
Targeted, Skilled Attacks Shaped 2010 Threats

While high-profile breaches like that of Google and the Stuxnet worm served as a wake-up call for many organizations, attackers continue to 'mow through' enterprises' systems and networks

Dec 23, 2010 | 02:36 PM

By Kelly Jackson Higgins
Dark Reading
Even with the intense investigations and research that followed the targeted attacks against Google, Adobe, Intel, and more than 20 other U.S. firms, and later this year the Stuxnet worm, little progress has been made in thwarting or reducing highly targeted attacks, including so-called advanced persistent threat (APT) attacks.

The Operation Aurora attacks, which appeared to have originated out of China, as well as the Stuxnet worm, which was aimed at disrupting Iran's nuclear facilities by sabotaging its PLC equipment, were indeed game-changers this year. Google's public disclosure that it had been attacked and its intellectual property stolen was unprecedented in the emerging age of customer data breach disclosures. And Stuxnet appeared to be the work of a well-oiled machine made up of various players with different areas of expertise from zero-days to the intricacies of PLCs.

But even with all of the forensics work undertaken in the wake of Aurora, Stuxnet, and other skilled targeted attacks, plus the attention and awareness they have raised, these attacks represent only a small fraction of attacks that go undetected every day, security experts say.

"My guess only is that we only have 10 to 15 percent visibility into what these bad guys are doing," says Kevin Mandia, CEO of Mandiant, a forensics firm that investigates APTs for mostly Fortune 100 and other large clients.

"Aurora was nothing. It didn't put a dent in these attacks. Everyone says it raised awareness, but with all we saw prior to [Aurora] and after, there's been no dent in the activity. They keep mowing through people's networks like a tank in a cornfield," Mandia says.

Plenty of misconceptions about APTs exist as well, including the theory that one group of attackers is typically behind this type of targeted intrusion. In fact, most APT victims have been infiltrated by multiple different attackers, most of whom aren't aware of the others, according to Mandiant. "We find multiple attack groups within an environment," says Christopher Glyer, a director at Mandiant.

In one case, Mandiant found eight different APT attacks from eight different groups going on in one victim's network. "There were eight concurrent ones in an environment. They don't appear to know about the other groups there [either]," Glyer says.

Aurora was revealed when Google decided to go public and said it was considering closing its doors in China and no longer censoring search results there, after the attack pilfered source code from the search giant. The Aurora attack on Google, Adobe, Intel, and others began with end users at the victim organizations being duped by convincing spear-phishing messages with poisoned attachments.

Stuxnet, meanwhile, is the first known malware attack to target power plant and factory floor systems, and it also opened the door to a whole new level of attack that could execute the unthinkable: manipulating and sabotaging power plants and other critical infrastructure systems. It's technically not considered an APT, but it does share some characteristics with one, such as special tactics and intelligence. Experts point to a nation-state link because of its many layers of expertise and the sophistication of the attack.

"Stuxnet was cool," Mandia says. "We got our hands on it immediately ... You don't place four zero-days" in an attack without being well-funded, he says. "This was a real significant event."

Eddie Schwartz, chief security officer at NetWitness, says Stuxnet is an APT. "Many would certainly disagree with me, but I do consider Stuxnet an APT. It's not really an APT by the classic definition pushed by many security pundits, but it's definitely an advanced attack that required the use by the adversary of multiple tactics and intelligence sources, and it's specifically targeted, so it needs to be treated with the same sort of defensive approach and cyberdoctrine as an APT," he says.

Meanwhile, forensics experts say when companies come forward voluntarily and disclose that they've been victimized by these types of attacks, it can go a long way to help connect the dots with related attacks within other organizations, and possibly get investigators closer to the source. But voluntary disclosure, versus legally mandated disclosure, is rare and most experts say it will remain the exception.

NetWitness' Schwartz says he wishes more organizations would go public with their APT experiences. "Then many victim organizations would have a lot more evidence, which could bring to light ... the true source and intent of the attackers," Schwartz says.

But sharing also requires some analysis to put it into perspective. "Even if organizations share that data, there has to be a trusted entity in the middle of all of that that has the technology and people to review that information," he says. "They can then come to some conclusions that they can pass down to organizations."

Google's revelations about Aurora basically exposed the dirty, little secret that's been ongoing against federal agencies, defense contractors, and, in recent years, corporations. "When a new company gets compromised [by an APT], the joke is, 'Welcome to the club, and what took you so long to join?'" Mandiant's Glyer says. "One big shift was Google publicly talking about what happened to them, which was very good for the industry … But I don't see a lot of other companies coming and talking about it even though they are being attacked all the time."

And you can't just patch to protect against an APT. Social engineering is a big weapon in the APT attacker's toolkit, Mandiant's Mandia notes. "It's tough to stop these guys. They don't always use exploits," he says. "To patch every system doesn't mean you won't be compromised by these guys if they are targeting you. Humans are exploiting their own networks" via socially engineered attacks, he says.

Since September, Mandiant has seen 42 percent of APT victims come from commercial firms, including the cryptography and communications, automotive, space/satellite/imagery, mining, energy, law, investment banking, chemical, hospitality, technology, and media industries. Around 31 percent of the victims were defense contractors; 13 percent, nonprofits/think-tanks/nongovernment organizations; 7 percent, foreign governments; 5 percent, U.S. government agencies; and 2 percent, military.
