Cybersecurity: Defending Against Advanced Persistent Threats
Note: In October 2010, the MITRE Digest explained how individuals can protect computer systems—their own and their business's—from falling prey to cyber attacks. In this article, a member of MITRE's technical staff explains how the government and other organizations deal with cyber threats.
In the ceaseless cybersecurity battle, the attackers have almost every advantage over the defenders. For that reason, the defenders have to maximize the few advantages they have. By building resilient computer systems and by diligently studying the tactics of their foes, organizations can make themselves difficult targets for cyber attacks.
One prominent example: A coordinated cyber attack in January 2010 that security experts dubbed "Operation Aurora" targeted at least 34 companies, including Google and Adobe. The hackers used a sophisticated strategy of stealth and programming savvy to tunnel into company networks and hide their presence as they scoured the system for information to steal.
In his blog "TaoSecurity," Richard Bejtlich—director of incident response for General Electric—describes this kind of cybersecurity threat as an APT, an Advanced Persistent Threat. Advanced, in that the attackers wield a complete arsenal of resources and skills with which to compromise an organization's computer systems; persistent, in that the attack is not an opportunistic, one-time assault but a sustained effort dedicated to obtaining a goal; and threat, in that the attackers are not a mindless piece of malicious code but a group of people targeting a specific organization for a specific purpose.
An APT attack generally unfolds in the following way. First, the attackers gather intelligence on the target organization: employee rosters, project names, email addresses, organizational relationships, any information that lets them craft an email authentic enough to fool a recipient within the organization. That email contains a link or an attachment designed to plant malicious code on the recipient's computer and give the attackers control of it. Organizations can receive millions of emails a day, so even with the most advanced spam filters, the attackers are almost sure to get their email through.
Blocking Is Not the Same as Stopping
Once the attackers have gained control of a computer in the organization, they immediately begin branching out from that computer across the organization's network. The more computers they can reach, the better. Their goal: to establish a foothold on as many machines as possible before their presence is detected, so that losing any one of them does not end the intrusion.
After their presence is widespread across a network, the attackers will prepare to steal the information they came for, whether it be restricted documents, source code, financial records, etc. They will select a computer with access outside of the organization's network and load it with the targeted information. When the time is ripe, away the information goes.
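The two stages just described, spreading across the internal network and then pushing the staged data out from a single host, each leave a signal in ordinary connection logs. The following is an added example, not code from the article or from MITRE, showing how a defender might flag both over a handful of constructed flow records. The log format (`src dst port bytes`), the 10.0.0.0/8 "inside" range, the watched admin ports and the thresholds are all assumptions chosen for the example.

```python
"""Toy detection pass over constructed connection-log lines.

Two heuristics keyed to the APT stages in the article:
  1. lateral movement: one internal host opening connections to an unusually
     large number of distinct internal peers on administrative ports;
  2. exfiltration: one internal host sending far more data to external
     addresses than the rest of the fleet (the machine the data was staged on).
The log format, address plan, port list and thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed address plan: everything in 10/8 is "inside" the organization.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Assumed watch list of ports used to reach other internal hosts:
# SMB, RDP, RPC endpoint mapper, WinRM.
LATERAL_PORTS = {445, 3389, 135, 5985}

# Constructed flow records for the example, one per line:
# "src_ip dst_ip dst_port bytes_out". Made-up values, not real logs.
SAMPLE_LOG = """
10.0.1.20 10.0.1.5 445 2048
10.0.1.20 10.0.1.6 445 2048
10.0.1.20 10.0.1.7 445 2048
10.0.1.20 10.0.1.8 3389 4096
10.0.1.20 10.0.1.9 445 2048
10.0.1.20 10.0.1.10 445 2048
10.0.1.20 10.0.1.11 445 2048
10.0.1.5 10.0.1.1 53 120
10.0.1.6 10.0.1.1 53 120
10.0.1.5 198.51.100.10 443 30000
10.0.1.6 198.51.100.10 443 42000
10.0.1.7 198.51.100.10 443 35000
10.0.1.8 198.51.100.10 443 28000
10.0.2.7 203.0.113.9 443 52000000
10.0.2.7 10.0.1.1 53 120
"""


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse 'src dst port bytes' lines into tuples; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        try:
            flows.append((src, dst, int(port), int(nbytes)))
        except ValueError:
            continue
    return flows


def lateral_movement_suspects(flows, min_peers=5):
    """Internal hosts that reached at least min_peers distinct internal peers
    on the watched admin ports. Returns {host: peer_count}."""
    peers = defaultdict(set)
    for src, dst, port, _ in flows:
        if is_internal(src) and is_internal(dst) and port in LATERAL_PORTS:
            peers[src].add(dst)
    return {h: len(p) for h, p in peers.items() if len(p) >= min_peers}


def exfiltration_suspects(flows, ratio=10):
    """Internal hosts whose outbound bytes to external addresses exceed
    `ratio` times the median outbound volume of every other host."""
    out_bytes = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            out_bytes[src] += nbytes
    suspects = {}
    for host, total in out_bytes.items():
        others = [v for h, v in out_bytes.items() if h != host]
        if not others:
            continue  # a single talker has no baseline to compare against
        baseline = median(others)
        if baseline > 0 and total > ratio * baseline:
            suspects[host] = total
    return suspects


def run_detections(log_text=SAMPLE_LOG):
    """Run both heuristics over a log and return their hits by name."""
    flows = parse_flows(log_text)
    return {
        "lateral_movement": lateral_movement_suspects(flows),
        "exfiltration": exfiltration_suspects(flows),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits or "no hits")
```

On the sample data the fan-out check singles out 10.0.1.20 (seven distinct internal peers over SMB and RDP) and the volume check singles out 10.0.2.7 (tens of megabytes to one external address against a baseline of tens of kilobytes). Both heuristics are deliberately simple and both produce false positives in practice: vulnerability scanners and administrative jump hosts fan out by design, and backup or update servers legitimately send large volumes outward, so a real deployment would exclude known hosts and compare each machine against its own history rather than against a single fleet-wide median.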
Staff in MITRE's Cyber Security Operations Center explore the effectiveness of cutting-edge IT security tools and processes for mitigating cyber threats. And through our Mission Assurance Against Advanced Cyber Threats initiative, MITRE advises our sponsors to reassess what cybersecurity means in light of today's advanced threats, even redefining what "winning" means. Because blocking a cyber attack is not the same as stopping one.
The Good, the Bad, and the Ugly
For an organization under attack, there are three outcomes. The first is that the organization spots the attack early or is forewarned of it, and they block it. This time.
The second is that the organization catches the attackers in the act. Now the organization has to puzzle out the full scope of the breach. What machines were compromised? How far through the network did it reach? Do the attackers still maintain a presence on the system? Many late nights of pizza and Red Bull can be spent investigating the attack and cleaning up its aftermath.
The third result? A successful attack. The attackers compromise the computer system and steal the target data. The organization, once or if it becomes aware of the attack, now has to invest a vast amount of time and money to fix the mess the attackers left behind.
As bleak as this scenario sounds from the organization's perspective, it's even bleaker when you consider all the advantages the attackers enjoy. The investment in time, tactics, and money for an attacker is a fraction of what an organization has to invest. Attackers can assault at any time with the weapons of their choice against a single system they have the leisure to study, while an organization must defend constantly against unknown tactics coming from an unknown direction. And the attackers can launch assault after assault until they finally succeed. If an organization fails once in its defenses, the consequences can be crippling.
Preparing the Battlefield
So what is an organization to do in the face of this seemingly hopeless struggle? First, don't panic. An organization does have one advantage over its attackers: the organization controls the battlefield of the attack. By making that battlefield as inhospitable as possible to the attacker, an organization can dissuade attackers from ever launching their assaults.
So, what makes for an inhospitable battlefield?
Of course, the best defensive asset an organization can invest in is people who are familiar with emerging technology and are capable of applying it to the never-ending task of cybersecurity. For while technology will constantly put new weapons in the hands of attackers, it will also provide diligent organizations the means to defuse those attacks.
—by Wesley Shields
Page last updated: February 11, 2011