Friday, July 10, 2009

You Down with APT?

Today I had shared a phone call with a very knowledgable and respected security industry analyst. During the course of the conversation he made a few statements which puzzled me, so I asked him "do you know what APT means?" He might have thought I was referring to the Debian Advanced Package Tool or apt, but that's not what I meant. When I said Advanced Persistent Threat, it still didn't ring any bells with him. I decided to do some searching on the Web to see what was available regarding APT.

Helpfully, BusinessWeek just published Under Cyberthreat: Defense Contractors this week. The article begins like this:

Northrop Grumman's info security chief addresses the "well-resourced, highly sophisticated" attacks against makers of high-tech weaponry...

The defense industry faces "a near-existential threat from state-sponsored foreign intelligence services" that target sensitive IP, according to a report by the Internet Security Alliance, a nonprofit organization on whose board McKnight sits...

[BusinessWeek asked:] Are defense contractors being singled out in highly targeted attacks?

[McKnight responded:] It's gotten to a point where it has a name for itself: the APT or "advanced persistent threat," meaning that they are well resourced, highly sophisticated, clearly targeting companies or information, and they're not giving up in that mission.


Incidentally, McKnight practices NSM:

[BusinessWeek asked:] What kind of tools do you use to keep your network secure?

[McKnight responded:] We've focused a lot on... capabilities where you're capturing all traffic, not just bits and pieces of it.


Security company Mandiant devotes an entire site to APT, saying:

The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers.

The intruders responsible for the APT attacks target the Defense Industrial Base (DIB), financial industry, manufacturing industry, and research industry.

The attacks used by the APT intruders are not very different from any other intruder. The main differentiator is the APT intruder’s perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus and they tend to generate more activity than wanton “drive by hacks” on the Internet.

The intruders also escalate their tools and techniques as a victim firm’s capability to respond improves. Therefore, the APT attacks present different challenges than addressing common computer security breaches.

Combating the APT is a protracted event, requiring a sustained effort to rid your networks of the threat.


I briefly mentioned APT in my post last year Thoughts on 2008 SANS Forensics and IR Summit.

Aside from Northrup Grumman, Mandiant, and a few vendors (like NetWitness, one of the full capture vendors out there) mentioning APT, there's not much else available. A Google search for "advanced persistent threat" -netwitness -mandiant -Northrop yields 34 results (prior to this blog post).

APT is one of those subjects that is very important but not well understood outside the defense industry. Your best bet for a public introduction to APT is to watch for the next Webinar offered by Mandiant. Ask them to do another soon; I listened to their Webinar in May and realized many participants had never heard of APT before. If you're not down with APT, you need to be.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

11 comments:

Anonymous said...

NDA's and Clearances tend to reduce the amount of information that can be shared about APT. Their should be a better unclassified information sharing forum to help spread the word (tools, techniques and recent findings). -R

Keydet89 said...

Their should be a better unclassified information sharing forum to help spread the word (tools, techniques and recent findings). -R

Just out of curiosity, better than what? With all of the resources available, what could be done better? What would you recommend?

Redacted said...

Yeah you know me.

Matthew Tripp said...
This comment has been removed by a blog administrator.
Security4all said...
This comment has been removed by the author.
Security4all said...

Someone started an "Operation Aurora" LinkedIN group. Maybe some good unclassified information will be shared there?

http://www.linkedin.com/groups?home=&gid=2677290&trk=anet_ug_hm

Richard Bejtlich said...

That's hilarious. Yeah, let's share what we know with a faceless LinkedIn group!

freedomfiles said...

Richard:

"That's hilarious. Yeah, let's share what we know with a faceless LinkedIn group!"

I've created the group, and use it to share non-confidential information regarding the Aurora incident.

I don't understand your reaction - everything in the group is public information which can be found on the web, and there's nothing shady about it.

Kind regards,
Niels Groeneveld

Richard Bejtlich said...

Niels, if you're sharing "public information which can be found on the web," what's the point?

freedomfiles said...

I was collecting a lot of information regarding the Aurora incident for my work, and thought it would be a waste of time not to share it with others who could also use the same information for further investigation as most information was open source and non-confidential.

Apparently a lot of people understood the point, as 300+ people joined, and I got a lot of positive feedback.

The group contains technical reports, news stories, translated Chinese materials to show Chinese reactions on the incident, and so on.

What's the point of not sharing information, and not trying to make the life of others who need similar information easier by putting it all together, whether that's on a blog, on twitter, or in a linkedin group ?

Richard Bejtlich said...

Well, that's great if you think "Aurora" is relevant to advanced persistent threat. Recent revelations have confirmed that McAfee didn't know what it was doing and others who based research on their work followed poor leads.