This APT stuff is getting out of hand. This is what Mandiant says CISOs need to think about:
No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It’s not spy-versus-spy espionage. It’s spy-versus-everyone.
Really? Really?!? This is what you want your CISO to be thinking about? Seriously, how many spy novels can these people squeeze in between status updates, PMO meetings and rounds of golf?
Then we are told this:
Classic “prevent and detect” techniques do not effectively counter the APT. The attackers can easily defeat normal defenses. They successfully evade anti-virus software, network intrusion detection and under-equipped incident responders. They use sophisticated techniques to conceal their presence: hiding malware on their target’s own hosts and exfiltrating data in its own network traffic. A staggering 100% of APT malware identified by MANDIANT made ONLY outbound connections from victim networks, 83% of which used TCP port 80 or 443.
Wow! Ports 80 and 443! They must know how to use the Web!!!!! This is a whole new level of sophistication! Don't our firewalls protect us from this?!?!? It's almost like we've superimposed an outdated network-centric security model that relies on firewalls and forgot to protect our real assets - users, apps, and data. But no, let's not revisit our security model....
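As an added illustration (not code from this post or from Mandiant's report), here is a small egress-policy evaluator run over constructed flow records: a port-centric perimeter rule that lets out any outbound 80/443 connection, beside an asset-centric rule keyed on what the source host is and whether it went through the web proxy. Host names, roles and the flows themselves are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    src_host: str    # constructed internal host name
    role: str        # asset role of the host: "workstation", "db-server", "web-proxy"
    direction: str   # "outbound" (internal -> internet) or "inbound"
    dst_port: int
    via_proxy: bool  # True when the connection was brokered by the web proxy

# Constructed sample flows; the label is only used to score the two policies.
SAMPLE: List[Tuple[Flow, str]] = [
    (Flow("ws-01", "workstation", "outbound", 443, True),  "browsing"),
    (Flow("ws-02", "workstation", "outbound", 80,  True),  "browsing"),
    (Flow("ws-03", "workstation", "outbound", 443, False), "beacon"),   # direct, bypasses the proxy
    (Flow("db-01", "db-server",   "outbound", 80,  False), "beacon"),   # a database server "browsing"
    (Flow("db-01", "db-server",   "inbound",  4444, False), "inbound"), # the one case a port rule does stop
]

def port_centric(f: Flow) -> bool:
    """Classic perimeter rule: deny inbound, allow outbound web. Knows nothing about the asset."""
    return f.direction == "outbound" and f.dst_port in (80, 443)

def asset_centric(f: Flow) -> bool:
    """Egress keyed on the asset: only the proxy talks to the internet directly,
    workstations must go through it, and servers have no business browsing at all."""
    if f.direction != "outbound":
        return False
    if f.role == "web-proxy":
        return f.dst_port in (80, 443)
    if f.role == "workstation":
        return f.via_proxy
    return False  # db-server and every other server role

def score(policy: Callable[[Flow], bool]) -> Dict[str, int]:
    """Count, per label, how many of the sample flows the policy lets out."""
    allowed: Dict[str, int] = {}
    for flow, label in SAMPLE:
        allowed[label] = allowed.get(label, 0) + int(policy(flow))
    return allowed

if __name__ == "__main__":
    for name, policy in (("port-centric", port_centric), ("asset-centric", asset_centric)):
        print(name, score(policy))
```

The port-centric rule passes both constructed beacons along with the browsing, which is the point of the 80/443 statistic; the asset-centric rule keeps the browsing and drops both beacons without ever looking at the port.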
If I am a shareholder of a company, let's say Salesforce.com (I'm not), what percentage of that CISO's time do I want them reading Tom Clancy versus what percentage of their time do I want them to figure out how to deploy more secure integration with their customers? I am gonna go with zero and 100.
I realize the compliance gravy train has run down and the infosec industry needs to find another funding source, but this APT thing is redonkulous. You want all 500 CISOs across the F500 to engage in keeping the Chinese threat out of their systems? This is like Palin saying she had foreign policy and security experience because she could see Russia. Come on. Please explain to me how telling the CISOs that they are now going to fight off "APT" is different from this:
PALIN: And, Charlie, you’re in Alaska. We have that very narrow maritime border between the United States, and the 49th state, Alaska, and Russia. They are our next door neighbors. We need to have a good relationship with them. They’re very, very important to us and they are our next door neighbor.
GIBSON: What insight into Russian actions, particularly in the last couple of weeks, does the proximity of the state give you?
PALIN: They’re our next door neighbors and you can actually see Russia from land here in Alaska, from an island in Alaska.
GIBSON: What insight does that give you into what they’re doing in Georgia?
PALIN: Well, I’m giving you that perspective of how small our world is and how important it is that we work with our allies to keep good relation with all of these countries, especially Russia
...andandand you know when the Chinese APT clicks a mouse button, that data comes RIGHT OVER TO OUR SERVERS! IT'S LIKE WE ARE ON THE SAME NETWORK!!!!
Now, to his credit, Andy Jaquith sees through the hysterics and is right that more precision is called for, and he is also right when he says to think about this:
Enterprise CISOs worried about "APT" should use the Google incident as justification for examining their counter-espionage strategies. Do not waste time wondering “do my endpoint security products have anti-APT features?” Ignore the term “APT.” It is better to be precise: think instead about industrial spies, saboteurs, thieves, unscrupulous competitors and nation-states — what they want, and about whether these actors will seek to achieve their goals by targeting your intellectual property.
But here is the thing: this is what you should have been doing all along - focus on the assets. The infosec industry is obsessed with threats because they like to get paid to play cops and robbers on the shareholders' dime. I get it, it's fun, but it's not what 499 of the F500 CISOs are paid to do. Getting all spun up over some supposed new threat is silly and loses credibility for infosec in the long run. You know infosec has zero chance at stopping APT when they define the "A" in Advanced as someone who attacks over Port 80.
Security's job is not to be some ad hoc militia that defeats the threat du jour; its job is to enable the strategic intent of the business by protecting its assets.
Yes, focusing on asset protection does make things a lot easier.
This assumes that you would not do security any different if you faced APTs (however you define it) vs. opportunistic threat agents. If that's true, then the APT stuff is a distraction.
If it's not true, and defense against APTs requires major changes or different investment priorities, then threat intelligence suddenly becomes a required capability.
It would be interesting to hear from people in organizations who have been defending against APTs for a long time, and also from those who have only recently decided to reorient their security to defend against APTs.
Posted by: Russell Thomas | January 25, 2010 at 04:32 PM
It's not about making it easier, it's about making it cost-effective. Your local police department is not armed, trained and provisioned the same way the USMC or Army is.
Posted by: Gunnar | January 25, 2010 at 04:35 PM
Yeah... when I said "easier", I was thinking two things: 1) not requiring sophisticated analysis and 2) cost-effective.
Not to be snarky about your example, *some* police departments do have some military-like capabilities. I'm thinking specifically of NYPD's anti-terrorism unit.
Posted by: Russell Thomas | January 25, 2010 at 05:30 PM
@Russell,
Aside from defense or intelligence communities, just who do you think has been defending against APT for a long time?
Amit Yoran just said: “Advanced stuff is getting through pervasively,” he said. “It’s simply impossible to protect an enterprise today.” and Allan Paller adds: “The story is about: ‘Oh shoot, they are already inside’. The attacks are one level too sophisticated for the current tools.”
Kudos to Gunnar since he has commented regularly on the need to use things that work inside the network like reference monitors and authorization.
Posted by: Rob Lewis | January 26, 2010 at 11:50 AM
The report that you are referring to appears to be written in the style of an intelligence briefing and not a treatise on end-to-end information security. As someone who has fought APT threats for over 6 years, I believe that it would serve the community well for people to thoughtfully consider the nature of the threat and decide how to alter their plan for, as you put it, asset protection. This is not a hyped-up threat that demands new technologies. This reinforces the same infosec song that has been played for at least 2 decades.
You speak of sensitivity to cost and deriving the greatest value from your actions. In every security and intelligence field a cornerstone of that evaluation is understanding the threat and modeling an appropriate response. In many ways, a good security model serves as a solid foundation. Occasionally this foundation does fail, and pat academic answers shouted with a sense of authority drive poor decisions. Poor decisions lead to excess cost - you are cleaning up two messes at that point.
The "A" in APT has nothing to do with your infosec world. The choice of TCP ports over which to run C2 channels is not advanced, the fact that properly configured and layered firewalls and proxies have not been an impediment is not advanced. The fact of active exploitation of users and their accounts who have access to assets well-protected with traditional security models is not advanced.
Honestly it comes down to simply the material that is sought, the efficiency of their operation and the depth of penetration into the Fortune 500 that some bloggers so blithely state should be more concerned with simple customer security.
When considering the whole picture, not just a few choice points, it is actually a bad thing for a CISO to ignore the problem. That's the type of thing that gets CISOs fired.
Posted by: intelguy | January 26, 2010 at 01:10 PM
@Rob I don't exactly know who, besides defense and intel, has been defending against APT for a long time. That's why I asked.
If I had to guess, I might guess some in Financial Services, non-defense aerospace, certain segments of IT (e.g. Intel, Microsoft), on-line gambling (many reports of DDoS and extortion against them), and maybe human rights groups like Amnesty International.
I'd really like to know how widespread it is and how long it takes an organization to effectively adapt their InfoSec to the APT (or APA) reality.
Posted by: Russell Thomas | January 29, 2010 at 01:10 PM
Gunnar - you're about the only person who gets APT and the FUD du jour that it represents.
Keep it up, dude.
Posted by: Andrew van der Stock | February 03, 2010 at 12:40 AM