Advanced Threats: The New World Order

Cyber-criminals today invest time, energy and resources to tailor their attacks to a particular target. It is no longer plausible to depend on signature-based technologies to protect yourself.

Enterprises of all types need to start living in a contested environment where they assume their security has already been compromised, and build out a defensive capability that does not rely on the trustworthiness of any part of their IT infrastructure or personnel.

Read this in-depth resource now to explore the state of advanced threats on the front lines, as seen by the companies, law enforcement officials and government leaders.



Document Transcript

Advanced Threats: The New World Order
RSA APT Summit Findings
October 2011

Executive Summary

In July 2011, RSA and TechAmerica hosted a closed-door meeting with more than a hundred of the most influential security leaders in industry and government on the topic of advanced persistent threats (APTs). The highly interactive event drew out many key insights on APTs, as well as broader advanced threats deployed by today’s most sophisticated attackers. Delegates discussed the complex topic of managing the security of end users, who are often the entry point of choice for advanced threats. The summit included a discussion on our industry’s problems with information sharing on advanced threats in both the public and private sector. The lack of threat information exchange allows attackers to beta test attack methods on one enterprise to perfect them before unleashing them on their actual target.

Attackers are willing to invest significant time, energy and resources to tailor their attacks to a particular target. This customization makes a dependence on signature-based technologies untenable. As one delegate put it, “They won’t attack you at your defenses. They’ll attack you where you’re weak, whether it’s processes or people or technology.” The direct consequence is that enterprises need to live in a contested environment—assume their security has already been compromised—and build out a defensive capability that does not rely on the trustworthiness of any part of their IT infrastructure or personnel.

Security threats are not just problems for the organizations they’re directed against; they’re now a problem for whole corporate ecosystems. Shoring up the supply chain and gaining greater visibility into vendors and business partners is critical. “Our goal is not to do defense perfectly; it’s to interrupt the bad guy’s life cycle at multiple points,” said one delegate.

This paper looks at the state of advanced threats on the front lines, as seen by the companies, law enforcement officials and government leaders.
Contents

2011: The Year of the Breach?
Targeting Trends: From Cookie Cutter to Adaptive
People: The Weakest Link
The Iron Curtain of Information Sharing
Attackers Aim for Advantage, Not Infamy
Cracking Organizations Through Their Supply Chains
Threat Disclosures: I’ll Show You Mine Only If You Show Me Yours
The New Normal: Act as Though You’re Already Hacked
The Road Ahead

RSA White Paper
2011: The Year of the Breach?

In a conference room in the heart of Washington, D.C., senior officials from the U.S. Congress, the FBI, the NSA and top executives from some of the world’s largest companies gathered to discuss a mounting security crisis. It was mid-July, but the weather was mild, perfect for an escape during lunch or a break. For hours on this day though, no one opted for sunlight. There had been a spike in cyber espionage—electronic attacks aimed at stealing highly valuable data such as intellectual property, product designs and government secrets. The mood in the room was concern and curiosity: How prevalent were these attacks? Where were these attacks headed? Were cybercriminals and hacktivists starting to use similar techniques? Were any revelations likely? Some delegates listened quietly during the morning as their peers spoke; others yelled out from the floor. Every voice in the room had experiences worth sharing.

This meeting, dubbed the Advanced Persistent Threats Summit, arose from a string of severe security incidents in early 2011. By May, some had already dubbed 2011 “the Year of the Breach.” News headlines were dominated by reports of high-profile security attacks, some launched by “hacktivists” such as Anonymous and LulzSec. But something larger was brewing. Amidst hacktivists’ attacks on Sony, HBGary and NATO, highly sophisticated, clandestine attackers—the kind with the rarefied expertise, deep pockets and specialized resources typically only seen in nation-state adversaries—were actively infiltrating a broad range of targets. These attacks were different: they were patient, stealthy and leveraged a potent combination of technical skill and social savvy. Some used clever social engineering to get a foothold into their target organizations, while others used zero-day vulnerabilities—previously unknown holes in software—to penetrate defenses.

While advanced attacks have happened for years, summit delegates observed recent attacks had grown bolder and more frequent. Recent attacks were also highly targeted, customized, well-researched and, in many cases, employed both technical and social components. The term used to describe such complex, sophisticated attacks was “advanced persistent threats” (APTs), but as delegates quickly pointed out, APTs were only as advanced as they needed to be to get the job done. A concrete definition is elusive and, one delegate cautioned, “Defining it could limit us and lead us to be blind-sided. We need to constantly revisit the characteristics because they’re always changing.”

