The traditional approaches to securing critical business data and intellectual property are no longer enough to tackle APTs. Here’s why and what enterprises can do about it
By Sanjay Gupta and Harshal Kallyanpur
For the past few years, a new abbreviation has been frequently thrown about in security circles: APT. Expanded, it stands for Advanced Persistent Threat, but elaborated, it leads one into a complex web of origination, incidents and continuing evolution.
“APTs gained notoriety about 4-5 years back, especially with the media awareness of such attacks as the ‘Aurora’ growing tremendously. Now, APTs are extremely common,” says Felix Mohan, Global CISO, Bharti Airtel.
Aurora or ‘Operation Aurora’ refers to a cyber attack on dozens of global organizations that began in mid-2009 and is believed to have ‘persisted’ through to the end of the year. It was first brought to light by Google, which was one of the affected companies, alongside Adobe, Juniper, Morgan Stanley, Yahoo, Symantec, Dow Chemical and many others. According to reports, Aurora’s main goal was to gain access to, and modify, source code repositories at the attacked companies. The perpetrator is believed to be the Beijing-based Elderwood Group, with affiliation to the Chinese army.
More recently and closer to home, India’s Defense Research and Development Organization (DRDO) and Defense Research and Development Lab (DRDL) were attacked, and it is alleged that critical files were stealthily transferred or copied to a server in China.
Commenting on the Indian attacks for an earlier story in Express Computer, Sharda Tickoo, Product Marketing Manager at Trend Micro, had said that the attacks were “pre-meditated, politically motivated, and nothing short of cyber warfare.”
Worldwide, there is a growing incidence of APTs, which have not spared even those whose business it is to counter such attacks.
No one is immune
It would be wrong to assume that APTs affect only large organizations or have only a political agenda. “Most organizations are not even aware that their security might have been breached,” says Mohan. He believes that security at more than 85% of companies of all sizes might be breached already.
“No company, whether Indian or non-Indian, can be safe from APTs,” says Satish Warrier, CISO, Godrej Industries.
According to Sandeep Godbole, who is a member of ISACA, a worldwide association of audit and security professionals, as many as 21% of organizations have experienced some kind of APT—with the figure being 19% for Asia. No detailed audits or figures on APTs are available for India, at least not thus far. But it is assumed that they are on the rise and can potentially cause serious damage to the intellectual property and other sensitive data in companies across various sectors, especially BFSI, government and telecom.
In fact, 65% of security professionals believe it is only a matter of time before they are hit, reveals Godbole.
One of the reasons these threats are growing alarmingly is that the motives of hackers are changing—from the thrill of taking control of servers and computers to monetizing their feats. “Now there are well-funded groups and communities for carrying out APTs, with huge resources at their disposal,” says Vishak Raman, Senior Regional Director – India & SAARC, Fortinet.
Warrier offers some interesting observations about APTs, which he says are generally for a social cause (such as the Stuxnet attack that targeted Iran’s nuclear program) or executed by groups that strongly oppose Internet censorship and surveillance.
“All the APTs have happened as a response to certain incidents. In most cases, the primary objective was to create disruption and not monetary gain. In the case of RSA, hacking happened about a month after it announced its CyberCrime Intelligence Service. In the case of Sony PlayStation, the attack was in retaliation for having taken legal action against certain hackers. US security firm HBGary was attacked after they claimed to know the identities of the leaders of Anonymous,” he says. (Anonymous is a world-famous hacktivist group.)
However, Anand Naik, Managing Director – Sales, India & SAARC, Symantec, offers a different view. “Cyber criminals are looking at financial gains mostly by taking advantage of visibility and protection gaps in IT environments. As organizations embrace newer technologies like cloud to evolve their security measures to protect online transactions, attackers are seen constantly adapting to the counter-measures by introducing advanced trojans. In fact, attackers are getting never-before-seen access to people’s information as employees connect with multiple vendors/parties and friends on various platforms, resulting in greater risk,” he says.
So, the ideas about APTs differ as widely as the attacks themselves. But nobody seems to dispute the seriousness and rise of these threats.
How APTs work
APTs often come to light only at a late stage, after the perpetrators have taken the data they wanted or done the harm they intended. The advanced, persistent and usually well-targeted nature of the attacks means that they stay hidden from the security lenses of most organizations.
According to a guide book on next-generation threats by Steve Piper, CEO of research and marketing firm CyberEdge Group, APTs—also known as ATAs or advanced targeted attacks—are sophisticated network attacks in which an unauthorized person gains access to a network and stays undetected for a long period of time. The intention of an APT, writes Piper, is to steal data rather than to cause damage to the network. Further, APTs target organizations in sectors with high-value information, such as credit card processors, government agencies, and financial services.
The hackers and cyber criminals associated with APTs are said to be experts at flying below the radar to avoid being caught while “exfiltrating” data from the targeted organizations.
While the way APTs are executed may vary, this is broadly how an APT works: the attacker first chooses a target and makes an initial intrusion through system exploitation. Next, malware is installed on the compromised system and an outbound connection is established. Alongside this, the attacker spreads the “tentacles” laterally within the organization, compromising more machines. Finally, once the data sought has been accessed and compiled, it is extracted or exfiltrated to the desired remote server or location.
“An APT is a composite of multiple attack vectors,” says Raman of Fortinet. This is in contrast to the traditional or uni-directional attacks.
Explaining the mode of operation, Symantec’s Naik says, “In targeted attacks, hackers typically break into the organization’s network using social engineering, zero-day vulnerabilities, SQL injection, targeted malware, or other methods. Incursion is often accomplished through the use of social engineering techniques, such as inducing unsuspecting employees to click on links or open attachments that appear to come from trusted partners or colleagues. Unlike the typical phishing attack, such techniques are often fed by in-depth research on the target organization.”
Social engineering is often cited as one of the most common tools employed in an APT. Information available about individuals and their habits in the public domain often comes in handy to attackers. “Social media is a good place where criminals pick up information that can help them in making an attack,” says Mohan.
“Once the hacker finds the weakest link, he will exploit the weakness, gain an entry and move inside the organization. He knows exactly what he wants and he will then execute the attack which could span over months,” says Avinash Kadam, Adviser, ISACA.
There are some who think that zero-day vulnerabilities are essential components of APTs. However, Michael Sentonas, Vice President and Chief Technology Officer – Asia Pacific, McAfee, debunks this. “It would be very wrong to say that zero day is the only way of launching an attack by an APT. It could be through breakdown of a process or engineering, or the attack could happen through traditional techniques or existing malware,” he says. “An APT is unique in the sense that it tries to compromise specific targets, and the attackers will use a combination of whatever attack methods are easiest for them to compromise that target.”
Govind Rammurthy, MD and CEO, eScan, is of the view that APTs cost money, time and manpower. “Because these threats have got to be really organized for them to succeed, they are planned and executed by highly motivated and affluent organizations and individuals,” he says.
Going unnoticed
The amazing—and quite worrying—aspect of APTs is that they can remain undetected for weeks, months or even years. How is that possible in a world full of anti-virus software, firewalls and sundry other security tools and solutions?
For one, by their very nature, these threats are “designed” to go unnoticed. According to the RSA report When Advanced Persistent Threats Go Mainstream, APTs are typically highly targeted, thoroughly researched, amply funded and tailored to a particular organization—employing multiple vectors and using “low and slow” techniques to evade detection. So it is not that some highly ambitious or fame-hungry attacker is trying to make a splash with their exploit; rather, an APT involves a complex web of low-lying tactics, and attackers work cautiously and gradually.
According to Kartik Shahani, Country Manager, RSA, in case of APTs, the attackers are very patient. The focus is on information gathering (so as to develop a well-planned attack) and keeping this process low and slow such that it is not evident. Unlike malware or other traditional forms of attacks that are quick to spread, APTs have all the time in the world to build and launch an attack.
Another reason given for the failure of organizations to detect APTs is that the traditional way of protecting the network relies on what is called the “signature-based” approach. In this approach, security software matches traffic and files against signatures of known viruses and malware that have been reported to wreak havoc on networks before access is allowed; the traffic or request is blocked in case of a match, and anything with no known signature is let through.
What the attackers typically exploit for APTs are zero-day vulnerabilities in software—flaws not yet known to the developers, and hence unpatched, which hackers can use to insert malware or gain unauthorized access to systems. (It is believed that the Stuxnet APT simultaneously exploited as many as four separate zero-day vulnerabilities.)
According to Sentonas of McAfee, in many cases, network security and the architectures in place are so basic that people looking to penetrate the network and compromise information have done so using trojans that were developed three or four years ago.
“If the attacker can use a 5 to 10 year old technique and penetrate the network and get access to the intellectual property that’s a pretty concerning scenario to me. That being said, there are examples of attacks that are very complex and used techniques that are very hard to discern,” he says.
According to Ramsunder Papineni, Regional Director – India & SAARC, FireEye, a startup that is aggressively positioned in the APT space, “Traditionally, players like Symantec and McAfee have all been using signature matching to secure networks. Those were the times when the hackers’ agenda was to bring the victims’ network down. However, in times of cyber wars and corporate espionage, the objective of the attackers is to intrude into the victims’ network to get confidential data.”
Papineni claims that vendors such as FireEye offer differentiated solutions that rely not just on signatures and monitoring but go beyond them. “We put the box on the network behind the firewall and for this reason we are also referred to as the last leg of defense. We have a multi-vector virtualization engine (MVEX) that detects and blocks attacks across all vectors—web, email, file and mobile. We prepare signatures on the fly without depending on the cloud,” he says.
What FireEye does is essentially replicate the organization’s environment in a virtual machine, so that in the event of an attack, while the hackers believe they have hit the real system, it is only the virtual machine that is affected.
In fact, a new stream of vendors has flowed in recently to fill the APT space with their specific solutions: Mandiant, CrowdStrike and Damballa, among many others.
The niche players make tall claims about what they can do to tackle APTs, but vendors such as Fortinet dismiss them as marketing spiel. “It is not possible to offer complete mitigation; all you can do [in the event of an APT] is post-mortem,” says Raman.
Given that India is still new territory when it comes to tackling APTs, it remains to be seen how the new solutions fare compared to those offered by traditional vendors. Nevertheless, most people Express Computer spoke to agree that in security, any new tool supplements rather than replaces any previous solution—and enterprises need to take a layered approach by using multiple solutions at various levels.
What CISOs should do
There is no silver bullet that kills an APT, least of all one that nips it in the bud. At best, organizations can be extremely cautious, conduct a lot of training (for both IT and non-IT employees) and adopt best practices, in addition to deploying security solutions in a layered defense.
According to Amith Nath, Country Manager, Trend Micro, “APTs look for a point of entry from where they can spread within the network. They are often very customized in nature and one attack can differ vastly from another. That is why organizations are looking to adopt the custom defense approach to APTs.”
The vendor has come up with Deep Discovery, which takes a “sandboxing” approach and also monitors outbound communication to assess threat patterns.
Raman of Fortinet suggests that CIOs and CISOs should take a three-pronged strategy to prep their organizations to tackle APTs. “They should have a good back-up plan, should look to increase their threat intelligence, and deploy smart monitoring systems to detect any suspicious traffic or patterns.”
“Information security heads need to understand that they cannot fully secure their enterprises with yesterday’s technologies,” says Mohan of Airtel. “They must deploy tools that can analyze the anomalies in the flow of network traffic. In addition, a very focused approach to end user awareness and training is essential.”
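The contrast between the signature-based approach described under “Going unnoticed” and the traffic-anomaly tools Mohan calls for above can be shown concretely. The following Python script is an added illustration written for this article, not code from any vendor or person quoted here. It builds a small, constructed connection log (hosts, destinations, byte counts and timestamps are all invented) in which one workstation checks in with an unknown destination every ten minutes or so and later pushes one large upload. A signature lookup against a “known bad” list catches only the destination already on the list; two simple behavioral checks, regularity of connection timing and an upload far above the host’s own norm, flag the unknown one. The thresholds are assumptions chosen for the sample data, not tuned values.

```python
"""Signature lookup versus traffic-flow anomaly checks on a constructed log.

Added example for this article; not from the page, any vendor or interviewee.
All hosts, destinations, sizes and thresholds are constructed/assumed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed: destinations already on a "known bad" list, standing in for a
# signature database of previously reported malware infrastructure.
KNOWN_BAD = {"old-botnet.example.net"}

# Constructed connection records: (minute offset, source host, destination, bytes out).
LOG = [
    # Ordinary browsing and mail from two workstations: irregular timing, small uploads.
    (1, "ws-07", "mail.example.com", 4_000), (3, "ws-07", "cdn.example.org", 900),
    (7, "ws-12", "mail.example.com", 3_500), (16, "ws-07", "intranet.corp.example", 2_000),
    (25, "ws-12", "cdn.example.org", 1_100), (44, "ws-07", "mail.example.com", 5_200),
    (61, "ws-12", "intranet.corp.example", 1_800), (90, "ws-07", "cdn.example.org", 700),
    # One connection to infrastructure that is already on the signature list.
    (30, "ws-12", "old-botnet.example.net", 500),
]
# Constructed "low and slow" check-ins from ws-07 to a destination nobody has a
# signature for: every ten minutes with a minute of jitter, ~600 bytes each.
for i, jitter in enumerate([0, 1, 0, -1, 0, 1, 0, 0, -1, 0]):
    LOG.append((5 + 10 * i + jitter, "ws-07", "update-check.example-cdn.net", 600))
# Constructed staged upload: one 40 MB push to that same unknown destination.
LOG.append((110, "ws-07", "update-check.example-cdn.net", 40_000_000))
LOG.sort()


def signature_hits(log, known_bad=KNOWN_BAD):
    """Signature approach: report only destinations already on the list."""
    return sorted({dst for _, _, dst, _ in log if dst in known_bad})


def beaconing_pairs(log, min_connections=6, max_cv=0.25):
    """Flag (host, destination) pairs whose connection intervals are near-constant.

    cv = standard deviation / mean of the gaps between connections. Human-driven
    traffic is bursty (high cv); a scheduled check-in is regular (low cv).
    Returns {pair: cv} for flagged pairs.
    """
    times = defaultdict(list)
    for t, host, dst, _ in log:
        times[(host, dst)].append(t)
    flagged = {}
    for pair, ts in times.items():
        if len(ts) < min_connections:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            flagged[pair] = round(cv, 3)
    return flagged


def volume_outliers(log, factor=20):
    """Flag single connections whose upload dwarfs the host's median upload."""
    per_host = defaultdict(list)
    for _, host, _, size in log:
        per_host[host].append(size)
    outliers = []
    for t, host, dst, size in log:
        sizes = sorted(per_host[host])
        median = sizes[len(sizes) // 2]
        if size > factor * median:
            outliers.append((host, dst, size))
    return outliers


def summary(log=LOG):
    """Run all three checks so the difference in coverage is visible side by side."""
    return {
        "signature": signature_hits(log),
        "beaconing": beaconing_pairs(log),
        "volume": volume_outliers(log),
    }


if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name:10s} -> {result}")
```

On this sample, the signature check reports only old-botnet.example.net, while both behavioral checks point at ws-07 and update-check.example-cdn.net, the pair that no signature would ever have matched. The checks are deliberately simple: a real deployment baselines per host and per destination over days, and an implant that randomizes its check-in interval widely will push the coefficient of variation above a fixed threshold, which is why such tools combine several weak signals rather than relying on one.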
Information security is heading toward what Mohan calls Infosec 2.0. “The focus of Infosec 1.0 was on protection; risk management became important in the Infosec 1.5 phase; now, it is all about business enablement,” he says.
Observes Sentonas of McAfee, “When you’re dealing with organized cyber crime groups, there could be tens or thousands of attackers working together to penetrate an organization. An IT staff of 20 or even 250 people would be fighting against an adversary that could be better skilled and better trained, which makes it very hard to deal with.”
He suggests that while there are many security technologies to help protect against attacks, it largely comes down to what the focus of the organization is. Ultimately, the organization needs to work out what its ‘crown jewels’ are and focus on technologies that can help it protect them.
In the opinion of Sameer Ratolikar, CISO, Bank of India, the current solutions are focused on detection rather than prevention. “However, if organizations need a preventive approach, they would need to invest in such solutions, resources and manpower—which would mean increasing the security budget from the current range of 4-8% of the total IT budget,” he says.
According to Ratolikar, however, such days are coming and the top management is becoming increasingly sensitive to the issues related to security.
(With contributions from Mehak Chawla and Heena Jhingan)