Letter to the editor: APTs and unknown unknowns
the SC Magazine UK take:
I have just read the APT article published in the recent edition of SC Magazine and, based on more than 30 years' experience and hands-on research both on/offshore into the subject of APT/AET in labs and live operational environments, I do feel that some of the comments are a little off line in this current age, and that they need some form of redress to add clarity to the actual risks posed.
Having attended and presented at the ISMG APT Summit in New York in 2014, I noted that there was much discussion on this topic which expanded the risk posed by the APT far beyond what we expect. To be clear, the basics of an APT are the complexities of the overall construction aligned to the composition of the planned vectors of attack which make up the end product. These can be based on a mix of vulnerabilities, intelligence, known points of exposure, and, say, HUMINT or social engineering. In fact it was such a tool of adversity that I built way back in 1993 when I circumvented AV with encapsulated packets – a paper I presented at VB93.
There are definitions of what the APT is, but one thing is for sure, it does not arrive labelled APT – it arrives with an intelligent construction of capabilities, payload, and an objective to compromise which may manifest itself in the form of unknown unknowns.
There is also much substantiated research on this subject, and I feel it is useful to add into the pot examples of inner weakness: poor patching; incapable, yet up-to-date, perimeter protection, linked to the potential for TCP/IP stack manipulation presenting an adverse packet to the protected core of the network, from which one may gain a 'shell', then, say, launch wmic [which should not be available, yet is on most default Windows builds]. And, as they say, that is another example of how one may construct an APT... with the other most important components of skill and imagination.
In the new age of cyber-security the exposure to APTs may be countered with some effect by leveraging OSINT, which may be called Minority Reporting, to discover the unknown unknowns. But one thing is for sure: anyone who expects the old-style risk assessment to mitigate or counter the threats of APT needs to think again. In 2015 we need to consider cyber-security in a whole new light if we are to win the battle against the bad guys/gals.
Professor John Walker CFIP MFSoc CRISC CISM ITPC CITP SIRM FBCS FRSA
Director of CSIRT & Cyber Forensics