« In search of... Foreign Language Spam Filter for Apple Mail (Mail.app) | Main | SOPA: a great example of failing to know your enemy...or your friends »

Thursday, 08 December 2011

A practical resource for managing advanced persistent threats (APTs)

You don't have to search very hard to find some Chicken Little fluff piece heralding sky-falling doom in the form of an advanced persistent threat (APT). If your experience is like mine, however, fewer than one in ten of the resources you find do more than tell you what an APT is, warn you that you are already a victim or a victim in waiting, or promise you that you'll be better protected if you buy *this* product.

ChickenLittleAPT
Photo by Lori

Kudos to the folks at Public Safety Canada for compiling a concise report entitled Mitigation Techniques for Advanced Persistent Threats. They helpfully deconstruct APT by offering a practical, consumable interpretation of each term. 

Advanced

The context for Advanced, for example, is further broken down into sub-contexts. The Report explains that malicious software is not always advanced in the sense that it is "sophisticated" but that it is often readily available exploit code that is simply better leveraged than earlier attacks. Advanced applies more to the growing body of evidence that indicates that state actors and sponsors "select their targets and refine the attack such that selected individuals in targeted organizations become the conduit to the organization's information assets".

Persistent

The context for Persistent is also broken into aspects. The reconaissance aspects is a panoply of P's: the attackers are patient, painstaking, precise, purposeful, and persevering. The execution aspect of a APTs is very "spy" oriented: clandestine and credibly socially engineered.

Threat

The threat is simple: exfiltration of information of a sensitive or secret nature that provides an APT sponsor with "a strategic, diplomatic, military, competitive, technological or economic advantage." 

Most online resources I've found stop here (feel free to recommend any in a comment). This Report goes on to explain the chronology of an APT attack, describing each stage - reconaissance, social engineering, establishing backdoor and C&C, achieving the objective, and maintaining presence. This chronology is a great segue to the remainder of the Report because it gives context for the strategies Public Safety Canada recommends that potential target organizations should take, how to monitor for and detect potential APT activity, and mitigation measures.

The information Public Safety Canada shares in these sections is not radically new; in fact, there isn't a single monitoring, detection, mitigation or remediation measure that hasn't been recommended before. The value of these sections, however, is twofold: first, Public Safety Canada's taken the initiative to gather this information from reputable sources (Aus DSD, McAfee, RSA, GAIC...), consider the growing body of work, and then condense the information into a single reference. More importantly, by creating a single reference, it allows us to realize that defending against APTs is as much a matter of doing better what we do today, with existing instrumentation, as it is introducing new techniques or technology.  

I'm always excited to share when I find a resource that is FUD free and full of useful information. This Report doesn't contain a silver bullet, but it will lend clarity to APT discussions and it may help you define a better strategy for defending against APTs than you have today.

Posted at 09:43 AM in Anti-Malware and Anti-phishing, Malware |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories