Ever since the term advanced persistent threat (APT) burst onto the public scene with news of Operation Aurora, carried out against Google and other high-tech companies, allegedly by the Chinese, the security industry and media have flocked around this new type of attack. Many believed we made too much of it, that it wasn't that big a threat, or that it was no different from other security threats. Many thought that APT was over-hyped by security vendors seeking fame and fortune and by security media types looking for something to write about. But over time APT attacks have come into greater focus, and their lifecycle has been studied and understood. We now know that APTs are real and how they work. Forewarned is forearmed, and the security industry can now respond.
Perhaps one reason for so much of the controversy and confusion around APT was that, until we understood exactly what was happening in these attacks, many attacks that were in fact not APTs were attributed to them. This led to confusion and doubt. I recently had a chance to sit down with Mitchell Ashley, my podcasting partner, and Michael Sutton, VP of security research for Zscaler, to discuss APT and clear the air. You can hear the entire 20-minute conversation below.
Zscaler has built the largest security cloud in the world, and so has a tremendous amount of data in terms of malware, endpoint protection and security analysis and intelligence. Michael Sutton uses all of this to help Zscaler craft its APT defense solution. The key, according to Sutton, is understanding the lifecycle of the APT.
An APT starts with reconnaissance of the target. Unlike other types of attacks, APTs are usually not random acts against the lowest-hanging fruit. Rather, they are aimed at specific targets. Attackers don't want to waste a valuable exotic or zero-day exploit on a target that is not worth it. Once they pick their target and do some recon, delivery of the payload is next. This can be done either by something like spear phishing or by a drive-by download at a "watering hole." In the watering hole scenario, the attackers plant an exploit on a vulnerable website so that it is downloaded and installed by the site's visitors. The website is picked because it attracts the kinds of users the attackers are looking for.
Once delivery is accomplished, the attackers use Trojans or other remote-access malware to turn the target's computer into a foothold for reaching their goal. From there they probe the network to find a route to the intellectual property or other information they are seeking.
After reaching the goal, the exfiltration process begins. This can take many shapes depending on what is being stolen and how the attackers are getting it out.
As Michael Sutton states in the podcast, this means that a good APT defense can identify and stop an APT at just about any point in this lifecycle. Whether by stopping the download, defending against the malware, or identifying and blocking the exfiltration, an APT defense can stop the attack dead.
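To make the "stop it at any stage" idea concrete, here is a small added example (not code from the post, and not Zscaler's product logic) that maps egress-proxy events onto the lifecycle stages described above: delivery (an executable download), control (remote-access malware checking in on a regular timer), and exfiltration (a large outbound transfer). The log format, the sample lines, the content types, and the thresholds are all constructed assumptions for the demonstration; a real deployment would tune them to its own traffic.

```python
"""Toy APT-lifecycle correlator over constructed egress-proxy log lines.

Each line: ISO timestamp, source host, HTTP method, destination, bytes_out,
content_type.  Stage names follow the lifecycle in the text: delivery,
control, exfiltration.  Format, sample data and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic). ws-17 shows the whole chain;
# ws-22 is ordinary browsing and should produce no stages at all.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z,ws-17,GET,news.example-industry.test,512,text/html
2024-05-01T09:00:03Z,ws-17,GET,cdn.example-industry.test,204800,application/x-msdownload
2024-05-01T09:10:00Z,ws-17,POST,update.badcdn.test,310,application/octet-stream
2024-05-01T09:20:00Z,ws-17,POST,update.badcdn.test,298,application/octet-stream
2024-05-01T09:30:00Z,ws-17,POST,update.badcdn.test,305,application/octet-stream
2024-05-01T11:00:00Z,ws-17,PUT,files.badcdn.test,78643200,application/zip
2024-05-01T09:05:00Z,ws-22,GET,intranet.corp.test,1024,text/html
2024-05-01T09:06:00Z,ws-22,POST,mail.corp.test,4096,text/html
"""

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}  # assumed
EXFIL_BYTES = 50 * 1024 * 1024   # assumed: one outbound transfer over 50 MiB
BEACON_MIN_HITS = 3              # assumed: three evenly spaced call-backs = beacon
BEACON_JITTER = 0.1              # allowed relative deviation of the check-in interval
LIFECYCLE = ("delivery", "control", "exfiltration")


def parse(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, host, method, dest, nbytes, ctype = line.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "method": method, "dest": dest, "bytes": int(nbytes), "ctype": ctype}


def is_beacon(events):
    """True when one host talks to one destination on a near-constant timer."""
    if len(events) < BEACON_MIN_HITS:
        return False
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    return pstdev(gaps) <= BEACON_JITTER * mean(gaps)


def correlate(log_text):
    """Return {host: [lifecycle stages observed, in lifecycle order]}."""
    events = sorted((parse(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    result = {}
    for host, evs in by_host.items():
        stages = set()
        per_dest = defaultdict(list)
        for e in evs:
            per_dest[e["dest"]].append(e)        # already time-ordered
            if e["ctype"] in EXECUTABLE_TYPES:
                stages.add("delivery")           # payload download
            if e["method"] in ("POST", "PUT") and e["bytes"] >= EXFIL_BYTES:
                stages.add("exfiltration")       # bulk data leaving
        for dest_events in per_dest.values():
            if is_beacon(dest_events):
                stages.add("control")            # malware check-in timer
        result[host] = [s for s in LIFECYCLE if s in stages]
    return result


def earliest_block_point(stages):
    """The first stage at which a control could have broken this chain."""
    return stages[0] if stages else None


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(host, stages, "block at:", earliest_block_point(stages))
```

The point of the correlation is the ordering: a host that shows only the delivery stage is a download you can block; one that already shows control and exfiltration has slipped past the first two opportunities, and the egress filter is the last line.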
Of course, this probably sounds easier than it is, but having the Zscaler cloud behind you is a big help, according to Sutton. Michael also talked about behavioral analysis being a key to identifying and stopping APT attacks.
Zscaler is obviously not the only security vendor with an APT solution. FireEye and others have appliances and other types of solutions that are APT-specific. As always, defense in depth and best practices help thwart all types of attacks. APT attacks are real and are a unique class, but as I said at the beginning, forewarned is forearmed. You can help your organization defend against APT.
Have a listen below to the full conversation with Mitchell and Michael Sutton (if you don't see an audio player below, please reload the page).