It’s The Adversaries Who Are Advanced And Persistent

By Scott Crawford & Nick Selby

There has been much talk recently about the “Advanced Persistent Threat.” According to Richard Bejtlich [1] and others, the term originated with the US Air Force around 2006, which explains why Bejtlich and others with an Air Force pedigree, such as Mandiant founder Kevin Mandia, have made much of the term.

Only recently has it begun to enter into more common use, particularly in the wake of the recent Google incident. Since that story broke, the term can definitely be seen scaling Mount Hype, with high probability of reaching the summit by the RSA Conference. This is, of course, why all those DLP banners were printed one-sided.

We can already anticipate from those headed down the back side of that lofty peak one central question: “What the heck is it?”

The Next Big Nail

Part of our concern is how much the term is likely prone to abuse. Those with a hammer to sell will undoubtedly see APT as The Next Big Nail. Not only does this promote the myth of the “easy button” in security, where a new tool, technology or product emerges to solve the latest headache, it also lumps APT into the FUD bucket of everything we fear we can neither understand nor see today. It doesn’t help that the term itself plays to the U in FUD, particularly when tactics are neither advanced nor seemingly persistent. But this is part of the issue in our view: a good deal of the problem with security today is that we focus our attention on tactics, rather than what is behind them.

What we would prefer to consider, then, is the “Advanced Persistent Adversary,” since “threat” becomes all too easily confused with tactics.

This is not semantics, but it very well could be about Symantec – it is significant that McAfee came out and named the GOOG Thing, and fanned the flames of this new bonfire of mainstream APT-uttering. For example, in the blog post proffering the name Aurora to describe the wave of attacks in which Google found itself playing a starring role [2], McAfee defined APT thusly:

“The current bumper crop of malware is very sophisticated, highly targeted, and designed to infect, conceal access, siphon data or, even worse, modify data without detection. These highly customized attacks [are] known as ‘advanced persistent threats’ (APT).”

Clearly, McAfee avers that APT is a new form of, or state-of-the-art in, malware. That is precisely wrong.

Conflating Risk & Threat

This feeds right into another, larger issue in information security: that practitioners often confuse and conflate the terms they use to describe what they’re talking about. We’ve heard high-ranking security executives refer to specific viruses as “risks.” With mainstream use of “APT,” it becomes a “thing” which can be “solved”. By calling a specific threat like an exploit or a technique an “advanced and persistent” one, it makes it sound like a missile: something that must be controlled lest it proliferate. In fact, these exploits and techniques seem more like handguns – more agile, smaller, cheaper, easier to use and carry – and a whole lot more difficult and controversial to control.

If we allow vendors to say that the “threat” is the problem, then, “advanced persistent threat” is relegated, as it has been, to the people we have been paying to clean up what we have typically labeled “threats” [3]. Not only does this play into that “easy button” mentality (which is likely the worst possible way to address the advanced adversary) but also it often draws the focus away from a coordinated incident, and towards individual tactics that may be misleading, if they are detectable at all. It may well be that a specific tool used by the more adept adversary is not at all advanced, and may not appear to be persistent. In fact, if they’re any good at it, their activities will appear to be benign until it’s too late.

A Little Light Musing

To use a classical piano analogy, there are millions of people the world over who feel up to taking a crack at Beethoven’s “Für Elise” – including professional concert pianists. Relatively few, however, can do a competent job with the Hammerklavier sonata, one of the most difficult in the classical repertoire. But here’s the thing: those who can deliver the Hammerklavier can also handle “Für Elise.” The point is, they can call upon the right piece for the moment, regardless of the level of challenge.

The “threat” in APT isn’t about the tools used, or whether they’re common, or dated, or ridiculously simple. (Indeed, if you wanted to call upon a simple tactic as a red herring, why not if it suits the purpose?) It’s the adversary who shows virtuosity, the adversary who shows persistence.

Advanced, Persistent Adversary

The more advanced adversary demonstrates persistence, because it has a larger strategic goal than any individual exploit, or even any individual incident. And the adversary may have the resources to back not only expertise in tactics, but such things as fundamental research which can be called upon as the need arises.

