The industrialization of hacking is today the number one cyber-threat to most organizations and according to one estimate, it’s an industry which rolls $1 trillion annually. Not surprisingly, hackers are focused on optimizing their activity to increase revenue, while automating their processes in order to decrease costs.
However, another major threat, as Stuxnet and Operation Aurora demonstrate, is state-sponsored cyber attack or Advanced Persistent Threat (APT). This threat has been in the background for several years now. However, in the past few years we have seen this threat increase. Why? As public and private organizations have moved infrastructure online to help commerce or facilitate government the administration of services, data and intellectual property are likewise exposed to foreign adversaries. So what is exactly APT, what directions are the attackers taking, which organizations are prone to be a target and what can be done to defend against APT?
Before we clearly define APT, let us take a look at classic APT attacks to get a clearer picture.
* May 2007 – A massive DDoS attack against the state of Estonia. Whether or not the attack command came from the Russian government or the hackers were working under the guidance of Russian authority, one thing is certain: the attacks originated from Russia.
* August 2008 – A massive DDoS attack against the state of Georgia. Similar to the DDoS against Estonia, IPs (and fingers) pointed to Russian addresses.
* January 2010 – Google released a statement that the employee accounts of their Chinese-based operations were hacked into. Major companies such as Adobe followed heed claiming they too have been victimized by then same attack. Server logs have showed the perpetrators to originate from mainland China. As the news of the attack made headlines around the world, the hack campaign came to be known as “Operation Aurora”.
* January 2011 – The Tunisian government victimizes its own citizens by intercepting communications to social networks.
As its name represents, an Advanced Persistent Threat is broken into three components, each clearly defined.
Advanced - The source of the attack is one of a selected few – government, political or even a terrorist organization - whereas the adversary has no direct financial motivation.
* Attack source - it is possible to pinpoint several attack sources:
- Friendly nations – In this cyber-era, Machiavelli’s statement “Keep your enemies close and your friends closer” takes on a new meaning. Many times the source of attack is a friendly nation where as the goal is usually espionage.
- “Frienemies” – These are states with maintained stable relationships yet the threat of a potential breakdown keeps these nations on their toes. For example, China and Russia are such countries with respect to the United States.
- Adversarial nations and other foes – These countries are in a declared state of war one with the other. Also included in this group are terrorist organizations and “hacktivists” (i.e. cyber-attackers who demonstrate their protest through different hacking methods). While “hacktivism” is many times opportunistic in nature, it sometimes takes the shape of APT. For example, in a recent attack campaign, dubbed Operation Payback, there was a chosen set of targets (such as PayPal and American Express). The attack started with a traditional “voluntary” infection where participants knowingly downloaded attack malware, and escalated to the use of commercial involuntary botnet.
* No direct financial drive. This is certainly contrary to the Industrialization of Hacking where monetary gain is the single motivator of the attacker. Yet with APT, we see that the adversary size and the importance of the target are the key factors.
Persistent - unlimited budget together with a valuable target makes these attacks persistent.
* Attack target. APT victims are carefully selected. Typically, targets control the national infrastructure such as power plants, banks, government agencies and government contractors, and the military.
* Attack goal. The adversary associates a goal for each target and attack campaign. For example, in Stuxnet, Iran’s nuclear reactor was targeted for shut down. Large enterprises, such as Google’s database of potential Chinese dissidents, can also be a target.
* The attack is a process. The attack keeps changing until success is achieved. This means that the attackers attempt to infiltrate across different layers: through the IT infrastructure, the network and the application. Each of these layers contains potential penetration points: different network segments, different applications as well as client and server side vulnerabilities. For example, in Operation Aurora the actual penetration was the Chinese segment of the Google network which was more vulnerable than other network segments. In addition, we saw that the perpetrators infected certain Google employees in order to gain access to the systems.
Threat - In general, we consider APT as being one of two threats:
* Control/ Take down –
- Control: When the objective is controlling infrastructure, the hackers hope to maintain a covert ability to control the target only upon demand, or take down the target at will.
- Take down: Ultimately the objective is to deny communications, disrupt civilian life, and even provoke a collapse of financial infrastructure.
* Espionage – Motivation for this type of threat could be diplomatic, military or industrial. To perform a successful attack, the adversary has to create an effective covert channel and will eventually tap into the needed information. Additionally, a “hit-and-run” scenario focuses on obtaining as much existing information in a single operation.
Recently, we have seen APT attacks borrowing techniques from the hacker industry, such as automation and viral distribution. APT also seems to take the shape of regular botnets and standard malware. These approaches achieve cost reduction. The following are examples where APT attackers adopted some commercial hacking techniques:
* Mid 2010, Stuxnet – This worm specifically targeted SCADA systems. The worm is believed to be created by specific government agencies. Commands are issued to the worm only when the malware payload lands at the designated target. Undoubtedly, Stuxnet is very much an APT attack. However, Stuxnet spread via distribution techniques taken from the “professional” hacker industry.
* Mid 2009, North Korea DDoS – On this occasion, botnet armies targeted US government institutions. When those did not fall prey to the attack, the attacks started targeting private US sites.
Knowing the characteristics of APT allows us to define the necessary steps required to defeat APT:
* Risk assessment – Before jumping ahead and applying controls across all layers, it is first necessary to consider a few aspects. The first question to ask is whether the organization is a potential target. The next question should define what would be the potential goal and target systems. Responding to these questions is crucial in understanding where to apply the necessary the resources.
* Deploying countermeasures –Perimeter defenses such as firewalls and Web Application Firewalls (WAFs) should be augmented with data source defenses such as Database Activity Monitoring (DAM) and File Activity Monitoring (FAM). In addition, server side defenses should be incorporated together with client side protection, where possible. This includes enterprises enforcing the use of anti-virus and anti-malware on workstations. Last, technical controls must be enhanced with physical security and organizational controls such as employee screening.
* Continuous reassessments – Since APT is a process, the victim should realize that the attacker is in fact re-assessing the failure or success of an attack to hone future techniques. To react, set up the proper tools to store and analyze the alerts in order to ensure that a major attack is not part of a bigger campaign. It is important to correlate the alerts across all layers.
* Performing security audits – As the persistence of the attack may open backdoors, it is important to perform periodic security audits of system components. This is not a compliance audit. Rather, this is a true security investigation to close backdoors and block any attempts to use these backdoors as attack channels.
* Government assistance – APT is a political, national, state-backed attack. So requesting assistance from the government is appropriate.
APT is a serious and ongoing threat which continues to increase. Unfortunately, the term has become widely abused, seeding fear, uncertainty and doubt. It is important to take a step back and assess: is the institution in fact a target of these threats? To defend against APT, organizations need to perform the correct risk assessment in order to set up the correct controls.
Imperva is exhibiting at Infosecurity Europe 2011 – the No. 1 industry event in Europe – where information security professionals address the challenges of today whilst preparing for those of tomorrow. Held from 19th – 21st April at Earl’s Court, London, the event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise.