How advanced persistent threats bypass your network security
October 19 2010
Hundreds of companies around the world have been thoroughly compromised by APTs (advanced persistent threats) -- sophisticated forms of cyber attacks through which hackers mine for sensitive corporate data over the long term. APTs aren't easily purged; rather, victimized companies often spend day after day trying to make a dent in them. Meanwhile, some security practitioners consider "APT" an overblown marketing term. It isn't.
One of the struggles faced by companies (and security consultants) is determining whether a breach is, indeed, an APT. They will call every found singular bot and trojan an APT and dream up long-term, radical threats from invisible attackers. I've had to disagree more than once with other consultants on whether APT was part of a security threat. The evidence was not there. The first step in fighting ATP is understanding what separates it from a traditional, targeted human-hacker attack. The follow-up step, which I will discuss next week, is detecting and eliminating these kinds of attacks.
Most people will immediately point to the "persistent" part of the definition as the key differentiator. The normal targeted attackers break in, look around, and immediately target the most valuable found assets. They figure that the faster they get in and out with the treasure, the more money and the less risk they face.
By contrast, APT attackers are there to stay as long as they can. The attackers aren't trying to steal everything at once. Instead, they exploit dozens to hundreds of computers, logon accounts, and email users, searching for new data and ideas over an extended period of months and years. Their interests (and keyword searches) change from one day to the next, as if their "customers" have given them a shopping list.
APTs are professionally run attacks, managed just like legitimate corporations instead of in the manner you'd expect of a black-attired, greasy-haired hacker kids hopped up on Mountain Dew. Many APT companies work in skyscrapers; have CEOs, recruiters, and payrolls; and pay taxes. APT hackers work in eight-hour shifts and take off holidays (at least those of the originating country).
Individual APT hackers appear to boast different specialties, whether it's compromising particular types of servers and workstations, dumping passwords, placing back doors, collecting data, or loading remote-access Trojans. Their malware creations have evidence of development team breakouts with development forks, beta testing, and updates. Victims often tell me they know when a particular hacker is at work simply by the methods and tools used.
Even the treasure taken by APTs is different. The traditional attacker seeks immediate financial gain. They will try to steal identities, transfer money to foreign bank accounts, and more. APT attackers, on the other hand, almost always take only information and leave money untouched. Their targets are corporate and product secrets, whether it be F-18 guidance system information, contract pricing, or the specs on the latest green refrigerator.
APT often steals large amounts of information each week, collecting it at a centralized computer within the compromised network, before sending it all home in a single archive file (often a tar ball). Many networks run APT bots that collect every new folder, file, and email, then send it home. The victims have an online backup system that rivals what they could otherwise pay for with a legitimate company.
APT is usually hosted in countries that provide political and legal safety. I've never seen evidence of a country that directly hosted black-hat hackers, but there appears to be a well-known list of countries that tolerates such operations within their boundaries and are uncooperative in assisting victims with justice. China and Russia are often mentioned, but there are dozens more. Former White House security adviser Richard Clark calls them "cyber sanctuaries" and urges our cyber allies to ask for accountability.
Worse yet, APTs are usually so ingrained into an environment that even if you know where they are, they can be difficult or impossible to move. I have several clients who've decided it's easier to live with APT (or portions of it) than it is to tackle and try to eradicate it. They don't like the odds of successfully ridding themselves of the APT and are afraid the APT would dig further undercover if the extermination attempt goes awry. By allowing some of it to remain on their network, they know where it is, and they can more closely monitor it to learn what is being stolen. It sounds crazy, but living with APT is not an uncommon scenario.
APT has many characteristics that make it stand out from regular hacking attacks. Hopefully, your company won't have to learn firsthand why that's the case.
View more news |