PHILADELPHIA – The term “advanced persistent threat” is often maligned by battle-weary enterprise infosec pros who believe it's overused, overhyped and too broadly applied.
You will not be successful preventing all APT activity, but you can step up your game.
Joe Bentfield, AT&T
However, according to a top security strategist for AT&T, advanced persistent threats (APTs) are a stark reality, and organizations that aren't preparing new defensive tactics to detect and defend against them are already losing ground to attackers.
During a presentation Tuesday at the 2012 (ISC)2 Security Congress, Joe Bentfield, AT&T's executive director of security technology discussed the telecommunications giant's APT defense strategy. Calling APTs "very much a real threat today," Bentfield defined APT as a "game-changing" use of custom malware and cyberattack tactics to defeat multiple layers of defense, achieve a specific desired objective, and evolve over time to remain undetected.
"This is not run-of-the-mill, smash-and-grab, pump-and-dump phishing, spam and crimeware," Bentfield said. "This is focused on stealing your core assets and impacting your business in a negative way." Most APTs are intended to destroy or disrupt organizations, he added, but with the recent reemergence ofhacktivists, some attackers aim to embarrass or shame their victims.
Bentfield said AT&T's APT research began a little more than a year ago when his boss, AT&T CSO Ed Amoroso, asked him to lead the effort to determine the effect APTs were having on the company and what could be done to stop them. The urgency of the effort was soon underscored by the cyberattack against RSA, in which attackers employed APT-style tactics to steal proprietary data on its SecurID authentication product.
"We've seen some companies basically brought to their knees in public APT incidents, but there are plenty of private APTs that we don't hear about," Bentfield said. "In the grand scheme of things, you will not be successful preventing all APT activity, but you can step up your game."
AT&T's process to do just that began with research into a variety of APT events: RSA, Operation Aurora, Stuxnet, and more recently the 2011 attacks against Sony and a variety of government entities. Then it conducted a series of tabletop modeling exercises, simulating what objectives attackers would want to achieve, which data the company was concerned about losing, and how successful attackers might employ techniques that worked against others. It wasn't long before Bentfield's team realized the risk exposure was worse than anyone thought.
"By the time we got to the fourth or fifth one," he said, "it was clear it was going to be a depressing exercise."
New attack detection and response tactics
But the effort to shed light on AT&T's attack surface turned out to be beneficial. For instance, Bentfield said the company learned exactly how the successful mining of user account information could lead to targeted attacks, as well as the ways in which attackers may seek to obfuscate their efforts by targeting its security administration infrastructure. More importantly, he said, it led to a new initiative to identify and prioritize new attack detection and response tactics.
Some of those tactics – like encrypting valuable data, subscribing to threat intelligence feeds and more protections for executives and other high-profile human targets – are common in enterprise information security programs today, but Bentfield said AT&T has also explored many new non-traditional controls.
For one, it became clear that AT&T needed to lock down its internal file shares, but Bentfield said that led to the realization that broader governance was needed for its intranet infrastructure, where every day employees use Microsoft SharePoint to create new spaces to share data. Now, AT&T has a program that discovers new shared spaces, tests them for open access and follows up with business owners when additional security is necessary.
Another new control was to run all internal applications through the same kinds of Web application analyzers and source code evaluation processes used on Internet-facing applications. Even though those applications, in theory, would never be accessible to attackers, Bentfield said the added rigor serves as an extra layer of security should an APT incident get past its first line of defense.
Other techniques Bentfield said are being brought to bear include user correlation; collecting data on who is using an IP over time and feeding it into threat recognition processes; providing each user upon login with information about his or her previous login, so a user can alert IT if someone else logged in using their credentials; sandboxing Web browser and file-viewing activities to reduce the threat posed by Web surfing and email; and implementing endpoints with immutable BIOS built in to defend against rootkits.
Defensive deception, keystroke encryption concepts
Bentfield said AT&T has a number of other interesting concepts still on the drawing board. One is defensive deception: technical measures that could, for example, trick malware that is designed to hide in virtual machine (VM) environments to "wake up" and be detected. Another is encrypting keystroke logging data to render keylogger malware useless. He also said the company is debating the idea of a "tiger team" that would conduct regular exercises playing the role of an attacker using APT attack tactics.
One idea that had nothing to do with technology was to improve AT&T's brand position on hacktivism. Bentfield said in order to engender goodwill within the hacker community, the company this year sponsored a series of hackathons around the country.
"The idea is to promote a positive brand image in the communities that might decide to be mad at you, so you can head off some potential issues," Bentfield said. "It's an example of out-of-the-box thinking."
Joel Cummings, an attendee who manages security and compliance with a large North American supermarket chain, said he was intrigued by many of the ideas AT&T had implemented or discussed. He said his organization is similarly trying to improve its threat awareness capabilities, specifically in regard to protect laptops, see attacks more quickly and respond appropriately.
Despite making numerous advances in advanced persistent threat protection, Bentfield admitted the battle against APTs is a daunting challenge that, some days, doesn't seem winnable.
"I'm fortunate in that I have the resources to apply to the challenge, and I'm still demoralized," Bentfield said. Still, he encouraged all organizations to focus on the importance of rapid APT detection and response.
"If you're ready when the smoking gun shows up, it's a short runway to get that check signed so you can go do the things that'll really make a difference."