APTs: the imperative for active monitoring
Every year, I search for a common theme at Infosec Europe, but this year it was not so immediately obvious. There were no large clouds hanging above the exhibition hall and many of the largest vendors were absent, their places taken by innovative start-ups.
Yet, under the covers, there were two major themes that many of the vendors that I spoke to talked about—APTs (Advanced Persistant Threats) and the need for continuous monitoring. In fact, these two things go hand in hand.
First, we need to be clear what an APT is, and what it is not. What it is not, is a super virus. That is not what the ‘A’, or advanced, in APT refers to. Whilst it is true that the word advanced does apply in terms of the use of a blended threat with many moving parts, it is rather better applied to those groups with advanced capabilities that are behind such exploits, which is being seen in ever larger numbers. And it is not only government agencies, defence contractors or large organisations with significant volumes of sensitive information that need to be worried. Rather, many victims of such attacks are not the final target, but rather the conduit into a larger organisation such as a business partner that they supply to. Anyone can be a victim.
The actors behind APTs tend to be highly organised, with significant resources at their disposal that rival those of many sizeable organisations. Cybersecurity firm Mandiant recently published a report regarding the resources and modus operandi of a group that it calls APT1, which is just one of more than 20 APT groups that it knows of with their origins in China. It states that the APT1 organisation has been conducting a cyber espionage campaign since 2006 in which nearly 150 organisations have been targeted, spanning 20 different industries. APT1 has a well-established attack methodology that has been refined over the years and which is designed to steal large volumes of intellectual property from targeted organisations. According to Mandiant, it is staffed by hundreds, if not thousands, of operators, with staff required to be proficient in IT security, computer network operations and English. Its widespread presence can be seen in the fact that it has established a minimum of 937 command and control servers hosted on 849 distinct IP addresses in 13 countries.
The ‘P’ in APT refers to persistent as criminal organisations behind APTs look to establish and maintain a presence on the networks they target, attempting to hide their tracks to avoid being detected. On average, APT1 maintains access to victim networks for 365 days, although the longest period of time that has been observed was four years and ten months. Many of its attacks successfully stole large volumes of intellectual property. From Mandiant’s observations, just one organisation alone suffered the loss of 6.5 terabytes of compressed data over a ten-month period. The sort of information that has been taken in such attacks includes technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from executives at the victim organisations.
Shortly after Infosec, I discussed issues surrounding APTs with Adrian Culley, global technical consultant for technology vendor Damballa and formerly a detective in the computer crime division of Scotland Yard. Culley states that APTs are not a new phenomenon, but have actually been around since 1993, when the number of personal computers in use began to soar and the first networks other than those designed for academia or the ARPANET network came into widespread use. He states that nation states and criminal organisations around the world are seriously studying, if not investing heavily in APT techniques.
So how do organisations respond to the threat? There are only three states in which data can exist-data can be at rest, where it is in storage; it can be in use, where it is active and can be constantly changed; and it can be in motion, which is data that is moving around a network. Forensics around data at rest is used to look for patterns in stored data that aim to retrace paths to see how something occurred; but criminals deploying APTs are well versed in forensic techniques and go to a lot of trouble to cover their tracks so that they cannot be traced. Investigating data in use is tricky owing to the constant changes made and is difficult to track at enterprise scale.
So that only leaves data in motion, which is easier to track as all communications can be intercepted. APTs are characterised by their need to ‘phone home’ to a command and control centre housed on a server. Therefore, it makes sense to continuously monitor all network communications in real time, looking for all violations of policy, such as when an advanced threat is trying to phone home, and to block all such exploits as they occur. Culley likens such capabilities to a fire sprinkler system for the network, whereby a sprinkler is deployed for each node in the network, putting out fires locally as they occur.
Proactive capabilities such a continuous monitoring will greatly add to an organisation’s detection capabilities, using techniques such as behavioural profiling that can detect more advanced threats that those using signatures for known threats alone. According to Culley, APTs represent a paradigm shift in the way we need to view security. These advanced attacks and the new threat vectors such as mobile device usage and ever-more interactive web applications mean that security controls placed at the perimeter based on static rule sets are no longer sufficient as sophisticated attackers will go out of their way to circumvent such controls. Rather, we need to be looking at everything that is moving around the network, actively looking for anything that constitutes abnormal behaviour to prevent APTs from communicating out and stealing valuable information.