Tuesday, August 16, 2011

To APT or not?

McAfee recently discovered a widespread series of exploits that they are calling Operation Shady Rat (http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat). This exploit compromised 72 companies around the world and seemed to lead back to China. McAfee concluded that this attack was an Advanced Persistent Threat, or APT; other security vendors such as Sophos claimed that this attack was not an APT because the malware was not sophisticated. As a result, I wanted to take the time to discuss this type of attack and get away from some of the marketing terms.

What is an APT? APT is the term used to describe an attack carried out over a fairly significant time that is meant to gain a foothold deep into an organization's systems, staying in the network for a long period of time undetected, usually with the goal of collecting intelligence information: troop movements in the case of an attack carried out against a government, or intellectual property in the case of an attack carried out against a corporation. The main thing that distinguishes an attacker considered an APT is that they are persistent and have resources, such as a government or major corporation, backing them.

Second, an APT is not a piece of malware, even though some security vendors would have you believe that for the sake of selling a product. For example, FireEye claims they can stop APTs (http://www.fireeye.com/products-and-solutions/), really? Don't get me wrong, I love the FireEye malware analysis product and I am not just picking on them, as there are several others that advertise the same, but really, do you expect me to believe you can shut down hackers backed by a large government or the Russian Mafia on all attack vectors? Now, yes, you may be able to find the malware that is being planted, but that is only one part of the attack, and even if you stop that piece of malware, the attackers will be back; they are persistent after all.

Ultimately, what I want to get across here is that an APT is the attack as a whole, including the attackers, the attackers' motives, and the methods used to compromise the network (it could be malware, or maybe a misconfigured server, etc.). An APT attack could be carried out by a group of attackers using something as old as Back Orifice, or by using no malware at all. To protect against APTs, you will need more than a product that claims to protect against APTs: you will need multiple products, and you will also need people analyzing logs and network behavior for things that your tools missed.
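As an added example of the kind of log and network-behavior analysis the post ends on (this is not code from the original post or from any vendor named in it), the script below reads outbound proxy log lines and flags host pairs whose connections recur at near-constant intervals over a long span. That regular, low-volume "check-in" pattern is what a persistent intruder's foothold tends to leave behind regardless of how old or simple the malware is, and it is something a signature-based product has no rule for. The log format, the addresses and the timestamps are constructed for the example; the thresholds (hit count, interval regularity, minimum span) are assumptions you would tune to your own traffic.

```python
# Added example, not from the original post: flag host pairs whose outbound
# connections recur at near-constant intervals over a long span, the kind of
# low-and-slow "check-in" traffic a persistent intruder leaves in proxy logs
# and that signature-based tools do not alert on.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound proxy log lines: "timestamp src dst bytes".
# 10.1.4.22 talks to 203.0.113.9 every four hours for a day (a beacon);
# 10.1.4.30 browses 198.51.100.7 in irregular bursts (ordinary user traffic).
SAMPLE_LOG = """\
2011-08-10T00:00:03 10.1.4.22 203.0.113.9 512
2011-08-10T04:00:05 10.1.4.22 203.0.113.9 498
2011-08-10T08:00:01 10.1.4.22 203.0.113.9 503
2011-08-10T09:02:11 10.1.4.30 198.51.100.7 18233
2011-08-10T09:02:40 10.1.4.30 198.51.100.7 9012
2011-08-10T09:03:15 10.1.4.30 198.51.100.7 44120
2011-08-10T11:47:02 10.1.4.30 198.51.100.7 2210
2011-08-10T12:00:04 10.1.4.22 203.0.113.9 511
2011-08-10T16:00:02 10.1.4.22 203.0.113.9 507
2011-08-10T20:00:06 10.1.4.22 203.0.113.9 495
2011-08-11T00:00:01 10.1.4.22 203.0.113.9 509
2011-08-11T14:20:30 10.1.4.30 198.51.100.7 7730
2011-08-11T14:21:02 10.1.4.30 198.51.100.7 15002
2011-08-11T16:05:44 10.1.4.30 198.51.100.7 880
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def find_beacons(records, min_hits=6, max_cv=0.2, min_span_hours=12):
    """Return {(src, dst): stats} for pairs that look like periodic check-ins.

    A pair qualifies when it has at least min_hits connections, the spread of
    the gaps between them (coefficient of variation) is below max_cv, and the
    activity spans at least min_span_hours, i.e. it is both regular and
    long-lived. Thresholds are assumed defaults, not derived from any dataset.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        span_hours = (times[-1] - times[0]).total_seconds() / 3600
        if cv <= max_cv and span_hours >= min_span_hours:
            beacons[pair] = {
                "hits": len(times),
                "interval_s": round(avg),
                "cv": round(cv, 4),
                "span_hours": round(span_hours, 1),
            }
    return beacons


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {stats}")
```

Running it against the constructed log reports only the 10.1.4.22 to 203.0.113.9 pair (seven hits, roughly 14400-second spacing, about a day of span); the user's bursty browsing has gaps ranging from seconds to a day and drops out on the regularity check. In practice the output is a queue for a person to review, not an alert to act on by itself: scheduled jobs such as backups and update checks are periodic too, so an analyst needs to pair the list with knowledge of what each host is supposed to be doing.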