This also helps shift the focus where it needs to be. We have been far too lax, for far too long, in the way we think about how to counter threats of any kind. Pieces and parts, this tactic or that, some new tool for every new emerging exploit, without considering that the adversary thinks far more strategically than we do.

We would hope that this also shifts thinking in the security market toward a more systematic approach to defense. For Pete’s sake, the breach alone ought to demonstrate that we’re still unable to build a decent foundation for our efforts, let alone ready ourselves for the more advanced, persistent adversary.

Things That Can Help

Many still-accepted approaches that are successful in producing revenue for security vendors will have little or no bearing on dealing with the advanced adversary, but there ARE things we can do to improve our current situation, which today we clearly do not.

Let’s think like the adversary and assess ourselves accordingly – and we’re not just talking about vulnerability scans. How do our companies appear to the world on the Internet? How do our employees and business units communicate with the world, and how do our applications expose ourselves to the Internet at large? And how aware are we really of what goes on in our environment? Are we monitoring as widely and well as we could be? Are we making use of the information we collect and doing what amounts to pre-incident forensics on the data? If not, or if such techniques seem beyond our reach, where can we look for expertise that will help, and what does that need say about where security management needs to go in the future?

It’s high time we began setting our security goals to align with defense of what we hold dearest. All too often we set our security goals to align with those of compliance with regulatory or industry rulesets.

One thing we believe will not help: more of the same. The advanced, persistent adversary has been here for some time [4]. Here’s some time-worn advice that’s been around for a while as well: there is no panacea, there’s no magic bullet, there’s no boxed solution ready for cash and carry.

While many rightly raise that the Google incident is the first time the issue has made the mainstream press, there’s lots of experience out there on the user side, and we applaud experts like Richard Bejtlich, Mike Cloppert and others (like Will Gragido at Cassandra Security who’s been writing about another, different way to describe this, Subversive, Multi-vector Threats, or his business partner John Pirc, who presented on many related issues at ToorCon 2009) who have come forward to share at least the anonymized takeaways of their work. As we went to press, Andy Jaquith published similar thoughts at Forrester.

We need more experienced practitioners to come forward and share. As you read this, information security pros are sitting, wide-eyed, in banks, insurers, card processors, chemical firms, all kinds of industries, analyzing the latest – that is, today’s – onslaught. Sharing our common experience makes us all stronger.

McAfee was right when it said that, “Everyone’s threat model now needs to be adapted to the new reality…” Organizations sharing information with one another is one great way to speed our time to insight as we grapple with just what that new reality comprises.


* Scott Crawford is Research Director at Enterprise Management Associates (EMA), a leading IT industry analyst and consulting firm based in Boulder, Colorado. The former head of information security for the Comprehensive Nuclear-Test-Ban Treaty Organization’s International Data Centre in Vienna, Austria, Scott has been an IT professional in both the private and public sectors, with organizations including the University Corporation for Atmospheric Research and Emerson (Fortune #94 in 2009).

* Nick Selby is co-founder and Managing Director of Trident Risk Management, where he consults Fortune 1000 clients on information security, data protection, penetration testing and vulnerability and risk assessment. TRM also consults with government and law enforcement agencies on intelligence issues and tools. He was, in 2005, the founder of the Enterprise Security Practice at industry analyst firm The 451 Group, and is a Faculty Member at IANS. He is a regular contributor to FudSec and ThreatPost.

1. Bejtlich himself has massive experience in facing down all kinds of threats from advanced and persistent adversaries, in several distinguished roles. He has been raising awareness of these issues, as has Kevin Mandia, for several years.

2. The use of the name is itself confusing, because “Aurora” has been used for three years to describe an Internet-based attack against rotating generator equipment and was recently highly publicized in a controversial CBS 60 Minutes segment. Yes, McAfee had a reason to name it that, but that doesn’t mean it should have. Nick’s wife makes and sells tremendously good baked goods, but that does not mean she should call them “Oreo”s.

