There is perhaps no contemporary security policy issue that is as important, but so poorly understood, as cybersecurity. A major part of the problem is a simple lack of familiarity with the most basic terms and definitions.
Almost all policymakers today are digital immigrants — people who grew up in a world where computers were rarely used, but who now live in a world where they are ubiquitous. Unlike younger digital natives to whom computers are a natural feature, these leaders often feel like strangers in a new land, unable to speak the language, and thus more likely to keep silent for fear of embarrassment or misunderstanding. These immigrants are also the ones whose ignorance is most often taken advantage of by get-rich-quick schemes and other bad policy advice.
I recently watched a good example of this at a meeting in Washington of government officials and business leaders. A so-called consultant in cybersecurity (at least that’s what his business card and website said, and who are we to question the Internet?) spent half his presentation talking up the massive boogeyman of cyber danger that loomed for any and all, mentioning again and again the new specter of APTs, or advanced persistent threats. Fortunately, he spent the second half explaining how all that was needed to deter such threats was to be “good enough.” As long as you make sure your defenses are slightly better than the next guy’s, the attackers will give up and quickly move on. And lo and behold, his firm had a generic package for sale that would solve for just those needs. It was a presentation that was slick and effective — and wrong.
APTs are a phenomenon that has gained more and more notoriety in recent years but still is poorly understood. They illustrate the challenge in the policy world of calling attention to very real emerging challenges in cyberspace but also avoiding overreaction, hype and hysteria.
What is an APT?
If cybersecurity threats were movies, an advanced persistent threat would be the “Ocean’s Eleven” of the field. It’s not that APTs star handsome actors like George Clooney or Brad Pitt in Armani suits; indeed, they are more likely to be run by their polar opposites, in sweat-stained T-shirts. Rather, APTs have a level of planning that sets them apart from other cyber threats. Like the plots in the “Ocean’s” movies, they are the work of a team that combines organization, intelligence, complexity and patience. And because of that, like the kind of major casino heists depicted in the movies, APTs are actually quite rare.
While there are some 60,000 new pieces of malware created by cyber criminals each day, a minuscule percentage have anything to do with an APT. And even more, much as every group of criminals would like to think they are just like the gang in “Ocean’s Eleven,” only a subset of groups behind APTs are actually that good. One defense firm, for example, is aware of a number of APTs targeting its systems, but divides them into the A-team group that spooks them and a wider set of Z-team groups, which they laugh about.
An APT starts with a specific target in mind. The perpetrators know what they want and who, specifically, they will go after to get it. APT targets have ranged from military jet designs to classified diplomatic documents to oil company trade secrets. While everyone would like to think they are important enough to be targeted by an APT, the reality is that most of us don’t rise to that level. Sorry, you’re not going to be played by Al Pacino, as in the last “Ocean’s” movie.
Once the target has been identified, the hallmark of an APT is how it reflects the work of a coordinated team of specialized experts, each taking on different roles. Much like a robber casing a bank or a spy observing a military base, a surveillance team performs target development — learning everything they can about the person or organization they are going after and key vulnerabilities. In this effort, online search tools and social networking are a blessing to the attackers.
Want to steal a new defense widget and therefore need to know who is the vice president of product development? In the past, you would have had to send James Bond to seduce the receptionist in Human Resources and then sneak into her files while she was sleeping off a night of romance and martinis. Now, just have your Red Bull-sipping targeting guy use a search engine and he can get everything from that executive’s résumé to the name of her daughter’s pet iguana. As cybersecurity expert Gary McGraw notes, “The most impressive tool in the attackers’ arsenal is Google.”
These groups might not just use search from afar, but also work to bring themselves closer to the target with physical or even virtual means, such as social networking. Perhaps the most innovative recent example was when senior British officers and defense officials were tricked into accepting friend requests from a fake Facebook account claiming to be Adm. James Stavridis. As the Telegraph reported, “They thought they had become genuine friends of NATO’s Supreme Allied Commander — but instead every personal detail on Facebook, including private email addresses, phone numbers and pictures were able to be harvested.”
It is this phase that also explains why such attacks are differentiated as persistent. The reconnaissance and preparations conducted can literally take months. The teams are not just trying to understand the organizational structure of the target, but also its key concerns and even its tendencies. One APT, for example, was casing a technology firm headquartered in Minnesota. They ultimately figured out that the best way to crack the system was to wait until a major blizzard. Then they sent a faked email with a document purporting to be the firm’s new snow day policy. Another effort, reported by Reuters in 2011, was allegedly conducted by Chinese intelligence and military units, who gathered details not only on who were the key friends and associates of U.S. national security officials, but even what farewell message they typically signed off with in their emails.
Once the target is understood, an intrusion team of professional hackers will then work to breach the system. One of the most common compromise activities is spear phishing, where an individual or group is targeted with a communication that seems to come from a trusted source. When they open files or links in the message, they instead trigger a download of malware, as in the “snow day” email. A faked email is frequently used by such attackers. Take Operation Shady RAT (remote access tool), a highly successful campaign that targeted some 72 organizations around the world, from aerospace firms to the World Anti-Doping Agency (notably right before the 2008 Olympics). When the counterfeit email attachment was opened, malware was implanted inside the target’s network. This created a backdoor communication channel to an outside Web server, which had, in turn, been compromised with hidden instructions in the Web page’s code in an effort by the attackers to cover their tracks.
