Schwartz On Security: Advanced Threats Persist And Annoy

It was the advanced persistent threat that done it. So said RSA's executive chairman, Art Coviello, describing the security breach that stole some yet-to-be-disclosed aspect of his company's SecurID two-factor authentication system.

Helpfully, in his breach notification letter to RSA's customers, Coviello offers to promulgate "lessons learned" once RSA figures out how it got nailed by an APT. "As appropriate, we will share our experiences from these attacks with our customers, partners, and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat," he said.

How's that for spin, especially from a company that has so far refused to detail which aspects of its SecurID system were breached, leaving customers to prepare for the worst-case scenario. Will RSA use itself as a case study for selling future, anti-APT products to its own customers?

As Gartner Group analyst John Pescatore titled a recent blog post: "Sorry, The Computer Is Down and The Advanced Persistent Threat Stole Your Data -- But Your Business Is Important to Us!"

Pescatore, among others, questions the usefulness of the "APT" term altogether. For reference, the Ponemon Institute has defined the advanced persistent threat as "a methodology employed to evade an organization's present technical and process countermeasures, which relies on a variety of attack techniques, as opposed to one specific type."

If the definition of APT doesn't sound ultra-precise, you're correct: it's a catch-all term for attacks designed to defeat existing security controls, oftentimes using "long and slow" techniques to help evade detection. But haven't attacks designed to defeat existing defenses through unconventional means been around for years?

Companies, RSA included, need to do better if they want to stay in business. Of course, they're facing difficult odds, given that botnets and spam networks -- for infecting targeted PCs -- are within reach of even the most common criminal.

That fact was highlighted by federal authorities announcing on Monday that they'd busted a penny stock "pump and dump" scheme backed by botnets. That's to say, rather than running a telephone boiler room, the two men arrested allegedly contracted with hackers who rented or ran their own botnets and spamming operations. How difficult is it for criminals to send lots of spam, for example, to illegally manipulate stock prices? In an e-mail, Kaspersky researcher Dmitry Bestuzhev said that "the price depends on the spam provider and the quality of the penetration" but averages about $100 per 130,000 e-mails sent. Compare that to just one pump-and-dump scheme, operating for a month, which allegedly netted one promoter at least $150,000.

How's that for affordable? In fact, that's the problem where APTs are concerned. According to remarks made by Bestuzhev at a recent press event, building a good botnet requires an initial investment of only about $5,000, at least for a do-it-yourself approach.

Here's how to build a botnet: First, spend $750 on average to buy a top-notch malware toolkit, such as SpyEye. Or upgrade to the Phoenix exploit kit 2.4 ($2,200) or BlakHole Exploit Pack ($1,550) for even more automated attacks. Next, spend $480 per year to subscribe to a site such as Virtest.com, which tests whether the malware you've built can be detected by current scanners. Also contract with a bullet-proof hosting service -- a really good one will set you back $3,600 per year -- for storing malicious code as well as purloined data. Finally, pick a good phishing pack -- these are free -- to ferry your malware via e-mail to unsuspecting victims.

What if you don't have time for DIY? Good news: "There's another service available called 'pay per install,'" said Bestuzhev. In this scenario, you contract with other criminals to install malware on PCs for you. Rates for 1,000 installations (zombies) vary by country, from an average of $20 in the Netherlands to $150 in the United States (thanks to its residents using more credit cards per capita). "So, building a 30,000-bot, high-quality botnet can cost you $27,000," he said.

For hackers with coding chops, there's an even cheaper and more direct option: Knock off an existing botnet by taking control and locking out the current owners. Bestuzhev says this tactic isn't uncommon.

But the bigger issue is that criminals without computer savvy -- even penny stock price manipulators who previously relied on phone and fax boiler rooms -- have easy access to botnets, either directly or through intermediaries with affordable rates. As a result, anyone can launch millions of spam e-mails, mass infection campaigns, and spear-phishing attacks, using the latest malware plus APTs to bypass many defenses.

Accordingly, let's dub ATP the "new normal" in security attacks. Because as Bestuzhev describes the problem, using a popular Russian phrase: "You have money? You don't need brain."