Defending your Network against the APT
You might be acquainted with the "old school" meaning of the word "apt," which refers to someone who is unusually intelligent and/or able to learn quickly and easily. Put it in all caps - APT - and in the context of IT security, and it takes on a whole new meaning: Advanced Persistent Threat. This term is used to describe organizations (especially governments) or, less frequently, smaller groups of individuals that have the ability and intent to wage an ongoing cyber-attack against specific targets using sophisticated methods (note the key words).
Some definitions apply the term only to attacks sponsored by nation/states and some narrow it down to threats that are intended to steal data in general or intellectual property (IP) in particular. Here's a discussion of what APT means to different security experts.
In this article, we'll take a look at how the APT has evolved and what you need to do to defend your network against this type of threat.
Who's at risk?
Some network admins will take a look at that definition and conclude that their networks aren't at risk. Why would a small or midsized business be targeted by a big cybercrime organization or a nation-state? The APT began as a threat primarily confined to government agencies and the defense industry but then APT operators expanded their horizons to target companies such as Google. But your company doesn't have to be a tech behemoth to be targeted. While it's true that a government agency or a large multi-national corporation involved in national security or defense contracting, or maybe high finance, might be a more attractive target for the APT, size really doesn't matter - and many small companies these days store data that could be used in piecing together the sort of intelligence needed by these organizations to gain political or economic advantage. Even individuals who work in positions where they have access to that type of information could be targeted through their home computers, laptops or mobile devices.
Even large enterprises that invest tons of money in security can still be breached by the APT, through many different means. Sometimes it's as simple as the exploitation of known vulnerabilities that haven't been patched. In the enterprise environment, often the policy dictates that new updates be tested thoroughly before being deployed to production machines. This can save you a lot of grief in the event of incompatibilities, but it also leaves those systems open to exploitation in the meantime. In other cases, wi-fi vulnerabilities, smartphone bridging, or even infiltration of a cloud provider's network may offer the APT a way in.
In any size company, if employees visit web sites, use email (especially HTML mail), transfer files, etc., those activities can be taken advantage of to deliver the APT components. Malware can be conveyed through drive-by downloads, infected attachments, and infected files. Companies with excellent edge protection still aren't safe from internal delivery via infected removable drives (USB sticks, flash cards), laptops that were infected elsewhere, and similar means.
What forms do APTs take?
It's called "advanced" because those who are behind APTs have a sophisticated plan based on a specific strategy, even if they use relatively unsophisticated mechanisms to carry them out. In other words, the APT operators don't necessarily have to be master hackers; they may use scripts available on the Internet, and modify others' malware to work for them. Or they may create custom malware to fit their specific objectives. Often they use many different types of attacks against the same target, and keep coming back over and over; thus the description "persistent." However, depending on the ultimate objective, this may be done in a stealthy and low profile way rather than a huge, overwhelming attack. In fact, APT operators are often masters of stealth, taking steps to cover their tracks and avoid leaving tell-tale evidence of their intrusions in the logs for as long as possible.
Toward that end, APT operators also employ social engineering techniques and/or recruitment of insiders to obtain valid credentials. Branch offices that may have less stringent security precautions than the main location, but have a trust relationship, are sometimes infiltrated for easier remote access to plant malware on the targeted systems. Once that malicious software is in place, they are able to access and control your systems from anywhere they want, or automate the process so that the malware sends your sensitive data back to them.
The tools used by APT operators will depend on what their objectives are and the state of your own network's configuration and security. Here's a simple analogy: a burglar might be able to use a credit card to open the door to a house that has simple locks, but if all the doors are dead-bolted, he'll need different tools to get in. Likewise the APT operator will generally use the simplest tool that will get the job done. Why waste a custom, sophisticated tool on a job that doesn't require it? That just gives you the opportunity to analyze it, figure out how to defend against it and alert others to its existence.
APT operators frequently utilize botnets, which give them more resources for launching the attack and also make it more difficult to track back to the origins of the attack. Although botnets are often associated with spam, they can be used for many types of attacks. A single command and control server can control thousands of computers that are located in hundreds of different organizations. The malware on those machines can be constantly updated, to stay ahead of your detection methods. Even if your company isn't the target of an APT attack, it can be used without your knowledge as a tool of the crime - hosting infected "zombie" agents that are part of a botnet that's used to attack other networks. Botnet tracker reported more than 2000 suspected botnets as of September 1, 2011.
Detecting the APT
It's important to understand that an APT is not a particular method of attack - rather, it describes the "who, what and why" rather than the "how." That means there is no commercial solution that can claim to specifically detect or defend against APTs. Unfortunately, APT has become a popular buzzword and marketing phrase with security vendors (many of whom don't even know what it means).
Solutions that rely on definitions for known attacks are likely to fail to detect sophisticated APT attacks that are designed to operate in "stealth mode." Detecting APTs requires a good monitoring solution that is able to identify and analyze the subtle changes and anomalies on servers and clients that are common to APT attacks. Regardless of how brilliantly a criminal plans and executes a crime, he inevitably must leave something of himself at the scene; in a physical criminal investigation, this means trace evidence - evidence that is not noticeable and may even be invisible to the naked eye. In a digital world, the APT operator, in order to carry out his objective (entering the network, planting the malware, copying the data), will leave some obscure footprint somewhere in the system. Your security software must be capable of recognizing these markers as indications of possible malicious activity. Software is not only faster but can be more effective at doing this than a manual examination of the files, since APT operators often use such tricks as giving their malware files names that are very similar to those of common Windows files. The software can detect the slightest difference in the file name (such as the substitution of an uppercase I for a lowercase L) that the human eye would not recognize.
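As an added example (not code from the original article), here is a small Python check in the spirit of that paragraph: it folds visually confusable characters together so that a file name such as Isass.exe (uppercase I in place of lowercase l) or svch0st.exe (zero in place of o) is reported as a look-alike of a legitimate Windows binary, and it also catches near-miss spellings such as a transposed pair of letters. The list of known-good names, the confusable-character table and the sample file listing are all assumptions constructed for the example, not a vendor's definitions.

```python
"""Flag file names that impersonate well-known Windows binaries.

Added example, not part of the article. KNOWN_GOOD and CONFUSABLES are
assumptions constructed for illustration; a real deployment would take the
allow-list from a verified baseline of the host.
"""
from difflib import SequenceMatcher

# Assumed allow-list of legitimate process file names (constructed).
KNOWN_GOOD = {
    "svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe", "rundll32.exe",
}

# Single characters that look like another character on screen (constructed).
SINGLE_CONFUSABLES = {"1": "l", "|": "l", "0": "o", "5": "s", "$": "s"}

# Pairs of characters that together resemble one character (constructed).
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))

# Minimum similarity (0..1) for a name to count as a near-miss spelling.
NEAR_MISS_RATIO = 0.9


def canonical(name: str) -> str:
    """Return a form of the name in which look-alike glyphs are merged.

    Uppercase I is folded to lowercase l *before* lower-casing, because
    after lower-casing it would become a genuine i and the trick would be
    lost. Multi-character pairs are folded before single characters.
    """
    folded = name.replace("I", "l").lower()
    for pair, single in MULTI_CONFUSABLES:
        folded = folded.replace(pair, single)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in folded)


def classify(observed: str):
    """Classify one file name.

    Returns ("known", name) for an exact allow-listed name,
    ("lookalike", target) when it impersonates an allow-listed name,
    or ("unknown", None) when it resembles nothing on the list.
    """
    if observed in KNOWN_GOOD:
        return ("known", observed)

    canon = canonical(observed)
    best_name, best_ratio = None, 0.0
    for good in sorted(KNOWN_GOOD):          # sorted for deterministic ties
        good_canon = canonical(good)
        if canon == good_canon:               # pure glyph substitution
            return ("lookalike", good)
        ratio = SequenceMatcher(None, canon, good_canon).ratio()
        if ratio > best_ratio:
            best_name, best_ratio = good, ratio

    if best_ratio >= NEAR_MISS_RATIO:         # e.g. transposed letters
        return ("lookalike", best_name)
    return ("unknown", None)


def scan(observed_names):
    """Return (name, verdict, target) for every name that is not known-good."""
    findings = []
    for name in observed_names:
        verdict, target = classify(name)
        if verdict != "known":
            findings.append((name, verdict, target))
    return findings


if __name__ == "__main__":
    # Constructed sample listing, as a host agent might report it.
    SAMPLE_LISTING = [
        "svchost.exe", "Isass.exe", "svch0st.exe", "scvhost.exe",
        "rundII32.exe", "explorer.exe", "notepad.exe",
    ]
    for name, verdict, target in scan(SAMPLE_LISTING):
        print(f"{name:14s} {verdict:9s} {target or ''}")
```

The fold-then-compare step is what does the work: the allow-list is canonicalized with the same function as the suspect name, so a legitimate name that happens to contain "rn" or a digit still matches itself. The fuzzy fallback is deliberately strict (ratio 0.9) so that ordinary, unrelated file names are reported as unknown rather than as false look-alikes; an unknown verdict is where the closer examination the article describes would begin.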
Once anomalies have been detected, this should trigger closer examination of the affected machine(s). Another key element is timely notification, so the machine(s) can be fully examined as soon as possible and evidence of the APT can be preserved for examination, since a knowledgeable APT operator will attempt to delete as many of the markers as possible to avoid detection.
Whereas technology is best for detecting anomalies on the network, another aspect of APT detection requires the human factor. That means people who can gather intelligence about what's going on in the cybercriminal underground. Just as more traditional terrorists often signal that an attack is imminent through increased "chatter," APT operators may signal that attacks are being planned or are already in progress (undetected) through various communications. You don't necessarily have to have someone in your own organization who intercepts and analyzes the chatter, but you should keep abreast of what's going on in the world of cybercrime through related publications, relationships with the appropriate law enforcement professionals, and so forth.
Defending your network
Many of the defensive measures that protect against APT are the same ones you have probably deployed already, to protect against more "run of the mill" malware and intrusion threats. Good anti-virus and anti-malware software is critical, but it's also important to understand that in the case of the APT, the perpetrators often have resources that are way beyond those of the average hacker/attacker. That means they can hire programmers who are capable of creating or modifying malware "on the fly" for which no security vendor has yet created definitions - zero-day threats.
Because the APT is, by definition, a targeted attack, your company's public actions and reputation can have a bearing on whether or not it becomes a victim of an APT attack. Thus reputation/brand monitoring and management can be an important component in preventing such attacks. "Evil corporations" and organizations that take a position (political, social or otherwise) that is unpopular with APT operators are those that are likely to be targeted. In some cases, just being in a particular industry (oil company, banking, etc.) is enough to make you "evil" in the attackers' eyes. However, in some cases you can reduce your risk by carefully cultivating your public image.
Join in with other organizations that are dedicated to detecting, reporting and taking down botnets. Information sharing and notification are important parts of mitigating the botnet threat, as proposed here.
By destroying some of the tools used by APTs (such as botnets), we can help to protect not only our own networks but the entire Internet ecosystem from this growing threat.