Defending Against Advanced Persistent Threats

Monday, February 08, 2010

Cross-Posted from:

Wired has written a detailed report [1] on Mandiant’s findings in response to the hacks that targeted Google and other major companies, and the report is both interesting and questionable. I have no reservations about the level of expertise coming out of Mandiant or about their findings; I do, however, have reservations about the explanations and interpretations of what was summarized in the Wired article.

According to Wired, Mandiant made comments about what is called an “Advanced Persistent Threat” or “APT”. For those unaware of what an APT is, the earliest *visibly* known use of the term came from BusinessWeek in April 2008 [2]. This “explosive” revelation of the APT attack has enabled me to introduce a new defense to counter APT. I call it “Dynamically Unique Metrics Based Analysis for Secure Systems”, or DUMBASS. Since the media loves its acronyms so much, and security professionals love to capitalize on and market FUD [3], it is only fair that we offer our own prescription for APT to the security theater [4].

In true FUD-manufacturing form, APT needs to be explained in detail. This “dire threat” is explained by Wikipedia as:

Advanced – Operators behind the threat utilize the full spectrum of intelligence gathering techniques. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence gathering techniques such as telephone interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available DIY construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They combine multiple attack methodologies and tools in order to reach and compromise their target.

Persistent – Operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful.

Threat – means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The operators have a specific objective and are skilled, motivated, organized and well funded.

Kevin Mandia states in the Wired article: “There are not 50 companies compromised. There are thousands of companies compromised. Actively right now.“ These comments almost made me jump out of my seat and fork over a purchase order to the first company returned by a Google search. “Thousands compromised!” That must mean trillions of dollars! While it sounds potentially “nation-crippling,” the harsh reality is that companies have only themselves to blame: where are quality assurance, COBIT, ITIL and the other various forms of risk assessment and security? There are many established mechanisms to block these attacks, and many are free. I am skeptical of the numbers Mr. Mandia claims are compromised. Thousands of companies? This implies that “thousands” of companies are not, and have not been, compliant with regulatory measures for some time.

I repeat: many of these attacks, including and especially the 0-day attacks, could have been drastically minimized or stopped ages ago. However, as an engineer, I can see how the systems of bureaucracy in many companies might at times have prohibited security professionals from stopping these attacks. Add to that the companies that hire under-clued security engineers, the improper training of staff, an arrogant attitude from businesses and certain employees and, of course, what some would argue are “technological constraints.”

The technological mechanisms needed to minimize or stop these attacks are already available to most companies. They are likely to be in-house already, and many of the necessary components that “aren’t” readily available can be had for the whopping price of free. I will discuss this momentarily.

Getting back to snippets of the Wired article, it was shocking to learn that Google’s employees had “received e-mail with malware that exploited an undiscovered vulnerability in Internet Explorer 6.” I was shocked that Google would allow its employees to use an outdated and known-to-be-vulnerable browser. It sounds mind-boggling considering that Google makes its own browser, Chrome [5]. However, to be fair, let’s suppose that Google did use a vulnerable browser as stated in the article. If so, then how did Google and “thousands” of other companies meet compliance? After all, Google is publicly traded, so SOX compliance is a must for them. Google also has some very talented staff on hand, so surely the use of a vulnerable browser would not only have been caught through mandatory compliance audits, but there would have been red flags aplenty from Google’s own staff. Or maybe, just maybe, someone at Google fell asleep at the helm, then woke up, discovered the nature of the APT beast and decided that enough was enough. [6]

Either way, the argument from those in enterprise environments for using vulnerable software is a typical one (quoting one typical forum post):

Imagine your billing production system (which produces 100,000s of bills each run) was designed for MSIE 6 (stupid, I know). The upgrade cost is very high (factoring in development, deployment, testing, training, etc.), even if it’s only for a “simple” upgrade to MSIE7/8. We’re not talking about home PCs and consumer applications here. The enterprise is a different world! It’s tricky to upgrade. However, with that said, I hate MSIE 6 and would love to see the thing go!

My view of statements like this one is that these companies seem to lack quality assurance and, potentially, security-aware staff. Too many metrics from security managers and inconsistent risk metrics; AV × EF (asset value times exposure factor) = nonsense. For companies that have legacy programs designed for a particular browser, the solution is to force the vendor to support a more secure version of the browser, or isolation. You are, after all, the customer, and demanding competent support is not much to ask. Note that the words “force the vendor” imply that you are paying for support, are you not? If it is a legacy application with no support available, then the obvious answer is either to find a new product or to sandbox the systems that need to use browsers with widely known security holes. Certainly a proxy server that accepts only internal connections can intercept browser connections, PDF documents and the like. It is inexcusable to let a particular browser’s or vendor’s limitations compromise your security.

In either event, most of these attacks could have been, and can be, defended against with established security controls and training. Companies could even use their existing infrastructure to broker documents and e-mail and ensure that no rogue documents or scripts reach users. For example: install Apache and Squid on a Unix-based machine with the proper firewall rules, use it as a sandbox server with no outbound (towards the Internet) connectivity for the workstations behind it, and force users to read from this server. That only works if the workstations have no route to the Internet except through that chokepoint, and if the chokepoint logs what leaves. Apply “extrusion detection” [7] and keep a vigilant eye on data leaving the network. It is that simple. Don’t let anyone in the security arena fool you into thinking the sky is falling through buzzwords such as APT. Otherwise, you could end up jumping out of your seat, running to get a purchase order signed and paying the first company to spout what will likely be the new buzzword: APTDS, “Advanced Persistent Threat Detection Systems.” You could even go a step further if China is a concern for you and, at the most extreme level, outright block their IP space.
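As an added example, not code from the original post, here is the “vigilant eye on data leaving the network” part of that setup as a small extrusion-detection pass in Python. It assumes a policy the post does not spell out: workstations on 10.0.0.0/8 may reach the Internet only through a proxy at 10.0.0.5, so any other host egressing directly is a violation; at the proxy, large uploads to external hosts and downloads of risky content types (PDF, executables) are flagged for review; and a deny list of prefixes stands in for whatever address space a site chooses to block outright. The firewall lines follow an iptables LOG-style layout and the proxy lines a Squid-like layout with request-body bytes appended (which assumes a custom logformat, since Squid’s default native format does not record them). Both logs are constructed for the example and use RFC 5737 documentation addresses for the Internet side.

```python
"""Extrusion-detection pass over constructed firewall and proxy logs.

Assumed policy (not from the original post): workstations on 10.0.0.0/8 may only
reach the Internet through the proxy at 10.0.0.5. Direct egress from any other
host, large uploads through the proxy, risky downloads, and any traffic to a
deny-listed prefix are reported for review.
"""
import ipaddress
import re
from collections import namedtuple
from urllib.parse import urlsplit

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY_HOST = ipaddress.ip_address("10.0.0.5")
UPLOAD_THRESHOLD = 1_000_000            # request-body bytes; tune per site
RISKY_TYPES = {"application/pdf", "application/x-msdownload",
               "application/octet-stream"}
# Constructed deny list: RFC 5737 documentation prefixes stand in for whatever
# address space the site decides to block outright.
DENY_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("203.0.113.0/24", "198.51.100.0/24")]

Finding = namedtuple("Finding", "kind src dst detail")

# iptables LOG-style line for packets leaving the gateway (constructed layout).
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

# Squid-like proxy line with request-body bytes appended (constructed layout;
# assumes a custom logformat, since the native format omits that field):
#   epoch client method url status reply_bytes request_bytes content_type
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d+) (?P<reply>\d+) (?P<req>\d+) (?P<ctype>\S+)$")


def in_deny_list(ip):
    """True when the address (str or ip_address) falls in a denied prefix."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in DENY_PREFIXES)


def scan_firewall(lines):
    """Flag hosts that leave the network without going through the proxy."""
    findings = []
    for line in lines:
        m = FW_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if dst in INTERNAL_NET:
            continue                        # internal traffic is not egress
        if src != PROXY_HOST:
            findings.append(Finding("direct-egress", str(src), str(dst),
                                    f"dport {m['dpt']} bypasses the proxy"))
        if in_deny_list(dst):
            findings.append(Finding("denied-prefix", str(src), str(dst),
                                    "destination is in the deny list"))
    return findings


def scan_proxy(lines):
    """Flag large uploads and risky downloads seen at the proxy chokepoint."""
    findings = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or "?"
        if m["method"] in ("POST", "PUT") and int(m["req"]) >= UPLOAD_THRESHOLD:
            findings.append(Finding("large-upload", m["client"], host,
                                    f"{m['req']} bytes via {m['method']}"))
        if m["status"] == "200" and m["ctype"] in RISKY_TYPES:
            findings.append(Finding("risky-download", m["client"], host,
                                    m["ctype"]))
    return findings


# Constructed sample logs (RFC 5737 addresses for the Internet side).
FIREWALL_LOG = [
    "Feb  8 09:01:02 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80",
    "Feb  8 09:01:05 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=192.0.2.44 PROTO=TCP SPT=51515 DPT=443",
    "Feb  8 09:01:09 gw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=203.0.113.7 PROTO=TCP SPT=51516 DPT=8080",
    "Feb  8 09:01:12 gw kernel: EGRESS IN=eth1 OUT=eth1 SRC=10.0.0.17 DST=10.0.0.5 PROTO=TCP SPT=51517 DPT=3128",
]
PROXY_LOG = [
    "1265587200.001 10.0.0.17 GET http://192.0.2.10/report.pdf 200 2048 0 application/pdf",
    "1265587201.002 10.0.0.21 POST http://192.0.2.88/upload 200 120 5242880 text/html",
    "1265587202.003 10.0.0.21 GET http://192.0.2.10/index.html 200 4096 0 text/html",
    "1265587203.004 10.0.0.17 POST http://192.0.2.10/form 200 300 512 text/html",
]

if __name__ == "__main__":
    for f in scan_firewall(FIREWALL_LOG) + scan_proxy(PROXY_LOG):
        print(f"{f.kind:15} {f.src:>12} -> {f.dst:<14} {f.detail}")
```

On the constructed logs this reports 10.0.0.17 twice (once for reaching 192.0.2.44 directly, once for reaching a deny-listed host, which also earns a denied-prefix finding), one PDF download and one large upload; the proxy’s own traffic and the workstation’s connection to the proxy on 3128 are not egress and are ignored. The script is review material, not a control: the actual blocking is done by the default-deny firewall rules and the proxy ACLs, and the upload threshold and risky-type list have to be tuned to what the site normally sends and receives, or the output becomes noise nobody reads.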

Nothing mentioned in the article by way of the attacks carried out is foreign or advanced to a properly trained security professional; at least theoretically, it shouldn’t be. As a matter of fact, the Information Assurance Certification Review Board’s (IACRB) [8] Certified Expert Penetration Tester (CEPT) [9] exam exposes security professionals to many of the tricks these “APT” hackers use to infiltrate a network. Perhaps businesses should take the time to train their staff properly? Maybe they need to hire Jack Koziol, Dave Aitel, Dino Dai Zovi or other expert penetration testers to wake up management before businesses continue to suffer “by the thousands,” as Mr. Mandia suggests. The answers are simple and have been for some time. Talk of “Operation Aurora” continually seems to be highly FUD-driven. That’s my opinion, and also that of some other security heavyweights who have chimed in similarly on this issue. [10]

However, as the old saying goes: if you can’t beat ’em, join ’em. To that end, I now offer DUMBASS: it is scalable, defensible, makes sense and is economical in these hard financial times. Prices can be discussed via secure channels. Just remember to act now, while the threat is persistent and deeply rooted in your network right now. Operators are standing by.


[1]
[2] HTTP://businesswomen/magazine/content/08_16/
[3] ,_uncertainty_and_doubt
[4]
[5] HTTP://
[6]
[7]
[8]
[9]
[10]
