Ever since the term advanced persistent threat (APT) burst onto the public scene with news of Operation Aurora, carried out against Google and other high-tech companies and attributed by many to China, the security industry and media have flocked around this new type of attack. Many believed we made too much of it, that it wasn't that big a threat or was no different from other security threats. Many thought APT was over-hyped by security vendors seeking fame and fortune and by security media types looking for something to write about. But over time APT attacks have come into greater focus, and their lifecycle has been studied and understood. We now know that APTs are real and how they work. Forewarned is forearmed, and the security industry can now respond.
Perhaps one reason for so much of the controversy and confusion around APT was that, until we understood exactly what was happening in these attacks, many incidents were attributed to APTs that were in fact nothing of the kind. This led to confusion and doubt. I recently had a chance to sit down with Mitchell Ashley, my podcasting partner, and Michael Sutton, VP of security research for Zscaler, to discuss APT and clear the air. You can hear the entire 20-minute conversation below.
Zscaler has built the largest security cloud in the world, and so has a tremendous amount of data in terms of malware, endpoint protection and security analysis and intelligence. Michael Sutton uses all of this to help Zscaler craft its APT defense solution. The key, according to Sutton, is understanding the lifecycle of the APT.
An APT starts with reconnaissance of the target. Unlike other types of attacks, APTs are usually not random acts against the lowest-hanging fruit. Rather, they are aimed at specific organizations or individuals. Attackers don't want to waste a valuable exotic or zero-day exploit on a target that is not worth it. Once they pick their target and do some recon, delivery of the payload is next. This can be done by something like spear phishing or by a drive-by download at a "watering hole." In the watering hole scenario, the attackers compromise a legitimate but vulnerable website and plant an exploit there, so that visitors' browsers are exploited and malware is downloaded and installed without any action on their part. The website is picked because it attracts the kinds of users the attackers are looking for.
Once delivery is accomplished, the attackers use Trojans or other remote access malware to turn the target's computer into a foothold for reaching their goal. From there they probe the network, moving from system to system to find a route to the intellectual property or other information they are seeking.
After reaching the goal the exfiltration process is then initiated. This can take many shapes depending on what is being stolen and how the attackers are getting it out.
As Michael Sutton states in the podcast, this means that a good APT defense can identify and stop an APT at just about any point in this lifecycle. Whether by blocking the initial download, defending against the malware once it lands, detecting the command-and-control traffic it relies on, or identifying and blocking the exfiltration, an APT defense can stop the attack dead.
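To make the "stop it at any stage" idea concrete, here is a small stage-aware detector written for this article (it is not Zscaler's logic, nor any vendor's). It runs three checks over constructed web proxy records for one workstation: an executable download from a destination almost nobody else in the organization visits (delivery), near-periodic requests from one host to one destination (remote access beaconing), and an unusually large outbound volume to an untrusted destination (exfiltration). The record layout, hostnames, and thresholds are all assumptions chosen for illustration.

```python
"""Stage-aware APT detection over constructed web proxy records.

Hypothetical example written for this article: the record layout,
hostnames and thresholds are assumptions, not any vendor's logic.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class ProxyEvent:
    ts: int            # seconds since midnight
    src: str           # internal workstation
    dst: str           # destination hostname
    method: str
    path: str
    bytes_out: int     # request body size in bytes
    content_type: str  # response Content-Type


# Constructed sample traffic (not a real capture). ws-07's browsing makes the
# ordinary destinations look "common"; ws-12 is the compromised host.
EVENTS = [
    ProxyEvent(36000, "ws-12", "intranet.example.com", "GET", "/news", 400, "text/html"),
    ProxyEvent(36010, "ws-12", "cdn.example.net", "GET", "/app.js", 300, "application/javascript"),
    ProxyEvent(36500, "ws-12", "intranet.example.com", "GET", "/wiki", 420, "text/html"),
    ProxyEvent(38000, "ws-12", "intranet.example.com", "GET", "/mail", 450, "text/html"),
    ProxyEvent(41000, "ws-12", "intranet.example.com", "GET", "/news", 400, "text/html"),
    ProxyEvent(36020, "ws-07", "intranet.example.com", "GET", "/news", 400, "text/html"),
    ProxyEvent(36030, "ws-07", "cdn.example.net", "GET", "/app.js", 300, "application/javascript"),
    # Delivery: drive-by download of an executable from a site only ws-12 visits.
    ProxyEvent(36100, "ws-12", "industry-forum.example.org", "GET", "/update/player.exe", 500, "application/x-msdownload"),
    # Remote access: near-periodic beacons (about every 300 s) to a CDN-looking host.
    ProxyEvent(36400, "ws-12", "cdn-stats.example.info", "POST", "/api/ping", 800, "application/octet-stream"),
    ProxyEvent(36702, "ws-12", "cdn-stats.example.info", "POST", "/api/ping", 800, "application/octet-stream"),
    ProxyEvent(36999, "ws-12", "cdn-stats.example.info", "POST", "/api/ping", 800, "application/octet-stream"),
    ProxyEvent(37301, "ws-12", "cdn-stats.example.info", "POST", "/api/ping", 800, "application/octet-stream"),
    ProxyEvent(37600, "ws-12", "cdn-stats.example.info", "POST", "/api/ping", 800, "application/octet-stream"),
    # Exfiltration: two large uploads to another rarely seen host.
    ProxyEvent(40000, "ws-12", "sync-files.example.info", "POST", "/upload", 30_000_000, "application/octet-stream"),
    ProxyEvent(40300, "ws-12", "sync-files.example.info", "POST", "/upload", 25_000_000, "application/octet-stream"),
]

EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".msi", ".jar")
TRUSTED_UPLOAD_HOSTS = {"intranet.example.com"}  # assumed allowlist


def destination_popularity(events):
    """Number of distinct internal hosts that contacted each destination."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e.dst].add(e.src)
    return {dst: len(s) for dst, s in hosts.items()}


def detect_delivery(events, max_hosts=1):
    """Delivery stage: executable fetched from a destination that at most max_hosts visit."""
    pop = destination_popularity(events)
    hits = []
    for e in events:
        looks_exe = e.content_type in EXECUTABLE_TYPES or e.path.lower().endswith(EXECUTABLE_SUFFIXES)
        if e.method == "GET" and looks_exe and pop[e.dst] <= max_hosts:
            hits.append((e.src, e.dst, e.path))
    return hits


def detect_beaconing(events, min_events=4, max_jitter=0.1):
    """Remote access stage: inter-request gaps from one host to one destination are nearly constant."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.src, e.dst)].append(e.ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # low relative jitter
            hits.append((src, dst, round(avg)))
    return hits


def detect_exfiltration(events, min_bytes=10_000_000):
    """Exfiltration stage: total upload volume to an untrusted destination exceeds min_bytes."""
    totals = defaultdict(int)
    for e in events:
        if e.method in {"POST", "PUT"} and e.dst not in TRUSTED_UPLOAD_HOSTS:
            totals[(e.src, e.dst)] += e.bytes_out
    return [(src, dst, total) for (src, dst), total in totals.items() if total >= min_bytes]


def run_pipeline(events):
    """Findings per lifecycle stage; a hit at any one stage is a point where the chain can be cut."""
    return {
        "delivery": detect_delivery(events),
        "remote_access": detect_beaconing(events),
        "exfiltration": detect_exfiltration(events),
    }


if __name__ == "__main__":
    for stage, findings in run_pipeline(EVENTS).items():
        print(f"{stage}: {findings}")
```

Each check works on a different property of the traffic (what was fetched and from how rare a place, how regular the timing is, how much left the network), so a miss at one stage does not imply a miss at the next. Real deployments would tune the thresholds against a baseline and add the behavioral analysis of the malware itself that Sutton discusses; the point here is only that the lifecycle gives several independent chances to detect.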
Of course, this probably sounds easier than it is, but having the Zscaler cloud behind you is a big help, according to Sutton. Michael also talked about behavioral analysis being a key to identifying and stopping APT attacks.
Zscaler is obviously not the only security vendor with an APT solution. FireEye and others have appliances and other types of solutions that are APT-specific. As always, defense in depth and best practices help thwart all types of attacks. APT attacks are real and are a unique class, but as I said at the beginning, forewarned is forearmed. You can help your organization defend against APT.
Have a listen below to the full conversation with Mitchell and Michael Sutton.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group's security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.