Turning the tide on APTs and nation state attackers

For nation-state sponsored attackers, targeting foreign companies is akin to a day job, for the simple reason that it is far cheaper to steal research and company secrets than to produce or buy them. For the businesses that come under attack, however, the initial reaction is an emotional one: questions such as "who would do this to me?" and "how can I get this infiltrator out?" arise. As someone with experience of dealing with nation-state attacks, I would like to see a change in this mindset, and in how we protect IT as a result. Once it is understood how these attacks operate, a more reasoned and rational approach, one that treats attacks as part and parcel of doing business, serves organisations far better.

When first considering nation-state attackers, the game seems stacked in their favour: they have effectively unlimited time and resources, and geo-political boundaries prevent any direct action against them, so there is little consequence to being caught. In reality, the only true risk to the attackers is that of being discovered, having their foothold in the organisation removed and then having to start over again.

Of course, it's not all doom and gloom, as there are commonalities in all attacks that make them detectable too. Attackers need code to run inside the target organisation, they need to communicate back out to control it once inside, and they need to maintain visibility of the areas of the organisation that hold the information of interest to them. Each of these requirements gives defenders something to look for.
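The outbound control channel is the most reliable of these commonalities to hunt for: an implant that needs to receive tasking usually polls its controller on a timer, and a timer leaves a statistical signature even when the destination hostname looks innocuous. As an added example (not code from the author or from MWR InfoSecurity), the following Python scores every source/destination pair in a small, constructed proxy log by how regular its connection intervals are. The log format, hostnames, timings and thresholds are all assumptions for illustration, not real traffic.

```python
"""Beacon detection: flag source/destination pairs whose connection intervals
are suspiciously regular, as a polling C2 implant's would be."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real data). Each line is
# "<ISO timestamp> <src_ip> <dst_host> <bytes>". The 10.0.0.5 ->
# c2-stats.example.net flow calls home roughly every 300 s with a few
# seconds of jitter; the other flows are irregular browsing/mail noise.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 c2-stats.example.net 412
2024-03-01T09:00:12 10.0.0.5 news.example.org 18233
2024-03-01T09:00:13 10.0.0.5 news.example.org 9921
2024-03-01T09:00:13 10.0.0.5 news.example.org 40210
2024-03-01T09:02:30 10.0.0.7 mail.example.com 3307
2024-03-01T09:05:02 10.0.0.5 c2-stats.example.net 398
2024-03-01T09:07:40 10.0.0.5 news.example.org 22087
2024-03-01T09:09:58 10.0.0.5 c2-stats.example.net 405
2024-03-01T09:15:01 10.0.0.5 c2-stats.example.net 411
2024-03-01T09:18:45 10.0.0.7 mail.example.com 5120
2024-03-01T09:20:00 10.0.0.5 c2-stats.example.net 402
2024-03-01T09:24:59 10.0.0.5 c2-stats.example.net 417
2024-03-01T09:30:03 10.0.0.5 c2-stats.example.net 409
2024-03-01T09:31:05 10.0.0.5 news.example.org 15002
2024-03-01T09:31:07 10.0.0.5 news.example.org 8044
2024-03-01T09:35:00 10.0.0.5 c2-stats.example.net 400
2024-03-01T09:41:10 10.0.0.7 mail.example.com 2980
2024-03-01T09:48:00 10.0.0.5 news.example.org 31400
"""


def parse_log(text):
    """Parse log text into (timestamp, src, dst, bytes) tuples.

    Blank or malformed lines are skipped rather than aborting the run,
    since real proxy logs routinely contain partial last lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.fromisoformat(parts[0])
        entries.append((ts, parts[1], parts[2], int(parts[3])))
    return entries


def find_beacons(entries, min_count=6, max_cv=0.15):
    """Return flows whose inter-connection gaps have a low coefficient of
    variation (stddev / mean), i.e. look timer-driven rather than human.

    min_count and max_cv are assumed thresholds chosen for this sample;
    tune them against your own baseline before relying on them."""
    flows = defaultdict(list)
    for ts, src, dst, _size in entries:
        flows[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_count:
            continue  # too few connections to say anything about periodicity
        times.sort()  # logs are not guaranteed to arrive in order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_interval": avg, "cv": cv})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every {hit['mean_interval']:.0f}s, cv={hit['cv']:.3f}")
```

On the sample above only the c2-stats.example.net flow is reported (eight connections, mean gap 300 s, cv below 0.01); the browsing and mail flows are either too sparse or too irregular. The check is deliberately simple: an implant that adds heavy random jitter or sleeps for hours between polls will push the coefficient of variation above the threshold, so in practice this is one feature alongside others such as request size, destination rarity and time-of-day patterns, not a verdict on its own.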

When the attackers or their malware are discovered, usually at the point when the malware attempts to communicate outside or when its persistence mechanism is recognised, the question of attribution immediately rears its head for many businesses. This is usually based on misconceptions about how attackers operate. For example, many believe that the country hosting the IP addresses seen conducting the attack must be the attackers' own. In truth, those IP addresses may simply be the last hop in a long chain of relayed connections. In short, every attempt at attribution carries an element of uncertainty and is, on the whole, futile for anyone other than a government.

The next decision is normally a knee-jerk emotional reaction: the organisation takes the stance that someone is on its systems trying to do it harm, and wants them stopped and gone as soon as possible.

This is irrational for two reasons. Firstly, the malware may have been present for over a year, so whatever it was going to do, it has most likely already done. Secondly, it assumes that this was the only malware present, rather than simply one of many implants the attacker has deployed as backup routes back into the organisation.

A more fruitful approach is to detect the threat actor and contain it. Monitor it. Know it is there without the attacker having any idea they have been spotted. That way the attackers are fooled into thinking they still have a foothold in the organisation, when in reality the organisation has the upper hand. At the same time, if the offending traffic is being watched and read, the organisation knows exactly what impact the intrusion is having.

That advantage disappears the moment the organisation broadcasts that it has spotted the attackers and removed the malware. They vanish from sight, leaving the organisation with the challenge of finding them again when they inevitably return.

In summary, by accepting that people intent on breaking into large and complex IT systems will succeed if they really want to, we can design architectures and networks so that the things of most value to the business are the things most strongly protected. What is needed is a fundamental transformation: from seeing attacks as unusual events brought about by people out to do direct harm, where emotion and reflex overtake reasoned and rational thinking, to seeing them as a normal part of doing business.

Contributed by Mike Auty, senior security researcher, MWR InfoSecurity