Over the past several years, a term has steadily crept into the minds of IT Security analysts and into the presentations of vendors everywhere: Advanced Persistent Threat (APT). It seems like every vendor has a solution to deal with APT or a 'magic bullet' to protect your organization by sniffing it out and eradicating it from your environment. This leaves many IT organizations wondering what's real, what's marketing fluff and what they should be doing to protect their organizations as attackers and threats become more advanced. In this article, we'll explore the concepts behind APT and introduce you to the different pieces of the puzzle - the actors, the threats and the techniques.
What is APT?
A common definition of APT is hard to come by as many vendors, consortiums and groups put their own twist on the terminology. A commonly accepted explanation of APT refers to it as "an advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals such as a foreign nation state government." APT is sometimes used to refer to sophisticated hacking attacks and the groups behind them. What does that mean to the IT Professional, though?
Simply put, APT is reconnaissance and investigation of your network, in addition to your infrastructure and your information assets. It's a reference to a sophisticated and dedicated attacker or attackers who are willing to "lay low" and go very slow in exchange for gathering data about you, your organization and how you operate. For the IT Professional managing an environment, adjusting your current infrastructure and preparing for this threat will require a different mindset and some analytical assessment.
The Evolution of the Attacker
Traditional malware and traditional attackers have long operated in a very different model. IT Pros who spent hours working and sleeping in shifts to clean up after the messes left by Code Red, NIMDA, SQL Slammer, Blaster and many more can testify to the 'noisiness' of these attacks. Machines rebooted, kernel panics ensued, RPC services shut down, and identifying infected machines was relatively easy. Those attacks were loud, messy and obvious to the IT Professional who had to clean up after them, and as most organizations got a reasonable handle on patching, the 'low-hanging-fruit' vulnerabilities those worms relied on became harder to find. But what if the end-user never noticed that their machine was infected? What if the IT Pro managing servers never noticed anything amiss in performance or availability?
As in any arms race, evolution in the IT organization brought evolution in the attacker space as well. Attackers began to realize that publicly releasing the vulnerabilities they found was not nearly as lucrative as holding on to them and selling them for private use. Malware marketplaces sprang up where a miscreant could 'license' an exploit or a custom piece of malware, sometimes even paying a subscription fee to stay on the latest version of a piece of malware that remains undetected or an exploit that remains unpatched. The targeted attack in search of valuable intellectual property has become much more en vogue amongst profit-driven attackers.
Defense in Depth and an APT scenario
Of course, a number of preventive and detective controls are available to help an IT Professional protect their environment: firewalls, intrusion detection and prevention systems, anti-malware software, file integrity monitoring software, etc. A layered defense is the best course, but an attacker will look for the weakest link in the chain and, if it isn't exposed yet, take an opportunistic approach and wait for the right time to strike.
Consider a well-funded and well-organized IT environment with many detective and preventive controls in place: firewalls are properly configured, router access control lists are tightly locked down, intrusion detection and prevention systems are tuned and honed, systems are patched, etc. However, an attacker is able to discover a weak username and password combination for an account in Active Directory. Perhaps it's even a complex password, but the user has left it on a sticky note that the attacker came across through an attack as simple as stealing a laptop bag from an airport terminal or breaking into a hotel room or rental car. At any rate, once the attacker obtains valid credentials and has connected in via the organization's remote access solution, they log into a device and compromise it via an elevation of privilege attack. Windows keeps a locally cached verifier of recent domain logons on each machine so that users can still log on when no domain controller is reachable; with local administrator rights the attacker dumps these 'cached credentials' and discovers that an IT Support Technician (with elevated privileges or even domain administrator privileges) has logged on locally to that device. The cached hash is cracked offline and the attacker now has the 'keys to the kingdom' to explore the environment and look for valuable intellectual property as they see fit. Note the two conditions that make this step work: a privileged account logged on interactively to an ordinary workstation, and the workstation cached that logon. Keeping administrative accounts off workstations (using separate, non-privileged accounts for day-to-day work) and reducing the number of cached logons (the 'Interactive logon: Number of previous logons to cache' policy, CachedLogonsCount) removes the stepping stone. Once they compromise more devices, the attacker can bide their time and wait for interesting or sensitive information to be stored in the environment. Perhaps they even plant some custom tracking and exfiltration software on these devices to siphon data out of the network at a later date.
The (not-so) hypothetical attack just described could happen to a very well-managed environment; the IT Professional may go about their day-to-day activities managing and supporting systems with no knowledge of this stealthy attacker. A deeper understanding of the environment and more conservative precautions are required, especially when dealing with APT-style attacks. Sometimes IT Professionals question whether their data is really the subject of these types of attacks; rest assured, your company's data is valuable to someone, and the 'work factor' required to get at it versus the payoff from obtaining it may well be worth it for that someone. Regardless of your industry, you should take these more advanced threats seriously.
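The step that turns one stolen password into domain-wide access in that scenario is a privileged account logging on interactively to an ordinary workstation. A detective control for exactly that, as an added example that is not part of the original article: the Python below parses a few constructed, simplified Security log entries (a key=value rendering, not a real export; Computer is the host that recorded the event) and flags successful logons (event 4624) of the logon types that leave a cached credential behind (2 interactive, 10 RemoteInteractive, 11 CachedInteractive) by accounts on an assumed privileged list onto hosts outside an assumed tier-0 set. The privileged list, the tier-0 host set and the sample events are assumptions for illustration.

```python
import re

# Constructed sample events (simplified key=value rendering of Windows Security
# log entries, not a real export). EventID 4624 = successful logon, 4625 = failed.
# Computer = the host that recorded the event, i.e. where the logon happened.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=jsmith TargetDomainName=CORP Computer=WS-0142",
    "EventID=4624 LogonType=2 TargetUserName=it-admin TargetDomainName=CORP Computer=WS-0142",
    "EventID=4624 LogonType=3 TargetUserName=it-admin TargetDomainName=CORP Computer=FS-01",
    "EventID=4624 LogonType=10 TargetUserName=da-backup TargetDomainName=CORP Computer=WS-0077",
    "EventID=4624 LogonType=2 TargetUserName=da-backup TargetDomainName=CORP Computer=DC01",
    "EventID=4625 LogonType=10 TargetUserName=da-backup TargetDomainName=CORP Computer=WS-0077",
]

# Assumed inputs: a privileged-account list (e.g. an export of Domain Admins)
# and the hosts on which those accounts are allowed to log on interactively.
PRIVILEGED_ACCOUNTS = {"it-admin", "da-backup"}
TIER0_HOSTS = {"DC01", "DC02"}

# Logon types that leave a reusable cached credential on the host:
# 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
# Network logons (type 3) do not cache a domain verifier, so they are not flagged.
CACHING_LOGON_TYPES = {2, 10, 11}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict with integer EventID and LogonType."""
    fields = dict(_KV.findall(line))
    fields["EventID"] = int(fields["EventID"])
    fields["LogonType"] = int(fields["LogonType"])
    return fields


def privileged_endpoint_logons(events, privileged=PRIVILEGED_ACCOUNTS, tier0=TIER0_HOSTS):
    """Return (user, host, logon_type) for every successful caching logon by a
    privileged account onto a host outside the tier-0 set."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev["EventID"] != 4624:
            continue  # only successful logons leave a cached credential
        if ev["LogonType"] not in CACHING_LOGON_TYPES:
            continue
        user = ev["TargetUserName"].lower()
        host = ev["Computer"].upper()
        if user in privileged and host not in tier0:
            hits.append((user, host, ev["LogonType"]))
    return hits


def hosts_to_purge(hits):
    """Hosts whose cached credentials must now be treated as exposed."""
    return sorted({host for _, host, _ in hits})


if __name__ == "__main__":
    findings = privileged_endpoint_logons(SAMPLE_EVENTS)
    for user, host, logon_type in findings:
        print(f"privileged account {user} logged on to {host} (logon type {logon_type})")
    print("review cached logons on:", ", ".join(hosts_to_purge(findings)))
```

In the sample, jsmith is unprivileged, it-admin's network logon to the file server is ignored, da-backup's logon to DC01 is expected, and the failed logon is skipped; the two remaining events are exactly the ones that would hand an attacker a cached domain-admin hash. Run against a real environment, the same logic sits well as a scheduled query in whatever log platform collects Security events.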
So, what can be done to help combat this? The first step is to understand the assets you control and manage and the data that resides on them. Where are the 'crown jewels' of your organization? Chances are this sensitive information is stored electronically, and some of it may be neatly archived in a centrally controlled and monitored database. More likely, sensitive information is also stashed on unprotected file servers, endpoint workstations, in e-mail and collaboration tools, and on removable media. Evaluate the organization with an attacker's mindset: if you were out to snatch some sensitive data, how would you do it? Where would you focus your attention? Consider the impact and ramifications of a handful of USB flash drives dropped in the company parking lot that contained some custom built malware. How many users would pick up one of those drives and plug it right into their corporate system? For an attacker, this may be a much easier route into your environment than penetrating firewalls or thwarting intrusion prevention systems.
The basics of protecting the environment apply as well:
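One way to start answering "where are the crown jewels?", as an added example rather than anything from the original article: a small discovery scan in Python that walks a file tree and reports files containing card numbers (validated with the Luhn checksum so that order and invoice numbers don't count), social security numbers or PEM private keys. The sample directory it builds, the patterns and the size limit are assumptions for illustration; a real deployment would point it at file shares and extend the patterns to the data that matters to your organization.

```python
import re
import tempfile
from pathlib import Path

# Patterns for three kinds of "crown jewel" content. The card pattern is
# deliberately loose (13-16 digits with optional separators); luhn_ok() below
# discards the false positives it produces.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed limit; a production scanner would stream larger files


def luhn_ok(candidate):
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return the set of finding types present in a piece of text."""
    found = set()
    for name, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            if name == "credit_card" and not luhn_ok(match):
                continue  # 16 digits that fail Luhn are an order number, not a card
            found.add(name)
            break
    return found


def scan_tree(root):
    """Walk a directory; map each file with findings to its sorted finding types."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")  # binaries degrade to noise
        found = scan_text(text)
        if found:
            results[path.relative_to(root).as_posix()] = sorted(found)
    return results


def build_sample_tree():
    """Create a throwaway directory of constructed sample files (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="crownjewels-"))
    samples = {
        "finance/refunds.txt": "Refund to card 4111 1111 1111 1111 approved\nOrder ref 4111 1111 1111 1112\n",
        "hr/roster.csv": "name,ssn\nJ. Doe,123-45-6789\n",
        "ops/deploy_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedplaceholder\n-----END RSA PRIVATE KEY-----\n",
        "public/newsletter.txt": "Quarterly newsletter: nothing sensitive here.\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, kinds in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {', '.join(kinds)}")
```

The point of the Luhn step is the false-positive rate: on a real file server, most 16-digit strings are not card numbers, and a scan that cries wolf gets ignored. The output of a scan like this is the start of the asset list the rest of this section asks for, not the end of it; the files it can't read (encrypted archives, mailboxes, database backups) are usually where the most sensitive data lives.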
- Make sure that there is a routine patching process in place. Also, consider expanding the scope of patching beyond just the operating system. Custom catalogs exist inside patch management tools today that let an IT Professional update the applications most often targeted with custom malware, such as Adobe Flash, Acrobat Reader and the Java Virtual Machine.
- Ensure that your anti-virus technology is up-to-date (both console and endpoint software), properly tuned and deployed and is working properly. While anti-virus is not a 'silver bullet', many organizations have a lax configuration policy or do not have the agent deployed to all of their assets.
- Managing permissions is critical as well; users (and administrators) should have only the rights they need to do their job and nothing more. As users change job roles or otherwise move through the organization, provisioning, de-provisioning and access auditing should occur to ensure no 'aggregation of privilege' scenarios exist. APT-focused attackers will mercilessly exploit the trust relationships of long-standing users and the systems they access; the scenario above turned on exactly one such relationship, a technician with domain administrator rights logging on to an ordinary workstation.
APT may sound like a scary and menacing term, but by following the basics of IT administration and security you can raise the bar for an attacker and increase that 'work factor'. As always, user awareness and training are critical; humans are often the weakest link when trying to secure sensitive information. Remember the old adage: you don't have to outrun the bear, just the organization next to you. That holds for opportunistic attackers; a dedicated attacker who wants your data specifically will not be deflected by a softer neighbor, so the goal there is to raise the work factor until the intrusion becomes visible before it succeeds. Tighten up those defenses, remain vigilant, keep tabs on attacker activity, and you'll be far ahead of the curve relative to your peers.
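Access auditing for the 'aggregation of privilege' case, as an added example (not from the original article): compare an HR roster and a role-to-entitlement model against a directory group export, and report the groups a user still holds from a previous role, the accounts the directory has but HR no longer does, and anyone sitting in a high-privilege group. All three data sets are constructed for illustration; in practice the roster comes from HR, the entitlement model from the business, and the membership export from the directory.

```python
# Constructed sample data (not a real directory or HR export).
# HR roster: who still works here and the role they currently hold.
HR_ROSTER = {
    "jsmith": "helpdesk",
    "mlee": "marketing",   # recently transferred out of finance
    "rpatel": "finance",
}

# Role model: the groups each role is entitled to. Anything beyond this is excess.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"HelpDesk-Tier1", "Workstation-Admins"},
    "marketing": {"Marketing-Share-RW", "CRM-Users"},
    "finance": {"FIN-AP-Approvers", "ERP-Users"},
}

# Directory export: actual group membership, including stale entries.
DIRECTORY_GROUPS = {
    "jsmith": {"HelpDesk-Tier1", "Workstation-Admins"},
    "mlee": {"Marketing-Share-RW", "CRM-Users", "FIN-AP-Approvers", "ERP-Users"},
    "rpatel": {"FIN-AP-Approvers", "ERP-Users"},
    "bkahn": {"ERP-Users", "Domain Admins"},   # no longer in HR: orphaned account
}

# Groups that warrant review on every pass regardless of role.
ALWAYS_REVIEW = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def audit_access(hr_roster, role_entitlements, directory_groups):
    """Report excess entitlements, orphaned accounts and high-privilege holders.

    excess:          user -> groups not justified by the user's current role
    orphaned:        accounts present in the directory but absent from HR
    high_privilege:  accounts holding any ALWAYS_REVIEW group
    """
    excess = {}
    for user, groups in directory_groups.items():
        role = hr_roster.get(user)
        if role is None:
            continue  # reported separately as orphaned
        allowed = role_entitlements.get(role, set())
        extra = sorted(groups - allowed)
        if extra:
            excess[user] = extra
    orphaned = sorted(set(directory_groups) - set(hr_roster))
    high_privilege = sorted(u for u, g in directory_groups.items() if g & ALWAYS_REVIEW)
    return {"excess": excess, "orphaned": orphaned, "high_privilege": high_privilege}


def deprovisioning_actions(report):
    """Turn the report into concrete, reviewable actions."""
    actions = []
    for user, groups in report["excess"].items():
        for group in groups:
            actions.append(("remove", user, group))
    for user in report["orphaned"]:
        actions.append(("disable", user, "*"))
    return actions


if __name__ == "__main__":
    report = audit_access(HR_ROSTER, ROLE_ENTITLEMENTS, DIRECTORY_GROUPS)
    for action in deprovisioning_actions(report):
        print(*action)
    print("high-privilege accounts to review:", ", ".join(report["high_privilege"]))
```

In the sample, mlee kept both finance groups after moving to marketing, which is the aggregation the bullet above warns about, and bkahn is an account HR has forgotten but the directory has not, still in Domain Admins. Those two accounts are precisely the long-standing trust relationships a patient attacker looks for, and a scheduled comparison like this one is cheap compared with finding them after the fact.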