3. And how’s that working out for you, hmm?

4. Of course it is enough to make one physically ill to hear that MSFT had long known of the problem that caused GOOG so much angst. In fact, if you want to raise your blood pressure, consider just how long it took for McAfee and Symantec to begin to address APT – and now consider that they’re trying to dominate the talking head space, issuing punditry and thought leadership around APT to sell, wait for it, anti-APT products. Thanks, guys!



  • Gunnar on

    "One thing we believe will not help: more of the same."

    Correct. Will a real change happen? Probably not.

    "This also helps shift the focus where it needs to be. We have been far too lax, for far too long, in the way we think about how to counter threats of any kind. "

    Doubtful, vast majority of infosec people come from network ops background. When confronted with a problem they run back to their comfort zone - the network. But this is a big problem because

    "It's high time we began setting our security goals to align with defense of what we hold dearest."

    What almost every company holds dearest is NOT their network (but that's where infosec spends all its time/money), what they hold dearest is customers, users, identity, transactions, apps and data. Those don't get any focus from infosec, it's a people problem, regardless of the threat infosec has the wrong background training, skills and focus to provide security to the enterprise. Expect more of the same.

  • Russell Thomas on

    Excellent!   APA is a nice refinement.  Even so, I see plenty of security professionals who are saying that it doesn't pay to think too much about adversaries.   For example, see Gunnar Peterson's post: .

    What we, the security industry, need is some sort of concrete "use case" where knowledge of APA as a credible threat agent will lead to significantly different investments, practices, policies, or architectures.   If the existence of APA implies just "more of the same" security practices, then it doesn't matter as much.

    So, what about security will change significantly or dramatically in the face of APA??


  • Will Gragido on

    Great post guys. I wanted to let you know I enjoyed it and agreed with the messaging. There is an evolution revolution occurring within the industry right now. A separation of the wheat from the chaff in respect to experiential knowledge base from those on the sidelines. Much of this is akin to a metallurgical refinement of the industry; a much needed occurrence. I believe that as you pointed out change is necessary and as I and my colleagues have written and presented upon over the years, there is a need to re-evaluate the conventional wisdom associated with threat analysis and points of origination.

    In my opinion, it can be assumed that adversaries are any and all who -- by official or unofficial declaration or decree of a nation state, subnational entity (criminal, terrorist, mercenary etc.), or individual willfully engage in activity which would be considered unlawful were it to occur in a dimension other than that of the cyber realm. For example, were someone to break into your home, effectively map your residence taking note of all ingress and egress points, areas which offer cover and shadow for the avoidance of detection while allowing you access (as unfettered as possible so as to not cause anyone's attention to fall upon you), you'd consider (as would), this to be an act of criminal origin regardless what the reasoning or philosophy was behind. Such activity and access could and would likely allow for the free flow of exfiltrated property (tangible and intangible) from your residence or worse; place you and those you hold dear at risk.

    Clear and concise comprehension of subversion is key in gaining intelligent insights into the motivation and intentions of those who devise and carry out these missions. Due to the fact that human beings are involved (as I was taught long ago in a US military occupational school far far away), one must expect the unexpected and prepare for the obvious and abstract to be used by the enemy in order to accomplish their mission. Failure to properly assess oneself and one's enemy is a freshman mistake yet all too common. We need to address this, recognizing that there are deficiencies in both the public and private sector which allow for the continual exploitation and abuse of systems, data and people. The world has changed however human nature has not. People's actions are predictable as are their motives should one be so inclined to amass the data points and pull together a picture.


    All the best!


    Will Gragido

    Cassandra Security

  • N Selby on

    Thanks for your comment and for your insightful posts here and here. We agree more than you might suspect.

    First of all, and speaking for myself and not for Scott (as both of us are traveling at the moment and I have not had a chance to discuss this with him), I never implied or thought for a moment that the network is "what's important" to me (I do say that I cannot tell anyone what is important to them, though). In my opinion, the information and the data are what's important.

