Wednesday, January 20, 2010

Is APT After You?

Jeremiah Grossman made the following request via Twitter today:

@taosecurity blog post request. Signs that an individual or organization is or may be an APT target. + other threat naming conventions

Tough but great questions. I better answer, or Jeremiah will find me and apply Brazilian Jiu Jitsu until I do. Let me take the second question first.

As I mentioned in Real Threat Reporting in 2005, "Titan Rain" became the popular term for one "intrusion set" involving certain actors. DoD applies various codewords to intrusion sets, and Titan Rain became popular with the publication of the Time article I referenced. If you read the Time article again you'll see at least one other reference, but I won't cite that here.

Some of you may remember "Solar Sunrise" from 1998 and "Moonlight Maze" from 1998-1999. Open reporting links the former to Russia and the latter to an Israeli named Ehud Tenenbaum. These are other examples of "intrusion sets," but they are not related to the current threat.

As far as other names for APT, they exist but are not shared with the public. Just as you might maintain code names for various intrusion sets or campaigns within your CIRT, various agencies track the same using their own terms. This can cause some confusion when different CIRTs try to compare notes, since none of us speak of the private names unless in an appropriate facility. The Air Force invented "APT" as an unclassified term that could be used to quickly keep various parties on the same page when speaking with defense partners.

Regarding who may be an APT target, I liked Steven Adair's Shadowserver post. The way most organizations learn that they have a problem is by receiving an external notification. The FBI and certain military units have been fairly active in this respect for the previous three years. This marks quite a change in the relationship between the US government and private sector, and it's not limited to American companies. A little searching will reveal reports of other governments warning their companies of similar problems.

If your organization has not been contacted by an external agency, you might want to look at the potential objectives that I posted in What is APT and What Does It Want? Does your organization possess data that falls into one of the political, economic, technical, or military categories that could interest this sort of threat? Overall, my assessment of APT progress can be summarized this way:

  • Phase 1, late 1990s: mainly .mil

  • Phase 2, 2000-2004: .gov added to target list

  • Phase 3, 2005-2009: cleared defense contractors, research institutes, political and infrastructure added to target list (significant expansion)

  • Phase 4, 2010- ? : expansion only limited by resources?


Probably the next best way to determine if you are a target is to join whatever industry groups you can find and network with your peers. Develop relationships such that your peers feel comfortable sharing threat information with you. Do the same with government actors, especially the FBI. Many times these agencies are just sitting on data trying to figure out the right contacts.

I would beware of organizations that claim any product they sell will "stop APT" or "manage APT" or act as another silver bullet. We're already seeing some vendors jump on the counter-APT bandwagon with little clue what is happening. There are a couple of consultancies with deep knowledge on this topic. I'm not going to name them here, but if you review the Incident Detection Summit 2009 agenda you can find them.

The degree of counter-APT experience on the speaker list varies considerably, but you can try using that list to validate if Company X has any relationship whatsoever to this problem. That doesn't mean companies or organizations not listed as speakers are "clueless;" a lot of counter-APT activity is simply "good IT." However, you shouldn't expect a random consultant to be able to sit down and explain the specifics of this problem to your CIO or CEO. Incidentally, this is NOT a commercial for my company; I run an internal CIRT that only protects our assets.

1 comment:

Russell Thomas said...

Questions:

1) If an organization is facing APTs, don't they need to redefine their security strategy away from "avoid being the weakest link" that might be appropriate if you are only facing opportunistic threat agents?

2) If "yes", wouldn't this imply the need to make *major* changes in their information security strategy, investments, priorities, metrics?

3) If "yes" to both, then doesn't that imply that systematic threat intelligence would have a major payoff because it would help decision makers rationally choose between one security regime and another?

-------

These aren't trick questions. I really want to know what you and others think.

Of course, some folks might say that "you'll never have good enough threat intelligence to know if you are a target of APT or not, so you are wasting your time". But this sort of thinking can only lead one way: Every organization would have to adopt the most severe, restrictive security policies on the assumption that they were targets of APT.