SAN FRANCISCO -- Attackers using persistent targeted campaigns against enterprises and government agencies continue to exfiltrate data, but have yet to escalate attacks to the point where they're destroying systems or manipulating stored data. A panel of security experts Thursday at RSA Conference 2011, however, cautioned that such escalation remains a possibility and debated, on a state level, what retaliation would look like.
"With these threat actors, we've never seen them be destructive other than changing log files," said Kevin Mandia, CEO of Washington, D.C.-based security services firm Mandiant Corp. "Attackers are not changing things yet. We'll see if it gets more intolerable if we see deletions and changes."
The panel, which included Google Inc. Information Security Manager Heather Adkins, McAfee Inc. Chief Technology Officer George Kurtz, and SRA International Inc. Senior Cybersecurity Engineer Adam Meyers, shared their experiences from real-world instances where advanced persistent threat attacks were detected. They explained some of the attack techniques used, their varying levels of sophistication and offered advice on how to lessen the risk of exposure to targeted attacks.
Attacks on Google, made public in January 2010, introduced APT into the security lexicon. Adkins said Google has since created an A Team backed by an APT incident response plan that spells out who needs to be involved in the event of a breach, and how and when the status of a breach is escalated internally and to law enforcement.
"You need a crisis manager -- two of them in fact, because one of them is going to get tired," Adkins said. "You need forensics analysts and malware analysts. You need a dedicated set of people who can make hard decisions about remediation after the fact."
APT is about the perpetrators, according to experts such as Richard Bejtlich, director of incident response for General Electric Co.; these attackers are funded and organized. They do quality control on their code and have deep teams rich in expertise who are patient and determined to exfiltrate intellectual property and trade secrets. Despite this level of organization, their means of initial compromise are sometimes less sophisticated. The initial compromise of Google came from an instant message, which sent the victim to a malicious website. With Stuxnet, infected USB sticks led to the compromise of an Iranian nuclear facility.
"The point is to secure a foothold on the network, then execute the attack and go after data," Meyers said. "If the attack is successful and not detected, they will go dormant. They'll leave the malware there, and have it call home again in three months. At that point, they'll assess whether to task the malware with something else."
Kurtz equates this persistence to a penetration test, one where the adversary has a bigger team than a typical internal pen-test team. "The difference is that a pen test has rules of engagement, [attackers] don't. There is no timeline, no report to draw up. They can sit there for months, and that's scary. It amounts to a permanent pen test."
Unlike some of today's automated pen tests, APT incursions almost always include intelligence reconnaissance on the victims. This is usually carried out over social networks, where target profiles are built; more simply, attackers can create phony Twitter or Facebook profiles and induce the victim to download a malicious application. The malware then gives the attacker remote control of the machine and lets them operate on the corporate network under the victim's legitimate credentials.
"A victim's social footprint is just like network reconnaissance," Kurtz said. "It's just like mapping a network. If you understand it, you have a much better chance of breaking in."
Mandia added that attackers almost always target people rather than operating systems; the Windows platform's inherent insecurities are almost an afterthought, he said. Web applications, or even copy machines running unpatched embedded versions of Windows, are other platforms attackers can target.
In terms of advanced persistent threat detection and prevention, the panel recommended DHCP, DNS and Web access logging, as well as authentication on source code repositories, monitoring of content moving through email systems and monitoring of access to data repositories. Organizations should also identify and monitor individuals with elevated privileges, enhance patch management processes and consider strong authentication rollouts for sensitive applications. They also put a renewed emphasis on user awareness, especially around social networks. It's important, Meyers said, that users become aware they are targets, and companies should encourage them to forward suspicious emails to IT or security; doing so could help identify attacks under way.
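The panel's logging recommendation and Meyers' description of dormant malware that "calls home" on a schedule fit together: the Web access log shows which internal IP contacted which external host on a timer-like cadence, and the DHCP log says which machine held that IP at that moment (addresses get reused, so the join has to be bounded by time). The script below is an added example written for this article, not code from any panelist or their companies; the log formats, hostnames, IP addresses and domain names are all constructed for illustration, and the 30-minute period and the 0.1 jitter threshold are assumptions a practitioner would tune to their own traffic.

```python
"""Beacon detection over constructed DHCP and web-proxy logs (added example).

The proxy log tells you which IP called home on a fixed schedule; the DHCP
log tells you which machine held that IP at the time. Log formats, hostnames,
IP addresses and domains below are all made up for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DHCP lease log: time, keyword, client IP, hostname.
# Note 10.1.4.22 changes hands at 12:10, so attribution depends on *when*.
DHCP_LOG = """\
2011-02-17T08:55:00 lease 10.1.4.22 ws-finance-07
2011-02-17T08:57:10 lease 10.1.4.31 ws-hr-02
2011-02-17T12:10:00 lease 10.1.4.22 lt-sales-19
"""

# Constructed web proxy log: time, client IP, destination host, bytes sent.
# 10.1.4.22 hits one host every 30 minutes; 10.1.4.31 browses irregularly.
PROXY_LOG = """\
2011-02-17T09:00:00 10.1.4.22 updates.example-cdn.net 512
2011-02-17T09:00:05 10.1.4.31 news.example.com 2048
2011-02-17T09:30:00 10.1.4.22 updates.example-cdn.net 516
2011-02-17T09:41:12 10.1.4.31 mail.example.org 910
2011-02-17T10:00:00 10.1.4.22 updates.example-cdn.net 514
2011-02-17T10:22:40 10.1.4.31 news.example.com 1800
2011-02-17T10:30:00 10.1.4.22 updates.example-cdn.net 512
2011-02-17T11:00:01 10.1.4.22 updates.example-cdn.net 515
2011-02-17T11:05:33 10.1.4.31 news.example.com 2200
"""


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_dhcp(text):
    """Return a list of (lease_time, ip, hostname) sorted by time."""
    leases = []
    for line in text.splitlines():
        ts, _kw, ip, host = line.split()
        leases.append((parse_time(ts), ip, host))
    return sorted(leases)


def host_for(ip, when, leases):
    """Hostname holding `ip` at time `when`: the latest lease at or before it.
    Returns None if no lease for that IP precedes the event."""
    owner = None
    for lease_time, lease_ip, host in leases:
        if lease_ip == ip and lease_time <= when:
            owner = host
    return owner


def parse_proxy(text):
    """Group request timestamps by (client ip, destination host)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, ip, dst, _nbytes = line.split()
        conns[(ip, dst)].append(parse_time(ts))
    return conns


def find_beacons(conns, min_hits=4, max_cv=0.1):
    """Flag (ip, dst) pairs whose inter-request gaps are nearly constant.
    cv = stdev / mean of the gaps: a person browsing produces a cv well above
    0.1, a timer-driven implant sits near 0. Returns (ip, dst, period_s, cv)."""
    found = []
    for (ip, dst), times in conns.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else 0.0
        if cv <= max_cv:
            found.append((ip, dst, period, cv))
    return found


def attribute_beacons(dhcp_text, proxy_text):
    """Join each beacon to the machine that held the IP when it was first seen."""
    leases = parse_dhcp(dhcp_text)
    conns = parse_proxy(proxy_text)
    out = []
    for ip, dst, period, cv in find_beacons(conns):
        first_seen = min(conns[(ip, dst)])
        out.append({"host": host_for(ip, first_seen, leases), "ip": ip,
                    "dst": dst, "period_s": round(period), "cv": round(cv, 4)})
    return out


if __name__ == "__main__":
    for hit in attribute_beacons(DHCP_LOG, PROXY_LOG):
        print(hit)
```

On the constructed input this flags only the 10.1.4.22 → updates.example-cdn.net pair (period 1800 s, cv near zero) and attributes it to ws-finance-07, the machine that held the lease at 09:00; asking about the same IP after 12:10 returns lt-sales-19 instead. The same logic applies to DNS query logs in place of proxy logs, and a callback on the three-month cadence Meyers described only shows up if log retention is at least that long.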
"Make it expensive for the adversary," Mandia said. "Make them earn it."