Friday, August 26, 2011

APT: A Geopolitical Problem

An important thing to understand when thinking about advanced persistent threat (APT) is that it’s a much bigger problem than any one of us, as individual organizations, can handle, because it's ultimately a geopolitical issue. We're talking about nation-states who are engaging in attacks against the confidentiality of sensitive data that belongs to other nation-states, their industrial base, academic institutions, and non-profit organizations. In other words, China isn't going to stop using cyber attacks as an active tool for its national security and economic development efforts until someone forces them to do so or their government changes radically.

Being targeted by a nation-state actor is a daunting thing to consider. Matt Olney, who is still the reigning champion of the pithy APT definition, wrote, "APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that." Matt wasn't kidding when he said they have more resources than you. A nation-state has the ability to levy taxes and print money. I don't care what your organization’s profit margins and revenues were last year; it can't compete when it comes to outspending these people. Nation-states can have tremendous resources when it comes to personnel, intelligence gathering, education, and research and development capabilities. Jonathan Abolins made a fine point in response to my last blog post when he stated that if your organization is targeted by a nation-state for cyber attacks, it's almost certainly being targeted by more traditional physical data collection methods as well. Nation-states have comprehensive intelligence collection strategies in which information warfare is just one piece.

So we're cooked, right? Absolutely not. There are things that we can and should be doing to protect our individual organizations from these nation-state actors, such as developing robust threat-based security teams. One of the best things we can do to combat this threat is to work hard to raise awareness so that other organizations will wake up and start fighting back also. Nation-states can have immense resources, but they aren't unlimited resources. They have to make resource allocation decisions just like anyone else. The more we collectively fight back against them, the more of their resources they have to expend to keep up with us. Either they have to allocate more resources to keeping up their current level of overall activity, or they have to start making tough choices on who to target and how much to spend on that particular target. Let’s make this really expensive for them.

When you fight back intelligently against this threat, you help everyone else out also. The business case for having your organization properly defend against this threat is the long-term health and profitability of the organization. The altruistic case is that your efforts will likely help make others safer also by making hostile nation-states use more of their limited resources. Maybe that resource drain means that some United States Navy commander at VFA-123 doesn't have to write condolence letters home to a pair of military families because that officer lost two naval aviators in an F/A-18 to an anti-aircraft defense system that was made better by stolen technology.

There is a lot of vendor noise out there on the topic of APT, but I don't agree with those who say that we should abandon the term APT because of gross misuse by others. We have to fight misuse of the terminology just as we have to fight the misinformation about the subject itself. If we come up with a new term, the marketing people will just abuse it like APT, so this is a linguistic battle that I'm willing to fight.

So what can you do? The first thing you should do is to educate yourself about the nature of the threat so that you can cut through the noise and properly educate your organizational leadership. The people whom I look up to and who are very influential in how I approach this issue are Richard Bejtlich, Rob Lee, and Mike Cloppert. I recommend starting by absorbing anything you can from them, such as books, blogs, conference presentations, podcasts, random scribblings on cocktail napkins, articles, and Twitter feeds. There are excellent conferences such as the DoD Cybercrime Conference and the SANS Digital Forensics and Incident Response Summit (full disclosure: I teach digital forensics for SANS) that are held each year and include fantastic presentations on nation-state threats along with many other great topics.

You should also maintain at least a working knowledge of the business and geopolitical world around you. Since advanced persistent threat is a nation-state issue, it's important to understand what is happening in the world and how it connects to your daily life as an information security professional. There are resources such as The Wall Street Journal, The Economist, Brookings, Council on Foreign Relations, and Foreign Policy that all have robust and convenient online presences complete with mobile applications.

Even though I'm beating up on some vendors because of their misuse of terminology and sometimes FUD-driven marketing, there are great vendors out there who provide a wide variety of tools, services, and educational efforts that are very helpful to your efforts. I’ll try to highlight as many as I can in future blog posts. One example is Mandiant, who does a fantastic job of educating the community about the nature of advanced persistent threats as well as threats from other actors. They are very open with what they know, and I highly recommend their frequent webcasts.

Sunday, August 21, 2011

Advanced Persistent Threat

Like most people who have a strong interest in incident response and information warfare, I follow Richard Bejtlich’s blog and Twitter feed closely. Richard fired off a series of excellent Tweets this week talking about the “advanced” aspect of advanced persistent threat (APT). This inspired me to write this APT post that I’ve had in my head for some time now, but was hesitant to write because so much of what is written these days about APT is quacking and barking from vendors and others who don’t understand what they are talking about. I just didn’t want to contribute to all of the noise about the issue when you already have established experts like Richard, Rob Lee, and Michael Cloppert who are wonderful on this topic.

We’ve gone from a situation where the term APT was used by government cyber warfare people along with some of their partners in the private sector to something that is grossly misunderstood and misused by people who pretend to be experts, but have no earthly clue what they are talking about. Ever since the Operation Aurora information hit the media and the consciousness of information security tool vendors’ marketing departments, we’ve been inundated with all sorts of shrieking and wailing about APT from vendors and self-appointed experts. Most of it has been noise from people who don’t understand the issue and/or are using the term as a cynical marketing ploy for their products. Yes, of course, tools are important in defending against advanced persistent actors as well as other threat actors. However, my eyes pretty much glaze over when I see the words advanced persistent threat as part of vendor tool marketing campaigns. I’ve lost count of the number of times I’ve read marketing information that wants me to think that the vendor has created some amazing unicorn-blood-fueled tool that will solve all of my problems and not require me to do much else other than write them a big check each year.

