Friday, July 10, 2009

You Down with APT?

Today I shared a phone call with a very knowledgeable and respected security industry analyst. During the course of the conversation he made a few statements which puzzled me, so I asked him "do you know what APT means?" He might have thought I was referring to the Debian Advanced Package Tool or apt, but that's not what I meant. When I said Advanced Persistent Threat, it still didn't ring any bells with him. I decided to do some searching on the Web to see what was available regarding APT.

Helpfully, BusinessWeek just published Under Cyberthreat: Defense Contractors this week. The article begins like this:

Northrop Grumman's info security chief addresses the "well-resourced, highly sophisticated" attacks against makers of high-tech weaponry...

The defense industry faces "a near-existential threat from state-sponsored foreign intelligence services" that target sensitive IP, according to a report by the Internet Security Alliance, a nonprofit organization on whose board McKnight sits...

[BusinessWeek asked:] Are defense contractors being singled out in highly targeted attacks?

[McKnight responded:] It's gotten to a point where it has a name for itself: the APT or "advanced persistent threat," meaning that they are well resourced, highly sophisticated, clearly targeting companies or information, and they're not giving up in that mission.


Incidentally, McKnight practices NSM:

[BusinessWeek asked:] What kind of tools do you use to keep your network secure?

[McKnight responded:] We've focused a lot on... capabilities where you're capturing all traffic, not just bits and pieces of it.


Security company Mandiant devotes an entire site to APT, saying:

The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers.

The intruders responsible for the APT attacks target the Defense Industrial Base (DIB), financial industry, manufacturing industry, and research industry.

The attacks used by the APT intruders are not very different from any other intruder. The main differentiator is the APT intruder's perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus and they tend to generate more activity than wanton "drive by hacks" on the Internet.

The intruders also escalate their tools and techniques as a victim firm's capability to respond improves. Therefore, the APT attacks present different challenges than addressing common computer security breaches.

Combating the APT is a protracted event, requiring a sustained effort to rid your networks of the threat.


I briefly mentioned APT in my post last year Thoughts on 2008 SANS Forensics and IR Summit.

Aside from Northrop Grumman, Mandiant, and a few vendors (like NetWitness, one of the full capture vendors out there) mentioning APT, there's not much else available. A Google search for "advanced persistent threat" -netwitness -mandiant -Northrop yields 34 results (prior to this blog post).

APT is one of those subjects that is very important but not well understood outside the defense industry. Your best bet for a public introduction to APT is to watch for the next Webinar offered by Mandiant. Ask them to do another soon; I listened to their Webinar in May and realized many participants had never heard of APT before. If you're not down with APT, you need to be.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Late Las Vegas registration ends 22 July.

11 comments:

Anonymous said...

NDAs and clearances tend to reduce the amount of information that can be shared about APT. There should be a better unclassified information sharing forum to help spread the word (tools, techniques and recent findings). -R

H. Carvey said...

There should be a better unclassified information sharing forum to help spread the word (tools, techniques and recent findings). -R

Just out of curiosity, better than what? With all of the resources available, what could be done better? What would you recommend?

*Redacted* CIRT said...

Yeah you know me.

Matthew Tripp said...
This comment has been removed by a blog administrator.
Security4all said...
This comment has been removed by the author.
Security4all said...

Someone started an "Operation Aurora" LinkedIn group. Maybe some good unclassified information will be shared there?

http://www.linkedin.com/groups?home=&gid=2677290&trk=anet_ug_hm

Richard Bejtlich said...

That's hilarious. Yeah, let's share what we know with a faceless LinkedIn group!

freedomfiles said...

Richard:

"That's hilarious. Yeah, let's share what we know with a faceless LinkedIn group!"

I've created the group, and use it to share non-confidential information regarding the Aurora incident.

I don't understand your reaction - everything in the group is public information which can be found on the web, and there's nothing shady about it.

Kind regards,
Niels Groeneveld

Richard Bejtlich said...

Niels, if you're sharing "public information which can be found on the web," what's the point?

freedomfiles said...

I was collecting a lot of information regarding the Aurora incident for my work, and thought it would be a waste of time not to share it with others who could also use the same information for further investigation, as most information was open source and non-confidential.

Apparently a lot of people understood the point, as 300+ people joined, and I got a lot of positive feedback.

The group contains technical reports, news stories, translated Chinese materials to show Chinese reactions on the incident, and so on.

What's the point of not sharing information, and not trying to make the life of others who need similar information easier by putting it all together, whether that's on a blog, on Twitter, or in a LinkedIn group?

Richard Bejtlich said...

Well, that's great if you think "Aurora" is relevant to advanced persistent threat. Recent revelations have confirmed that McAfee didn't know what it was doing and others who based research on their work followed poor leads.