2019: What we did to fight APTs
The 1982 masterpiece Blade Runner by Ridley Scott is one of my all-time favorites. Harrison Ford chases androids in a futuristic, visually stunning Los Angeles. The future looks bleak, and technological advances did not make the human race any happier.
The film is set in 2019. I don’t know what the world will look like 8 years from now, but I do remember what it looked like 8 years ago. In 2003 we still had no Banking Trojans; we also had no Twitter, no World of Warcraft and no iPhone.
2003 was the year of Phishing. The early attacks hit a confused financial sector, and IT Security departments found out that fraudsters could empty bank accounts without ever touching the bank’s infrastructure. They just couldn’t believe it.
The bad guys found a weak link – the end users – and this took the entire banking industry by surprise. IT Security teams did not sleep at night; they had to update the senior management and explain there was no breach of bank security, it’s those stupid account holders that just give away their passwords. Trust in emails as the means of communication with banks has all but dissolved, and even the very notion of banking online was put to the test.
Banks had no understanding whatsoever of Cybercrime. They didn’t know about fraud forums. Law enforcement agencies were even worse; their existing units were not equipped to handle these odd attacks.
Today the industry is in a completely different place. Every major bank has an eCrime unit specializing in combating Phishing and Trojans. Technologies such as risk-based authentication, transaction monitoring, out-of-band authentication, anti-phishing and anti-trojan services, fraud intelligence and secure browsing were developed over the course of just a few years and were deployed in a multiple-line-of-defense strategy. The combination of technology, knowledge and operations deployed by the banks managed to prevent a system meltdown and despite equivalent strides on the dark side – such as today’s high grade Trojans – the risk is reasonably contained.
Corporations, on the other hand, are at the opposite end of the learning curve.
The enterprise security industry is taking its first steps towards understanding that protecting the infrastructure is not enough to protect against Advanced Persistent Threats, because the APTs don’t go after the infrastructure. They go after the employees.
The bad guys found a weak link – the end users – and this took the enterprise by surprise. Ring a bell? Sense of déjà vu?
Because if you look at Advanced Persistent Threats like GhostNet, Aurora and Night Dragon, you’ll find one common thread: they all started by attacking the individual employee.
In one of my other all-time favorites, the 1983 WarGames, Matthew Broderick searches for modems connected to sensitive networks. He mapped networks and found weak spots. His attacks had nothing to do with the employees; he used weaknesses in the infrastructure.
But if Matthew were an APT hacker today, the first thing he’d do is visit LinkedIn. He’d collect intelligence on the organization’s people, not its infrastructure. Then he’d send a spear phishing email to the employees of interest.
Spear Phishing was indeed used in all three attacks – GhostNet, Aurora and Night Dragon – to trick specific employees within specific organizations into downloading a piece of malware. This allowed the attacker to take over the employee’s PC and get straight into the network.
To allow deep penetration, they install a back-connect Remote Administration Tool that pulls commands from the attacker’s C&C server. But from a network perspective, every command arrives over a connection the employee’s PC itself opened, so the traffic looks like it originates from inside. It’s the perfect crime.
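The one thing a back-connect tool cannot hide from the network is its rhythm: it has to poll the C&C server, and a poller produces outbound connections at a far more regular interval than a person browsing. As an added example (my own code, not anything from the post or from the attacks it names), the script below reads constructed proxy log lines and flags any workstation that contacts one external host at a near-constant interval. The hostnames, the workstation names and the 203.0.113.45 address are all made up for the sample; the `min_hits` and `max_jitter` thresholds are assumptions you would tune to your own traffic.

```python
"""
Added example (not from the original post): flag workstations whose outbound
connections to one external host recur at a near-constant interval, the
network-level symptom of a back-connect tool polling its C&C server.
The log lines below are constructed sample data, not real traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "timestamp source_host destination_host bytes_out".
# ws-0412 talks to 203.0.113.45 once a minute (a constructed poller);
# ws-0207 shows ordinary, irregular browsing.
SAMPLE_LOG = """\
2011-03-01T09:00:00 ws-0412 intranet.example.local 812
2011-03-01T09:00:03 ws-0412 update.vendor-cdn.example 14022
2011-03-01T09:01:00 ws-0412 203.0.113.45 310
2011-03-01T09:02:00 ws-0412 203.0.113.45 305
2011-03-01T09:03:01 ws-0412 203.0.113.45 312
2011-03-01T09:03:40 ws-0412 news.example.org 55010
2011-03-01T09:04:00 ws-0412 203.0.113.45 309
2011-03-01T09:05:00 ws-0412 203.0.113.45 311
2011-03-01T09:00:10 ws-0207 news.example.org 61230
2011-03-01T09:07:44 ws-0207 intranet.example.local 990
2011-03-01T09:31:02 ws-0207 news.example.org 58800
2011-03-01T10:15:30 ws-0207 mail.example.local 2200
"""


def parse_log(text):
    """Parse 'ts src dst bytes' lines into (datetime, src, dst, int) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_hits=4, max_jitter=0.2):
    """
    Return {(src, dst): mean_gap_seconds} for source/destination pairs seen
    at least min_hits times whose inter-arrival gaps have a coefficient of
    variation (stddev / mean) below max_jitter. Interactive browsing gives
    irregular gaps; an automated poller gives near-identical ones.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            flagged[pair] = avg
    return flagged


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: regular outbound connection every ~{gap:.0f}s")
```

Run it as-is and it reports only the ws-0412 to 203.0.113.45 pair, at roughly a 60-second cadence; the browsing traffic from both hosts is too sparse and too irregular to pass. On real logs the interesting part is the inverse: an internal host that keeps a steady appointment with one outside address nobody can account for is exactly the "commands received from the employee's PC" pattern the paragraph above describes, and it shows up without any knowledge of the malware itself.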
And that’s the new thing about APTs. Advanced? Well, yes, but things always advance. Just think back to 2003. Persistent? True, but let’s not discredit folks like Kevin Mitnick and other hackers of legend. To call them non-persistent would be an insult.
So the one new element to APTs is the fact they attack users, not machines. And this opens up a whole new world of challenges. It means protecting the infrastructure won’t do. Your users will just create tunnels for the bad guys to penetrate through all the defenses. It means you have to start thinking in terms of risk management: how do I balance the need to let employees download stuff, connect from unmanaged machines, use web 2.0 applications and social networks – against the need to protect the organization from those same employees bringing the bugs into the house?
Clearly the industry needs a new defense doctrine against Advanced Persistent Threats.
Hopefully in 2019, when we look back at what has transpired in the last 8 years, we’ll see an industry that has put up a good fight against the bad guys. My own projection is that we’ll see virtualization and risk-based, adaptive security management become the two main pillars of the defense strategy, coupled with the creation of core eCrime intelligence capabilities inside major corporations, and real-time attack information sharing between the various security operation centers. We’ll also see a more structured way of looking at risk.
So while the industry isn’t ready right now to protect itself against APTs, I’m confident that it will be done. Just think what Harrison Ford would have done against rampaging APTs. Hunt them down and kick their behind!