary commercial, financial, and oil and gas site bid-related operational information. The attacks, which yet another time were traced to China, were once again highly complex, coordinated, persistent, and covert, to the point that most of the targeted corporations did not know that their systems had been compromised until they were informed by the U.S. government many months after the attacks had initially occurred.

Characteristics of APT-Related Attacks

Cyber-attacks have occurred over the entire lifespan of the Internet. However, with APTs, there is a paradigm shift concerning the purpose, motivations, methods, and people who are behind these attacks. Nonetheless, no two APTs are exactly the same. The methods and technologies used in each attack vary, but in general, APTs exhibit several similar characteristics.

Goal-Directed, Customized for Specific Targets

APT-related attacks are goal-driven and purposeful. The perpetrators take great care in planning their attacks, selecting their targets, and customizing their attack methods toward a specific sector, company, or technology to produce the greatest impact. The main goal is to create advantages that maximize the financial returns with each attack. Attackers use advanced social engineering methods to scope out a targeted organization’s employee structure to determine who has elevated privileges and the process for obtaining privileged access. Other methods include tailored malware and reconnaissance to map out a target organization’s applications, networks, and systems in order to exploit weaknesses or unpatched zero-day vulnerabilities. These activities are distributed over long periods of time, which makes them harder to detect and correlate based on behavior patterns, anomalies, or timestamps. With APTs, the perpetrators have clear goals, expectations, and interests. Stealing sensitive data such as credit card information and social security numbers for identity theft is still prevalent. But stealing intellectual property and trade secrets and conducting corporate espionage against a targeted organization produces long-term damage that can ultimately destroy the brand and reputation of the company altogether. Government entities can lose power and competitive advantage over other countries if national security is compromised.

Well-Organized

Although there has been an enormous increase in organized cyber-crime, a shift in the threat landscape has changed the way these groups operate today. These organizations are professionally managed like a legitimate corporation. CEOs, payrolls, HR, and recruiters often exist. Perpetrators in these groups hold formal positions within a hierarchy, suggesting that there are teams of specialized individuals spanning multidisciplinary capabilities, skills, and expertise. Individuals possess different specialties and collaborate in their attacks. For example, there are development teams who write malware and there are beta testers. Their social connections to the communities and other groups with similar criminal interests serve as an advantage in obtaining available computing resources. Espionage groups such as the Shadow Network, a hacker group in China, are highly evolved and may already own many of the already compromised networks and assets of the world. Additionally, the perpetrators actively recruit and seek out new individuals and educate and train them to be professional cyber-attackers. These skilled individuals are paid well to carry out the attacks that achieve the mission of their organization. According to IT Business Edge, insider threats are the second highest danger to organizations. The economic downturn may inadvertently pressure disgruntled employees to resort to stealing company information from within. The perpetrators may take advantage of the situation by recruiting financially strained employees for insider information to increase their chance of success in attacks.

Well-Funded

Individual stakeholders of these organizations must have the financial funding to carefully research, plan, and carry out intensive attacks over long periods of time. Additionally, writing the quality of malicious code needed in these attacks requires considerable time and effort, again showing the need to be well-funded if an organization is going to be a player in the APT arena.

Diverse Attack Methodologies

It is common for APT perpetrators to use multiple attack vectors concurrently to increase the likelihood that their attacks will be successful. Because the attackers are highly paid for their skills, there is strong motivation to use creative techniques and technologies to penetrate a targeted organization’s environment. Attackers use automated methods and human social engineering schemes to trick an organization’s own employees into becoming participants in their attacks. Attackers understand that people are the weakest link and therefore take advantage of their lack of awareness. The use of social media tools, such as spoofed Facebook and LinkedIn inquiries, creates a false sense of trust. Clicking on a link such as “We went to high school together” may inadvertently install malware on the victim’s computer. Such tactics are used to solicit further information and eventually gain access to a targeted organization’s network. The perpetrators take their time to get to know their victims. The enormous amount of shrewdness, patience, and commitment involved in these attacks makes them so effective and deadly.

How APT-Related Attacks Differ from Conventional Attacks

Conventional attacks vary considerably, making them difficult to compare with APT-related attacks. Nevertheless, conventional attacks can at a high level be contrasted with APT-related attacks. Compared with conventional attacks, the following are the main characteristics of many APT-related attacks:

Detailed planning (sometimes over several months)

Reconnaissance-in-depth, often to the point of learning detailed information about social interactions, friendship patterns, and information access patterns among potential spear-phishing targets

Prolonged attempts (if necessary) to compromise the computing systems through extremely subtle spear-phishing attempts

Installing and using highly covert tools to create backdoor access with elevated privileges and to steal authentication credentials and data

Using compromised systems as a “pivot point” from which to launch further attacks

Malware Used in APT-Related Attacks

Sometimes, the malware used in APT-related attacks is identical to the malware used in conventional attacks, but the malware in the former type of attack is also often different. If it is different, it is likely to have the following characteristics.

Unique

New malware that has not been previously identified is likely to be used in APT-related attacks. Sometimes, new malware is created because of the desire to launch newly designed attacks. In other cases, new malware is developed because the fact that it is new will create obstacles for malware and intrusion detection tools that require malware signatures before they can recognize the malicious program.

Extremely Covert

If APT-related attacks are to go unnoticed by victim organizations, malware must be extremely difficult to detect. Malware authors who are part of an APT effort therefore program their software to be as covert as possible. In conventional attacks, malware such as viruses, worms, and Trojan programs is frequently used. Viruses and worms are almost never used in APT-related attacks, however, because these types of malware are self-reproducing, thereby greatly increasing the probability that the attacks will be noticed. These authors also often build in mechanisms designed to evade detection of their malware, such as code packing, i.e., encoding a program so that malware scanners do not recognize it.

Bot Functionality

Although bots and botnets are common in conventional attacks, they are even more prevalent in APT-related attacks. The main reason is the desire for control of systems and networks on the part of attackers. At the same time, however, bots and botnets are seldom used to launch distributed denial-of-service (DDoS) attacks because such attacks are so noticeable.

Well-Written

Analysis of some of the malware used in APT-related attacks shows that the quality of the software is often much higher (in terms of code structure and the absence of coding errors) than for most commercially available software. The reason is that APT-related attacks are often well-funded, allowing sponsor nation-states to hire top-notch programmers and use coding standards, development tools, and testing methods that go far beyond conventional ones typically used in commercial software development.

The Perpetrators, Motivations, and Targets

Who are the perpetrators of APT-related attacks, what are their motivations, and what types of targets are they attacking? This section answers these questions.

Perpetrators

The types of perpetrators potentially associated with APT-related attacks include countries, terrorists, activists, organized crime, disgruntled employees, and members of the “black hat” community. The list of types of potential perpetrators is narrowed considerably by the need for considerable labor and financial resources in preparing for and launching APT-related attacks. This is, in fact, the major reason that nation-states and organized crime are currently the major perpetrators of these attacks.

When APT-related attacks are discovered, the origin is often (but not always) China. Although China has repeatedly denied being involved in such attacks, their denial has almost always been implausible. Connections in these attacks frequently trace back directly to one or more IP addresses in China, and if not, to proxy servers in other countries that in turn have connections originating from China. Furthermore, the malware known to be developed and actively used in China (such as GhostRat) is frequently also found in victim systems, and comments in the code are very often written in Chinese.

Not all attacks are from China, however. Some attacks originate from Eastern European countries such as Russia, Belarus, and Ukraine. Others originate from Brazil and the United States. These attacks are almost always the work of organized crime gangs in these countries who plunder Western computing systems and use mules to cleanly and carefully move money to accounts where the money can be stored until needed.

Motivations

Of all the motivations for launching APT-related attacks, financial gain is the easiest to understand. To put it bluntly, there is a lot of money to be made by stealing proprietary information. The fact that financial information and lease bid data owned by oil companies have been frequent targets of APT-related attacks in the past strongly points to a financial motive in at least some of the attacks. Countries such as China that invest heavily in the U.S. stock market may be gaining the equivalent of insider trading information when they break into corporations’ systems that hold financial information. They may also be attempting to give a critical competitive advantage to companies in their country. Or, perhaps, these countries may more than anything be attempting to achieve economic dominance.

Other motivations for launching APT-related attacks are less clear. Although we know that nation-state–sponsored activity is motivated by the desire to gain intelligence, how this intelligence is actually used is not very well understood at this time. Additionally, the theft of so much U.S. military information as the result of APT-related attacks suggests that gaining a military advantage over potentially adversarial countries is another motivation for launching these attacks.

Targets

Targets can easily be derived based on understanding the profiles of the perpetrators and their motives. Less than 3 years ago, APT attacks targeted mostly U.S. government organizations. More recent incidents such as Operation Aurora indicate that the targets have expanded to large corporations and to national governments other than the U.S. government. It is also common to target critical infrastructures, including water, electric power, nuclear power, or chemical companies and facilities. Countries near China, such as Tibet and Taiwan, are experiencing a growing number of APT-related attacks, suggesting that any country that is adversarial to China’s desire for power and dominance is also a likely target of APT-related attacks.

APTs and Security-Related Risk

How do APTs affect the types and levels of security-related risk? This section addresses this question.

Confidentiality, Integrity, and Availability Risk

Of confidentiality, integrity, and availability, confidentiality is most at risk when APT-related attacks occur. Most of these attacks are motivated by the desire to obtain information—financial, intellectual property, personal, military, or other information. These types of information are often targeted in conventional attacks too—the big difference in terms of risk is the fact that the perpetrators of APT-related attacks typically do not give up until they have obtained the information on which they have focused. APT-related confidentiality risks are thus potentially disproportionately high, something of which risk and information security managers within national governments and large corporations should be highly cognizant. At the same time, however, confidentiality risks within organizations generally not targeted in APT-related attacks are in most cases in reality not higher than normal.

Other Risk (Reputational, Legal, Regulatory, and More)

APTs also raise reputational risk considerably. Corporations that have been victimized in APT-related attacks are invariably mentioned in the media, often in a negative light. For example, Google received a disproportionate amount of press attention, much of it negative, after the details of the Aurora attacks started to surface publicly. The same was true of ExxonMobil, Shell, and BP after the Night Dragon attacks came to light. The fact that almost every APT-related attack over the years has not been detected until months after the attack’s occurrence has also tended to make attack victims appear hapless, as if they had incompetent information security practices.

APTs also elevate legal and regulatory risk. Theft of certain types of financial information, for example, constitutes a violation of the U.S. Gramm–Leach–Bliley statute. Theft of patient medical data is a violation of the U.S. Health Insurance Portability and Accountability Act (HIPAA). Theft of cleartext credit card information violates the PCI-DSS standard. Theft of personal information of European Union (EU) citizens constitutes a violation of the EU Privacy Directive as well as certain EU country-specific laws.

Where Conventional Risk Analysis Fails

Is conventional risk analysis, qualitative or quantitative, sufficient when it comes to APTs? The answer is perhaps, but probably not, for the following reasons:

One of the typical limitations of risk analysis is that an insufficient range of threats is generally considered. Numerous potentially relevant risks are too often eliminated from further analysis because they are considered extremely unlikely to occur. APTs are one such threat source. If you are an information security manager at Google, you will almost certainly include APTs in your risk analysis. By contrast, if you work for a sports manufacturing corporation, you are unlikely to evaluate the risk due to APTs because so far this kind of company has not to the best of our knowledge been targeted in advanced persistent attacks. But APT-related attacks are constantly occurring, and the focus of these attacks often shifts midstream during their course. One, therefore, never really knows what the next target will be.

It is difficult to obtain a realistic estimate of the likelihood of such attacks for risk analysis purposes because so many of these attacks have gone completely undetected or have been detected only long after they occurred, and many are overlooked altogether. As such, historical data about these attacks is of limited use.

Even if a somewhat realistic estimate of the likelihood of APTs surfacing could be derived, APTs are so dynamic that this estimate would almost certainly be invalid a short time later.

Many security professionals view risk as equal to value × threats × likelihood. Threats must exploit vulnerabilities if they are to manifest themselves as risk factors, but the vulnerabilities that are almost always exploited in APT-related attacks are usually zero-day vulnerabilities, vulnerabilities that cannot be anticipated. Without a realistic estimate of the vulnerability factor in the above risk equation, risk cannot be suitably estimated.

We are not in any way saying that risk analysis should omit all consideration of APTs. We are instead saying that even the best risk analysis is unlikely to be even marginally accurate when it comes to APTs. The solution, improving risk analysis methods to accurately take into account APTs and other nonconventional and serious threats, is certain to come in time, however.

How Potential Victims Become Targets

Any organization anywhere can be a victim. The proverbial battlefield is getting bigger, more nation-states are getting involved in espionage and information warfare, and organized crime is becoming incredibly proficient in inventing and exploiting ways to profit from its sordid activities. At the same time, however, it is important to realize that when individuals are targeted in APT-related spear-phishing attacks, it is generally in fact the organization to which the individual belongs, not the individual per se, that is being targeted. The attacks that have occurred so far show that having information that is of interest and value to the adversaries is what is most likely to make a certain organization or individual the target of an APT-related attack. Attackers will send one spear-phishing message to one user within the targeted organization, then another, then another, until enough machines are compromised and a sufficient number of Trojans that allow remote backdoor access and contain keystroke and packet capturing routines have been installed. All the while, no one is likely to notice what is happening.

Another possibility is that an organization or individual could be targeted by APTs because of an association (e.g., a third-party business partnership) with another organization or individual that is the real target. If attempts to penetrate the target’s computers and networks fail, the focus of the attacks might quickly shift to the other organization or individual.

Risk Mitigation Measures

No problem is unsolvable, but some problems are extraordinarily challenging. APTs constitute one such problem. The next section will cover how and why conventional security measures fail, how information security managers need to adjust their information security framework in dealing with APTs, and the types of controls that are most likely to be successful against APT-related attacks.

How and Why Conventional Security Measures Fail

Three types of controls—administrative, physical, and technical controls—are available to mitigate information security risks. Administrative controls are critical, but measures such as policy and standards go only so far in countering the levels of risk that APTs produce. Password policies do not really help in countering APT-related risk because passwords are virtually never cracked in advanced persistent attacks. If anything, passwords are sniffed instead. Standards requiring certain system configurations for the sake of security and patching are likely to help in slowing the process of attacking, but advanced persistent attackers keep trying one attack method after another until they finally succeed. So if they cannot exploit any configuration weakness, they try to exploit one bug, then another, then another, until one exploit works. And remember, also, that many APT-related attacks exploit zero-day bugs, bugs that not even the best of vulnerability patching efforts can fix until patches finally become available.

Physical controls are irrelevant to APTs, at least up to this point in time. But technical controls are potentially highly relevant—after all, firewalls and intrusion prevention systems (IPSs) are designed to stop many attacks, as are strong authentication methods and file and directory permissions. Intrusion detection systems (IDSs) are designed to discover attacks. To some extent, these controls serve their purpose, but there is a big caveat—the residual risk associated with each control. No control mitigates all relevant risks. An application firewall that thwarts 95 percent of all known attacks against Web applications fails to stop the remaining 5 percent of attacks. An IPS that stops 90 percent of all network attacks will fail in preventing the remaining 10 percent. And if you have seen the empirical results of independent testing conducted on commercial Web application firewalls and IPSs, such as the tests that NSSLabs frequently conducts and publishes, you will not be surprised to learn that many widely used commercial security products score only 60 or 70 percent when they are tested for their ability to stop attacks. Given the limitations in today’s security technology, advanced persistent attackers truly have a target-rich environment.

But traditional wisdom says to use a defense-in-depth strategy in combating information security threats. The basic idea is that control 1 may at some point fail, control 2 may also fail at another point, and perhaps even control 3 may fail at yet another point, but then control 4 will finally defeat an attacker’s efforts. We have seen this type of scheme work in thwarting numerous attacks in the past, but not in stopping more recent APT-related attacks. The fundamental problem with the conventional defense-in-depth security model is that every control is imperfect. Suppose that in a defense-in-depth scheme control 1 is highly effective to the point that it has only a 10 percent residual risk factor. As far as conventional attacks go, the control is nearly perfect. But now consider an APT scenario in which a highly persistent attacker will not quit until s/he has defeated or bypassed this control. After considerable time and effort, the attacker succeeds and moves on to defeat or bypass the next control in the defense-in-depth scheme. Suppose, furthermore, that the next control has a residual risk factor of 20 percent, a factor with which most information security professionals who really understand the nature and amount of residual risk would be happy. The attacker is even more likely to succeed in defeating or bypassing this control than the first control, which had a residual risk factor of only 10 percent. Now consider the third control, and the point should now really become clear.

Defense-in-depth is a good strategy, but it was not designed to meet the onslaught of APT-related attacks that have been plaguing us. Any time that any control has residual risk, a determined attacker is likely to be able to defeat or bypass it. Defense-in-depth per se is not the real problem. The real problem instead is defense-in-depth with controls that are less than perfect (or, more realistically, at least somewhat ineffective against the range of possible actions of highly determined attackers). The higher the residual risk associated with a control measure, the more likely an APT-related attack is to succeed.

We are not suggesting that information security managers abandon defense-in-depth strategies. We instead recommend that these managers rethink how to deploy defense-in-depth. We have moved from having point solutions (e.g., a firewall at the external gateway in each network, network IDSs, network IPSs, network access control appliances, and so forth) to a unified threat management (UTM) or “all-in-one” approach. In theory, this move has solved the problem of point solutions being unaware of and unable to coordinate and cooperate with each other, but at the same time we have set ourselves up for failure when it comes to APTs. We buy one vendor’s UTM product with all the functions we need, but many of the functions are not “best-of-breed.” One vendor may make the best application firewall, another may make the best IDS, and still another may make the best network access control tool. Each UTM function that is not “best-of-breed” makes advanced persistent attacks easier with respect to defeating or bypassing that function. One of the most important considerations in countering APTs, therefore, is having defense-in-depth based on the concept of “best-of-breed,” not simply having multiple barriers, each of which may be insufficiently effective.
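The residual-risk argument above can be made quantitative. The following is an added illustration, not part of the chapter: each control has a residual risk r (the probability that one attempt bypasses it), a one-shot attacker must pass every control on a single try, and a persistent attacker keeps retrying each control. It assumes independent attempts and a residual risk that stays constant per attempt; under those assumptions it also shows why upgrading the weakest control to “best-of-breed” beats adding one more mediocre layer.

```python
"""Defense-in-depth against a one-shot versus a persistent attacker.
Added illustration; the residual-risk values used below are constructed."""
import math


def one_shot_success(residual_risks):
    """Probability that a single pass bypasses every control in the chain."""
    p = 1.0
    for r in residual_risks:
        p *= r
    return p


def eventual_bypass(r, attempts):
    """Probability that a control with residual risk r yields within `attempts` tries."""
    return 1.0 - (1.0 - r) ** attempts


def persistent_success(residual_risks, attempts_per_control):
    """Probability that a persistent attacker bypasses every control in turn,
    given a budget of tries per control."""
    p = 1.0
    for r in residual_risks:
        p *= eventual_bypass(r, attempts_per_control)
    return p


def attempts_to_reach(r, target=0.95):
    """Smallest number of tries after which a control with residual risk r
    has been bypassed with probability at least `target` (inf if r is 0)."""
    if r <= 0.0:
        return math.inf
    n = 1
    while eventual_bypass(r, n) < target:
        n += 1
    return n


def best_of_breed_vs_extra_layer(chain, better_r, extra_r, attempts):
    """Compare two ways of spending a budget against a persistent attacker:
    replace the weakest control with one of residual risk better_r, or
    append one more control of residual risk extra_r."""
    weakest = max(range(len(chain)), key=lambda i: chain[i])
    upgraded = list(chain)
    upgraded[weakest] = better_r
    extended = list(chain) + [extra_r]
    return persistent_success(upgraded, attempts), persistent_success(extended, attempts)


if __name__ == "__main__":
    chain = [0.10, 0.20, 0.30]  # constructed residual risks for three controls
    print("one-shot:", one_shot_success(chain))
    print("persistent, 20 tries per control:", persistent_success(chain, 20))
    print("tries until the 10% control yields (95%):", attempts_to_reach(0.10))
    print("upgrade weakest vs add a layer:", best_of_breed_vs_extra_layer(chain, 0.02, 0.30, 20))
```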

Recommended Controls

In this next section, controls that are most likely to be effective against APTs are discussed.

E-Mail Filters and Virus Walls

APT-related attacks often use spear-phishing to get unsuspecting users to open attachments sent with e-mail messages that appear to be sent by someone the users know and trust. They also use spear-phishing to get the users to click on URLs that redirect browsers to malicious Web sites that push malware into the users’ computers. Having the ability to filter incoming e-mail from a known phishing site or IP address is thus an effective measure against APTs. Additionally, having a virus wall that inspects each e-mail attachment for malicious code and deletes anything that is found is useful for the same purpose.

Ensuring That Web Browsers Have Built-in Protections

Users do not have to be sent e-mail containing malicious URLs to visit malicious Web sites. Having browsers that help protect against common types of attacks (including advanced persistent attacks) is thus an effective control measure. For example, Internet Explorer 8 warns users when they attempt to go to a known malicious site, including but not limited to a site known to be used in connection with phishing.

Enforcing the Least Privilege Principle

In most operating systems, root- or administrator-level privileges are required to install software. Ensuring that users do not have these levels of privilege thus helps prevent their systems from being infected with malware. In Windows Vista and Windows 7, for example, everyday users run with normal privilege levels by default.

User Training and Awareness

Phishing and spear-phishing are in reality types of social engineering attacks. Training users to refrain from opening attachments they are not expecting, even if the attachments appear to be sent from someone they know, and to avoid clicking on URLs that are sent to them in e-mail messages unless they know that it is safe to do so, is another effective measure against APTs.

Using “Best-of-Breed” Malware Detection and Eradication Tools

Antivirus technology has reached its limit. For the most part, it relies on “signatures” to detect malware, but today’s generation of malware is extremely sophisticated, to the point that it transforms and frequently changes its own form to avoid detection. Only “best-of-breed” malware detection and eradication tools (e.g., Trusteer Rapport) are genuinely effective. Using these tools can considerably help in the fight against APTs.

Random Inspection of Systems

Some organizations recognize the limitations of most of today’s antimalware tools to the point that although they use these tools, they never trust their output (or lack thereof). Instead, they hire top-notch technology talent to randomly inspect a given number of systems daily. Perhaps not surprisingly, these gurus generally find several new types of malware every week. These organizations then determine what the identifying characteristics of these new types of malware are and then inform the system administrators, who are required to inspect the systems that they manage to determine if any are infected with the identified malware and, if so, to eradicate it.

Personnel Measures

The Aurora attacks against Google were aided by several Google employees who came from China to work for Google in the United States. Having effective personnel screening measures is thus another potentially useful control against APTs.

Greater Cross-Organization Cooperation

Organizations that experience security-related breaches tend to keep the information about the breaches to themselves. If the organizations shared this kind of information with other organizations, APT-related attacks might be identified sooner than they typically are and ultimately stopped or at least slowed down. Organizations such as FIRST (The Forum of Incident Response and Security Teams) promote sharing incident-related information, but unfortunately, very few organizations are members of FIRST.

Effective Intrusion Detection

APT-related attacks that have occurred so far have been greatly facilitated by the fact that the victim organizations have almost without exception failed to detect these attacks until it was too late. Being able to detect such attacks in near real-time would enable the organizations to intervene much earlier in the attack cycle, possibly to the degree that further attacks could be stopped. Effective intrusion detection, including the ability to effectively correlate system logs, firewall and IPS logs, and IDS output to identify patterns that indicate that slow and subtle attacks are occurring, would go a long way in the war against APTs.
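As an added example (not the chapter’s own material), the following Python correlator runs over constructed mail-gateway, endpoint and firewall log lines and flags the slow pattern described above: a delivered attachment, a child process spawned by the document viewer on the same host, and regularly spaced outbound connections from that host within the following hour. The log formats, host names and addresses are all constructed for the example.

```python
"""Cross-log correlation for a spear-phishing foothold with beaconing.
Added example; every log line, host name and address below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: three sources sharing a common host= field.
LOGS = """
2012-03-05T09:02:11 mailgw to=jdoe@example.org attach=invoice.pdf.exe src_ip=203.0.113.8 host=ws-17
2012-03-05T09:05:40 endpoint host=ws-17 parent=WINWORD.EXE child=svchst.exe
2012-03-05T09:06:02 firewall host=ws-17 dst=198.51.100.23 dport=443 action=allow
2012-03-05T09:16:03 firewall host=ws-17 dst=198.51.100.23 dport=443 action=allow
2012-03-05T09:26:01 firewall host=ws-17 dst=198.51.100.23 dport=443 action=allow
2012-03-05T09:36:04 firewall host=ws-17 dst=198.51.100.23 dport=443 action=allow
2012-03-05T09:30:00 firewall host=ws-22 dst=198.51.100.50 dport=443 action=allow
2012-03-05T10:15:00 mailgw to=asmith@example.org attach=agenda.docx src_ip=203.0.113.9 host=ws-22
""".strip().splitlines()

LINE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse(line):
    """Turn one 'timestamp source key=value ...' line into a dict."""
    ts, source, rest = LINE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def beacon_like(times, min_count=3, max_jitter=timedelta(seconds=30)):
    """True when connections to one destination are regularly spaced:
    at least min_count of them, with consecutive gaps differing by at most max_jitter."""
    if len(times) < min_count:
        return False
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return max(gaps) - min(gaps) <= max_jitter


def correlate(lines, window=timedelta(hours=1)):
    """For each delivered attachment, look on the same host within `window` for
    a process spawned by a document viewer plus beacon-like outbound traffic."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for mail in (e for e in evs if e["source"] == "mailgw"):
            after = [e for e in evs if mail["ts"] <= e["ts"] <= mail["ts"] + window]
            spawned = [e for e in after if e["source"] == "endpoint"]
            conns = defaultdict(list)
            for e in after:
                if e["source"] == "firewall":
                    conns[e["dst"]].append(e["ts"])
            beacons = [dst for dst, ts in conns.items() if beacon_like(ts)]
            if spawned and beacons:
                alerts.append({"host": host, "attachment": mail["attach"],
                               "child": spawned[0]["child"], "beacon_dst": beacons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOGS):
        print(alert)
```

Each source alone looks benign (an allowed HTTPS connection, a routine attachment); only the join across sources and time surfaces the pattern, which is the point of the correlation the text calls for.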

Effective Incident Response

Yet another potentially effective control in countering APTs is having an effective incident response capability that is capable of quickly identifying advanced persistent attacks and containing them and their effects so that they do not spread and get out of control. An interesting twist on the incident response theme is being tried by an increasing number of organizations that assume that their networks are already compromised and that they are thus always in incident response mode. Every connection, internal and external, is considered suspicious and is thus investigated. The main limitation with this approach is the resources needed to be in a constant state of reaction to events, but those who use it generally attest to its many advantages, given the number, severity, and persistence of today’s attacks.

Adjusting the Security Framework

An information security framework is one of the most valuable tools that information security managers have in moving their information security practice in an appropriate direction to achieve the desired level of information security governance. This kind of framework should, among other things, include the goals of the information security risk management program and how they are aligned with business drivers, the major strengths/advantages and potential obstacles with respect to achieving the defined goals, and what constitutes success. Given the reality of APTs today, most information security managers need to revisit their security frameworks, looking in particular how APT-related risk potentially affects business processes and how APTs result in new obstacles that information security practices need to address. Managing an information security effort is not easy, but with the advent of APTs, doing so just got more difficult. Information security managers must think strategically and proactively, and doing so with respect to dealing with APTs is not an option, but is now rather a de facto requirement.

Conclusion

This final section presents a summary of the major points raised in this chapter, a discussion of what APTs are likely to be in the future, and, finally, a discussion of possible next steps in dealing with APTs.

Summary

APTs have grown from being little-noticed and rather insignificant to threats that should be on every information security manager’s proverbial radar screen. APT-related attacks such as Titan Rain, GhostNet, Operation Aurora, and Night Dragon have resulted in a considerable amount of sensitive information falling into the hands of adversaries. Adversaries have generally become well-financed, well-organized, and highly motivated to succeed to the point that, contrary to the way things worked in the past, they do not give up, even after experiencing multiple setbacks. They frequently use spear-phishing methods, targeting individuals whom they have thoroughly researched. They develop and use malware that is incredibly well-written and tested and that incorporates mechanisms that help cloak its presence. They also often exploit zero-day vulnerabilities. Of confidentiality, availability, and integrity risks, advanced persistent attacks are most likely to cause confidentiality-related risks to soar. Defending against APT-related attacks is exceptionally difficult, in part because of the persistence of the attackers coupled with the residual risk in connection with controls commonly used as part of a defense-in-depth scheme. The best approach is to use “best-of-breed” technical controls (e.g., e-mail and browser filters, virus walls, intrusion detection, and more) in conjunction with user awareness and training and effective incident response. More effective sharing of incident-related information would also help organizations be able to better thwart APT-related risks. Information security managers should also update and revise their practice’s information security framework to take APTs into account.

APTs in the Future

As long as the adversaries continue to have the upper hand, they are likely to continue with the same strategies that they are currently using. They can continue to focus on finding victim organizations, preparing for attacks, writing and using new malware, and gleaning volumes of information that meets their goals. Large organizations such as Fortune 500 companies and government departments and agencies are likely to continue to be the major targets of APT-related attacks. Given these organizations’ very high risk appetite, advanced persistent attacks are likely to continue mostly unabated well into the future, but the range of targets is likely to expand. Not surprisingly, small and medium-sized businesses and academic institutions have almost without exception been immune to APT-related attacks so far. Although future APT-related attacks will primarily be aimed against corporations and governments, other types of organizations will also be likely future candidates as their IT services move to the target-rich cloud computing environment.

Next Steps

APTs are for all practical purposes presently unstoppable, and much of the blame falls upon security technology vendors. Instead of producing best-in-class products, they too often freely use the “APT” acronym in their marketing strategies as a means of inciting fear in individuals who might not otherwise be inclined to buy their products. When confronted with the results of independent testing that show that their products are not all that proficient in accomplishing what the vendors say they do, the vendors often unjustly impugn the testing process used to produce the results and/or claim that the disappointing results for their product were due to the fact that an older version of their product was used in the tests. We need a massive amount of help from vendors if we are going to have a chance against APTs, but too many vendors are barking up the wrong tree, so to speak. Vendors need to pursue making products that are, above everything else, best-in-class. The sooner they do this, the more likely our systems, devices, and networks will be to resist APT-related attacks.

About the Authors

E. Eugene Schultz, PhD, CISM, CISSP, GSLC, is the chief technology officer at Emagined Security, an information security consultancy based in San Carlos, California. He is the author/coauthor of five books, one on UNIX security, another on Internet security, a third on Windows NT/2000 security, a fourth on incident response, and the latest on intrusion detection and prevention. He has also written over 120 published papers. Gene was the editor-in-chief of Computers and Security from 2002 to 2007 and is currently an associate editor of Computers and Security and Network Security. He is also a certified SANS instructor, senior SANS analyst, member of the SANS NewsBites editorial board, coauthor of the 2005 and 2006 Certified Information Security Manager preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been a professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. Named a distinguished fellow of the Information Systems Security Association (ISSA), Gene has also received the ISSA Hall of Fame award as well as the ISSA’s Professional Achievement and Honor Roll awards. While at Lawrence Livermore National Laboratory, he founded and managed the U.S. Department of Energy’s Computer Incident Advisory Capability (CIAC). He is also a cofounder of FIRST, the Forum of Incident Response and Security Teams. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues and has served as an expert witness in legal cases.

Cuc Du is currently the information security officer for the Office of the Chancellor at the California State University, where she holds responsibility for the overall information security function and program at the Chancellor’s Office. Prior to serving in this position, she served in a senior security role for Fremont Investment and Loan, where she played a key role in developing and implementing the company’s information security program. In addition, Cuc was a security engineer at Option One Mortgage Corporation and security consultant at Callisma, Inc. (now known as AT&T).