Thursday, February 04, 2010

Answering APT Misconceptions

There's finally some good reporting on advanced persistent threat appearing in various news sources. A new Christian Science Monitor story, one by Federal Computer Week, and one by Wired are making progress in raising awareness. Unfortunately, there's plenty of Tweeting and blogging by people who refuse, or are unable, to understand what is happening. Rather than keep repeating myself answering these misconceptions, I have consolidated them here.

  Myth 1. APT is a "new term," invented by Mandiant. Reality: Mandiant did not invent the term. The Air Force did in 2006. More info: What Is APT and What Does It Want?

  Myth 2. APT is "not new." Reality: APT is only new to people who have not been involved with the problem. If you look solely at offender and motive, and exclude defender, means, and opportunity, you're likely to think APT is not new; you'd be wrong. Just performing an Attribution Using 20 Characteristics exercise helps demonstrate that APT is not like organized crime or other structured attackers. More info: Two-Dimensional Thinking and APT

  Myth 3. APT is "marketing hype." Reality: Some companies with little to no experience with APT are clearly jumping on the counter-APT bandwagon, even registering domain names related to APT. That is sad but not unexpected. However, companies like Mandiant are not suddenly releasing reports because of Google v China. Mandiant offered a public Webcast (which I attended) in March 2009 called State of the Hack - Addressing the Advanced Persistent Threat. They and certain other companies have been public about APT for a while, but a lot of people were ignoring them. More info: You Down With APT?

  Myth 4. APT is a "class of attacker." Reality: Most of the counter-APT community uses APT to refer to specific threats, or "threat agents" if you prefer that term. Those threats are associated with a certain country. In some cases, certain counter-APT community members prefer to include other countries with similar capabilities. If required to differentiate during discussions, I prefer to prefix APT with the named country.

  Myth 5. APT is "FUD." Reality: Fear can be healthy if it helps reallocate resources away from wasteful and ineffective compliance regimes like FISMA. No one I know who fights APT sleeps very well. Regarding uncertainty and doubt, what more do you need to know? Read my post Is APT After You? to get a better sense of whether you should worry. It's better to prepare your defenses now than to start once a Federal agent comes knocking. More info: DNI Blair Leads with APT as a "Wake-Up Call"


I may add more myths as they appear, but for now those five seem sufficient.

By the way, I appreciate the private communication and public comments from people genuinely interested in learning about this issue. It helps focus my attention away from the critics who refuse to align with reality. It's also clear that many of you understand why I use certain phrases or address this subject in the manner that I do. I am glad those of us with similar backgrounds can at least share in that sense of solidarity. Thank you.

9 comments:

Guilherme Macedo (@macedogm) said...

Nice post, Richard, thanks for sharing your knowledge and experience.
By the way, is there a chance of doing a podcast about APTs in the future? Or of talking more about the "Attribution Using 20 Characteristics" post?

Thanks.

Guilherme

Eric Hutchins said...

Hi Richard, I'm a firm believer in Myth 4 that APT is best used as a category rather than a synonym. To use it as a synonym implies a level of specific attribution is necessary before you can call it APT. Or, put another way, until you could demonstrate attribution, someone could challenge that it is APT or discount the significance.

True, we all have specific threat/threat actors in mind, but we need the general classification to identify, and most importantly, prioritize newly discovered threats. Looking for similar TTPs, similar levels of targeting, similar sophistication will reveal new APT.

To paraphrase the quote at the beginning of Iron Chef, "tell me what you exfiltrate, and I'll tell you what you are."

Regards,
Eric

Richard Bejtlich said...

Hi Eric,

Knowing who you are, I definitely respect your opinion. In some respects it is helpful to think your way because our defenses will be similar against these sorts of threats, as compared to criminal organizations or mundane intruders.

Joe said...

Richard,

Keep focused on this and ignore the critics. APT is very real and something we all need to take seriously.

Keydet89 said...

Richard,

Perhaps with respect to Myth 2, one of the issues may be that there's been nothing discussed publicly by those companies that are encountering this issue that appears particularly new. I mean, honestly...looking at the Christian Science Monitor article, I don't see anything that hasn't been seen before.

The fact that organizations are being targeted and attacked is nothing new. The means by which organizations are being attacked are nothing new. I just examined a system managed by a defense contractor...the system was managed remotely via RDP, and the Administrator password was easily guessed. Chris just posted on something similar.

"If you look solely at offender and motive, and exclude defender, means, and opportunity, you're likely to think APT is not new; you'd be wrong."

What if you're looking at this from the perspective of defender-means-opportunity, particularly defender and means? By defender, who's being attacked? Is that really anything new? Many of us have responded to environments across the board...private, public, federal gov't, etc...and found evidence of already-embedded attackers. Means and opportunity, in many cases, goes back to what we've been talking about for years...anyone want to open pictures of Anna Kournikova?

Keydet89 said...

Again, with respect to Myth 2, consider this...the attackers were "advanced" for the time, they were "persistent", and they were a "threat". Focusing on the defender, the means and the opportunity, rather than, as you say, the offender and motive...again, how is this new?

Greg Hoglund said...

I have the source code to over 500 remote access tools, all of them written by criminals. Over 50% of this source code is the same 20 tricks written in code. The other 50% is the various C&C protocol schemes, antidetection whims, and whatever CVE-exploit-of-the-month was current when the code leaked. Seriously, APT is new? The only thing that is new is the term. Two years ago I got a half million dollar grant from DHS and they called it 'Botnets'. The sad truth is - our computing infrastructure is and has always been insecure, and the day we plugged that morass of code into the Internet is the day the bad guys went into the cyber business. Like I said before, I like the term, but when people get all 'spun up' about it -- it just comes across like pouring a layer of Magic Shell on the problem.

bobby fletcher said...

Richard, Joe Stewart's "China code" claim seems to have some problems:

1) A follow-up published by The Register on 1/26 contradicted the claim that the CRC algorithm was not known outside China. The 4-bit CRC code has been around for over a decade in the device application arena. Once this fact became public, several code samples outside China were located by bloggers discussing this issue.

2) Mr. Stewart seems to have neglected the fact that variable names are stripped out during code compilation when he alluded to a variable name in the Aurora machine code. There is absolutely no link between the "crc_ta[16]" variable he identified as Chinese and the machine code in Aurora.

BTW, Googling "crc_table[16]" turns up lots of code snippets outside China.

3) Upon closer examination of Mr. Stewart's citations, the alleged Chinese white paper containing the algorithm and the code snippet found by Googling the identified variable name both turned up different code than what's in Aurora.

Specifically, the Aurora code contains a 12-bit shift optimization (found as early as 1988 according to The Register article):

t = crc16 >> 12

however the code passed around on Chinese sites is unoptimized code using two divisions:

da=((uchar)(crc/256))/16

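The two fragments quoted in the comment above both derive a 16-entry table index from the top nibble of a 16-bit CRC. As an added example (not code from the post, the comment, or any of the sources they cite), here is a nibble-table CRC-16 written with both index forms beside a bit-at-a-time reference, so a reader can confirm the shift form and the two-division form are the same operation; the polynomial 0x1021 (CRC-16-CCITT) is an assumption, since the comment does not name one.

```c
#include <stdint.h>
#include <stddef.h>

typedef unsigned char uchar;
#define POLY 0x1021u   /* assumed: CRC-16-CCITT polynomial; the comment names none */

/* Bit-at-a-time reference CRC-16 (MSB first, no reflection, no final XOR). */
uint16_t crc16_bitwise(const uchar *buf, size_t len, uint16_t crc)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)(buf[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ POLY) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* 16-entry table crc_ta[16]: the CRC of each 4-bit value placed in the top nibble. */
static void build_crc_ta(uint16_t crc_ta[16])
{
    for (uint16_t i = 0; i < 16; i++) {
        uint16_t r = (uint16_t)(i << 12);
        for (int b = 0; b < 4; b++)
            r = (r & 0x8000) ? (uint16_t)((r << 1) ^ POLY) : (uint16_t)(r << 1);
        crc_ta[i] = r;
    }
}

/* Nibble-table CRC. use_div selects how the table index is taken from the CRC:
 *   shift form     t  = crc16 >> 12             (the "optimized" fragment)
 *   division form  da = ((uchar)(crc/256))/16   (the "unoptimized" fragment)
 * Both isolate the high nibble, so the two forms must produce identical CRCs. */
uint16_t crc16_nibble(const uchar *buf, size_t len, uint16_t crc, int use_div)
{
    uint16_t crc_ta[16];
    build_crc_ta(crc_ta);
    for (size_t i = 0; i < len; i++) {
        uchar nib[2] = { (uchar)(buf[i] >> 4), (uchar)(buf[i] & 0x0F) };
        for (int k = 0; k < 2; k++) {           /* high nibble first, then low */
            uchar idx = use_div ? (uchar)(((uchar)(crc / 256)) / 16) : (uchar)(crc >> 12);
            crc = (uint16_t)((crc << 4) ^ crc_ta[idx ^ nib[k]]);
        }
    }
    return crc;
}

/* Returns 1 if the reference, shift form and division form agree on a constructed sample. */
int all_forms_agree(void)
{
    const uchar sample[] = "constructed sample: 0123456789 ABCDEF";   /* constructed input */
    size_t n = sizeof sample - 1;
    uint16_t a = crc16_bitwise(sample, n, 0xFFFF);
    return a == crc16_nibble(sample, n, 0xFFFF, 0) && a == crc16_nibble(sample, n, 0xFFFF, 1);
}
```

With init 0 this is CRC-16/XMODEM and with init 0xFFFF it is CRC-16/CCITT-FALSE, so the standard check values for "123456789" (0x31C3 and 0x29B1) can be used to validate all three routines.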
Will Gragido said...

Great list. I believe it's important to keep things real with respect to APTs etc. It is not something which should be (though it has become) a marketing-ready topic...I hope to see you at RSA or Security BSides San Francisco, take care.

Will Gragido