Posts tagged apt
Anticipating Cyber Threats Beyond APT
Some organizations have encountered Advanced Persistent Threat over 5 years ago—earlier than most of us. Because of the types of data they process, these initial APT victims were exposed to carefully-orchestrated, espionage-motivated attacks before they spread to a wider range of targets.
Now, half a decade later, might the time to look at the attacks that the initial APT victims are fighting nowadays to forecast the threats that will eventually reach other companies. I am wondering:
- Will traditional APT actors eventually disengage from early APT targets, perhaps after obtaining the necessary data, finding the cost of maintaining presence too costly or deciding to focus on easier-to-attack victims? Have they done this already?
- Will APT groups remain engaged, but drastically change tactics according to new goals and in response to new defensive elements? How have these tactics changed in the recent years?
- What can we learn by treating initial APT targets as predictors of threat dynamics that will eventually affect a broader set of victims? What attacks are effective today against the organizations that had the time and skills to adapt to initial APT tactics?
It’s hard to answer these questions without first-hand access to the companies that witnessed the first wave of APT attacks. Furthermore, the dilution of the term APT by marketing departments makes it harder to differentiate between reliable APT insights, such as what Mandiant has been publishing, from generic APT-themed sales collateral peppered throughout the web.
Based on public information and observations, I suspect the threat landscape over the next few years will involve:
- A greater use of purchased non-public exploits. (See Reuters’ article on the trends in the exploits market.)
- More professional oversight of multiple aspects of attack operations and logistics to improve effectiveness and efficiency.
- Smarter mining of stolen data (“big data”) to derive intel for subsequent attacks, discover relationships and spot other valuable information.
- The adoption of the techniques seen in “military-grade” malware, such as Stuxnet, by a broader range of attack groups. (See Eugene Kaspersky’s concerns over military’s use of malware.)
- Increased use of anti-forensics and evasion techniques to conceal attackers’ capabilities and motives. (See Eugene Rodionov and Alexandr Matrosov’s overview of anti-forensics malware features.)
These are just conjectures. I don’t have the answers to the questions I posed above; however, I thought I’d at least ask them and explore the idea of looking at early APT targets’ current state to anticipate advanced threats that will later affect other organizations.
Related articles you might like:
Indicators of Compromise Entering the Mainstream Enterprise?
The need to define custom, incident-specific signatures is slowly gaining traction in the mainstream enterprise. A few years ago this concept, often called Indicators of Compromise (IOCs), was mostly discussed by government organizations and defense contractors who were coming to terms with Advanced Persistent Threat (APT) attacks.
Madiant began popularizing the term IOC around 2007. Kris Kendall’s paper Practical Malware Analysis mentioned IOCs in the context of malware reversing at Black Hat DC 2007. For a precursor to this, see Kevin Mandia’s Foreign Attacks on Corporate America slides from Black Hat Federal 2006. At the time, few organizations saw the need to go beyond antivirus-based detection by analyzing the adversary’s artifacts to define custom host-level signatures.
Now, several years later, the term IOC is pretty well-known in the infosec industry. More companies are adding malware and related analysis skills to incident response teams. As Jake Williams put it, such firms know how to examine new malware and extract IOCs. “These are then fed back into the system and scans are repeated until no new malware is found.” Automated analysis products from vendors such as Norman, Mandiant, FireEye and HB Gary are being increasingly positioned as IR triage-enablers.
That said, the knowledge and skills for deriving and using IOCs is far from being mainstream. Anton Chuvakin highlighted the distinction between security haves and have-nots along the lines of this capability. The haves know how to reverse-engineer malware to “extract the IOCs FAST (or get those IOCs shared with you by trusted friends) and then look for them on other systems.”
IOC techniques haven’t entered the mainstream just yet. But we’re heading in that direction, as more people attain forensics skills and as more tools become available for defining and making use of such custom, incident-specific signatures.
To learn how to define and make use of IOCs, take a look at:
APT is a geopolitical problem.
We commonly see APT shift to using stolen credentials and no malware at all.
Why I Make Fun of Advanced Persistent Threat (APT)
If you follow this blog, you may have noticed that I made fun of Advanced Persistent Threat on several occasions. I published APT haiku (thanks to all who contributed) and a series of APT cartoons. I established the Certified APT Nerd (CAPTN) professional credential with an exam. I also launched the APT Merchandise Store, where the most popular item is the “My APT Can Beat Up Your APT” t-shirt.
Why do I make fun of this serious topic? Because I care.
Many computer security incidents result from mass-scale attacks. Some incidents result from targeted attacks. A subset of targeted attacks, affecting relatively few organizations, is being called APT. (This is a form of malicious market segmentation.)
APT attackers are highly-skilled, determined and have a long-term perspective on their mission. As the result, it is difficult to detect and respond to such incidents, with the IR process spanning months or even years. Dealing with APT is expensive. The impact of the data loss resulting from an APT incident is costly, too.
The media’s attention to high-profile APT incidents has turned APT into a marketing buzzword. It is simply too convenient for security product and service vendors to use APT as part of sales and marketing efforts, even though the majority of these offerings don’t directly deal with APT.
I make fun of APT in the hopes that this will make it harder to use APT as a generic marketing buzzword or a boogeyman du jour. I also make fun of it because FUD-based marketing techniques, when taken to an extreme, can be quite humorous, and the job of an information security professional is too hard if it is always taken seriously.
And with that in mind, I present to you APT cartoon #6: APT Goes Mainstream on TV.
The world’s first Advanced Persistent Threat (APT) Merchandise Store is now open for business!
You can now order APT-related t-shirts, buttons, mousepads and other items for all your APT needs.
The store’s merchandise carries insightful slogans such as:
- “I Was Breached by APT” (Sweatshirt)
- “My APT Can Beat Up Your APT” (Dark T-Shirt)
- “APT is a Who!” (Trucker Hat)
- “I Have APT” (Light T-Shirt)
- “APT: Mysterious, Not Anonymous” (Mousepad)
And more! Buy now, while APT is still hot.
For more Advanced Persistent Threat goodness, see APT haiku, Certified APT Nerd (CAPTN) and APT cartoons.
‘Cause APT is too serious to be taken seriously.
APT cartoon #5: Scientists. “If you think this is advanced, how do you expect to deal with APT?”
Caption by Lenny Zeltser. Based on a drawing by sabine voigt. Got a better caption?
For more Advanced Persistent Threat cartoons, see #1, #2, #3, #4 and #6.
APT cartoon #4: Sad Elephant. “APT ate my homework.”
Caption by Lenny Zeltser. Based on a drawing by Willee Cole. Got a better caption?
For more Advanced Persistent Threat cartoons, see #1, #2, #3, #5 and #6.
APT cartoon #3: Monster and Humans. “Having consumed all data in the world, APT turns on humans.”
Caption by Lenny Zeltser. Based on a drawing by sabine voigt. Got a better caption?
For more Advanced Persistent Threat cartoons, see #1, #2, #4, #5 and #6.
- Page 1 of 2
- Next »
