Monday, February 7, 2011

Advanced Persistent Threats

Security trends tend to focus on technology: terminology such as malware (on the exploit side) and data leakage protection (on the security solutions side) describe the issue in terms of their most salient technical characteristics. Botnets, drive-by downloads, and Trojan horses add further color to the technical aspects of key security threats.

The “who” behind these security threats is generally thought to be less interesting. Yes, we think we know that certain botnets are controlled by the Russian mafia, and certain exploits tend to be perpetrated by insiders. But it’s the technology behind these threats that we in the high-tech security business use to identify them and to decide how to remediate them.

Advanced Persistent Threats, recently made trendy by security vendors’ marketing departments, seem fundamentally different. If you look to technical descriptions of advanced, persistent threats (APTs) you will have trouble distinguishing them from botnets. FireEye, for example, describes various command and control systems that bots and APT have in common. Shared characteristics between botnets and APT include stealth, polymorphism (continuously altering malware as it goes from host to host), and automatic updating (including new malware and even patches to protect against rival botnets).

What differentiates APT from most botnets and other security threats is the “who”: the APT exploit tends to be targeted, and brings to bear resources (and patience) indicative of a well-funded actor – most often a nation state. In fact, Greg Hoglund, CEO of HBGary, says APT is a nice way to not have to say "Chinese state-sponsored threat." Attacks against Google and the U.S. DoD thought to have originated in China would seem to support this definition.

Michael K. Daly of Raytheon, speaking at LISA’09, defines APT more broadly, as increasingly sophisticated cyber attacks by hostile organizations with the goal of:
  1. Gaining access to defense, financial and other targeted information from governments, corporations and individuals.
  2. Maintaining a foothold in these environments to enable future use and control.
  3. Modifying data to disrupt performance in their targets.
But Eddie Schwartz, chief security officer at NetWitness, disagrees that modifying data to disrupt their targets is a universal APT trait: "A real APT never really damages anything. They tweak a log file here and there ... They are stealing stuff, but you still have your copy. You never see them taint it," he says.

There is no question as to the level of sophistication involved, nor of the value of the assets under siege. Raytheon presents a hypothetical but representative scenario in the diagram below, showing multiple stages, multiple teams, extraordinary stealth and patience, and the exfiltration of well-protected and valuable information assets:


Stage 0 in the diagram above is the "Infection" that gains an initial foothold. How do these infections occur? Damballa points out that APTs can breach target organizations through a wide variety of vectors -- even in the presence of properly designed and maintained defense-in-depth strategies, as shown in the diagram below:


Well-funded APT perpetrators also have the means to compromise insider threats as well as the external threats shown above. Additional "insider threat" and "trusted connection" vectors are shown below:


Advanced persistent threats are in the news these days, and many security vendors are going to great pains to explain how their product (or more likely, the next greatest release of their product) is the ideal solution. But most experts agree that the organizations perpetrating APTs are well-funded, determined, and willing to take as long as necessary to preserve their covert activities. Is it likely that such unique security threats can be adequately addressed by the same technology that was originally developed to solve a different problem? Stay tuned for emerging start-ups such as Cyphort that bring a radically different approach to detecting and remediating advanced persistent threats.
