About Us Our Work Employment News & Events
MITRE Remote Access for MITRE Staff and Partners Site Map
The MITRE Digest
Advanced Research
Aviation Systems
Defense and Intelligence
Federal Sector Modernization
Health Transformation
Homeland Security

Follow Us:
Visit MITRE on Facebook
Visit MITRE on Twitter
Visit MITRE on Linkedin
Visit MITRE on YouTube
View MITRE's RSS Feeds
View MITRE's Mobile Apps
Home > News & Events > MITRE Publications > The MITRE Digest >

Cybersecurity: Defending Against Advanced Persistent Threats

February 2011

Cybersecurity: Defending Against Advanced Persistent Threats
View PDF of this article

Email link to this article

Note: In October 2010, the MITRE Digest explained how individuals can protect computer systems—their own and their business's—from falling prey to cyber attacks. In this article, a member of MITRE's technical staff explains how the government and other organizations deal with cyber threats.

In the ceaseless cybersecurity battle, the attackers have almost every advantage over the defenders. For that reason, the defenders have to maximize the few advantages they have. By building resilient computer systems and by diligently studying the tactics of their foes, organizations can make themselves difficult targets for cyber attacks.

One prominent example: A coordinated cyber attack in January 2010 that security experts dubbed "Operation Aurora" targeted at least 34 companies, including Google and Adobe. The hackers used a sophisticated strategy of stealth and programming savvy to tunnel into company networks and hide their presence as they scoured the system for information to steal.

In his blog "TaoSecurity," Richard Bejtlich—director of incident response for General Electric—describes this kind of cybersecurity threat as an APT, an Advanced Persistent Threat. Advanced, in that attackers wield a complete arsenal of resources and skills with which to compromise an organization's computer system; persistent in that the attack is not an opportunistic, one-time assault, but one dedicated to a obtaining a goal; and threat in that the attackers are not a mindless piece of malicious code, but a group of people targeting a specific organization for a specific purpose.

An APT attack generally unfolds in the following way. First, the attackers gather intelligence on the target organization, gathering information on employee rosters, project names, email addresses, organizational relationships—any information that will allow them to craft an email authentic enough to fool a recipient within the organization. That email will contain a link or an attachment designed to insert a malicious code into the recipient's computer that will gain the attackers control of the computer. Organizations can receive millions of emails a day, so even with the most advanced spam filters, the attackers are almost sure to get their email through.

Blocking Is Not the Same as Stopping

Once the attackers have gained control of a computer in the organization, they immediately begin branching out from that computer across the organization's network. The more computers they can reach throughout the organization, the better. Their goal: to infect as many machines as possible before their presence is detected.

After their presence is widespread across a network, the attackers will prepare to steal the information they came for, whether it be restricted documents, source code, financial records, etc. They will select a computer with access outside of the organization's network and load it with the targeted information. When the time is ripe, away the information goes.

Staff in MITRE's Cyber Security Operations Center explore the effectiveness of cutting-edge IT security tools and processes for mitigating cyber threats. And through our Mission Assurance Against Advanced Cyber Threats initiative, MITRE advises our sponsors to reassess what cybersecurity means in light of today's advanced threats, even redefining what "winning" means. Because blocking a cyber attack is not the same as stopping one.

The Good, the Bad, and the Ugly

For an organization under attack, there are three outcomes. The first is that the organization spots the attack early or is forewarned of it, and they block it. This time.

The second is that the organization catches the attackers in the act. Now the organization has to puzzle out the full scope of the breach. What machines were compromised? How far through the network did it reach? Do the attackers still maintain a presence on the system? Many late nights of pizza and Red Bull can be spent investigating the attack and cleaning up its aftermath.

The third result? A successful attack. The attackers compromise the computer system and steal the target data. The organization, once or if it becomes aware of the attack, now has to invest a vast amount of time and money to fix the mess the attackers left behind.

As bleak as this scenario sounds from the organization's perspective, it's even bleaker when you consider all the advantages the attackers enjoy. The investment in time, tactics, and money for an attacker is a fraction of what an organization has to invest. Attackers can assault at any time with the weapons of their choice against a single system they have the leisure to study, while an organization must defend constantly against unknown tactics coming from an unknown direction. And the attackers can launch assault after assault until they finally succeed. If an organization fails once in its defenses, the consequences can be crippling.

Preparing the Battlefield

So what is an organization to do in the face of this seemingly hopeless struggle? First, don't panic. An organization does have one advantage over its attackers: the organization controls the battlefield of the attack. By making that battlefield as inhospitable as possible to the attacker, an organization can dissuade attackers from ever launching their assaults.

So, what makes for an inhospitable battlefield?

  • Resiliency and Mitigation: When an attack succeeds—and one will eventually succeed—a computer system must be designed so that it can quickly either recover from an attack or shift its operations to a backup system.
  • No Border-only Defense: Why erect firewalls between the organization's network and the outside world but allow everyone on the network to connect anywhere on the network they please? Isolate important data centers and laboratory machines from workstations.
  • Record Everything: Outfit your system so that everything that happens on it can be recorded and reviewed. When it comes to studying the tactics, whether successful or unsuccessful, and the goals of your attackers, there is no such thing as too much data.

Of course, the best defensive asset an organization can invest in is people who are familiar with emerging technology and are capable of applying it to the never-ending task of cybersecurity. For while technology will constantly put new weapons in the hands of attackers, it will also provide diligent organizations the means to defuse those attacks.

—by Wesley Shields

Related Information

Articles and News

Technical Papers and Presentations

Websites

 

Page last updated: February 11, 2011   |   Top of page

Homeland Security Center Center for Enterprise Modernization Command, Control, Communications and Intelligence Center Center for Advanced Aviation System Development

 
 
 

Solutions That Make a Difference.®
Copyright © 1997-2013, The MITRE Corporation. All rights reserved.
MITRE is a registered trademark of The MITRE Corporation.
Material on this site may be copied and distributed with permission only.
IDG's Computerworld Names MITRE a "Best Place to Work in IT" for Eighth Straight Year The Boston Globe Ranks MITRE Number 6 Top Place to Work Fast Company Names MITRE One of the "World's 50 Most Innovative Companies"
 

Privacy Policy | Contact Us