Thursday, February 17, 2011

Understanding Advanced Persistent Threats

This week is the big and uber-cool RSA security conference.  In preparation, I was chatting with Brian Fitzgerald and Nirav Mehta to get a quick synopsis of what they had planned for the show.

Half-jokingly, I asked "what's the big new threat that no one is prepared for?".  A lot of the conversation at the RSA Conference is inevitably along those lines, as you'd expect.

In a millisecond, Brian shot back: "APT -- advanced persistent threats".  I had no idea what he was talking about. He started to explain the basics.  I was fascinated, and asked him to send along some more info. Maybe you'll be fascinated as well -- or at least, maybe a bit concerned?

Some Context
Full disclosure -- I am not a security expert.  I don't even pretend to want to be one.  That being said, as we transition to an information economy, it's fascinating to watch the ever-escalating war between the good guys and bad guys.

Every year, there's more information.  Every year, it's more valuable and hence more attractive as a theft target.  Throw in broader trends like mobile access, virtualization and clouds -- the security war is escalating, and fast.

Historically, many of us have thought in terms of specific threats: malware, viruses, weak authentication and the like.  And there are still vestiges of old-school perimeter-style security thinking lurking here and there.

Put all of that aside, please ...

Understanding APT

Think back to a favorite big-heist movie.  The plot probably included a large team of specialists, as well as a great deal of patience and planning by the bad guys.  Perhaps there was a systematic exploitation of weaknesses discovered through extensive research.  Maybe some social engineering angles as well -- targeting specific individuals with specific roles. The perpetrators were likely smart, well-organized, well-funded and very patient.  And they were probably after an extremely valuable target. In a nutshell, that's an advanced persistent threat.  

It isn't a neatly categorized technology issue; it's more a systemic pattern of penetration by people who are smart, well-funded, well-organized and very patient -- and who go after a very specific target through very specific people.

Is Everyone Vulnerable?

The RSA team has a great soundbite: sooner or later, just like the common cold, just about every organization with something worth stealing will be subject to an APT attack.  

Many organizations have probably been successfully attacked already, and probably don't know it.  Not everyone is highly public in announcing their success in stealing information :)

As I write this from an airplane seat, Fox News is broadcasting a segment on how a group from China successfully hacked into multiple oil companies to steal very specific information using identities of very specific executives.  

More detail will likely come out over time (including the economic impact of the theft, specific means used, etc.) but -- at first glimpse -- it looked like APT to me.

Why Is This Threat Different?

Because APT is essentially a threat based on an organizational pattern, it requires an organizational response.  No specific technology or isolated practice can defeat it -- it requires at least as much investment and effort as the bad guys are bringing to the game!

RSA describes the concept of an "advanced security operations center" (SOC) as a framework for meeting the new threat.  Yes, there are specific technologies identified (including more than a few from RSA), but -- at its heart -- it's an enhanced organization with an enhanced mission to meet a new kind of business challenge.

More importantly, what matters is how the technologies and processes are used together: they must combat a persistent threat that comes at you across multiple fronts, using any and all means at the attacker's disposal.

The Road Ahead

I suppose the first question is -- does your organization possess information that's worth stealing?  How valuable (or dangerous) is it in the wrong hands?  Like money in a bank vault, it's a good idea to start with a notion of exactly what's in there.  And -- importantly -- is this likely to be a growing problem over time?

Now, take a hard and cynical look at the governance and risk management processes used by your organization.  I'm not talking about the IT guys, I'm talking about auditors, board of directors, legal counsel and the like.

Does your organization have a strong risk identification and remediation capability at a corporate governance level?  If not, there likely won't be the ability to recognize that the information security game has changed once again, and that a new organizational response might be required.

Once the threat is understood, and a leadership response is in hand, it's likely time to start thinking about building (or enhancing) your SOC function.  In particular, its processes (and supporting technologies) must be integrated to counter this new style of threat.

Unfortunately, history has shown that many organizations aren't able to recognize and react to new classes of threats.  As a result, they become likely candidates for yet another prime-time case study for all of us to consider and learn from.

Chuck Hollis
VP -- Global Marketing CTO
EMC Corporation