Wednesday, August 25, 2010

Are you a target of "Advanced Persistent Threat," Sources, or Attacks

"Advanced Persistent Threat" (APT) is a term of art. It was coined by the USAF to label an attack pattern that they had identified and that they thought was emanating from a nation state. It came into the security jargon when it was used to describe an extended and resourceful attack reported by Google.

These attacks are "advanced" in the sense that they are coordinated and multi-phased. The phases begin with target selection and vulnerability identification, through domain contamination and information ex-filtration, to intelligence analysis and exploitation.

These attacks are also advanced in the sense that there are knowledge, skills, and abilities specific to each phase; no single individual is likely to be expert in all phases. One guy crafts the bait while another selects the malicious code. The attacks are advanced in that the threat source brings together the necessary experts and coordinates their activity across phases and time.

The attack is persistent in the sense that it continues through all the necessary phases, and the threat source is persistent in the sense that it will invest whateever time and resource in necessary for success.

While the term really refers to an attack, rather than a threat, to the extent that the attack has a rate and a source, it implies a "threat."

Is this something that you need to woory about? Is your enterprise a target?

The short answer is that if you are a Fortune Five Hundred enterprise with intellectual property, you are probably a target of choice of one or more nation states. If you are a financial services company or a payment card industry service provider, you are a target of choice for organized and resourceful criminal enterprises.

This is not to say that the rest of us might not be targets of opportunity for these threat sources, but only that their attacks against us are not persistent or continuing. Individuals may be "victims" of payment card fraud but it is the enterprise that is the "target."

It would be nice if one could detect such attacks early. Then one could at least determine whether or not one was currently under attack. However, the attacks usually begin with low intensity activities such as vulnerability probes or the distribution of bait messages. While intensive probes are easy to recognize, the same probes spread across enough time may not be obvious. If bait messages are not difficult to detect, they will not work at all. In fact, they will be as artfully crafted as necessary for them to work. There will also be a "sufficient" number of them that one or more victims will take the bait. Only after the bait has been taken are the other phases of the attack triggered. While it is somewhat easier to automate the detection of these later phases of the attack, it may also be only after some data has leaked and some systems compromised.

Note that while the compromise of your intellectual property may be a threat to the health and continuity of your enterprise, the consequences may not be limited to your enterprise. They may include damage to the vitality and growth of our economy and, perhaps, even to "homeland security." In this light, "best efforts" or "hit and miss" security is not good enough.

"Defense in depth" must be the order of the day; push your defenses up and out and your resources in and down. We can no longer afford an enterprise architecture that relies primarily on perimeter protection such that one person clicking on a bait message compromises the entire defense.

No comments:

Post a Comment