Much of the day’s focus was on the techniques of highly organized attackers. Such advanced threats, which include APTs, span from corporate espionage to hacktivism. For nine hours, summit delegates discussed, debated, shared and opined on the state of advanced threats. This paper distills certain key insights from those discussions and aspires to advance the industry’s dialog on advanced threats, spur disruptive innovation and disseminate learnings from some of the most seasoned professionals in information security.
Targeting Trends: From Cookie Cutter to Adaptive

In 2000, the ILOVEYOU worm crippled more than 50 million PCs. The delivery mechanism was simple but effective: an e-mail showed up in your in-box with a subject line of “ILOVEYOU.” When people clicked on the e-mail’s attachment, titled “LOVE-LETTER-FOR-YOU,” they were infected with a computer worm. While the damage was significant, a partial solution to this problem came in the form of antivirus software: a signature could be deployed to antivirus agents that would identify the file as malicious and arrest its actions. Today, generic malware is still profuse but signature-based defenses, at either the network or host layer, can greatly decrease the odds of infection.

What makes recent advanced threats different is their defiance of a signature. In the world of advanced threats, malware evolves quickly, and summit delegates described several cases of special-purpose malware custom-developed specifically for their targets. Some were compiled within hours of launching the attack. It became clear from the testimonials of delegates and speakers that enterprises targeted by highly organized attackers cannot depend on signature-based “bread and butter” security tools as a sole means of defense.

While the payloads of some advanced threats were fairly standard, entry strategies were often custom tailored. Attackers typically used social networking sites to gather intelligence and identify specific users within an organization. Some of the main infection vectors the delegates cited were e-mail, Skype and instant messages with malware payloads in the form of PDFs, compressed HTML, script files, executables and attachments. Customization of attack techniques extends through data exfiltration. Advanced threats often use sophisticated methods for compressing, encrypting and transmitting data to other compromised organizations, leaving little evidence of the origin of the attack or the destination for stolen information.

This move from generic to tailored, from cookie-cutter to adaptive, means that security organizations need to think beyond signatures and reevaluate how effective their current defenses are. Summit delegates indicated that people, not technology, were the Achilles heel in most defensive strategies.

People: The Weakest Link

“People are the weakest link” is perhaps the biggest cliché in information security. Security executives have long understood that users make bad choices, click on links they shouldn’t and install malware through simple ruses. Corporate IT departments deploy multiple controls to help deal with this threat: e-mail filtering solutions catch many attacks before they make it to users, malicious links are blocked by the network, network scanners look for malicious content, and host-based antivirus (the last line of defense) tries to stop what slips through the cracks. This process works well for generic, shotgun attacks in that signatures can be updated quickly to immunize users. Advanced attackers, however, are now creating highly credible scenarios in which they convince users to click on dialog boxes warning of fake software updates, retrieve content from quarantined areas and act (unknowingly) on behalf of the attacker.

The “people problem” emerged as one of the summit’s key themes. Delegates were polarized on whether employees could be educated to act more responsibly. When presented with the statement, “It is possible to educate the workforce to protect against most phishing attacks,” 35% either agreed or strongly agreed, 57% disagreed or strongly disagreed, and the rest were neutral.
Summit delegates observed that attackers have become dangerously adroit at using our weaknesses and behaviors against us. Attackers are creatively leveraging people inside the company to help accomplish their goals. “Internet scams are supposed to be sloppy,” said one delegate. Advanced threats defy that stereotype. Another delegate put a fine point on it: “The perimeter is not a firewall; it’s our users. They don’t treat their computer as an adversary; they treat it as a tool—an extension of themselves—so they don’t question what it tells them.”

Addressing the people problem will take more than technology. Organizations need to drive a sense of personal responsibility for security among employees.

The Iron Curtain of Information Sharing

The discipline of information security is much more collaborative than outsiders expect. At an individual level, security professionals are generally open to sharing ideas, best practices and insights. In some areas, however, such as discussing the details of a breach or attempted breach, serious challenges exist. Additionally, legal and technical frameworks for rapid information sharing among organizations are largely immature. This exposes one of our greatest weaknesses as an industry: the lack of real-time threat intelligence.

