Cybersecurity: Defending Against Advanced Persistent ThreatsFebruary 2011
In the ceaseless cybersecurity battle, the attackers have almost every advantage over the defenders. For that reason, the defenders have to maximize the few advantages they have. By building resilient computer systems and by diligently studying the tactics of their foes, organizations can make themselves difficult targets for cyber attacks.
One prominent example: A coordinated cyber attack in January 2010 that security experts dubbed "Operation Aurora" targeted at least 34 companies, including Google and Adobe. The hackers used a sophisticated strategy of stealth and programming savvy to tunnel into company networks and hide their presence as they scoured the system for information to steal.
In his blog "TaoSecurity," Richard Bejtlich—director of incident response for General Electric—describes this kind of cybersecurity threat as an APT, an Advanced Persistent Threat. Advanced, in that attackers wield a complete arsenal of resources and skills with which to compromise an organization's computer system; persistent in that the attack is not an opportunistic, one-time assault, but one dedicated to a obtaining a goal; and threat in that the attackers are not a mindless piece of malicious code, but a group of people targeting a specific organization for a specific purpose.
An APT attack generally unfolds in the following way. First, the attackers gather intelligence on the target organization, gathering information on employee rosters, project names, email addresses, organizational relationships—any information that will allow them to craft an email authentic enough to fool a recipient within the organization. That email will contain a link or an attachment designed to insert a malicious code into the recipient's computer that will gain the attackers control of the computer. Organizations can receive millions of emails a day, so even with the most advanced spam filters, the attackers are almost sure to get their email through.
Blocking Is Not the Same as Stopping
Once the attackers have gained control of a computer in the organization, they immediately begin branching out from that computer across the organization's network. The more computers they can reach throughout the organization, the better. Their goal: to infect as many machines as possible before their presence is detected.
After their presence is widespread across a network, the attackers will prepare to steal the information they came for, whether it be restricted documents, source code, financial records, etc. They will select a computer with access outside of the organization's network and load it with the targeted information. When the time is ripe, away the information goes.
Staff in MITRE's Cyber Security Operations Center explore the effectiveness of cutting-edge IT security tools and processes for mitigating cyber threats. And through our Mission Assurance Against Advanced Cyber Threats initiative, MITRE advises our sponsors to reassess what cybersecurity means in light of today's advanced threats, even redefining what "winning" means. Because blocking a cyber attack is not the same as stopping one.
The Good, the Bad, and the Ugly
For an organization under attack, there are three outcomes. The first is that the organization spots the attack early or is forewarned of it, and they block it. This time.
The second is that the organization catches the attackers in the act. Now the organization has to puzzle out the full scope of the breach. What machines were compromised? How far through the network did it reach? Do the attackers still maintain a presence on the system? Many late nights of pizza and Red Bull can be spent investigating the attack and cleaning up its aftermath.
The third result? A successful attack. The attackers compromise the computer system and steal the target data. The organization, once or if it becomes aware of the attack, now has to invest a vast amount of time and money to fix the mess the attackers left behind.
As bleak as this scenario sounds from the organization's perspective, it's even bleaker when you consider all the advantages the attackers enjoy. The investment in time, tactics, and money for an attacker is a fraction of what an organization has to invest. Attackers can assault at any time with the weapons of their choice against a single system they have the leisure to study, while an organization must defend constantly against unknown tactics coming from an unknown direction. And the attackers can launch assault after assault until they finally succeed. If an organization fails once in its defenses, the consequences can be crippling.
Preparing the Battlefield
So what is an organization to do in the face of this seemingly hopeless struggle? First, don't panic. An organization does have one advantage over its attackers: the organization controls the battlefield of the attack. By making that battlefield as inhospitable as possible to the attacker, an organization can dissuade attackers from ever launching their assaults.
So, what makes for an inhospitable battlefield?
- Resiliency and Mitigation: When an attack succeeds—and one will eventually succeed—a computer system must be designed so that it can quickly either recover from an attack or shift its operations to a backup system.
- No Border-only Defense: Why erect firewalls between the organization's network and the outside world but allow everyone on the network to connect anywhere on the network they please? Isolate important data centers and laboratory machines from workstations.
- Record Everything: Outfit your system so that everything that happens on it can be recorded and reviewed. When it comes to studying the tactics, whether successful or unsuccessful, and the goals of your attackers, there is no such thing as too much data.
Of course, the best defensive asset an organization can invest in is people who are familiar with emerging technology and are capable of applying it to the never-ending task of cybersecurity. For while technology will constantly put new weapons in the hands of attackers, it will also provide diligent organizations the means to defuse those attacks.
—by Wesley Shields