    Your point, though, that infosec people are often network people, and all things being equal when someone's challenged by something they often run to their comfort zone is well taken. I have done a lot of thought leadership on the issue of siloed security operations (here, here, here and in propaganda here for example) and I would state that the most important security measure any company can take is to force its physical security, information security, network, database, application and even select business teams or leaders to spend time together and communicate with each other more.

    We must all stop spending our time trying to be right, and start spending our time trying to understand one another's goals, challenges and successes. This is hard.

    Like many things in security, there's no direct, measurable ROI for this activity, so most organizations are loath to undertake the effort. However the rewards that redound to the benefit of such collaborators can be monumental. Several of us have now said that fighting the advanced persistent adversary does not come down to some box or software. Now let's join forces and create some tangible steps on how organizations CAN fight this issue. You've started to do this, as have Richard, Will and John, Kevin Mandia, Rich Mogull, Andy Jaquith and several others.

    I propose a vendor-neutral conference on the topic during which we can discuss these issues, hear from end users in commercial and government organizations, and non-profits and from vendors in a balanced, FUD-free environment (that is to say, heavily moderated) on tangible, pragmatic steps we can offer to raise our overall level of awareness and defense. I'll be speaking with all the names mentioned herein and more to see if we can make this happen.

    Thanks, Gunnar, again, for your comments and work.

  • N Selby on

    Will and Russell,

    Thanks so much for the comments and the thoughtful remarks. Much obliged!

  • Scott Crawford on

    Thank you all for the time and the thoughtful comments.

    Gunnar, as we have discussed and as Nick suggests, I am fundamentally in agreement with you in general.  As Nick points out, we would not disagree with your take on how the evolution of IT has in many ways been a detriment to truly effective security. But if the advanced and persistent adversary means that our initial reaction is to focus on incident response and forensic analysis, I think that has as much to say about where we are beginning to see more concrete evidence of the real nature of risk in what we have today. Past incidents that have been primarily disruptive have not reflected the real potential of impact – nor, for that matter, have been those incidents of PII theft that have not had a lasting impact on the victim businesses. What awareness of the advanced adversary raises is just how serious our weaknesses really are.

    If the initial reaction of infosec is to focus on the network, I think that says as much about where we are seeing this evidence as it does about response - but there are a couple of points you make that I think we need to take more seriously. For one thing, the functional aspects of security are segmented among those who monitor, detect and respond in security, those who build, those who operate and manage. You raise an entirely valid point that greater sanity is needed in the building. This is one area where I think better bridges could be built between those who build and those who have more direct intelligence re the nature of threats and actual incidents. Nick and I have both been very active in advocating the breaking down of silos that would contribute to such an approach.

    But to your main point: Will real transformation actually happen? It seems unlikely that the level of “ctrl-alt-del” you see needed in IT would likely occur without sufficient motivation to engage real “governance” at this level. I take little comfort from noting that throughout the history of risk management, transformational change has so often been motivated by transformational events (read: disasters), and we in IT have not yet had the equivalent of safety-of-life types of events that motivate building better systems in the aerospace industry, for example (and hopefully, I haven’t touched off a powder keg by alluding to the role of regulation in that example).

    Which begs Russell’s question: “So, what about security will change significantly or dramatically in the face of APA??” As Nick suggests, we could certainly start by being more active about sharing the information we do have, both inside and outside our organizations (Adam Shostack’s and Adam Stewart’s “The New School of Information Security” has much to say about this), since many of the examples of poor practices in building IT that Gunnar cites in his work often reflect ignorance as much as the fragilities of legacy. As Will describes, the insight gained from those who have dealt directly with the more advanced and persistent adversary, as well as from professionals like you, Gunnar, who have the knowledge of how to better integrate learnings more directly into systems, would be a good place to begin.


  • Scott Crawford on

    and pace Andrew Stewart for the typo in the above - apologies!

  • Rob Lewis on

    Russell Thomas asks, "So, what about security will change significantly or dramatically in the face of APA??"

    Gunnar says, "Expect more of the same."

    The authors say, "One thing we believe will not help: more of the same."

    Perhaps the question to ask is, "what about security should change significantly or dramatically in the face of APA?"

