Recently, I’ve been thinking a lot about the advanced persistent threat (APT). APT is not a “who” or a “what”; it’s a philosophy. Something akin to the ancient military philosophy of: “the best thing in life is to crush your enemies, drive them before you and hear the lamentation of their network admins.”
So to dispel some of the myths and misconceptions around APT, let’s break it down into its constituent parts and tackle each in turn…
The current media approach to reporting on APT has demoralised many network defenders into thinking the threat is so advanced that they can’t possibly thwart the bad guys. The truth is that the threat is not that “advanced”. When you look at the vast majority of documented cases of so-called APT group attacks, they break down to this: an exploit, sometimes a zero day (one for a vulnerability the vendor does not yet know about and has no patch for), and often just an exploit for a vulnerability patched months earlier or a document carrying a malicious macro, delivered as the payload of a phishing email.
In short: someone was tricked into clicking on something. As a result, the bad guys are inside.
If you watch the movies or listen to the major media reporters, you get the occasional glimpse of a clandestine operation: agents inserting USB sticks into enemy systems, or specialised hardware and software being deployed that is capable of back-dooring a mobile phone or PC. To me this is modern-day ninja intelligence activity, the blackest of cyber black ops. It is not APT; it’s what we expect of a contemporary intelligence service.
In almost all of the publicly revealed cases of APT, the cyber bad guys could have been thwarted, or at least detected, at the network layer, and controls such as system integrity monitoring, application whitelisting and security awareness training could certainly have been effective against them.
Defending against zero day attacks requires more layers than patch management and good antivirus. If you’re serious about dealing with this style of attack you need to emphasise layers of proactive, reactive and detective security technologies, so you can tell when “something is not like the other things.”
The groups that have been successful in infiltrating a network work hard at two things: maintaining a foothold and taking your data. They try different techniques, ranging from social networking reconnaissance to DDoS, phishing emails and brute force. You name it: the bad guys may just hammer away at your defences, or infiltrate subtly with an old account that was never disabled and whose password was disclosed in some other data breach. If you have external web services, expect a vast number of injection attacks against anything exposed.
I think everyone understands the Internet is no longer rainbows and ponies; it is now a pretty hostile place. This is where ransomware attacks have started to make IT security better and not worse. It only takes a couple of ransomware attacks on a business – if they survive – before they start asking their current IT provider (or their new one) what can be done to stop it.
Most of the strengthening we do is equally effective against APT gaining a foothold on the network. We have seen current versions of ransomware using many techniques we associate with APT, from payloads targeting Adobe Flash with a zero day (thanks, Hacking Team) to command and control obfuscated over Tor, and the use of the system registry to hide the malware.
Yes, malware is a growing threat, but it’s just part of the landscape of being online. If your choice of antivirus lets a virus through, then from the perspective of the IT admin: it was advanced enough to get by my AV, it was persistent (difficult to remove, and it spread to other machines) and it threatened or wrecked my weekend.
My advice? Let’s stop freaking out about APT and adopt the defence in depth techniques we are already using to combat ransomware: segment the network; build egress firewall rules (default deny, with web traffic forced through a proxy and DNS through your own resolver); patch systems aggressively; remove admin rights; reduce the attack surface (get rid of Adobe Flash); maintain robust antivirus and web content filtering; and monitor and log the network traffic. Add a solid, tested backup solution to the above and you’re building a solid defence against APT and pretty much any other Internet threat out there.
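The two items in that list that most directly catch the “something is not like the other things” moment are the egress rules and the traffic logging, because a foothold is only useful to the attacker once it can talk out. The following is an added example, not code from the original post or its author: it writes the intended egress policy down as data (workstations may only talk internally; a single web proxy and a single resolver are the only hosts allowed out, and only on their own ports) and replays firewall log lines through it, so any flow the firewall allowed but the policy would not, and any host that keeps retrying a blocked destination, stands out. The log format, the host addresses, the subnets and the log lines themselves are all constructed for the example and are not any vendor’s native syntax.

```python
"""Egress policy replay over firewall log lines (added example, hypothetical network)."""
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines. Format (invented for this example):
#   <timestamp> <firewall> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2024-05-01T10:02:11Z fw01 ALLOW TCP 10.1.20.15:51522 -> 10.1.1.10:3128
2024-05-01T10:02:12Z fw01 ALLOW UDP 10.1.20.15:40011 -> 10.1.1.53:53
2024-05-01T10:02:15Z fw01 ALLOW TCP 10.1.20.22:50001 -> 203.0.113.7:443
2024-05-01T10:02:16Z fw01 ALLOW UDP 10.1.20.22:50002 -> 8.8.8.8:53
2024-05-01T10:02:20Z fw01 ALLOW TCP 10.1.1.10:33000 -> 198.51.100.9:443
2024-05-01T10:02:31Z fw01 ALLOW TCP 10.1.20.30:50010 -> 198.51.100.40:9001
2024-05-01T10:03:00Z fw01 DENY TCP 10.1.20.22:50003 -> 203.0.113.7:443
2024-05-01T10:04:00Z fw01 DENY TCP 10.1.20.22:50004 -> 203.0.113.7:443
2024-05-01T10:05:00Z fw01 DENY TCP 10.1.20.22:50005 -> 203.0.113.7:443
2024-05-01T10:05:30Z fw01 ALLOW TCP 10.1.1.10:33001 -> 198.51.100.9:25
"""

# Intended egress policy as data: (source network, destination network,
# allowed destination ports, or None for any port). Anything that matches no
# rule is a violation. Subnets and hosts are hypothetical.
POLICY = [
    ("10.1.20.0/24", "10.0.0.0/8", None),       # workstations: internal only
    ("10.1.1.10/32", "0.0.0.0/0", {80, 443}),   # web proxy: the only path to the web
    ("10.1.1.53/32", "0.0.0.0/0", {53}),        # resolver: the only host doing external DNS
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def compile_policy(policy):
    """Turn the string policy into ipaddress objects once, not per log line."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), ports)
            for s, d, ports in policy]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_permitted(src, dst, dport, compiled):
    """True if any policy rule covers this (src, dst, dport) triple."""
    return any(src in s and dst in d and (ports is None or dport in ports)
               for s, d, ports in compiled)


def find_violations(log_text, policy=POLICY):
    """(src, dst, dport) for every ALLOWed flow the intended policy would not permit.

    These are the gaps between the rules you meant to have and the rules you have.
    """
    compiled = compile_policy(policy)
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "ALLOW" and not is_permitted(
                rec["src"], rec["dst"], rec["dport"], compiled):
            out.append((str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return out


def find_repeat_denies(log_text, threshold=3):
    """(src, dst, dport, count) for DENYed flows repeated at least `threshold` times.

    A host that keeps retrying the same blocked destination is worth a look:
    the egress rule did its job, and the repetition is what beaconing looks like.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DENY":
            counts[(str(rec["src"]), str(rec["dst"]), rec["dport"])] += 1
    return [(s, d, p, n) for (s, d, p), n in counts.items() if n >= threshold]


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("policy violation:", v)
    for b in find_repeat_denies(SAMPLE_LOG):
        print("repeated denies:", b)
```

Run against the constructed log, this reports four flows the firewall allowed that the policy would not (two workstations going straight to the Internet, one on 443 and one on an odd port, a workstation using an external resolver, and the proxy itself talking out on port 25) and one host that tried the same blocked destination three times. The point of keeping the policy as data is that the same file can drive both the report and, through whatever tooling you use, the actual firewall rules, so the two cannot drift apart unnoticed.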
Ian Thornton-Trump, CSA+, CD, CEH, CNDA, CPM, BA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
You can follow Ian on Twitter® at @phat_hobbit.
Find out more about how to defend against this type of attack and what tools you need to protect your networks by downloading our free Cyber Threat Guide.