APT (advanced persistent threat) attacks have been in the press since 2006, but are only now gaining real media attention due to recent high-profile attacks, and IT teams must prepare to deal with these threats before they become commonplace. Some security practitioners consider APT an “overblown marketing term” and others will argue that it only affects the military or government agencies. In the military, the term APT has been used to describe a process of maintaining intelligence operations and conducting information warfare against an enemy. In information security terms, hundreds of companies around the world have been completely and utterly compromised by information security APTs, which allow hackers to mine and exfiltrate sensitive corporate data under the security radar, over an extended period of time.
In information security, these are targeted attacks launched using malware vectors, and as their name implies, they employ unreported zero-day vulnerabilities, advanced coding practices, and automated behaviors to increase the effectiveness of their penetration capability, covert operation, and persistence. They are persistent in attacking their target and in remaining in operation, often for years. Once inside the organization, APTs are not easily detected, contained or removed. Victimized companies will often carry on with their daily business unaware of the problem, and when the agents are eventually detected, they are often misdiagnosed as other, less impressive malware and given an incorrect or incomplete treatment. If the malware agent is unable to communicate with its Command & Control (C&C) center, it will often attempt to reach another one, or use another communication channel or method to quietly squawk away your secrets.
Not every malware infection indicates an APT attack. Consultants are tempted to identify every bot-agent or Trojan found as an APT and dream up long-term, radical incident handling and remediation engagements against unseen and unknown attackers. I’ve had to disagree more than once with consultants and responders on whether APT was part of an active security event. The first step in handling an APT attack is understanding what separates it from a targeted hacker or a classic malware agent. Once it is properly defined and understood, detecting and eliminating these kinds of attack tools becomes easier.
APT attacks started to be reported by the mainstream press in January 2010 with Google’s announcement of a major APT incident, and continued with the more recent RSA compromise involving the theft of information concerning SecurID technology. That particular breach has been followed by serious reaction and concern from users of the technology, and its impact and aftermath are still unfolding. The hacking group Anonymous’ HBGary email leaks show that Dupont, Disney, Johnson & Johnson, Sony, and GE have been affected, along with several law firms and insurance companies. Global financial companies and banks have also been impacted by the APT threat. McAfee recently revealed that the world’s biggest oil and energy companies have also become victims.
Finding, containing and eliminating an APT attack requires careful advance planning and stealthy implementation to avoid alerting the attackers to your defensive maneuvers. The Canadian government had to isolate its largest financial departments, blocking access to and from the Internet in order to contain an APT threat and repair the damage that it caused. In every single case that I am aware of, the targeted organizations had actually been under attack for months or even years, undetected.
The attackers select their targets very carefully. Where other malware vectors tend to be arbitrary, finding targets of opportunity, APT attacks are aimed precisely at targets of choice. The attackers spend a fair amount of time researching and learning about the organization that they are about to attack: its personnel, its market, its interests, its hierarchy, its policies and its culture. They will custom build the installation routines and the malware agent to virtually eliminate the chance of detection by anti-virus and other tools. There will be no signatures for the malware, and they will rarely use that particular agent anywhere else at the same time. The attack itself will be well planned, often using social engineering tricks to get the program inside the perimeter. Users will be targeted specifically, sometimes through their personal home email and less protected home networks, to get onto laptops, USB sticks and other media that can make their way into the workplace.

Insiders may be used, and not just the ones that you screen and hire. You may be the target, but an upstream business partner, downstream service provider, or consultancy may do the hiring. Your network may even serve initially only as a conduit to the real target: a business partner, a consultant that works for both you and the ultimate target, or a shared service provider. Consider yourself a current target if you hold sensitive information beneficial to foreign governments, or have relationships with those who do.
Key target characteristics include: