Schrödinger's APT

A brief definition of APT

Advanced persistent threat (APT) is usually used as a euphemism attributed to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack. Other recognized attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.

excerpt from: Wikipedia

The Weakest Link in the Chain

Typically, nation-state sponsored attacks target defense contractors, organizations with military ties, and infrastructure providers.

The above targets are not all that surprising until you realize how the adversaries reach these organizations. They don't have to attack the target directly. Several high profile attacks were pointed at corporations that supply services to the actual targets. For example, RSA was targeted for its relationship to the industry, and once the adversaries had what they needed, a more direct attack was launched on Lockheed and Raytheon.

Similar stories continue to circulate regarding attacks on other players in the food chain and their impact on the greater targets.

Consider "Operation Aurora", which resulted in IP theft from Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical and Google, who discovered the attack. Private political information held in Gmail accounts was also targeted.

Think about what a well-funded adversary could do with the source code of Juniper networking devices, or of Symantec AntiVirus software...

Am I both compromised and not?

We have discussed the type of adversary out there and we've covered what and who they are primarily after.

The question now becomes: Am I a target? Am I already compromised? How would I know if I was?

Possibly you are, you have, and you might not.

You can probably guess by now that because of the nature of this threat, the answer is potentially nebulous.

Chances are that both states are true at the same time.

It is likely that you have suffered workstation breaches, but it may not be clear whether they were targeted/APT or not.

How much effort could/should I employ to find out?

Start with the low hanging fruit.

Are you a potential target/proxy for an attack?

How would I know if I have already had an APT compromise?

There are a number of security research firms that you can contact if you are interested in them performing analytics on your existing infrastructure to look for signs of a previously successful APT attack.

Here are some steps you can perform to determine whether or not you should consider pursuing such an engagement.

The unfortunate parallel here is that, just like Schrödinger's Cat, if you do open and peer into the box, you may find an answer that you didn't want to hear.

-Enigma