The ongoing struggle to define APTs
Spectrami explains why organisations need to concentrate on stopping advanced persistent threats
Since the beginning of 2006, the IT sector has seen a new information security industry emerge, with new certifications, job roles and titles. This emergent workforce did not grow up with the lore of old, nor with the curiosity that would push past some of the mystical boundaries imposed on mastering IT by understanding the weaknesses and strengths of one side or the other. This new industry has propelled information security and hacking to new levels of mystical proportion, creating a bit of a security bubble and more hysteria.
One would have expected that, with all the changes made to security since the “CodeRed” and “Blaster” worms, things might have evolved. Unfortunately, as an industry, not much has changed. We still do not have new vendors explaining what software assurance is, nor sharing the results of a black box penetration test. We still do not have OS vendors openly shipping cryptographically signed binaries in all releases, or publishing a “known-good” integrity hash set to baseline against.
The industry has seized on the term “advanced persistent threat”, yet has defined it only vaguely as a whole. We have greater financial uncertainty, which in turn gives strength to attackers, specifically in organised crime and the digital underworld. As uncertain times have grown, I have observed parallel attacks between two distinct groups merging. The first concerns traditional organised crime groups adding electronic cyber capabilities to their arsenal. In the mid-2000s the IT industry observed this a great deal, where a mixture of human and software compromise, together with compromise of related network components and processes, was utilised in advanced attacks against financial institutions for financial gain. Even in the cases that become public today, this was, and still is, an advanced threat – a threat much more persistent than your standard Chinese-based compromise.
The second threat observed is the hybrid of state-sponsored attacks with the organised digital underworld and insider threats – industrial espionage, but with a twist. Scrolling back through the years, hacking used to just be hacking, but the world has changed, and hacking and/or cyber warfare cannot always be treated as a commodity. The cost of these threats is much greater than the simple cost of responding and investigating. Competitors know this, and they know that the cost of response, from the initial response assessment through the investigation, can be thought of as a write-off and something to ignore.
As we look into this year, you must pay close attention to the cost of your information, your secrets, and the large and small decisions being placed in even the smallest software and hardware purchases. No longer are you threatened by a standard hacker in his basement. You are facing adversaries who want your information, your blueprints, your address book and your business. If ever there is a time to invest in things that provide assurance and some level of integrity, it is now. All of the detection-based products and processes cannot give you assurance, because they do not have a baseline of your known good against which to identify a known bad.
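The “known-good” baseline the article keeps returning to (a signed or out-of-band integrity hash set, and a later scan diffed against it) is simple to build. The following is an added example, not code from the article or from Spectrami; it hashes a directory tree with SHA-256, stores the result as a baseline, and classifies every later difference as modified, added or removed. The directory layout, file names and contents in `demo()` are constructed for illustration.

```python
"""Known-good integrity baseline: hash a file tree once, then diff a later
scan against it. Added example; not code from the article or from Spectrami."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest.
    Symlinks are skipped so a link pointing outside the tree cannot stand in
    for a baselined file."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root).as_posix()
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(known_good: dict, current: dict) -> dict:
    """Classify every difference between the known-good set and a fresh scan."""
    known = set(known_good)
    now = set(current)
    return {
        "modified": sorted(p for p in known & now if known_good[p] != current[p]),
        "added": sorted(now - known),
        "removed": sorted(known - now),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then change it and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "server").write_bytes(b"\x7fELF original")  # constructed
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")  # constructed
        known_good = build_baseline(root)

        # Changes made after the baseline was taken (constructed).
        (root / "bin" / "server").write_bytes(b"\x7fELF tampered")
        (root / "etc" / "app.conf").unlink()
        (root / "etc" / "unexpected.sh").write_text("#!/bin/sh\n")
        return compare_baseline(known_good, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline only gives assurance if it is taken from a trusted state and stored where the monitored host cannot rewrite it (signed, or kept off-box); a baseline that lives beside the files it describes can be updated by the same intrusion it is meant to catch. Digests of vendor-signed binaries, where a vendor publishes them, are the natural seed for the known-good set.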
More than two years ago, RSA admitted it had been compromised. As the industry reeled from this, we learned that the seed files, which are a key component for breaking the encryption of RSA, had been stolen. More recently, reports from the Snowden intelligence dumps have also revealed that the NSA paid a minimum of $10m to be able to introduce flaws into the random number generator process that creates these seed files for entropy, and thus the basis for RSA keys. Coupling these two events together, one has to assume that a primary vulnerability in most random number generators used by available encryption algorithms has likely been compromised over the years. The Chinese knew this and quickly exploited the fact in 2011 with the compromise of RSA. If we are concerned about financial security, or about the GDP of an entire country, when state-sponsored actors or sophisticated groups are looking to exploit weaknesses that can amass great rewards, we must treat the vulnerabilities already sighted as a warning sign for related vulnerabilities, and strategically assess and plan accordingly.