These days, everyone in the information security world, from C-level executives to product vendors, is losing sleep over the advanced persistent threat (APT), and rightly so. In our hype-saturated industry, threats are often exaggerated to the point of absurdity. But this time, the monster in the closet is real — and it should be making us completely rethink our approach to information security and risk assessment. But maybe we’re not seeing the monster clearly, or calling it by the right name. The term APT is only correct if you’re referring to the government or the military. It’s their term, and it has a very specific meaning for them. Ironically, true APTs often don’t use particularly advanced techniques, and they frequently look for, and follow, the path of least resistance to their targets. It’s a serious mistake to give the impression — especially to people outside the security profession — that “advanced” attacks are all we have to worry about. The real risk comes from attacks that are targeted against a specific organization and are designed not to stop until the attackers have achieved their goal. That’s why NSS Labs defined the term targeted persistent attack (TPA).
Let’s take a closer look at this three-headed creature. A TPA is:
Targeted: The attacker selected the organization, for a specific reason.
Persistent: The attack is capable of using multiple command-and-control channels and attack vectors, and of constantly increasing its penetration of your IT systems and resources. It is also stubborn, resisting remediation attempts.
Attack: While the word “threat” is somewhat nebulous when used in the context of APT, there is nothing unclear about it here. This is a true attack, and it may have several distinct stages.
A seemingly endless series of well-publicized, highly damaging TPAs has resulted in the theft of intellectual property, unauthorized access to corporate infrastructure, and critical resources being disabled. The possibility of falling victim to a TPA — no, the probability, maybe even the certainty — should be top-of-mind for you and everyone else on your security team right now. (By the way, it’s worth noting that not all targeted attacks are all that persistent. Last year’s RSA Security data breach was a “smash and grab” attack, but that’s not much comfort to all the RSA clients whose tokens were compromised.) And it should be making us all rethink the idea that being secure means being impenetrable, so that we can set the bar for risk exposure and acceptable failure where it belongs.
The reality is simple mathematics: There are (x) people on your security team, trying to defend against (x * ∞) possible threats, inside and outside your network. Even more important, if it was ever smart to consider your infrastructure a sterile environment, it isn’t anymore. Smartphones and notebook computers — many of them employee-owned — are connecting to that environment after being exposed to all kinds of public and shared networks. The number of remote workers is growing constantly. And your infrastructure is being extended by relationships with business partners and other third parties. All these trends are opening up new attack vectors for TPAs and dramatically increasing the risks they represent to your organization. And they should be making us rethink our most basic security rationales.
Today’s compliance standards don’t call for anti-TPA technologies, and they shouldn’t, because the nature of the TPA threat makes that completely unrealistic. What’s needed instead is layered security, using technologies like network-based intrusion prevention systems (NIPS), host-based intrusion prevention systems (HIPS), endpoint protection platforms (EPP) and security information management/security information and event management (SIM/SIEM). The management of these systems should focus not only on change control and segregation of duties, but also on patching, tuning, and maintenance.
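The value of those layers comes from correlating what they report about the same host, which is the SIEM's job. The following is an added example, not code from NSS Labs or from this article: a small correlation pass over constructed alert lines from NIPS, HIPS and EPP that scores each host on the three persistence indicators described above (more than one layer firing, more than one command-and-control channel, and alerts that resume after a remediation). The log format, field names, alert type names and thresholds are assumptions for the example.

```python
"""Added example (not from the NSS Labs article): SIEM-style correlation of
alerts from several defensive layers, scoring each host for TPA persistence.
Log format, field names, alert types and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in an assumed "ts LAYER host=.. type=.. [dst=..]" format.
SAMPLE_LOG = """\
2012-03-01T09:58:02 NIPS host=ws-17 type=exploit_download dst=203.0.113.10
2012-03-01T10:01:40 HIPS host=ws-17 type=suspicious_process
2012-03-01T10:05:12 NIPS host=ws-17 type=c2_beacon dst=203.0.113.10
2012-03-01T11:30:00 EPP  host=ws-17 type=quarantine
2012-03-01T13:10:45 NIPS host=ws-17 type=c2_beacon dst=198.51.100.7
2012-03-01T14:02:19 HIPS host=ws-17 type=persistence_registry
2012-03-01T10:20:00 NIPS host=ws-22 type=port_scan dst=192.0.2.9
2012-03-01T15:00:00 EPP  host=ws-40 type=quarantine
"""

C2_TYPES = {"c2_beacon"}            # assumed alert types meaning C2 traffic
REMEDIATION_TYPES = {"quarantine"}  # assumed alert types meaning a cleanup action
WINDOW = timedelta(hours=24)        # assumed window for "alert resumed after cleanup"


def parse_line(line):
    """Parse one log line into a dict; returns None for blank/short lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"),
             "layer": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def correlate(log_text, window=WINDOW):
    """Group alerts per host and score the three persistence indicators."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and "host" in ev:
            by_host[ev["host"]].append(ev)

    findings = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        # Indicator 1: alerts from more than one defensive layer on the same host.
        layers = {e["layer"] for e in events}
        # Indicator 2: more than one distinct C2 destination (multiple C2 channels).
        c2_channels = {e["dst"] for e in events
                       if e.get("type") in C2_TYPES and e.get("dst")}
        # Indicator 3: a non-remediation alert after a remediation, inside the window.
        resumed = False
        for i, e in enumerate(events):
            if e.get("type") in REMEDIATION_TYPES:
                later = [x for x in events[i + 1:]
                         if x.get("type") not in REMEDIATION_TYPES]
                if any(x["ts"] - e["ts"] <= window for x in later):
                    resumed = True
                    break
        score = int(len(layers) >= 2) + int(len(c2_channels) >= 2) + int(resumed)
        findings[host] = {
            "layers": sorted(layers),
            "c2_channels": sorted(c2_channels),
            "resumed_after_remediation": resumed,
            "score": score,
            "suspect": score >= 2,   # assumed threshold for escalation
        }
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_LOG).items():
        print(host, f)
```

On the constructed data only ws-17 trips the rule: three layers fire on it, two C2 destinations appear, and a beacon resumes about two hours after the EPP quarantine. A single-layer port scan (ws-22) or a quarantine with nothing afterwards (ws-40) scores zero, which is the point of correlating across layers rather than alerting on each in isolation.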
What we’re really talking about here is an “untrusted nodes” mindset, one that allows us to architect and deploy a more resilient network. And that goal — resiliency, not some unrealizable vision of perfect, impenetrable security — is what we should be aiming for in the TPA age.