The success of advanced persistent threats (APT) is reportedly so pervasive that detecting and defeating them with any consistency may seem to be a hopeless battle.
Based on news reports and multiple statements from U.S. officials, hackers from China breach the systems of all kinds of U.S. businesses, from major newspapers to defense contractors and cutting-edge technology companies, and remain undetected long enough to make off with billions in intellectual property and sophisticated weapon designs.
Defense Secretary Chuck Hagel and officials from the National Security Agency and the Department of Homeland Security have called the power of APTs the security challenge of the modern era.
"Cyber is one of those quiet, deadly, insidious unknowns you can't see," Hagel told U.S. troops in Hawaii. "It's in the ether -- it's not one big navy sailing into a port, or one big army crossing a border, or squadrons of fighter planes ... This is a very difficult, but real and dangerous, threat. There is no higher priority for our country than this issue."
APTs are also no longer solely the domain of nation-states with vast resources, nor are they focused only on espionage or attacks against military and other government entities. They are "living" on networks in IT, energy, news, telecom, manufacturing and other sectors of the economy.
But according to a number of security experts, while it will probably never be possible to eliminate them entirely, it is possible to detect APTs and minimize the damage they cause.
"There are solutions -- the sky is not falling," says Wade Williamson, senior security analyst at Palo Alto Networks. "A lot of times security folks use APTs as an excuse for failure, but it shouldn't be. There are technologies that can help."
Williamson is among those who also argue that detecting and defending against APTs effectively will take more than technology. In general, he says, "the biggest change we need is not one of tactics, but strategy. Security must evolve to become a very creative discipline.
"Historically, security held the view of saying no to requests and blocking 100% of threats. Neither of these maxims is practical today. We need security professionals to be inquisitive -- to be looking out for the things that don't exactly make sense, and to ask themselves what it could mean, and how they should look deeper into the issue.
"We will always need automated security that blocks bad things," Williamson says, "but we also need creative, engaged security experts to be looking for the creative, engaged bad guys on the other end of the connection."
That said, there are a number of practices security experts recommend for organizations that are serious about the battle with APTs. In no particular order, they are:
1. Use big data for analysis/detection
The word from RSA Executive Chairman Art Coviello during his keynote address at the 2013 RSA conference is, "The whole game here is to shift away from a prevention regime -- big data will allow you to detect and respond more quickly."
That is endorsed by people like Aviv Raff, co-founder and CTO of Seculert, who notes that prevention from the perimeter is impossible; therefore, detection must be "based on the ability to analyze data, which must be gathered from and analyzed over sustained time durations. And that's where big data analytics enters the picture."
Of course, that takes an investment in analysis tools. "IT does not have the automated tools needed to identify infections in a timely manner," says Brian Foster, CTO at Damballa. "Instead they just have a ton of data. The industry needs to provide big-data approaches to IT for detecting infections in their network."
Williamson agrees in part, calling big data useful in detection. But, he adds, "The most important point is that the attack itself has spread out across multiple steps and technologies and our view of security must break out of its 'silo' view to be comprehensive as well."
2. Share information with the right people
According to Anton Chuvakin, writing on the Gartner blog last year, the bad guys share "data, tricks [and] methods" much better than the good guys. "It is considered acceptable to sit on the 'hard-earned' knowledge of ways you used to detect that proverbial advanced attacker while your peers in other organizations are being owned by the same threat," he writes. "And the cycle of suffering continues!!!"
To get an edge over APTs, he writes, organizations must share information in a way that helps them but doesn't benefit the attackers and doesn't violate laws or regulations governing the sharing of sensitive information.
Beyond the legal considerations, however, there are also economic constraints to sharing information. Brian Krebs, a former reporter at The Washington Post and author of the blog Krebs on Security, says he has seen progress in information sharing, but also efforts to hoard it to exploit it financially.
"The past few years have seen the emergence of several companies that make decent profits selling and exploiting this intelligence, so there remains a fair amount of tension between sharing and hoarding information about threat actors and indicators," he says.
3. Understand the "kill chain"
This is a so-called "phase-based" model to describe the stages of an APT attack. Those stages include reconnaissance, weaponization, delivery, exploit, installation, command & control and actions. As Lysa Myers, a virus hunter for Intego, put it in an InfoSec Institute article, "In essence, it's a lot like a stereotypical burglary -- the thief will perform reconnaissance on a building before trying to infiltrate it, and then go through several more steps before actually making off with the loot."
Obviously, the closer to the beginning of the chain that one can detect and stop an attack, the better. Damballa's Foster says attackers "leave a trail of breadcrumbs that can lead right to the infected system. Understanding and analyzing this kill chain can be the key to implementing the appropriate defense controls at the necessary stage."
4. Look for indicators of compromise (IOCs)
This is connected to "kill chain" understanding. No organization can stop every attack, so the IT team needs to know how to look for symptoms -- or breadcrumbs. "This includes looking for the unique ways that an APT might communicate out of the network. Any unique DNS queries or websites it contacts are common IOCs," Williamson says.
"APTs will often customize their tools to their own needs, which will often provide the anomalies needed to distinguish an APT from normal traffic," he says. "They will also use a variety of common applications like remote desktop applications, proxies or encrypted tunnels to communicate. Unusual use of these and other applications can be key to finding a true APT. This, of course, requires IT to have a very solid baseline for what is normal in their networks."
Williamson says tracking user anomalies can help as well. "For example, users talking to an SQL server may be normal on the network, but very abnormal for a particular user."
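To make the baseline idea in sections 3 and 4 concrete, here is an added example (not code from the article or from any of the companies quoted in it) that builds a baseline from a window of trusted logs and then flags two of the IOC types Williamson describes: DNS names never queried before, and a user's first connection to a database port. The log format, user names, hosts, domains and ports are all constructed for this example, and the kill-chain stage attached to each alert is an assumption made here for illustration, not a rule from the article. The second run shows why the baseline has to be per-user: measured network-wide, the SQL server is "normal" and alice's connection to it disappears from the alerts.

```python
"""Baseline-versus-observation IOC checks over constructed connection logs.

Added example, not from the article or any vendor quoted in it. The log format,
user names, hosts and domains below are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str      # "dns" (a name lookup) or "conn" (a TCP connection)
    target: str    # queried name for dns, "host:port" for conn


def parse_log(text: str) -> list:
    """Parse the constructed format '<iso-timestamp> <user> dns|conn <target>'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, target = line.split()
        if kind not in ("dns", "conn"):
            raise ValueError(f"unknown event kind: {kind!r}")
        events.append(Event(datetime.fromisoformat(ts), user, kind, target))
    return events


def build_baseline(events: list) -> dict:
    """Summarise a trusted historical window (the 'solid baseline' from the text):
    every domain queried, every host:port reached, and who reached what."""
    domains, all_targets, per_user = set(), set(), defaultdict(set)
    for e in events:
        if e.kind == "dns":
            domains.add(e.target)
        else:
            all_targets.add(e.target)
            per_user[e.user].add(e.target)
    return {"domains": domains, "all_targets": all_targets, "per_user": dict(per_user)}


def find_anomalies(baseline: dict, events: list, watched_ports=(1433, 3306),
                   per_user: bool = True) -> list:
    """Return (user, description, kill-chain stage) for events outside the baseline.

    The stage label is an assumption made here for illustration: an unseen DNS
    name is treated as possible command-and-control, and a user's first
    connection to a database port as possible 'actions' on the objective.
    """
    alerts = []
    for e in events:
        if e.kind == "dns":
            if e.target not in baseline["domains"]:
                alerts.append((e.user, f"new DNS query {e.target}", "command-and-control"))
            continue
        port = int(e.target.rsplit(":", 1)[1])
        if port not in watched_ports:
            continue
        known = baseline["per_user"].get(e.user, set()) if per_user else baseline["all_targets"]
        if e.target not in known:
            alerts.append((e.user, f"first connection to {e.target}", "actions"))
    return alerts


# Constructed sample data: one day of 'known good' traffic, then the day under review.
BASELINE_LOG = """\
2013-05-01T09:00:00 alice dns mail.example.internal
2013-05-01T09:01:00 alice conn 10.0.0.5:443
2013-05-01T09:02:00 bob dns mail.example.internal
2013-05-01T09:03:00 bob conn 10.0.0.20:1433
2013-05-01T09:04:00 alice dns www.example.internal
2013-05-01T09:05:00 dba1 conn 10.0.0.20:1433
"""

TODAY_LOG = """\
2013-05-02T09:00:00 alice dns mail.example.internal
2013-05-02T09:01:30 alice dns x7k2q.updates-cdn.example
2013-05-02T09:02:00 alice conn 10.0.0.20:1433
2013-05-02T09:03:00 bob conn 10.0.0.20:1433
"""


def run_demo() -> tuple:
    """Run both views over the sample data; returns (per-user alerts, network-wide alerts)."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    today = parse_log(TODAY_LOG)
    return find_anomalies(baseline, today), find_anomalies(baseline, today, per_user=False)


if __name__ == "__main__":
    per_user_alerts, network_alerts = run_demo()
    print("per-user baseline:", *per_user_alerts, sep="\n  ")
    print("network-wide baseline:", *network_alerts, sep="\n  ")
```

Run as a script, the per-user pass reports alice's never-before-seen DNS name and her first connection to the SQL server, while the network-wide pass reports only the DNS name; bob's SQL connection is silent in both because it is in his own history. In practice the baseline window would be days or weeks of data rather than one constructed day, and a single anomaly is a lead for an analyst to pull on, not a verdict.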
5. Test your network
This can include active analysis or sandboxing. "One of the best ways to determine if something is bad is to actually run it and see if it behaves badly," Williamson says.
Blogger Krebs adds that while there are vulnerability management tools to help close obvious holes, "there is no substitute for periodically hacking your own networks (or paying someone else to do it) to find out where you are vulnerable. As the saying goes, everyone gets pen-tested, whether or not they pay for it."
Krebs says he leans toward hiring someone from the outside. "To use a tired but apropos analogy, it is often quite difficult to see the forest for the trees when you are standing on the forest floor. Often, it takes an outsider who has a more holistic -- and perhaps unbiased and APT-trained -- view of things to spot a more systemic problem."
6. Support more training for APT hunters
Edwin Covert, a cybersecurity analyst and subject matter expert at Booz Allen Hamilton, argued recently in a post on Infosec Island that the industry needs a "new training model" for APT hunters, since the standard skills of an information security specialist are not enough.
"APT mitigation requires the ability to see things that are not readily apparent," he writes. "The CISSP [Certified Information Systems Security Professional] was designed for technical managers, not APT hunters."
Covert isn't downplaying the CISSP designation, since he holds it himself, but he says those with APT training will notice anomalous files that "most administrators and even security personnel" will not.
And the need for specialists is critical. Covert quotes SANS Institute Director Alan Paller as saying there is a need for more than 30,000 APT specialists, but that "only about 1,000 to 2,000 have the necessary skills to combat the numerous real-life scenarios happening in today's organizations."