Understanding and defeating APT, Part 1: Waking up to the who and why behind APT
The SANS Institute is introducing a course to train security personnel to detect and remediate Advance Persistent Threats (APT), sophisticated and surreptitious attacks, generally to conduct industrial/commercial/government espionage. Security Bistro spoke with security, incident response and forensics expert, Rob Lee, instructor for the course, “Advanced Computer Forensic Analysis and Incident Response,” about understanding and combating APT. In the first of two posts, Lee speaks about the nature of APT, who is behind it and why.
Security Bistro: The term APT gets thrown about pretty loosely. Some people use it to describe almost any targeted attack. Why the confusion?
Rob Lee: It depends on who you are talking to. Most people in the security community understand generically what the APT potentially represents. But for the at-large population, there seems to be a little bit of confusion, mainly around the history of the name, whether it’s truly advanced or not in terms of techniques. You end up using very generic way of approaching it: It means advanced logistics coming after you, meaning that there are paid people, funded by a nation state, probably, that have R&D, training, recruitment, management, intelligence-gathering, target selection, etc. A lot of individuals, including me, are starting use terms like advanced adversary for a nation state attacker, but to a certain extent APT rings to a very specific set of groups out there who are committing these style of attacks.
SB: What kind of groups? How do they differ from the attackers who or stealing credit card data or capturing credentials to clean out bank accounts?
Rob Lee: When people say generically, ‘how do you differentiate between what’s going on in China and what the Russians and Ukrainians are doing?’ I reply: One is for profit, a quick win, quick stealing of cash, anything that can go for a cash reward. The APT is after long-term economic and industrial espionage win; it’s more of the strategic versus the tactical. The tactical side is from the Russians; they want a quick email to get as much as possible, whereas the Chinese and other nation states are looking to this as “our way to maintain our dominance in the cyber world, plus overall economically across the planet to maintain our hegemony.” If you read their doctrine, it’s truly what they believe, that it is not even illegal; it is within their right to equalize themselves on the playing field among nation states.
SB: Are Flame, Stuxnet and Duqu examples of the kinds of weapons being used in APTs?
Rob Lee: I think what we are seeing with Stuxnet, Duqu and Flame is what serious-level nation state adversaries can put together: probably not widely deployed but definitely utilized in the ongoing cyber conflicts. You cannot have a smaller hobbyist group out there create something like Flame, Duqu or Stuxnet. This has to be through concerted multi-year R&D, testing its requirements and, of course, operational capabilities — what you are using it for. Those types of things are highly advanced. It’s almost like one step above APT is what we are seeing. Actually, two steps above what APT brings.
SB: Why aren’t we seeing more of this type of ultra-sophisticated and complex malware?
Rob Lee: There are many group that use APT characteristics, — some really good teams and some so-so teams — but their primary approach is they will use the least capable methodology to get the job done. If you leave the door open, they will just walk through it, versus if you put just put a door lock on it they will pick the lock, but if you put a bolt on it, they will use a drill. But they not blow it up with explosives if they can just open the door. And that’s one of the key differentiations.
But with the latest malware we are seeing out there on the cyber conflict side, it’s clear that nation states are ramping up their capabilities, and one can only assume that China has capabilities they are not pushing out widely as well. Why risk it? Now, as soon as something like Flame or Stuxnet gets exposed, it completely loses its effectiveness.
SB: Besides the obvious targets, such as defense contractors and government agencies, what organizations really should be concerned about APT?
Almost every industry vertical at this point I know has been exposed to it. Even movie companies. If there is competitiveness, if there is trading, if that organization is creating some sort of new technology, new widgets, new partnerships, it doesn’t really matter which industry it is. Some industries are obviously more focused than others: defense, government, technology, and chemical energy probably rank up there. But then you start getting into, “Heck, why is media company ‘X’ targeted?” Well, do they do things overseas that financial interests are tied to? There may be some interest in foreign governments about the way those executives can be thinking, what they will be doing next, so they can position themselves better.
It’s a matter of gaining a better advantage for yourself, knowing how to attract that seller. For example, if you knew you were going into a bidding war on house, if you knew what that house would sell at, all you have to do is bid $1 above that without risking any additional funds. It’s a huge advantage.
Then you get into stealing technology. Across the board, adversaries are using this as a way in their minds to gain equalization. It’s within our doctrine that we are supposed to equalize our nation compared to yours. We are at a disadvantage until we are able to show that we are equal to you. So this is a means to accelerate that.
SB: So it’s not just about stealing technology?
Rob Lee: Partnerships, mergers and acquisitions, who they see as competitors, pricing, anything that would give an advantage. For example, Apple makes screens for iPhones in China. All the adversary has to do is figure out what the lowest price is a U.S. company can do and bid lower.
SB: Are the less obvious target sectors waking up to the threat?
Rob Lee: Manufacturing and other verticals that have not been targeted as much until most recently are slowly waking up. They are astonished by what has been going on; they are even more surprised that they have not been able to detect it after all the money they poured into their organization’s IT security. And there is not a lot of sharing among the groups that do know how to deal with it because as soon as the information gets out on how to effectively counter the APT, that technique becomes less effective. As a result people end up not widely sharing their unique tricks that they are using to help counter it — not completely eradicating the APT from the network, but severely degrading the effectiveness of the campaign that they are detecting. Or, maybe their detection mechanisms: How they are detecting them inside their network. So, the newer groups are finding themselves at a disadvantage because they have to learn from scratch how to do it and usually have to reach out to my former company, Mandiant, or others, and say “Help me” and have to pay through the nose for that type of help.
Next: Fighting the forever war against APT
Rob Lee is an entrepreneur and consultant in the Washington DC area, specializing in information security, incident response, and digital forensics. Rob is currently the curriculum lead and author for digital forensic and incident response training at the SANS Institute in addition to owning his own firm. Rob has more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention and incident response. Rob was also a director for MANDIANT, a company focused on investigating advanced adversaries, such as the APT, for four years prior to starting his own business.