Further impeding progress is a lack of metrics for gauging competence in information security. Excelling at defense is not easily recognized, but failure is readily condemned. This harsh, binary environment makes organizations reluctant to share information about security attacks—particularly ones that are successful. Sharing timely threat information, however, is critical to adaptation. Now more than ever, defenders need to be agile. As one delegate put it, “You can never know enough to defend yourself by looking within your borders. You need to look at the space around you, look at the horizon to see what’s coming.”

The dearth of information sharing about security threats among organizations emerged as a key theme of the summit. Several explanations were offered for this: the lack of a proper forum where confidentiality would be preserved, the lack of real-time mechanisms for exchanging threat information (a critical need when attacks evolve quickly), concern over how the public would view news of an attack, and a concern about legal liabilities in disclosing an attack.

Security executives admitted they tend to gain valuable guidance and threat information from informal networks of personal connections. Because many summit delegates knew one another, there was a strong feeling of camaraderie against a rising threat. Some talked about the challenges of formal approaches to information exchange, particularly the lack of proper legal frameworks to share threat information without fear of liability. Similarly, the point was raised about the value (and risks) in sharing data about security threats among competitors in the same industry. While some mature information-sharing programs such as the FS-ISAC work well, many other collaborative initiatives are struggling. Informal networks are king, but their results are often uneven and unscalable, creating significant information gaps that attackers may be able to take advantage of.

The security industry needs better frameworks for communicating threat information. We need public-private partnerships like never before. We need to get over the hurdle of legal concerns.
Delegates observed that attackers seem to share intelligence more effectively than legitimate enterprises do. Attackers are not impeded by the legal restrictions, liability concerns and other rules that govern corporations and government organizations. One delegate remarked, “Our attackers are using our behavior against us: our culture, our shareholders and our litigious propensity.”

Attendees repeatedly identified sharing timely threat information as a strategic capability that the security community needs to prioritize. According to the attendees, information-sharing frameworks could include standardized reporting processes and lexicons, protection from liability for information sharing or directed action for cyber-security purposes, and a technical infrastructure to share and analyze threat information at “machine speed.” “We need to arrive at a rich, dynamic set of indicators,” remarked one summit speaker.

Attackers Aim for Advantage, Not Infamy

Advanced attacks are typically not the product of hobbyists. These attacks often require months of planning, mapping out internal networks by looking at the fringes. The reconnaissance can go much further: targeting key employees, deconstructing their life by scouring social media, custom-crafting an attack so that it is stealthy, patient, and very effective. Cybercriminals, the ones who look to steal credit card numbers and other commoditized and sellable data, have become increasingly sophisticated, but advanced attacks are different. Increasingly, they focus on espionage—stealing specialized data that may be of high value and strategic importance to the commissioning entity, which can be foreign governments, rival corporations and organized crime groups. The entities behind advanced attacks literally mean business.

Also, entities perpetrating many advanced attacks are substantively different from the hacktivist groups that have attracted attention in recent times. Hacktivists want to embarrass and expose their targets’ activities, taking pride in publishing their conquests. Many advanced attackers, in contrast, have the goal of stealth. They do not want to be discovered or seek publicity.

A suggestion was made at the summit that some advanced threats are now masquerading as hacktivist attacks, with the goal being to confuse forensics and place blame on groups that are often eager to accept it. This pattern makes it difficult to size the scale of advanced threats: a willing scapegoat makes post-incident attribution particularly problematic.
Cracking Organizations Through Their Supply Chains

Advanced threats have shown that security is an ecosystem problem. Attackers invest time in infiltrating intermediate targets that are known to be in the primary target’s supply chain, including service providers and business advisors, such as consultants and lawyers. Supply chain security is now a hot topic. Often, organizations have little visibility into their suppliers’ operations and security. Contractual attestation about supplier security processes is industry standard, with little to no verification of claims. Attackers are going farther and farther back in the supply chain to attack their ultimate targets. Some APT Summit delegates related incidents of attackers targeting suppliers of suppliers—two steps removed from the end target. This raises many interesting questions about trust, policy, outsourcing and our ability to gain visibility into the extended supply chain.

