Sunday, August 21, 2011

Advanced Persistent Threat

Like most people who have a strong interest in incident response and information warfare, I follow Richard Bejtlich’s blog and Twitter feed closely. Richard fired off a series of excellent Tweets this week talking about the “advanced” aspect of advanced persistent threat (APT). This inspired me to write this APT post that I’ve had in my head for some time now, but was hesitant to write because there is so much written these days about APT that is quacking and barking from vendors and others who don’t understand what they are talking about. I just didn’t want to contribute to all of the noise about the issue when you already have established experts like Richard, Rob Lee, and Michael Cloppert who are wonderful with this topic.

We’ve gone from a situation where the term APT was used by government cyber warfare people along with some of their partners in the private sector to something that is grossly misunderstood and misused by people who pretend to be experts, but have no earthly clue what they are talking about. Ever since the Operation Aurora information hit the media and the consciousness of information security tool vendors’ marketing departments, we’ve been inundated with all sorts of shrieking and wailing about APT from vendors and self-appointed experts. Most of it has been noise from people who don’t understand the issue and/or are using the term as a cynical marketing ploy for their products. Yes, of course, tools are important in defending against advanced persistent actors as well as other threat actors. However, my eyes pretty much glaze over when I see the words advanced persistent threat as part of vendor tool marketing campaigns. I’ve lost count of the number of times I’ve read marketing information that wants me to think that the vendor has created some amazing unicorn-blood-fueled tool that will solve all of my problems and not require me to do much else other than write them a big check each year.

Richard’s Twitter feed is always excellent, and the Tweets that he crafted this week were simply brilliant and inspired me to write this post. Some of them were:

“Bruce Lee fought using sticks, nunchakus, or his bare hands. He must not have been that advanced or powerful. Sort of like APT, eh? #sarcasm”

“The Army uses mules to move cargo across mountains in Afghanistan? Those guys must be as advanced as the Spartans! Like APT. #moresarcasm”

“My point is when you only judge an adversary by the TOOLS that YOU see him using (2 errors there) you're making a big mistake. That's #APT.”

I don’t know if a particular event caused Richard to write this series of Tweets, but a personal hot button of mine is people who say that because a particular tool or technique was not advanced, an APT actor was not involved. This is nonsense on stilts. As I pointed out on my own Twitter account, just because the tools and techniques that knocked you over weren’t “advanced” doesn’t mean it was not an advanced actor. It could very well just mean that your defenses were so inadequate that the attacker didn’t have to work very hard to defeat you. It could also mean that there were advanced tools and methods that were part of the campaign against you that escaped your detection or understanding.

As Rob Lee has taught us, APT is a “who”, not a “what”. In regards to the who, APT is ultimately nation-state actors like China who are aggressively pursuing the theft of a wide range of information they consider vital to their national interests. It is important to understand that these nation-state actors have broad national interests that extend well beyond military technology. That is why we’ve seen so much APT activity targeting organizations that aren’t in the defense space. Remember, the event that made many people aware of this threat was the Operation Aurora incident, where organizations like Google, Yahoo, Symantec, Adobe, and Dow Chemical were reported to be targeted along with human rights organizations and think tanks. Some people in the field will also extend the definition of APT to sophisticated organized crime groups who target organizations to steal data such as credit card information. Reasonable people can and do disagree on the definition of advanced persistent threat, but there are definitions that are just silly. For example, you should be very suspicious of a definition that requires the use of advanced tools for the activity in question to be classified as advanced persistent threat.

“Advanced” doesn’t mean the attacker uses sophisticated malware in each attack. Even advanced attackers have limited resources. They aren’t going to send their top people with their best tools after you if it’s not necessary. They have to make decisions on resource allocation just like you do. If you get knocked over by a low-tech attack, it might still be an advanced actor, but it could very well mean that you aren’t good enough for them to deploy their best operators and weapons systems. As I heard someone say a while back, if an organization has its administrator credentials compromised and the attacker is using them to compromise additional computers, we don’t call that hacking anymore, we just call that logging in.

All that said, advanced actors can and will deploy some very sophisticated tools when necessary to achieve their goals. The anti-virus vendors can’t keep up with these attackers, which is why anti-virus technology, while necessary, isn’t a comprehensive solution to countering their tools. This is why malware analysis is a key aspect of defending against APT operators. I see it as one of the few areas where the defenders have an advantage against attackers compared to traditional warfare. In traditional kinetic warfare, an attacker can successfully use a sophisticated weapons system such as a stealth fighter, and the defender will not have the opportunity to examine that weapon unless they capture it. Additionally, that capture is likely to come after the weapon system has been significantly damaged, which will make a full exam more difficult. With cyber warfare, the attackers are commonly leaving their weapons systems behind on the defender’s networks. Many times these weapons are in perfect operating condition.

Malware analysis is a vital part of an effective defense strategy against advanced persistent actors. It’s a critical part of incident response because gaining a fuller understanding of the malware being used against you can provide the team with additional indicators of compromise, which can be used to determine the scope of the attack against you. It is also important to your threat intelligence function because it can provide valuable intelligence about who is going after you. This is important information that will aid in your defense, especially when compared against your existing body of intelligence data. Because malware analysis is so important, it’s also important to make sure that your team has the ability to do malware analysis beyond just the behavioral level. A fully functional malware analysis capability will include malware analysts who can use skills such as knowledge of assembly language to reverse engineer the tools used by the attackers. If you don’t have a proper malware analysis capability, you are ignoring one of the few advantages defenders have against advanced persistent attackers.
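To make the scoping step above concrete, here is an added example (not code from the original post) of what a response team does with the indicators a malware analyst hands back: a hard-coded C2 hostname and beacon path pulled out of the sample, the hash of the dropped binary, and the file name it uses on disk. The indicators, the log formats, and every log line below are constructed placeholders; the point is the sweep logic, which pivots from one analyzed sample to every host that shows any of its artifacts.

```python
"""Sweep DNS, proxy and endpoint logs for indicators recovered by malware analysis.

Added example. All indicators and log lines are constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict

# Indicators as an analyst might extract them from a captured sample:
# hard-coded C2 host and beacon URI (static strings), SHA-256 of the dropped
# binary, and the name it writes to disk. All constructed, not real malware.
SAMPLE_BYTES = b"constructed dropper payload, not real malware"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()
INDICATORS = {
    "domain": {"update.cdn-sync.invalid"},
    "uri": {"/stat/ping.php"},
    "sha256": {SAMPLE_SHA256},
    "filename": {"svchosts.exe"},  # lookalike of svchost.exe, constructed
}

# Constructed log lines in three hypothetical formats:
# "<ts> <host> query <type> <qname>", "<ts> <host> <method> <url> <status>",
# "<ts> <host> file_create <path> <sha256>".
DNS_LOG = """\
2011-08-21T02:14:07Z ws-0412 query A update.cdn-sync.invalid
2011-08-21T02:14:09Z ws-0412 query A www.example.com
2011-08-21T03:40:51Z ws-0777 query A update.cdn-sync.invalid
"""
PROXY_LOG = """\
2011-08-21T02:14:08Z ws-0412 GET http://update.cdn-sync.invalid/stat/ping.php 200
2011-08-21T02:30:00Z ws-0099 GET http://www.example.com/index.html 200
2011-08-21T04:01:12Z srv-file03 POST http://update.cdn-sync.invalid/stat/ping.php 200
"""
FILE_LOG = f"""\
2011-08-21T02:13:55Z ws-0412 file_create C:\\Windows\\Temp\\svchosts.exe {SAMPLE_SHA256}
2011-08-21T02:20:10Z ws-0099 file_create C:\\Users\\a\\notes.txt {'0' * 64}
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) (?:GET|POST) (\S+) \d{3}$")
FILE_RE = re.compile(r"^(\S+) (\S+) file_create (\S+) ([0-9a-f]{64})$")


def _url_parts(url):
    """Split 'http://host/path' into (host, path); path defaults to '/'."""
    m = re.match(r"https?://([^/]+)(/.*)?$", url)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2) or "/"


def sweep(dns_log, proxy_log, file_log, indicators):
    """Return {host: [(indicator_type, value), ...]} for every host that matched."""
    hits = defaultdict(list)

    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(3).lower() in indicators["domain"]:
            hits[m.group(2)].append(("dns", m.group(3).lower()))

    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        host, path = _url_parts(m.group(3))
        if host in indicators["domain"]:
            hits[m.group(2)].append(("proxy_domain", host))
        if path in indicators["uri"]:
            hits[m.group(2)].append(("proxy_uri", path))

    for line in file_log.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        name = m.group(3).rsplit("\\", 1)[-1].lower()
        if m.group(4) in indicators["sha256"]:
            hits[m.group(2)].append(("file_hash", m.group(4)))
        if name in indicators["filename"]:
            hits[m.group(2)].append(("file_name", name))

    return dict(hits)


def affected_hosts(hits):
    """Sorted list of hosts with at least one indicator match: the attack's scope."""
    return sorted(hits)


if __name__ == "__main__":
    result = sweep(DNS_LOG, PROXY_LOG, FILE_LOG, INDICATORS)
    for host in affected_hosts(result):
        print(host, sorted({kind for kind, _ in result[host]}))
```

Note that the sweep finds two hosts (ws-0777 and srv-file03) that never appear in the endpoint log at all; they are visible only through the network indicators the reverse engineer recovered, which is exactly the scoping value the paragraph above describes. A hash match is the strongest evidence, a hard-coded C2 host nearly as strong, and a file name or URI path alone is weak and should be confirmed before a host is declared compromised.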

The advanced actors aren’t stupid. They understand that this is a problem they have, especially when they go up against advanced defenders. If their weapon system falls into the hands of a sophisticated defender, it could be reverse engineered and the defender will use that knowledge to defend themselves. Even worse, the defender might share what they have learned with others, which can lead to the weapon system not being as effective against other targets. So if they don’t have to use advanced malware against a defender, why would they want to use it? It’s better to use something simple to complete a successful attack and save the more advanced tools and methods for when the basic tools and methods won’t get the job done.

If the eye of an advanced persistent actor like China has fallen upon your organization, you’re in for a long-term struggle that won’t end anytime soon. Persistent means just that. APT isn’t something you spray for once and forget about; it’s something that you have to continuously fight for control over your network. That’s hard news to have to break to your organizational leadership, but the sooner they accept this, the better off your organization will be in the long run as it works to defend its intellectual property, business processes, and sensitive internal communications. Yes, of course, it requires good tools, processes, and proper funding to accomplish an effective defense, but your success against APT will live and die by the quality of your people and the leadership that you provide them. It’s imperative that whoever is leading your effort against the advanced persistent actors has a strong understanding of the nature of the threat and the leadership skills to build and lead a highly effective team.


  1. Excellent post. Well stated.

    It may be helpful to consider APT (or whatever term one prefers) as a part of intelligence operations and that a variety of tools and methods might be employed. Stepping back further, in such a context, not everything will be sophisticated and not all cyber. Targeted organisations might also be subject to non-cyber attempts to compromise their people and information. (E.g., sneaking access to business travellers' belongings while they're overseas, honeytraps, compromised insiders, etc.)

    Some resources:
    US Office of National Counter-Intelligence Executive Publications (including CI awareness tips)

    FBI - Counter-Intelligence

  2. Good article and summary on this Eric, many thanks.