Perimeter
8/16/2010
12:37 PM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Advanced Persistent Threat: The Insider Threat

APT is the buzzword everyone is using. Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give. But people fail to realize that the vulnerabilities these threats compromises are the insider -- not the malicious insider, but the accidental insider who clicks on the wrong link.

APT is the buzzword everyone is using. Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give. But people fail to realize that the vulnerabilities these threats compromises are the insider -- not the malicious insider, but the accidental insider who clicks on the wrong link.One of the main reasons organizations are broken into today is because they are fixing the wrong vulnerabilities. If you fix the threats of three years ago, then you will lose. APT allows organizations to focus on the real threats that exist today -- with the biggest threat being the people problem who already have access and are inside your network.

While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you. Instead of just using it as a buzzword, if we understand the core components of APT, we can use it to improve our security. In APT, threat drives the risk calculation. Only by understanding the offensive threat will an organization be able to fix the appropriate vulnerabilities.

APT is the new way attackers are breaking into systems. APT is a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will. The following are the important things to remember:

1) APT focuses on any organization, both government and non-government organizations. Some people make the mistake of thinking that the APT is only focused on Department of Defense (DoD) sites. When it comes to the Internet, the lines between government and commercial are blurring and anything that could cause harm to a country will be targeted.

2) While the threat is advanced once it gets into a network, the entry point with many attacks is focusing on convincing a user to click on a link. However, once the APT breaks into a system, it is very sophisticated in what it does and how it works. Signature analysis will be ineffective in protecting against it. Advanced attacks are always changing, recompiling on the fly, and utilizing encryption to avoid detection.

3) Many organizations make the mistake of thinking of attacks like the weather, with some stormy days and some sunny days. On the Internet, it is always a storm. In the past, attackers would periodically attack an organization. Today attacks are nonstop. The attackers are persistent, and if an organization lets their guard down for any period of time, the chance of a compromise is very high.

4) Attackers want to take advantage of economies of scale, and break into as many sites as possible as quickly as possible. Therefore the tool of choice of an attacker is automation. Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break into sites very quickly.

5) Old school attacks were about giving the victim some visible indication of a compromise. Today, it is all about not getting caught. Stealth and being covert are the main goals of today's attacks. APT's goal is to look as close {if not identical} to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them.

6) The driver of APT is to provide some significant benefit to the attacker, the benefit being either economic or financial gain. Therefore, the focus will be all about the data. Anything that has value to an organization means it will have value to an attacker. Since data has become so portable, and with cloud computing increasing in popularity, data is now available from the Internet, via many sources.

7) Attackers do not just want to get in and leave, they want long-term access. If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time. Stealing data once has value, but stealing data for 9 months gives the attacker even more payoff.

You will be constantly attacked and compromised, making it necessary to always be in battle mode. Since the APT is meant to be extremely stealthy, there is a good chance that an organization might be compromised and not know about it for several months. Before you discount this, if you were compromised and the attacker was not doing any visible damage, how would you know?

Prevention is ideal, but detection is a must. Most organizations focus solely on preventive measures but the problem with the APT is that it enters a network and looks just like legitimate traffic and users. Therefore, there is little to prevent. Only after the packets are in the network do they start doing harm and breaking in.

Based on the new threat vectors of the APT, here are key things organizations can do to prevent against the threat:

1) Control the user and raise awareness. The general rule is you cannot stop stupid, but you can control stupid. Many threats enter a network by tricking the user into clicking a link that they shouldn't. Limiting the actions a user are allowed to do with proper awareness sessions can go a long way to reduce the overall exposure.

2) Perform reputation ranking on behavior. Traditional security tries to go in and classify something either as good or bad, allow or block. However with advanced attacks, this classification does not scale. Many attackers start off looking like legitimate traffic, which means they would be allowed into the network, and then once they are in they turn bad. Therefore, since the goal of attackers is to blend in, you need to track what the behavior is and rank the confidence level of whether it is looking more like a legitimate user or more like evil.

3) Focus on outbound traffic. Inbound traffic is often what is used to prevent and stop attackers from entering a network. While it will catch some attacks and is still important to do, with the APT it is the outbound traffic that is more damaging. If the intent is to stop exfiltration of data and information, looking at the outbound traffic is how you detect anomalous behavior, which is tied to damage to an organization.

4) Understand the changing threat. It is hard to defend against something you do not know about. Therefore, the only way to be good at the defense is to understand and know how the offense operates. If organizations do not continue to understand the new techniques and tactics of the attackers, they will not be able to effectively tune their defensive measures to work correctly.

5) Manage the endpoint. While attackers might break into a network as the entry point, they ultimately want to steal information that exists on endpoints. If you want to limit the damage, controlling and locking down the endpoint will go a long way to protect an organization.

While the current threat is advanced, persistent, stealthy, and data focused, organizations can implement effective measures to protect their sites.

APT is only going to increase in intensity over the next year, not go away. Ignoring this problem just means there will be harm caused to your organization. The key theme of dealing with APT is "know thy system/network." The more an organization can understand about network traffic and services, the better they can spot/identify anomalies through clipping levels, which is the better way to defend against the APT. The ultimate way to make sure an organization is properly protected is to run simulated attacks (i.e. penetration testing, red teaming, ethical hacking) and see how vulnerable an organization is, and most importantly how quickly you detected it.

The key to making this successful is to always get explicit approval; run benign attacks; make sure the people running the test are of equal expertise to the true attacker; and fix any vulnerabilities in a timely manner. The good news is, by focusing in on understanding the threats and an organization's vulnerabilities, you can properly defend against the APT. Always remember to make sure you focus on the trusted insider. While you cannot stop stupid, you can properly control and limit what they can do.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?