Security is a weakest-link problem: we’re only as secure as our most vulnerable supplier. The problem is one of ecosystem—companies inherit not just their suppliers’ advantages, but their vulnerabilities and risks, too. We do a decent job of assessing supplier benefits but still struggle to assess supplier risk. In the world of advanced threats, we need to take a secure ecosystem approach. Adversaries will invest the time to cultivate vulnerabilities in trusted vendors; therefore, monitoring a supplier’s security is a huge need and challenge. Contractual attestations are not enough. Attendees proposed various approaches that companies can utilize to reduce their risk:

– Communal reputational ratings of vendors. A summit delegate recommended creating a public database that captures information on the security practices of vendors and rates them according to a rating scale applicable for various vertical sectors. The ratings approach may require some contractual tooling. Such a system could not only help organizations make more informed risk choices, but the increased visibility could also be a strong incentive for vendors to improve their security practices.

– External monitoring of vendors to evaluate their security posture. One large corporation shared its practice of assessing a vendor’s public profile: monitoring how vendor employees shared information through public networking sites, performing raw scans against their systems and similar practices. This process was baked into the pre-engagement vendor vetting process.

Fortifying the supply chain was a pervasive theme during the summit, arising as a concern across multiple sessions and discussions. One security executive at the summit shared this provocative point: “Some companies are good at being assessed but are not so good at being secure.” Summit delegates expressed the need not only for greater visibility into suppliers, but also for standardizing supplier assessments and establishing a real baseline to facilitate apples-to-apples comparisons on security. This will entail continuous monitoring as suppliers evolve over time.

A secure ecosystem approach is essential and has wide-ranging benefits. It’s driven not just by advanced threats but also by the growth of hacktivism, the maturation of cybercrime, and the expanding focus of audits.

Delegate poll: “It is possible to adequately control the risk from employee-owned/managed devices.” Strongly agree 0%; Agree 32%; Neither agree nor disagree 7%; Disagree 40%; Strongly disagree 21%.
Threat Disclosures: I’ll Show You Mine Only If You Show Me Yours

Although the terms advanced threats and APTs may be overused, there is no question that sophisticated, targeted cyber attacks are more widespread than even today’s frequent headlines suggest. Many attendees shared that they had been the intended victim of an advanced threat or APT within the last year.

While such attacks are new to some industries, summit participants representing the defense industrial base, U.S. government agencies and critical infrastructure industries reminded delegates that espionage threats, particularly APTs, have been their way of life for a long time.

Despite many organizations’ long history with advanced threats and APTs, very little information is shared publicly about specific incidents. Companies get inducted into “the club” after an attack and only then realize the wealth of information available from peers. Security executives from organizations recently hit with highly targeted attacks said they became privy to the wealth of threat information guarded by other attacked organizations only after disclosing their own breaches. Organizations tend to stumble upon informal information-sharing networks only after an attack, not pre-event, which nullifies the potential of threat information in helping prevent attacks.

Beyond information sharing, few organizations are building a real competency around incident response and crisis communication. Some delegates warned that crisis plans give a false sense of security. Such plans cannot be a static, one-time exercise. Instead, organizations need to execute drills at least once or twice a year to help iron out kinks, identify people in appropriate roles and adapt plans to the current environment. Another delegate suggested maintaining all your incident response capabilities and plans in both online and offline media and keeping telephone numbers of your team on paper, because if there’s a network outage, you need resilience.

During a detailed discussion on incident response planning and breach disclosures, one delegate, a lawyer, offered this advice on communicating a breach: “Lawyers should be on the bus, but they shouldn’t be driving the bus.” His point was that lawyers specialize in mitigating risks, which often means they favor not sharing information. But risk mitigation should be only one consideration. Others include an organization’s ethical responsibilities to customers and to the public, as well as the reputational damage of information leaking out about undisclosed security incidents. One delegate cautioned, “In this age of data loss hack fatigue, they will forgive the breach; what they won’t forget is silence.”

Another delegate wrote this comment: “Security professionals and industry leaders need to support anyone attacked to encourage the sharing of information so others may benefit quickly. Why? [Attacked companies] fear the press will hammer them. The risk is impact to marketing and reputation. Benefit: more [information sharing] is better. There is no security in obscurity.”
The New Normal: Act as Though You’re Already Hacked

The events of the past year have shown that determined adversaries can always find exploits through people and in complex IT environments. It’s not realistic to keep adversaries out. Organizations should plan and act as though they have already been breached. “Presume you’re hacked, live in a contested environment,” advised a notable security leader at the summit.

