Defending Infrastructure and Data
It's 11:30 pm. One of the employees of your boutique marketing firm is working feverishly to finish a presentation that is due to be given first thing in the morning. An instant message chat request pops up from his Facebook account: “Hey bud! I know you love Ironman, check out this IronMan 2 video. It’s awesome!” The employee clicks the link, but the browser crashes. Nothing else of interest happens.
Eager to get his work done, he returns to his chart data, and thinks nothing more of it. Unfortunately, that exchange actually was the beginning of a data breach. The link wasn't to a movie trailer, but to a specially crafted web site that was designed to inject attack software into a victim’s system. Because the employee was using his work laptop, the attacker was able to use a foothold gained in the employee’s system to access the primary business network the next day. Now the attacker has persistent access to the primary business network.
Over the next few days, the attacker leverages that access to place back doors into several locations throughout the network. This way, should the business close one entry point, the attacker can use another. When ready, the attacker will use the access gained within this small business to infiltrate the real target: a Fortune 100 international pharmaceutical company. The main target relies on this small firm for marketing support. Within a few days, the attacker has full access to his or her target network and begins downloading intellectual property, sales lists, marketing plans, and drug research.
The Advanced Persistent Threat Defined
Meet the Advanced Persistent Threat, or APT. Essentially, the APT is a cyber attacker (motivated by money, or hoping to gain a competitive edge, or even sponsored by a government) who is well funded, skilled, patient, and (of course) persistent. However, the attack techniques generally don’t have to be that advanced; hackers and criminals have been using these same infiltration methods for years, and the threat of cyber attacks has existed for decades.
The term APT began making headlines earlier this year when Google revealed that it had been compromised by systems originating in China in what has been dubbed “Operation Aurora”. The attackers used targeted phishing e-mails to trick workers into clicking on a link that led them to a maliciously crafted web site. That web site then used an exploit to infect the victims' systems through a vulnerability in a web browser, in this case Internet Explorer. From there, the attackers gained access to systems deeper within Google's network.
It's important to note that the best we can tell from what was released publicly is that there wasn't anything entirely new in the Aurora attacks. They may have tweaked some of the attack software to be more effective, but essentially we saw the Aurora attacks as the same mix of social engineering and technical attack techniques that we've seen for years.
So what has changed? The nature of the attackers themselves. They're better trained. They are better funded. And they have more motivation to infiltrate business systems. These attackers include criminal organizations, industrial spies, and foreign governments all looking to steal intellectual property and data that can be sold on the underground market.
When you read about cyber attacks and APTs, one term you are likely to hear over and over is going to be 'malware.' Malware is a catchall term that refers to everything from software used to attack system vulnerabilities, known as exploits, to viruses and worms that spread on their own. However, APTs do not employ worms or viruses as their primary weapons. No. There is not much money to be made, or information gleaned, by corrupting data and downing systems just because it can be done. Modern attack techniques are much stealthier than the viruses that just want to replicate from system to system to clog communications and damage data. The malware APTs use attempts to fly under the radar of traditional antivirus and personal firewalls, as well as other defensive technologies.
The covertness of the attacks does not necessarily have anything to do with little-known software vulnerabilities or powerful encryption-breaking capabilities. It is more about how they will turn to a broad palette of attack possibilities to achieve their objectives. For instance, they will try to penetrate their targets through web sites. They will probe and poke the corporate network. They'll e-mail executives and even executive assistants with mail that, if clicked, could lead to compromise. They will mine social networking sites for data to sharpen their social engineering efforts. And if those techniques don’t work, they’ll try, just as they did in our example above, to attack a trusted partner to gain access.
With attackers utilizing every angle that they can to infiltrate systems, protecting data and the IT infrastructure may seem out of reach. So what can organizations do to protect their infrastructure and intellectual property? There are no easy answers and certainly no silver bullet. Adequate security does not come from a single security product – in fact, you can't just buy yourself IT defense. Success is found by having the right processes in place and by applying the persistent security controls needed to stop as many successful attacks as possible. It's also having the right controls in place to mitigate the risk and the damage associated with any successful attacks.
The fact is that most organizations don't need to reach a state of uber-security, but they do need to be more secure than most other businesses. They must treat every endpoint as if it is already compromised. This level of security will deter most attackers. Here's how to pull it all together:
The first line of defense is to make sure the basics are in place. Make certain that the servers, desktops, and applications are patched properly and that end-point firewalls and anti-malware software are up to date and running. Another staple is to have a vulnerability management program in place designed to ensure that systems always conform to security policy and that software patches are kept up to date. It also means installing IDS/IPS systems to monitor and, where possible, block any potential intrusions.
Think of those defenses as the baseline. They essentially are the locks on the doors. They don't keep hardened criminals out, but they do disturb the lazy attackers enough to move on to some other, less prepared organization. However, because the APT will continually adjust tactics to find weaknesses, including human weaknesses, employees need to be constantly trained and reminded of the little things they can do to remain secure – such as not opening unexpected attachments and not using the PCs they use for work to access risky web sites or services. Ongoing security awareness training is essential.
While none of that advice is especially different or out of reach for most organizations, the biggest challenge to success isn't always in implementing any particular process, security technology, or awareness program. Rather, it's making sure those controls are consistently in place and functioning properly. Typically, this requires feedback on how the security systems, servers, and endpoints are functioning, and that feedback must flow in as near to real time as possible. That's best achieved by having effective system log monitoring and Security Information and Event Management (SIEM) in place. This way, you gain insight into what users and systems are actually doing, and can identify the behavioral changes that indicate something has gone awry.
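The kind of behavioral correlation a SIEM would run over endpoint and network logs, as an added example that is not from the original article or from any Novell product: it replays the opening scenario (a browser contacts a site, crashes, and the next day the same host gains a new autorun entry and a non-browser process talks to that same site) against constructed sample events in a hypothetical key=value log format, and raises an alert only when the follow-up activity lands on a host with a recent browser crash. Hostnames, process names, event names and the 203.0.113.x / 198.51.100.x destinations are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value log format (not from any real SIEM).
SAMPLE_LOGS = """
2010-05-03T23:30:58 host=LT-017 event=net_connect proc=iexplore.exe dst=203.0.113.5:443
2010-05-03T23:31:02 host=LT-017 event=app_crash proc=iexplore.exe
2010-05-04T08:12:15 host=LT-017 event=autorun_added name=WinUpdSvc
2010-05-04T08:12:30 host=LT-017 event=net_connect proc=upd.exe dst=203.0.113.5:443
2010-05-04T09:02:00 host=WS-104 event=net_connect proc=firefox.exe dst=198.51.100.20:80
2010-05-04T09:02:11 host=WS-104 event=app_crash proc=firefox.exe
2010-05-04T09:40:00 host=WS-104 event=net_connect proc=firefox.exe dst=198.51.100.20:80
"""

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
PERSISTENCE_EVENTS = {"autorun_added", "service_installed", "scheduled_task_added"}
PRE_CRASH = timedelta(minutes=2)   # browser connections this close before a crash are suspect
FOLLOW_UP = timedelta(hours=36)    # how long after the crash the host stays under watch


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def correlate(log_text):
    """Return (host, reason) alerts: persistence, or a non-browser process
    reconnecting to a site the browser visited just before it crashed."""
    events = sorted((parse_line(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    browser_dsts = {}   # host -> [(ts, dst)] contacted by a browser process
    watch = {}          # host -> (crash_ts, set of suspect dsts)
    alerts = []
    for e in events:
        host, kind, proc = e["host"], e["event"], e.get("proc")
        if kind == "net_connect" and proc in BROWSERS:
            browser_dsts.setdefault(host, []).append((e["ts"], e["dst"]))
        if kind == "app_crash" and proc in BROWSERS:
            recent = {d for t, d in browser_dsts.get(host, []) if e["ts"] - t <= PRE_CRASH}
            watch[host] = (e["ts"], recent)
            continue
        if host not in watch or e["ts"] - watch[host][0] > FOLLOW_UP:
            continue                      # normal traffic on a host with no recent crash
        suspect = watch[host][1]
        if kind in PERSISTENCE_EVENTS:
            alerts.append((host, f"{kind} ({e.get('name', '?')}) after browser crash"))
        elif kind == "net_connect" and proc not in BROWSERS and e["dst"] in suspect:
            alerts.append((host, f"{proc} reconnected to pre-crash site {e['dst']}"))
    return alerts
```

WS-104 shows why the crash alone is not enough: its browser crashed too, but nothing persisted and only the browser itself reconnected, so it produces no alert.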
Of course, not all companies can afford to build that kind of information security program – certainly not immediately. Depending on where an organization is today, it can take years to build a great security team and get all of the necessary technologies and processes in place. That's why it often makes sense for organizations to consider outsourcing the expertise they need – and is one of the reasons why Managed Security Service Provider businesses are booming.
The reality is that many MSSPs have very talented security experts on staff, and have more resources available to keep systems secure. The trick is to pick the right security services provider, and make sure it has the resources necessary to secure your infrastructure and is willing to provide adequate SLAs to do so.
Clearly, there's no way to make any business entirely safe from the threats, but there is much that can be done to significantly reduce the risks associated with security threats. It is very similar to the physical world – while law enforcement can't eliminate all crime, it can manage it through crime prevention measures, enforcing laws, and gathering intelligence about potential crimes underway. Here, instead of policing IT systems with beat cops, it's done by enforcing the policies of anti-malware and end-point firewalls, monitoring logs and SIEMs to gather intelligence about what is going on throughout the IT infrastructure – and then making certain that risks are kept to a minimum.
Ben Goodman is Principal Strategist in Novell’s security area.