As easy as APT? It's not as simple as that
Dan Raywood, news editor, SC Magazine
With the imminent arrival of the annual European RSA Conference, I expect that we will be hearing three letters mentioned rather a lot ‘A, P and T'.
Earlier this year we looked at what the advanced persistent threat (APT) really meant to people. Most generally criticised the use of the word ‘advanced' and questioned what these threats actually meant to businesses.
A recent tweet by Kaspersky Lab CEO Eugene Kaspersky seemed to sum up the general feeling about APTs. He said: “A disadvantage of APT is that it's not measurable. How much advanced and persistent should a threat be to become [an] APT?”
This week I stumbled across an interesting blog by Eric Huber at his page ‘A fistful of dongles', where he called most of the talk about APT ‘noise from people who don't understand the issue and/or are using the term as a cynical marketing ploy for their products'.
He said: “Yes, of course, tools are important in defending against advanced persistent actors as well as other threat actors. However, my eyes pretty much glaze over when I see the words advanced persistent threat as part of vendor tool marketing campaigns.
“I've lost count of the number of times I've read marketing information that wants me to think that the vendor has created some amazing unicorn blood-fuelled tool that will solve all of my problems and not require me to do much else other than to write them a big cheque each year.”
Looking at his perception of the word ‘advanced' in APT, he said that it does not mean that the attacker uses sophisticated malware in each attack, as even the best attackers have limited resources.
“Just because the tools and techniques that knocked you over weren't ‘advanced', doesn't mean it was not an advanced ‘actor'. It could very well just mean that your defences were so inadequate that the attacker didn't have to work very hard to defeat you. It could also mean that there were advanced tools and methods that were part of the campaign against you that escaped your detection or understanding,” he said.
According to Sam Curry, chief technology officer, marketing at RSA, APTs are typically highly targeted, thoroughly researched, amply funded and tailored to a particular organisation. Curry was speaking ahead of the publication of the Security for Business Innovation Council (SBIC) report, which said that it was a matter of when, not if, businesses will be targeted by advanced threats.
Titled ‘When advanced persistent threats go mainstream: building information security strategies to combat escalating threats', it claimed that APTs are now targeting a broad range of private sector organisations rather than high-profile government targets.
Art Coviello, executive chairman of RSA, a company that has had its own share of APT issues this year, said that all organisations are part of the greater ecosystem of information exchange, and it is everyone's responsibility to build and protect that exchange.
The SBIC report encouraged organisations to adopt a new security mindset, shifting the concept of success from preventing infiltration to detecting attacks and mitigating damage as quickly as possible.
The council recommended seven defensive measures against escalating APT threats:
- Up-level intelligence gathering and analysis and make intelligence the cornerstone of your strategy;
- Activate smart monitoring and know what to look for and set up your security and network monitoring to look for it;
- Reclaim access control;
- Train your user population to recognise social engineering and compel them to take individual responsibility for organisational security;
- Manage the expectations of executive leadership so they realise the nature of combating APTs is fighting a digital arms race;
- Re-architect IT to move from flat to segregated networks so it is harder for attackers to roam the network and find the crown jewels;
- Participate in intelligence exchange to leverage knowledge from other organisations by sharing threat intelligence.
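The two technical items on that list, smart monitoring and moving from flat to segregated networks, reinforce each other: once a network is divided into segments, a short allow-list of which segments may talk to which becomes something monitoring can actually check. The script below is an added illustration of that idea and is not code from the article, RSA or the SBIC report. The segment map, the allow-list and the flow-log lines are all constructed, and the log format is an assumed one; it flags any cross-segment flow the policy does not permit, which is the kind of lateral movement a flat network would never surface.

```python
"""
Added example (not from the SC Magazine article or the SBIC report): a
small check that combines "smart monitoring" with "segregated networks".
Given a segment map and an allow-list of which segments may reach which
on which ports, it flags flows that cross a segment boundary the policy
does not permit. Hosts, segments, policy and log lines are constructed.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed segment map: which address ranges belong to which segment.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers":      ipaddress.ip_network("10.20.0.0/16"),
    "dmz":          ipaddress.ip_network("10.30.0.0/24"),
    "mgmt":         ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed policy: (source segment, destination segment) -> allowed ports.
# Any cross-segment flow not listed here is treated as a violation.
ALLOWED = {
    ("workstations", "servers"): {443, 445},
    ("workstations", "dmz"):     {443},
    ("mgmt", "servers"):         {22, 3389},
    ("mgmt", "workstations"):    {3389},
    ("dmz", "servers"):          {5432},
}

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def parse_flow(line):
    # Assumed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
    ts, src, _, dst, proto = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, src_ip, dst_ip, int(dport), proto)

def check_flow(flow):
    """Return None if the flow is allowed by policy, else a reason string."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s == d:
        return None  # intra-segment traffic is out of scope for this check
    if s == "unknown" or d == "unknown":
        return f"unmapped address {flow.src} -> {flow.dst}"
    allowed_ports = ALLOWED.get((s, d))
    if allowed_ports is None:
        return f"no path permitted {s} -> {d}"
    if flow.dport not in allowed_ports:
        return f"port {flow.dport} not permitted {s} -> {d}"
    return None

def find_violations(lines):
    """Return [(Flow, reason)] for every flow that breaks the segment policy."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        f = parse_flow(line)
        reason = check_flow(f)
        if reason:
            out.append((f, reason))
    return out

# Constructed sample flows: a workstation reaching RDP on a server, a
# workstation touching the management segment, and a DMZ host reaching
# back into the workstation segment are all policy violations.
SAMPLE_LOG = """
2011-10-01T09:00:01 10.10.4.7:51000 -> 10.20.1.5:443 tcp
2011-10-01T09:00:02 10.10.4.7:51001 -> 10.10.4.9:445 tcp
2011-10-01T09:00:05 10.10.4.7:51002 -> 10.20.1.5:3389 tcp
2011-10-01T09:00:09 10.10.4.7:51003 -> 10.40.0.2:22 tcp
2011-10-01T09:00:12 10.30.0.10:44000 -> 10.20.1.8:5432 tcp
2011-10-01T09:00:15 10.30.0.10:44001 -> 10.10.4.7:445 tcp
"""

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_LOG.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} {reason}")
```

The allow-list is deliberately small and explicit; the value of the check comes from the policy being short enough that every entry can be justified, so that anything outside it is worth a human's attention rather than another line in a noisy alert feed.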
Curry said: “Advancing along these lines should make life a lot easier. This isn't a binary state either, it's about gradual improvements. All of these require deepening relationships and soft skills in a way that is daunting to some.
“However, a small improvement in any of them will begin to lift any organisation's defence posture and ability to keep up and eventually keep ahead.
“The bottom line for me is that the individual activities we do and the principles we adhere to won't change, but how we put them together, how we plan, how we talk and how we work together will actually make all the difference and make us more flexible, more informed, more adaptable and more effective.”
I asked Lance James, director of intelligence at Vigilant, how ‘advanced' he felt the APTs are in comparison to other threats. He claimed that the phrase was something of a ‘misnomer', as it refers to a type of threat that is not actually that sophisticated, nor is it getting significantly more advanced in the tactics used to infiltrate systems and networks.
He said: “It would be more appropriate to call it an ‘organised persistent threat' since the salient feature of these attacks is the degree to which they are planned and premeditated, usually designed for a very specific target to achieve financial or espionage objectives.
“The idea of APTs strikes fear in the heart of security teams because in many cases the attacks and the tools being used are not known to the security community until the attack has already succeeded at acquiring data from the target. This does not necessarily mean that the threats are ‘advanced', but they do have an advantage since many of the security products today are not equipped to recognise malicious software and techniques that have not proliferated widely.”
Looking at the SBIC report, I asked James if he felt that the advice was hitting or missing the point. He said he felt the report was on the right track, though as a community we collectively need to dig deeper.
“Many of its recommendations are already reflected in one way or another in multiple standards, including NIST, ISO and FFIEC. The recommendations tend to represent a wishlist for what the majority of companies do or should include in their policies, but which are rarely followed in practice to the degree that they should be,” he said.
“What we're dealing with is a widespread gap between theoretical ‘best practices' and real-world practices. The larger the company, the less flexibility they have in applying policy; and unfortunately these ‘advanced' or ‘organised' threats operate at a greater advantage against these types of institutions.”
This is far from the end of the debate; if anything, I expect the RSA Conference will address APTs further in many sessions and from many angles. Far from being another passing trend, the APT theory now seems well worth consideration.