Richard’s Twitter feed is always excellent, and the Tweets that he crafted this week were simply brilliant and inspired me to write this post. Some of them were:

“Bruce Lee fought using sticks, nunchakus, or his bare hands. He must not have been that advanced or powerful. Sort of like APT, eh? #sarcasm”

“The Army uses mules to move cargo across mountains in Afghanistan? Those guys must be as advanced as the Spartans! Like APT. #moresarcasm”

“My point is when you only judge an adversary by the TOOLS that YOU see him using (2 errors there) you're making a big mistake. That's #APT.”

I don’t know if a particular event caused Richard to write this series of Tweets, but a personal hot button of mine is people who say that because a particular tool or technique was not advanced, an APT actor was not involved. This is nonsense on stilts. As I pointed out on my own Twitter account, just because the tools and techniques that knocked you over weren’t “advanced” doesn’t mean it was not an advanced actor. It could very well just mean that your defenses were so inadequate that the attacker didn’t have to work very hard to defeat you. It could also mean that there were advanced tools and methods that were part of the campaign against you that escaped your detection or understanding.

As Rob Lee has taught us, APT is a “who”, not a “what”. In regards to the who, APT is ultimately nation-state actors like China who are aggressively pursuing the theft of a wide range of information that they consider vital to their national interests. It is important to understand that these nation-state actors have broad national interests that extend well beyond military technology. That is why we’ve seen so much APT activity targeting organizations that aren’t in the defense space. Remember that the event that made many people aware of this threat was the Operation Aurora incident, where organizations like Google, Yahoo, Symantec, Adobe, and Dow Chemical were reported to be targeted along with human rights organizations and think tanks. Some people in the field will also extend the definition of APT to sophisticated organized crime groups who target organizations to steal data such as credit card information. Reasonable people can and do disagree on the definition of advanced persistent threat, but there are definitions that are just silly. For example, you should be very suspicious of a definition that requires the use of advanced tools for the activity in question to be classified as advanced persistent threat.

“Advanced” doesn’t mean the attacker uses sophisticated malware in each attack. Even advanced attackers have limited resources. They aren’t going to send their top people with their best tools after you if it’s not necessary. They have to make decisions on resource allocation just like you do. If you get knocked over by a low-tech attack, it might still be an advanced actor, but it could very well mean that you aren’t good enough for them to deploy their best operators and weapons systems. As I heard someone say a while back, if an organization has its administrator credentials compromised and the attacker is using them to compromise additional computers, we don’t call that hacking anymore; we just call that logging in.

All that said, advanced actors can and will deploy some very sophisticated tools when necessary to achieve their goals. The anti-virus vendors can’t keep up with these attackers, which is why anti-virus technology, while necessary, isn’t a comprehensive solution to countering their tools. This is why malware analysis is a key aspect of defending against APT operators. I see it as one of the few areas where the defenders have an advantage against attackers compared to traditional warfare. In traditional kinetic warfare, an attacker can successfully use a sophisticated weapons system such as a stealth fighter, and the defender will not have the opportunity to examine that weapon unless they capture it. Additionally, that capture is likely to come after the weapon system has been significantly damaged, which will make a full examination more difficult. With cyber warfare, the attackers are commonly leaving their weapons systems behind on the defender’s networks. Many times these weapons are in perfect operating condition. Malware analysis is a vital part of an effective defense strategy against advanced persistent actors. It’s a critical part of incident response because gaining a fuller understanding of the malware being used against you can provide the team with additional indicators of compromise, which can be used to determine the scope of the attack against you. It is also important to your threat intelligence function because it can provide valuable intelligence about who is going after you. This is important information that will aid in your defense, especially when compared against your existing body of intelligence data. Because malware analysis is so important, it’s also important to make sure that your team has the ability to do malware analysis beyond just the behavioral level. A fully functional malware analysis capability will include malware analysts who can use skills such as knowledge of assembly language to reverse engineer the tools used by the attackers. If you don’t have a proper malware analysis capability, you are ignoring one of the few advantages defenders have against advanced persistent attackers.

The advanced actors aren’t stupid. They understand that this is a problem they have, especially when they go up against advanced defenders. If their weapon system falls into the hands of a sophisticated defender, it could be reverse engineered, and the defender will use that knowledge to defend themselves. Even worse, the defender might share what they have learned with others, which can lead to the weapon system not being as effective against other targets. So if they don’t have to use advanced malware against a defender, why would they want to use it? It’s better to use something simple to complete a successful attack and save the more advanced tools and methods for when the basic tools and methods won’t get the job done.

If the eye of an advanced persistent actor like China has fallen upon your organization, you’re in for a long-term struggle that won’t end anytime soon. Persistent means just that. APT isn’t something you spray for once and forget about; it’s something that you have to continuously fight for control over your network. That’s hard news to have to break to your organizational leadership, but the sooner they accept this, the better off your organization will be in the long run as it works to defend its intellectual property, business processes, and sensitive internal communications. Yes, of course, it requires good tools, processes, and proper funding to accomplish an effective defense, but your success against APT will live and die by the quality of your people and the leadership that you provide them. It’s imperative that whoever is leading your effort against the advanced persistent actors have a strong understanding of the nature of the threat and the leadership skills to build and lead a highly effective team.