Skip to main content

Advanced Persistent Threats APTs

APTs or Advanced Persistent Threats are threats in which the threat agent (person or persons responsible) is highly motivated, well resourced, and highly skilled. This modis operendi of these people is to identify high-value target profiles (senior management, financially responsible, and influential) and gain persistent access to sensitive information.

Over the last few months, there has been an increasing number of public reports related to APT incidents:

Athough it has been widely reported in the past that malware writers and the criminal elements funding their research were moving in the direction of smaller, more targeted attacks, it appears that this trend has been accelerated and is catching many organizations and people off-guard in the process.

There are a couple of difficult challenges associated with countering these types of threats:

1) Threat information - with a few exceptions (government and private intelligence) most people and organizations in the commercial world have no idea who the people behind these attacks are, how they are motivated, the techniques they are using, and what type of information they are after. This severely limits our ability to prevent, detect and respond.

Many of the recently reported incidents have fully funded security teams that are quite well trained and I expect very capable, but without a better understanding of the threats (who they are, what they are after, how they operate, how to respond) their efforts are not likely to be focussed appropriately. Encrypted HTTPS sessions to eastern Europe from client browsers probably doesn't raise any alarms for most people today. There are many sources of vulnerability intelligence (adobe has a new 0-day flaw), but very few sources of threat intelligence (criminal gang X in europe are preparing to target CFO's of petro-chemical organizations by hiring malware developers).

We need to start sharing intelligence better. Governments who are funding intelligence research should expand these programs and build partnerships with the organizations being targeted. This serves to inform the community about current threats, and collect information regarding incidents. Targets are in most-cases commercial non-military organizations who don't have the benefit of being briefed by NSA on a regular basis. Those governments who don't collect this type of intelligence need to start. And commercially, private industry needs to serve our clients better by insuring advice being provided is as accurate and actionable as possible.

A good example of this is the Transglobal Secure Collaboration Program (TSCP).

2) Deployed control in-effectiveness - anti-virus, intrusion detection/prevention products have been developed to respond to malware that is reported to them in most cases after the infection has occurred. Keeping anti-virus software updated is important, but so is realizing that it only protects from well known vulnerabilities.

These threats are using custom malware, in some incidents used in only a small number of cases, and developed to be un-noticeable by the target. Exclusive dependence on traditional types of security controls for protection against these threats will only establish a false sense of security.

We also need to adopt a new set of controls and thinking when addressing these threats. We need to start isolating sensitive information and processing away from other less trustable activities (web browsing, email, etc), and we need to be vigilant in protecting them. We should start reintroducing the basic security concepts of fail-close, and whitelisting rather than signature matching into more of our sensitive processes and educating our clients on reasons they are not permitted to update their facebook profile from the online-banking terminal.


Popular posts from this blog

Local Classified Penny Auction Scam

While there are a lot of new posts regarding the new ways to exploit people using novel techniques and 0day exploits, there continues to be a rash of tried and true methods of coercion.  I want to just walk through a simple example and reflect on how effective these methods continue to be. Many people turn toward online classified sites to buy and sell items online.  This example starts with which even I've used on occasion to find used electronics and other items.  Doing a search on the site for a " Samsung Galaxy Note 2 " returns a posting from today with someone selling one for an unreasonably priced unit. $125 for a $500 phone?, but what if it's for real?  No harm in just asking some simple questions.  Email sent with some obvious questions regarding the condition and location. About an hour passes before I get a response from what appears to be a legit seller. Notice no answer to the questions I asked, but a friendly pointer at where th

Edmonton HeartBleed Information Session - April 16th, Royal Glenora Club

Since the latest major OpenSSL vulnerability was publicly disclosed, many people and organizations are scrambling to understand, respond and prepare themselves for the future.  Twitter, vendor support channels and media outlets have been quick to cover different angles of the issue but there has been overwhelming amount  of information released. With all this information, it can be difficult to understand what's relevant.  To help clarify we holding a special ISACA sponsored 2-hour session on Wednesday, April 16th, starting at 12:00pm at the Royal Glenora Club.   Benoit and I will be attempting to explain as much of the issue as we can from a technical and non-technical perspective, discussing the vulnerability, its scope with relation to our personal and professional lives and other related concerns such as our trust in the public PKI system.  The second hour we will be an interactive discussion about how others are dealing with problem, questions about related topics,

Touch ID - Distributed Fingerprint Lookup

All the press regarding the new Touch ID fingerprint biometric on Apple's new iPhone has brought some insight into how to misuse this service.  Most of the critics have focused on circumventing the device to gain access or Apple deciding to share the data with the Government. One interesting perspective that I haven't seen covered yet is if the system could be used as a distributed matching system for existing fingerprint image systems.  In an over simplified view of the process, a law enforcement agency can take an acquired fingerprint and search for patterns in the database of collected prints and spit out possible matches. Although Apple states that an API won't be available for apps, it is conceivable that such an interface might exist, and provide the ability to take an acquired print (either from the iPhone hardware or from software) and check it for validity against the stored print. There are some limits to this, as there is likely only going to be one prin