You Say Advanced I Say Structured

2010 February 16

Security professionals, industry heavyweights, forensics experts and others in the security realm are expounding many differing views of APT, which is becoming a more known buzzword thanks to media outlets (we’re no better). Many of these views are often confusing, and the fact that many in the industry aren’t privy to the full scope of an “APT” based attack is not helpful either. When I wrote the article “Defending Against the Advanced Persistent Threat”, it was based on publicly available information. Many professionals took shots at how I called it (I said that it was nothing new to see, so move along), and I still hold my ground when it comes to my views: There is nothing advanced here, so move along. Security professionals are highly competitive and rather than take cheap shots or call names, I will pick up from where I left off.

The beauty of “hacking,” from my perspective, is the passion that “hackers” have for being able to think outside the box. This “beauty” gets lost in translation for many professionals who may often overlook the technicalities involved with “hacking.” Hacking is not and never will be a measurable metric. There is not and there never can be a “risk metrics” based approach to tackle hacking. Security managers can continue to throw up numbers in what may be meaningful algorithms to themselves and their superiors, but at the end of the day you cannot measure or determine the risk of being “hacked.” The mind of a motivated and determined hacker can never be measured. Everyone has a different point of view on this issue (APT) and any writing – especially mine – is based on what is available at the time. So if there is skepticism, do not confuse this for “stupidity” or “underclued.”

With this rambling out of the way, I now turn to this article “Defending Against The Threat.” Whether structured, advanced or persistent, many of the “publicly known” attacks being disclosed could have – and should have – been prevented. You can’t say something is “white” yet also “black,” especially when there are alternatives. Grey perhaps? What if someone is color blind? How do you explain this to someone who has no concept of color? You say advanced; I say structured. After reading Mandiant’s M-Trends report [1], there is nothing that is “publicly available” in that report or any other that I have read, that stands out as “advanced” from a “hacking” or “hacker’s” perspective.  I chose to replace the term “advanced” with “structured,” and the use of “persistent” is on point and evident — however, it is also irrelevant. There is nothing “advanced” in using spear phishing. There is nothing “advanced” in backdooring a machine. While there is an “advancement” in what is done afterwards – exfiltrating specific data – we might as well say that “any” compromise is “advanced.” Nothing to see here, so move along.

M-Trends reports: “One of the key executive’s systems was compromised when he clicked on the link embedded within the e-mail, which then downloaded and executed a malicious file. The malicious file installed a fully functional command and control backdoor on their system that allowed the APT full access to the system from the Internet.” This is not a new attack nor a new attack vector, as virus and worm writers have been doing this for quite some time. Sending malicious payloads in the hopes that someone will “click that link” or “run this program” is old news. Is the word “advanced” being used by media and/or security companies because a hacker created a “snippet of code” that’s obscure, which makes security professionals scream: “They used advanced code, therefore it’s an advanced attack!”? If so, that would make all “code” used in a compromise, by definition, advanced. The attack vector described by the M-Trends report could have been defended against by training staff to avoid opening certain emails. It could have also been defended against using strong email filtering. Imagine that? An advanced defense – readily available!

First of all, filtering on an email server could have and should have blocked this threat (spearphishing), no matter what, even if the “snippet of malicious code” had no known or unknown signatures. Where did this e-mail come from? “How come John Smith who works out of Yourtown USA is sending me a PDF file from Guangdong, China?” Filter, filter, block, block. Secondly, if filtering wasn’t in place, educating staff on the dangers of e-mail could have potentially stopped this particular attack dead in its tracks. “What is John Smith talking about and, if it’s that mission critical, how come he didn’t pick up the phone, and instead he sent me an email with a PDF? Should I open this?” Thirdly, security controls play a big part. If the company used something like S/MIME, or PGP keys, the e-mail wouldn’t have been validated and the attack would have been thwarted. Many of these controls can be had for free. The cost of configuration and deployment is another issue. There are plenty of options in how to defend against these attacks and they have long been available and established.

Moving along in Mandiant’s report, it states: “More than 30 user account and password hashes were obtained from the law firm’s domain controllers. Using those valid credentials, the attacker was able to extract thousands of e-mail messages and their attachments by downloading the information from the firm’s mail servers.” This attack – called passing-the-hash – is also not new; in fact, it dates back to 1997 [2], it has many publicly available exploitation tools [3] and it can be defended against and/or minimized by using Kerberos [4]. The issue then becomes one of configuration and deployment. There is nothing advanced about this attack nor is there anything advanced in defending against it.

From a technical perspective, the hacker’s slash security engineer’s perspective, nothing explained in “documented” APT compromises is “advanced” in the sense that these attacks are – and have been – around for some time. From the “security manager’s” perspective, or someone outside of a “hacker’s” mindset – these attacks elicit a “that’s really advanced!” stance. From those in certain industries, while they may not have seen a particular attack, this does not mean it is more or less advanced than any other attack. The bottom line is: an attack is an attack is an attack, ad nauseam. “But they changed from normal text to base64! Surely that’s an advancement!” Nonsense.

From a “security vendor” perspective, an “advanced persistent threat” is horrifying and capable of crippling a company. This is not incorrect, but it alludes to a notion that this fatalistic threat can be stopped only if you hire the right experts or buy the right software. More nonsense. This is a big gripe of mine when I see a company report on “threats,” especially from a security company. I always take a skeptical point of view when it comes to these reports, because companies almost always promote their “wares” in this fashion. So the notion of getting an unbiased view from a security vendor regarding security is almost non-existent. Many companies tweak information to their liking and, whether professionals publicly admit to this, one would have to be naive to think it doesn’t occur. For example: “Statistics show that…”, “One out of every three people…”

Richard Bejtlich [5] has perhaps the most outstanding and informative material on the subject of Advanced Persistent Threats [6], and I sincerely respect his knowledge, approach and expertise in the security arena. However, as stated, I believe some people tend to isolate themselves, which can lead to chest-thumping, misinterpretations, misunderstandings, etc… whatever the case may be. If you ask me, I will tell you: “Advanced Persistent Threats” are nothing new. Governments, companies, even husbands and wives have performed “targeted” attacks for eons. The explanations of APT – at least most of what is publicly available – still make me wonder how companies managed to make it through compliance using such highly vulnerable software listed in the Mandiant report. Almost all “commercial off the shelf” vulnerability analysis tools would have flagged the software described in the report, given that APT – for all that is publicly known – is actively attacking OLD software. Regardless of the method of payload delivery (PDF, IE, e-mails), it is actively attacking exploitable software which has had security advisories going back almost half a decade. These are pure facts. If hackers are actively attacking specific versions of software, perhaps it’s time to rid yourself of that threat. You would be the fool to continue using that software – period. Many security professionals have been pounding their hands on the table now concerning the use of certain products. Maybe it’s time those in suits take a step back and listen to their staff?

For those security professionals thinking about “creative responses” such as: “We can’t update this legacy system because of…” or “You don’t know what’s involved in an enterprise…” I suggest that you take a logical approach: Would you apply a band-aid to a wound that has been bleeding for years now? Don’t you think it’s time you sought medical attention? The band-aid is obviously doing nothing, isn’t it? So whether it’s a browser, PDF reader, e-mail client, etc., security solutions are available to fix the problem. However, the fixes may involve a level of resources that may not be immediately available, due to time constraints or lack of training. Move away from using “exploitable” software or suffer the consequences. You cannot have it both ways: Choosing to use exploitable software – and staying secure. It’s one or the other. This is not “advanced”, “perplexing” or “complicated” logic; it is just common sense. Anything else is marketing, either by way of someone touting a security product, or someone who is not creative enough to find a solution to the problem.

My recommended solution would be to rid oneself of the offending (exploitable) program, install strong SIEM and have the staff tasked with monitoring the SIEM understand what they need to look for. Surely, if a connection is being made in a suspect fashion (out of the blue) to China or anywhere else, act on it. Again, if China or any other country is the threat, one could go as far as enabling strong firewall rules both on the host and the perimeter. Case closed: Nothing to see here, so move along. For those whining about it by saying “it would cost a fortune!”, I ask them: What’s worse, the cost of implementing a fix or the cost of your business being compromised? For those whining about “legacy” apps, I ask you, at what point do you look for an alternative? Force the vendor’s arms to implement changes. You are after all the consumer paying the vendor. In this economy, I’m sure there are plenty of vendors willing to work with your business. Anything else is just an “Advanced Persistent Excuse” not only from your vendors, but from inexperienced individuals who aren’t willing or able to think outside the box.

“You have no clue, you can’t block China!” sayeth the manager. Why can’t you? Surely, if there is no reason for your machines to be making random outbound requests to China at odd hours, there is no reason why you cannot have time-based rules to block that or any other country. I suggest security managers and professionals take a realistic view of security as a whole instead of following the herd. Speak with your team. For the sake of your business, I hope that there is no ‘I’ in that ‘team.’ Good luck!
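
The off-hours, unexpected-country check argued for in the last two paragraphs, sketched as an added example (not code from the original article). The log format, the CIDR-to-country table, the expected-country set and the business hours are all constructed assumptions; a real deployment would read its own firewall logs and a GeoIP database.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed CIDR-to-country table built on RFC 5737 documentation ranges.
GEO = {"198.51.100.0/24": "US", "203.0.113.0/24": "CN", "192.0.2.0/24": "DE"}
EXPECTED = {"US"}              # assumption: countries this business talks to
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time

# Constructed firewall log lines: timestamp src dst dport action
LOGS = """\
2010-02-15T10:12:03 10.0.0.21 198.51.100.7 443 ALLOW
2010-02-15T14:30:41 10.0.0.35 203.0.113.9 443 ALLOW
2010-02-16T02:47:19 10.0.0.21 203.0.113.9 443 ALLOW
2010-02-16T03:05:55 10.0.0.21 203.0.113.9 8080 ALLOW
2010-02-16T03:10:00 10.0.0.44 192.0.2.80 80 DENY
malformed line
"""

def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEO.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return "??"  # unknown destinations count as unexpected

def verdict(line):
    """Return (verdict, src, dst, country), or None if expected or unparseable."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, _port, _action = parts
    try:
        hour = datetime.fromisoformat(ts).hour
        cc = country_of(dst)
    except ValueError:
        return None
    if cc in EXPECTED:
        return None
    # Time-based rule: unexpected country is reviewed in hours, blocked off hours.
    return ("review" if hour in BUSINESS_HOURS else "block", src, dst, cc)

def findings(log_text):
    return [v for v in map(verdict, log_text.splitlines()) if v]

def repeat_offenders(log_text):
    # Internal hosts with more than one off-hours hit: first candidates for IR.
    hits = Counter(src for v, src, _d, _c in findings(log_text) if v == "block")
    return {s: n for s, n in hits.items() if n > 1}
```

On the constructed log, `findings(LOGS)` returns four entries and `repeat_offenders(LOGS)` singles out 10.0.0.21, the one workstation that contacted the unexpected destination twice in the early morning.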

[1] http://www.mandiant.com/products/services/m-trends
[2] http://www.securityfocus.com/bid/233/info
[3] http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2008-11/msg00087.html
[4] http://oss.coresecurity.com/projects/pshtoolkit.htm
[5] http://taosecurity.blogspot.com/
[6] http://taosecurity.blogspot.com/search?q=apt
