In this RSA Conference 2011 preview video, SearchSecurity.com News Director, Robert Westervelt, moderates a discussion on the state of the advanced persistent threat (APT). Speakers include SearchSecurity.com's Senior Site Editor, Eric Parizo, and Research Director, Josh Corman of The 451 Group.
RSA Conference 2011 preview: State of APT
Robert Westervelt: Hi. I'm Robert Westervelt, the News Director of SearchSecurity.com.
Thanks for watching this video as part of our 2011 RSA conference coverage.
Joining me today is Joshua Corman. Josh is Research Director for Enterprise
Security at the 451 Group. Thanks for coming, Josh.
Joshua Corman: Thank you.
Robert Westervelt: And Eric Parizo. Eric is Senior Site Editor of SearchSecurity.com.
Eric Parizo: Thank you.
Robert Westervelt: So, let's start off talking. Eric Parizo, let me ask you: 2010 started with
the Aurora attacks. It kind of put the advanced persistent threat on the
map, didn't it?
Eric Parizo: It did, as a term, sure. The Aurora event was a big, scary incident.
It affected a lot of high profile companies and it really was the first
time that the advanced persistent threat phrase was bantered about in a way
that could be widely understood. Of course, as a result of that, vendors
and pundits and such latched onto it and used it as a way to sell products,
push their agendas, what have you. In reality, though, I think the term has
faded throughout the year, and with good reason. I think that particular
attack was largely not applicable to most of the enterprises out there
simply because it was mostly targeted at specific organizations, but by and
large, an advanced persistent threat, as dangerous as it can be, isn't
something that most organizations need to worry about today. There are a
lot of other low-hanging, more significant threats that need to be at the
top of the radar screens.
Robert Westervelt: Josh, do you necessarily agree with that? And I wanted to ask you
about the definition of an advanced persistent threat. Has that kind of changed a bit?
Joshua Corman: We have the echo chamber and they say it’s not always our problem with
information security. The timing of Aurora right before RSA last year
didn't help because everyone was defining it and messing with it before
they understood it. So we think it's been pretty abused and we're hoping
2011 starts to have more responsible, consistent use of what this really
means. I would agree that some of it's been hyped and FUD, but I think
the hype and FUD masks some really serious changes in adversary strategy.
So I actually think the term APT is horrible. Advanced? More advanced than
what? Persistent was good. That's a good part of the phrase and threat
made people think this might be a vulnerability or a piece of malware, when
really, it's not a what, it's a who or a how. We all have our own private
definitions. What I try to do is raise the signal level and drown the noise
and I really refer to this as an adaptive persistent adversary. Again, it's
not a what, it's a who. It's a methodology. I think the reason it's a
little more significant, perhaps, than you described (granted, not everyone
needs to worry about the Chinese military) is: is there industrial espionage
against me? There's quite a bit more than you think. I've been doing that
for years and a lot of us have been following up after stolen intellectual
property for more than 10 years now. The prevalence is getting higher, so
in a FUD-free way, the notion that someone is going to be patient,
determined, persistent, adaptive, and goal-oriented is a pretty substantial
change. Almost all of our info sec defenses are predicated on a casual
attacker who's going for volume of infection instead of quality of
infection. If you can really over-simplify the notion of an adaptive
persistent adversary, it's the notion that they have chosen you as their
target and they will do 1 through n things patiently and quietly, to secure
that. Pretty much, if someone tries hard enough and long enough, the very
low bars of industry best practices can and have been defeated.
Eric Parizo: The issue I have, I think, with advanced persistent threats, and
enterprise perception of it is that enterprise is, by and large, in terms
of devoting resources and putting spending out there, to try to defend
against specific attacks or types of threats. They need proof that this
attack could happen, has happened, will happen, or reasons to believe that
they could be in an attacker's crosshairs. My question is, How does an
enterprise know, or can it figure out if it is at significant risk from an
APT style, again, as we kind of described it, sort of attack? Is it even
Joshua Corman: We've been encouraging in the technologies that we think are the most
applicable to this different type of adversary. Is broader visibility, less
specific, less brittle? So when you look at something like an anti-virus or
even an IDS and IPS, the life cycle is: Someone or enough people say
"ouch"; we make an anti-virus or a signature. It gets broadly distributed
because those things that used to make you say "ouch" would hit everybody.
Think Blaster, think Welchia. It's the same piece of malware, the same
worm, hitting millions of systems. Now, flip that on its head. You have
millions of variants hitting one system each. So Patient Zero is Patient
Z. Whoever says "ouch", an inoculation will help anybody else. So when
the stratagem changed, some of those basic life cycles for counter-measures
changed, so instead of having a rapid deployment mechanism for your
signatures, whether it's IDS or anti-virus, we're rather encouraging that
you develop more eyes and ears to notice more risk present echoes and
having a more prompt and agile response. It's kind of like Colonel Boyd's
OODA loop in the military. It's "Observe, Orient, Decide, Act". And for the
most part, we're fairly blind. We put very specific sensors in anti-fu,
anti-ex in our environment, such that once one person or one organization
was hurt, we could inoculate the masses. If, in fact, the strategies change
and they're going to use more custom, more boutique, more stealthy attacks,
it's less about noticing something specific and noticing more in general.
So this is why some of the more serious organizations are looking at
network forensics tools, capture every packet, analyze them. This is why
people are using a SIM. Not so much as a honey-do list for IT or as a
compliance dashboard, but really to try to do the correlation that SIMs
were once promised to do. Instead of just having logs they collect, they
might be paying a third party to look through their logs for that needle in
the haystack. So it's less about buying an anti-APT. It's more about being
more observant, mindful, and having the chance to notice that anomaly and
do something about it more quickly.
Eric Parizo: And, in a way, I think that supports my over-arching belief, which is
enterprises shouldn't worry about the advanced persistent threat. They
should be worrying about anything that could be seen as an anomaly.
Joshua Corman: If you have good situational awareness, you'll stop the mass worm and
the stealthy worm. To me, it's less about anti-fu or anti-ex, and more
about observing more sooner with a prompt and agile response. We're not very
agile right now. It's a mind shift. It's almost "what's your ready posture?"
Eric Parizo: What was interesting to me, in particular, about going back to the
whole Google/Aurora incident was that Google found out about
the incident in the first place through a deep inspection of its DNS logs.
What I wonder is how many other organizations, should they be put in a
similar situation, are prepared to have the tools and the manpower or know-
how, to put action behind that kind of initiative.
Joshua Corman: The biggest gap to adopting this OODA loop kind of ready posture
that's really necessary for a more determined adversary is that we have a
skill shortage. If you don't have really good analysts that can comb
through these network captures or these system logs...
Robert Westervelt: It costs a lot of money.
Joshua Corman: Anomalies. And they cost more. We think we have a supply chain of
capable technologies to assist, but that needs to be combined with the
skill sets to extract value from that. This is one of the reasons why the
conversation simultaneously has to reduce the distraction of our time,
budget, and energy on compliance low watermarked things. To liberate time
and budget and skill sets to tackle some of the harder things. Basically,
for an adversary, they know you are compliant, and don't care. Even a
friend tells me and they're counting on it. We've kind of homogenized and
normalized. This is pretty much what all of us are going to do. We're not
going to do a whole lot more, because we don't have the time or budget. If
you just do a little bit extra, a little tweak here, or double pack your
virus or use a metasplitidation, you're pretty much going to succeed.