Read an Excerpt
Advanced Persistent Threat
Understanding the Danger and How to Protect Your Organization
By Eric Cole Elsevier Science
Copyright © 2013 Elsevier, Inc.
All rights reserved.
ISBN: 978-1-59749-955-2
Excerpt
CHAPTER 1
The Changing Threat
INTRODUCTION
Organizations continue to spend significant amount of money on security but today an interesting trend is happening. In the past spending money on security led to less compromises and increased protection. Today, organizations are increasing their security budgets but still getting compromised. What is being done today no longer seems to work.
The problem is that the threat has changed but organization's approach to security has not changed. While traditional threats are still a concern and cannot be ignored, organizations now have a new challenge dealing with the Advanced Persistent Threat known as the APT. The APT is well funded, organized groups that are systematically compromising government and commercial entities. The term originally was developed as a code name for Chinese-related intrusions against US military organizations. The term has evolved to refer to advanced adversaries that are focused on critical data with the goal of exploiting information in a covert manner. APTs are highly sophisticated and bypass virtually all "best practice" cyber security programs to try and establish a long-term network presence. The APT is attacks that are stealthy, targeted, and data focused which is quite different than traditional worms or viruses. The APT are very well-organized entities (typically foreign adversaries) that are targeting an organization to gather a specific piece of information today and ultimately maintain long-term access so information can be extracted at will in the future. APT breaks all of the rules of attackers by typically adapting their techniques on the file, targeting users as the entry point, and hiding their tracks very carefully; therefore many traditional security measures are not effective at dealing with this threat.
Today, the term APT has evolved and different people refer to it as different things. Some people only refer to attacks from China, while others include all attacks as being part of the APT. The goal of this book is not to debate a definition but to provide a guide of how to implement effective security that actually works against the advanced threats that are bypassing and rendering traditional security measures to be less effectively than they previously were against traditional viruses and worms. While the focus of this book is on APT, the real focus is implemented effective security that secures an organization from all threats up to and including the APT. The ultimate goal is raising awareness so organizations can have effective security against the APTv2 and the next generation of threats. A mistake that we have seen organizations make is they focus all their effort on the APT, forgetting about traditional threats and still get compromised.
THE CURRENT LANDSCAPE
Today, one cannot open up a newspaper, read a magazine, or turn on the news without hearing about another organization being compromised. It seems that organizations of all shapes and sizes have been compromised and there is no end in sight. Government, commercial, non-profit, universities, national, and international organizations have all had data breaches that have caused significant impact to the organization.
Hacker groups threatening to target an organization, causes fear and panic because history has shown us that they possess the will and ability to continuously attack an organization until they are successful. One of the goals today is to minimize the chance of being targeted. While an organization cannot live in fear, they should also be careful. It is never the victim's fault but if someone is walking in the bad part of town holding a large sum of money in their hand, the likelihood of being mugged is higher than if one keeps their money concealed and stays in the safer part of town. Many organizations, without even realizing it, are drawing unnecessary attention to themselves either by what employees say or what organization posts on their websites. Think of the impact and exposure social networking sites could cause to an organization. The good news is once an organization understands the threat and the capability of the adversaries, they can better protect themselves. It is important to note that with the APT an organization will always be targeted, but there are steps that can be taken to minimize the impact.
Since many organizations focus solely on fixing random vulnerabilities, for example patching, as their approach to security, they are not protecting against the threats that have the highest likelihood of compromise. This starts to explain why companies that spend millions of dollars each year on security still get compromised. For example, if you are the defensive coordinator for a football team, the team can be number one in the league at defending against the running game. The focus of all practices is fixing and removing the vulnerability of an opposing team running the football against the defense. While this is a noble cause and would take considerable effort, how effective would this team be against a team that primarily passes the football. The answer is not very effective. Many organizations are focusing all of their energy against a perceived threat, but if it turns out to be the wrong threat, they will still be compromised.
It is sometimes hard for people to accept this fact but in this day and age, an organization needs to recognize that they are going to be attacked with a high chance of compromise. While this might seem frustrating it is better to accept reality than live in denial. If someone claimed that they are never going to get sick for the rest of their life, you would probably shake your head and say that is a nice claim but it is not realistic. Saying that your organization will never get compromised is as naïve as saying you will never get sick. Continuing with our analogy, the goal when someone gets sick is to minimize the impact and ultimately not die. While we can eat healthy and take vitamins to reduce the number of times we get sick, when we do get sick the goal is to go to the doctor quickly and deal with the illness when it is still small. The general philosophy that we follow is prevention is ideal but detection is a must. An organization can do many things to minimize the chance of a compromise but it needs to make sure that appropriate measures are in place to detect and deal with an attack in a timely manner.
