Sunday, February 7, 2010

"Advanced Persistent Threat"

Courtney's First Law says that "nothing useful can be said about the security of a mechanism except in the context of a specific application and environment." The "environment" is all about threat, natural and artificial. For the first three decades of computing, while we talked a lot about the man-made threat, the threat that actually mattered came from "the" environment, that is, from nature: mostly fire and water, but also earthquake.

While the natural threat has not changed much, the risk has changed, because risk is governed in part by scale. In the early days computers were scarce, large and expensive, and we believed ourselves heavily dependent on some of their applications, so the consequence of loss was the loss of the machine itself. In a world in which computers are a small, cheap commodity, the risk is not to the property but to the information: the loss of confidentiality, integrity, or availability. Man, not nature, has become the threat of interest.

In 2006 the US Air Force began to use the term "Advanced Persistent Threat" to describe the role of nation states in attacking users of the Internet. The expression has surfaced in both the industry and the popular press during the past two weeks.

The use of words is how we "think about security." Expressions like this one influence what and how we think about security. If the expressions are not carefully crafted, they may distort or mislead. If we are to use them, we should examine them carefully.

Of course a nation state is not a threat; a threat is an event with a rate. A nation state, like organized crime, is a threat source; a threat has both a rate and a source. "Persistent" can sensibly modify a threat source, and one must assume that nation states are persistent.

It is hard to see how "advanced" can modify either "threat" or "persistent." In context, it clearly modifies the attack method. The fundamental attack methods have not changed since I wrote about them in a side-bar for an article in IEEE Spectrum in the early seventies. What has changed is the implementation, both the art and the craft.

Nation states and organized crime may exploit vulnerabilities that are not widely known, but what is significant about the methods in these attacks is how they are used in steps and stages, from target selection through initial compromise to exploitation of what is taken.

For example, while Operation Aurora used other elements after the bait was taken, getting someone to take the bait was the key to its success. Crafting the bait included forging the origin address; resistance to that forgery could have been automated, but we also need to be more skilled at recognizing bait. Today it is all too easy to get someone to "click" on the bait, and a single click is often sufficient to compromise a system or a domain. Apparently, the more senior the target, the easier it is. Similarly, the more senior the apparent origin, the more likely the target is to take the bait.
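The post says that resistance to a forged origin address "could have been automated" without saying how. As an added example that is not from the original post, the following Python sketches one such automation: a DMARC-style alignment check of the From header against the envelope sender (Return-Path) and the Authentication-Results header an inbound gateway adds, plus two display-name checks aimed at the "origin appears to be high up the food chain" lure. The domains, names and header values are constructed; the two-label shortcut for the organizational domain, the protected-name list and the local domain are assumptions.

```python
"""Compare a message's apparent origin with its authenticated origin.

Constructed example, not code from the original post. Models a DMARC-style
alignment test plus display-name checks; every domain, name and header value
below is made up, and org_domain() is a simplification of the real rule.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: the local organizational domain and the display names of
# senders worth protecting (in practice these would come from a directory).
INTERNAL_ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "ceo office"}


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Real DMARC consults the public suffix list; this is a simplification."""
    labels = domain.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_auth_results(value):
    """Return {method: (verdict, domain)} for the spf/dkim clauses of an
    Authentication-Results header (RFC 7601 syntax, simplified)."""
    results = {}
    for clause in value.split(";")[1:]:          # [0] is the authserv-id
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        d = re.search(r"(?:smtp\.mailfrom|header\.d)=([^\s;]+)", clause)
        # smtp.mailfrom may be a full address; keep only its domain part
        domain = d.group(1).split("@")[-1].lower() if d else None
        results[m.group(1)] = (m.group(2).lower(), domain)
    return results


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw_message):
    """Return the parsed origin and a list of findings (empty if clean)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = _domain_of(return_path)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []

    # 1. Relaxed alignment: some passing method must have been evaluated on
    #    a domain that shares the From header's organizational domain.
    aligned = any(verdict == "pass" and domain
                  and org_domain(domain) == org_domain(from_domain)
                  for verdict, domain in auth.values())
    if not aligned:
        findings.append("from-domain-not-authenticated")

    # 2. Envelope sender and header From disagree on organization.
    if rp_domain and org_domain(rp_domain) != org_domain(from_domain):
        findings.append("return-path-mismatch")

    # 3. A protected display name used from outside the organization.
    name_only = re.sub(r"<[^>]*>", "", display_name).strip().lower()
    if name_only in PROTECTED_NAMES and org_domain(from_domain) != INTERNAL_ORG_DOMAIN:
        findings.append("display-name-impersonation")

    # 4. An address embedded in the display name that points elsewhere.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if m and org_domain(m.group(1)) != org_domain(from_domain):
        findings.append("address-in-display-name-mismatch")

    return {"from": from_addr, "display_name": display_name, "findings": findings}


# Constructed samples, as seen after the gateway added Authentication-Results.
LEGITIMATE = """\
Return-Path: <news@mail.example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail.example.com; dkim=pass header.d=example.com
From: Jane Doe <jane.doe@example.com>
Subject: Quarterly results

Attached.
"""
FORGED_FROM = """\
Return-Path: <x7@relay.attacker.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay.attacker.test; dkim=none
From: Jane Doe <jane.doe@example.com>
Subject: Please wire the payment today

See attachment.
"""
NESTED_NAME = """\
Return-Path: <bounce@bulkmail-provider.test>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulkmail-provider.test; dkim=none
From: "Jane Doe <jane.doe@example.com>" <alerts@bulkmail-provider.test>
Subject: Urgent: review attached document

Click here.
"""

if __name__ == "__main__":
    for sample in (LEGITIMATE, FORGED_FROM, NESTED_NAME):
        print(assess(sample))
```

The third sample is the instructive one: SPF passes, because the bulk-mail provider really did send it, so an authentication-only check is silent and only the display-name checks fire. Checks 1 and 2 catch the plain forgery; checks 3 and 4 catch the lure that survives authentication.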

I am reminded of my South African colleague who said that his demonstration bait message had a subject line of "big teats." He argued that its attraction was gender dependent, but its appeal was to both genders. One gender wanted them while the other wanted to look at them.

The key word is "persistent." Right now that means fishing every day and throwing out a lot of bait. History suggests that artfully crafted bait, sufficiently replicated and spread, will work. Of course, the operative word is "sufficiently," and "sufficiently" implies brute force. Since the adversary is not going away, one must recognize both the bait and the brute force behind it early, while there is still time to mitigate or resist. One must also decrease the size of the domain that can be compromised by a single "click."

Every "large" enterprise is a target but surprisingly so are some small ones. We will save this discussion for another day.
