2019: What we did to fight APTs
The 1982 masterpiece Blade Runner by Ridley Scott is one of my old-time favorites. Harrison Ford chases androids in a futuristic, visually stunning Los Angeles. The future looks bleak, and technology advances did not make the human race any happier.
The film is set in 2019. I don’t know what the world will look like 8 years from now, but I do remember what it looked like 8 years ago. In 2003 we still had no Banking Trojans; we also had no Twitter, no World of Warcraft and no iPhone.
2003 was the year of Phishing. The early attacks hit the confused financial sector, and IT Security departments found out the fraudsters can empty bank accounts without actually hitting the bank’s infrastructure. They just couldn’t believe it.
The bad guys found a weak link – the end users – and this took the entire banking industry by surprise. IT Security teams did not sleep at night; they had to update the senior management and explain there was no breach of bank security, it’s those stupid account holders that just give away their passwords. Trust in emails as the means of communication with banks has all but dissolved, and even the very notion of banking online was put to the test.
Banks had no understanding whatsoever of cybercrime. They didn’t know about fraud forums. Law enforcement agencies were even worse; their existing units were not equipped to handle these odd attacks.
Today the industry is in a completely different place. Every major bank has an eCrime unit specializing in combating Phishing and Trojans. Technologies such as risk-based authentication, transaction monitoring, out-of-band authentication, anti-phishing and anti-trojan services, fraud intelligence and secure browsing were developed over the course of just a few years and were deployed in a multiple-line-of-defense strategy. The combination of technology, knowledge and operations deployed by the banks managed to prevent a system meltdown and despite equivalent strides in the dark side – such as today’s high grade Trojans – the risk is reasonably contained.
Corporations, on the other hand, are still on the opposite end of the learning curve.
The enterprise security industry is making its first steps at understanding that protecting the infrastructure is not enough to protect against Advanced Persistent Threats, because the APTs don’t go after the infrastructure. They go after the employees.
The bad guys found a weak link – the end users – and this took the enterprise by surprise. Does this ring a bell? Give you a sense of déjà vu?
Because if you look at APTs like GhostNet, Aurora and Night Dragon, you’ll find one common thread: they all started by attacking the individual employee.
In one of my other all-time favorite movies, the 1983 War Games, Matthew Broderick searches for modems connected to sensitive networks. He mapped networks and found weak spots. His attacks had nothing to do with the employees; he used weaknesses in the infrastructure.
But if Matthew was an APT hacker today, the first thing he’d do is visit LinkedIn. He’d collect intelligence on the organization’s people, not its infrastructure. Then he’d send a spear phishing email to the employees of interest.
Spear Phishing was indeed used in all three attacks – GhostNet, Aurora and Night Dragon – to trick specific employees within specific organizations to download a piece of malware. This allowed the attacker to take over the employee’s PC, and get straight into the network.
To allow deep penetration, the attackers install a back-connect Remote Administration Tool (RAT) that pulls commands from the attacker’s command-and-control (C&C) server. But from a network perspective, all commands are received from the employee’s PC. It’s the perfect crime.
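The back-connect pattern described above leaves a defender-side signature: the compromised PC initiates outbound connections to the same host at near-constant intervals, whereas a human browsing does not. This added example (not code from the post, RSA or any of the named attacks) scans constructed proxy log lines for that regularity; the log format, hosts, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (not from the post): proxy log lines of the form
# "<ISO timestamp> <src IP> <dst host> <method> <bytes>". 10.0.0.15 polls one
# external host every ~60 s, like a RAT pulling commands; 10.0.0.22 just browses.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.0.0.15 updates.example-cdn.test POST 312
2011-03-01T09:00:05 10.0.0.22 news.example.test GET 120
2011-03-01T09:01:01 10.0.0.15 updates.example-cdn.test POST 298
2011-03-01T09:01:40 10.0.0.22 mail.example.test GET 95
2011-03-01T09:02:00 10.0.0.15 updates.example-cdn.test POST 305
2011-03-01T09:02:59 10.0.0.15 updates.example-cdn.test POST 301
2011-03-01T09:03:30 10.0.0.22 news.example.test GET 130
2011-03-01T09:04:01 10.0.0.15 updates.example-cdn.test POST 310
2011-03-01T09:07:12 10.0.0.22 mail.example.test GET 88
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_beacons(log, min_hits=4, max_jitter=0.2):
    """Return {(src, dst): mean_interval_seconds} for pairs whose outbound
    requests recur at near-constant intervals. Jitter is the coefficient of
    variation of the inter-arrival times; interactive browsing has large jitter."""
    times = defaultdict(list)
    for ts, src, dst in parse(log):
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue  # too few requests to judge periodicity
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval:.0f}s")
```

On real logs, whitelist known update and telemetry hosts first, since legitimate agents also poll on a fixed schedule.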
And that’s the new thing about APTs. Advanced? Well, yes, but attackers always advance. Just think back to 2003. Persistent? True, but let’s not discredit folks like Kevin Mitnick and other hackers of legend. To call them non-persistent would be an insult.
So the one new element to APTs is the fact they attack users, not machines. And this opens up a whole new world of threat challenges. It means protecting the infrastructure won’t do. Your users will just create tunnels for the bad guys to penetrate through all the defenses. It means you have to start thinking in terms of risk management: how do I balance the need to let employees download stuff, connect from unmanaged machines, use web 2.0 applications and social networks – and on the other hand protect against those employees bringing the bugs into the house?
The industry needs a new defense doctrine against Advanced Persistent Threats, and a new RSA Security Brief created by RSA, VMware and EMC security folks outlines the roadmap the industry should consider following.
Hopefully in 2019, when we look back at what has transpired in the last 8 years, we’ll see an industry that has put up a good fight against the bad guys. My own projection is that we’ll see virtualization and risk-based, adaptive security management as the two main pillars of the defense strategy, coupled with the creation of core eCrime intelligence capabilities inside major corporations and real-time attack information sharing between the various security operation centers. We’ll also see a more structured way of looking at risk, such as the one described by RSA Marketing CTO Sam Curry in his recent blog post, “Keep Your Eye on The Ball: it is all about controlling access to the data.”
So while the industry isn’t ready right now to protect itself against APTs, I’m confident that it will be done. Just think what Harrison Ford would have done against rampaging APTs – Hunt them down and “retire” their existence!

Attacking users is not new. Social engineering has been used for millennia. Why insist on looking for a new element? It’s fine to write a blog post about APTs, but there’s no need to have your entire post hang on a false point.
Wow this was a bold post. Now it seems that your own tools that you sell to others should be used in your own home with your own children.
Or simple risk management such as no local admin on users’ machines, regular education of employees and blocking of non-business websites.
Of course hindsight is 20/20. I hope that you continue being transparent with the whole breach situation.
The “security industry” has had twenty-five years to find a way to defeat viruses …. on Windows boxes. Now, we have 100,000 novel viruses a week … about one every six seconds. The next twenty-five years are unlikely to be any better until Microsoft builds a decent secure operating system. In the meantime, buy a Mac or run Linux and use nothing — at all! — from Microsoft.
This is logistically complex from a CIO/CSO resource management standpoint: things change endlessly and you have to be on your feet and firefight security within an enterprise.
As you manage and project employee time management for the growth of the enterprise, there are often no considerations for sudden newly discovered weaknesses in a particular company. As new exploits arise around the Internet, IT staff needs to be dynamic in time planning for daily, weekly, monthly and annual updates.
While it is surprising to hear that RSA was caught – they also have the same problems that all enterprises have – never knowing which exploit will take hold – it is a resource management issue, an internal politics issue, a training issue (any idea how hard it is to bring employees into IT security presentations?), and it requires the intestinal fortitude of upper management to see how the overall plan is failing, figure out new ways to deal with it, and add these new plans to the existing plans and projections to make future adjustments to internal auditing.
20/20 hindsight says – yeah, Adobe PDF readers are endlessly pre-configured to trust and allow JavaScript. Just update them all the time and work out those zero-day exploits with your SPAM filters!
But reality says years passed when this was not a concern like other forms of malware; suddenly it IS the ‘exploit flavor’ of the year. So while you are building out updates to your current malware defense deployment, you also have to start the research and work to protect against this new thing.
Adobe continues to update their readers; this is not just once a month but sometimes twice a month. As CIO –
How do you overhaul your laptop platform twice a month when there are 100 or 200 of them, and you only have a staff of 7 designated for this kind of work?
How do you install SPAM defense updates to your VPN clients when 30% of your laptop deployments are unavailable during corporate hours?
I am not downplaying the seriousness of this, but I highly doubt these comments within the blogs actually deal with these issues on a daily basis.