Briefly looking at APT, the advanced nature of the adversary means that they will usually find a way into an organization. What makes security so exciting is that we have a much harder job than the attacker. For the attacker to compromise an organization, they need to find one vulnerability. For the defense to stop an attack, we have to find every vulnerability. Unfortunately many companies do not understand all of their points of exposure and if the offense knows more than the defense we are going to lose. In addition, the attacker is very persistent. They will keep trying until they are successful.
The main reason the APT is successful is that it is a new threat that many organizations are not prepared to handle. The old threat was visible, went after long hanging fruit and if it failed would move on to its next target. Most of the security we have in place is prepared to handle this level of threat not the APT. While some of the APT attacks are automated, we are dealing with a sophisticated attacker who performs some of the attack with manual intervention. Since a human is involved with planning and potentially executing the attack, the adversary can adapt and utilize human intelligence to extract information from a target.
ORGANIZATIONS VIEW ON SECURITY
Over the years, the evolving and emerging threat has also changed how an organization and its executives view and assess their security posture. Over ten years ago there was a real threat but many executives were not afraid. By the mid-2000s they were afraid but did not know why. Today based on all of the breach data, they know why they are afraid but they do not know what to do about it. Many organizations are also not fully aware of the impact.
It is also common for organizations to not recognize that APT is the silent killer. It could be happening right now to an organization, but since there is nothing visible, they think everything is fine. Executives all of the time state that security has been telling us for the last three years how bad everything is and that we will be compromised, but nothing has happened which leads executives to think that cyber security is overhyped. In essence, executives say that security keeps saying the sky is falling and accuses the security group of being Chicken Little. The problem is that the sky has fallen, but organizations are not receiving the right information to realize that it is occurring. The simple question is: if there was a system on an organization's network that was compromised and slowly extracted information out of the organization, how would you know about it? If a user received an email that looked legitimate but contained embedded malware and clicked on it, how would an organization detect it?
Organizations have heard of the phrase APT and know that it can get around most security measures; they just do not have the proper information to recognize that the problem might be occurring right now. Instead of thinking of APT as a problem that could occur in the future, we have to recognize that it is a current problem that is occurring right now. A key motto of security is to assume the worst and hope for the best. Isn't it better to act as if you are compromised and be prepared, than be ignorant and be compromised? If you assume you are compromised and you are not, you have just gained a better understanding of your organization and improved your security. If you assume you are not compromised and you are, you could go out of business.
While some organizations are recognizing the devastating impact the APT can have, some are still living in denial. What many people think is that bad things happen to other organizations not ours. The number one motivator for someone purchasing an alarm system is they or someone they know very well is robbed. Unfortunately the current motivator for organizations implementing effective security is to take action after a breach occurs. Many organizations do not think bad things can happen to them until it does. In this day and age there is enough data and confirmed attacks that organizations have to recognize it is not a matter of if an attack is going to occur but when.
YOU WILL BE COMPROMISED
We have come to a point in security where organizations have to recognize the fact that they are going to be compromised. It is also safe to conclude that any critical systems that are connected to a network and ultimately connected to the Internet have already been compromised. As a society we must make the paradigm shift that the threat has advanced to the point where no system is safe. One of the key themes that will be echoed throughout this book is Prevention is Ideal but Detection is a Must. While an organization should hope and pray that they do not get compromised, they need to recognize that it is going to happen and put measures in place to detect it in a timely manner. Having a compromise is OK if it is caught quickly and appropriate remediation is taken to prevent reinfection. Having a compromise for 6months is not acceptable.
The ultimate goal is to make sure our organization does not go out of business. Ideally we need to detect any compromise early, react quickly, and minimize the overall damage. Looking at the amount of records compromised in recent breaches shows us that organizations are not doing an effective job at detection. If we were doing proper detection organizations would have 200 records stolen and be compromised for one week. Today it is not uncommon to see millions of records stolen over a several month period.
Saying that an organization will be compromised and most likely has been compromised is hard for some people to accept. However, it is merely the inverse of one of the fundamental truths of security—as soon as a system has any functionality or value to an organization, it is no longer 100% secure. A system that is 100% secure has 0% functionality. To put it another way a system that is 100% secure has minimal value to an organization because there is no functionality. As soon as you take a computer, plug it in to electricity, connect it to a network, and let humans touch the keyboard, the security has dropped below 100%. If the security is below 100%, then compromise could occur, it is just a matter of time.
(Continues...)
Excerpted from Advanced Persistent Threat by Eric Cole. Copyright © 2013 by Elsevier, Inc.. Excerpted by permission of Elsevier Science.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