What is notable here is that the initial target is frequently not the end target. Often, the best way into a network is via trusted outsiders, often with lower levels of defense. One defense firm was penetrated in 2010 via smaller company vendors. Next, the attackers may target people in the network who have some level of access that will open the gates wider. Last year, an APT was launched at various think tanks. The attackers sought access to scholars who worked on Asian security issues, but aimed initially at employees who had administrative rights and access to passwords.
Email is not the only way in. Other APTs have used Facebook and other social networks to figure out the friends of individuals with a high level of privilege inside a targeted network. Then, they compromise these friends’ instant messaging chats as a way to sneak in.
The malware used in these attachments is often quite sophisticated. Polymorphic malware, for example, changes form every time it runs, to stay ahead of defenses, and then can burrow deep into computer networks to avoid discovery. The best APTs might use even more advanced tools, like malware that is tailored to the system it is targeting or avoids automatic propagation that might lead to detection, or even goes after a new vulnerability known as a zero day. (In this case, the attack is acting before the first or “zeroth” day of developer awareness of the weakness, meaning there is not yet a security fix available to users of the software.) Much like a military unit or even a sports team would do, APT groups often conduct dry runs and even quality assurance tests to minimize the number of anti-virus programs that can detect them.
Once the team is in, they branch out like a viral infection, often with more personnel joining the effort. They jump from the initial footholds, compromising additional machines inside the network that can run the malware and be used to enter and leave. This often involves installing keystroke-logging software and command-and-control programs, which allow them to direct the malicious code to seek out sensitive information.
At this point, the target is “pwned” (a common mistyping of “owned” and a term used by hackers and online gamers when they have gotten the better of a target or opponent). An exfiltration team begins work on retrieving what the APT was targeting all along. Here is another hallmark of a real APT: Such a team eschews the usual criminal ethic of “grab what you can get” in favor of a disciplined pursuit of specific files. In many cases, the attackers don’t even open the files during a theft, suggesting that their earlier reconnaissance was thorough enough that they didn’t need to double-check. Many analysts believe this discipline suggests the hidden hand of military or intelligence officials, either as team members or advisers, in many APTs.
Many APTs are detected during exfiltration, when data is leaving the network in massive amounts that are hard to mask. Exfiltration teams therefore use all sorts of tricks to cover their tracks. One frequently used tactic is to have the data routed through way stations in multiple countries, akin to a money launderer running stolen funds through banks all over the world. This makes it not only harder to track them down, but also routes their activities through different legal jurisdictions.
Some APTs do more than just copy the data. French officials, for example, said an APT run out of China gained access to the computers of several high-level French political and business leaders, and then activated the devices’ microphones and Web cameras so that they could eavesdrop on their owners’ conversations.
Even more nefarious, some APTs alter the files to which they gain access. By definition, this is the point at which an action moves from theft or spying into sabotage or even attack. It may also become the line international law ultimately decides is the difference between espionage and war.
What makes APTs even more of a challenge is that even if a target finds out it has been attacked, the pain is not yet over. Finding which machines and accounts inside the system have been infected can take months. Even more, if the effort is truly persistent — say, if the target has some sort of ongoing value to the attacker — there might be an additional unit in the APT whose very job it is to maintain an electronic foothold in the network. Their job is to ensure there is a sequel — an “Ocean’s Twelve,” so to speak. Rather than focusing on what information to steal, this team might, for example, monitor internal emails to learn how the defenders are trying to get them out, in order to stay one step ahead.
With their electronic communications compromised, some defenders’ response here is often old-school. They will do things like literally yank hard drives out of their computers and post handwritten signs in the hallways about needed password changes.
In sum, APTs are a nightmare scenario for any organization. Many don’t know they’ve been hit until it is too late. And even if they do find out, it is often impossible to prove who did it. Indeed, that is why APTs may be the most controversial of all the threat vectors in cybersecurity. Except in cases where the attackers are sloppy (such as when a high-ranking officer in China’s People’s Liberation Army employed the same server to communicate with his mistress that he was also using to coordinate an APT), there is little actual proof that would stand up in a court of law or even the court of public opinion. What we are often left with instead are just suspicions and finger-pointing, which is why APTs have become so poisonous for diplomatic relations, especially between the U.S. and China.
This is exactly why it is important to better understand the nature of such threats: to be able to respond more effectively. APTs are not as pervasive as they seem from the level of discussion in business pitches and congressional hearings. Their very sophistication both creates a problem and acts as a limiting factor.
But in turn, that sophistication means the threat is not likely to be stopped by some “secret sauce” sold by the many firms that have followed the federal budget money train into cybersecurity. A good defense is complex and layered, taking on each of the attacker’s phases, from surveillance to exfiltration. This means that the best counters will range from the highly sophisticated (such as new mechanisms to monitor anomalies in network traffic) to simply spreading better understanding of the basics of the issue.
Take the relatively simple but important job of getting network users to observe basic cyber hygiene. In one noteworthy case in 2008, a DoD network was reportedly compromised via a memory stick left in the parking lot outside the base. A foreign intelligence agency was alleged to have left it there, thinking U.S. soldiers wouldn’t be able to resist its lures. And they were right: Someone picked it up and plugged it into a computer. Yet, you wouldn’t stick something you found in a parking lot into your mouth, so why would you think it OK to stick it into your computer?
In APTs, as well as the wider issues of cybersecurity, information is power. This cuts both ways, however. The very real threats, as well as those who would profit from them, are targeting some valued bit or byte of knowledge. But their success, whether at stealing that information, or from banking on our fears, depends on our ignorance.