Three foundational principles of security are compartmentalization, defense in depth and least privilege. In combination, these three tenets dictate that if one system (or person) is compromised, it should not result in a compromise of the entire system. While simple in concept, these tenets have proven complicated to implement in practice. Organizations have long relied on the notion of a “perimeter,” where a big thick wall—in the form of firewalls and gateway defenses—guards the organization, with good guys (insiders) on one side of the wall and attackers on the other.

Security perimeters are now considered a construct of the past. Boundaries are nearly impossible to define in modern organizations. The inclusion of partially trusted users such as customers, suppliers, contractors, service providers, cloud vendors and others has made organization boundaries very porous. Beyond the eradication of traditional organizational boundaries, the consumerization of IT has brought a rash of unmanaged devices into the enterprise and exposed the organization to services (and suppliers) that are opaque. IT consumerization has also blurred the line between the business lives and the personal lives of employees.

We have moved from the illusion of a perimeter-driven defense to living in a state of compromise. Accepting that some systems, some people, and some services may already be under the control of attackers changes information security strategy. It forces a return to the core principles of compartmentalization, defense-in-depth, and least privilege. Organizations need to focus on closing the exposure window and limiting damage through efforts to compartmentalize systems, stop sensitive data egress and contain malfeasance. This new model also demands that we rethink old habits of sharing sensitive corporate information—such as source code, product plans and strategic roadmaps—using collaborative processes that presume perimeter defenses can keep attackers out.

Security improves through greater situational awareness: gaining the ability to understand what’s happening beyond our network boundaries to detect threats on the horizon. Organizations get smarter by looking beyond their infrastructure and observing the ecosystem. The ecosystem approach to security relies on organizations actively sharing information with other organizations about threats. It also demands greater visibility into the security of suppliers and service providers within one’s supply chain.

The key is to know what digital assets are important to protect, where they reside, who has access to them and how to lock them down in the event of a breach. This ability to tighten the net before and during an attack is key, and it requires a mature process for incident handling. Incident response should not be considered exclusively a security function. Instead, it is an organizational competency that must be developed and continually honed well before an attack occurs. If organizations are planning responses as an attack unfolds, they are too late. A competency approach allows remediation activities to kick in automatically—like a reflex.

One senior security executive advised his peers to “use your peace time well.” The period before a breach is the most critical. It pays to model threats and drill incident response exercises to ensure that working relationships between functional teams and key personnel are well established. As one attendee put it, “Our goal is not to do defense perfectly; it’s to interrupt the bad guy’s life cycle at multiple points.”

Delegate poll: “Our organization has a specific threat management strategy for APTs.” True 46%; False 54%.
The Road Ahead

The reality of advanced threats demands a disruptive approach to defense—one where enterprises can be agile and thrive in a contested environment. This approach must be applied holistically: approaching advanced threat defense not as a discrete function but as a natural consequence of robust but agile security.

IT complexity is our enemy. As one delegate advised, “For every $1 we spend on security, we should spend $9 retiring systems, cleaning stuff up, going back to document it and really understand our existing environment.” Many of the holes that exist today come from an unmanageably complex IT infrastructure. Given that information security is a “weakest link” problem, only through understanding our assets, processes and endpoints do we have a chance at effective defense. Unraveling complexity and fielding a successful defense means that we also need to think creatively about the range of attacker motivations, which can extend far beyond data theft. Poisoning, disruption or embarrassment can also be end goals of an advanced threat—as well as other types of digital attacks.

With every new technology, we have the ability to weave security into its fabric, to begin anew. We are at the start of an industry-wide move to cloud-based services and systems. We stand on the precipice of a sea-change in technology. As one delegate phrased it, “If we can’t get it right with cloud, shame on us.”

Today more than ever, security is an ecosystem problem in which every constituent has a responsibility. Attackers are collaborating, sharing information, going after the supply chain, co-opting careless insiders and evading our long relied-upon defenses. We need disruptive collaboration and innovation in defense. Through collaboration, information sharing and increasing our agility, we can successfully fend off APTs and other advanced threats.
About RSA

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention and Fraud Protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit

EMC2, EMC, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2011 EMC Corporation. All rights reserved. Published in the USA. H9038-APTNWO-WP-1011