APTs Latest in Cyber-Arms Race
From Flame to Gauss to Madi – the list of advanced persistent threats (APTs) that have appeared on the public's metaphorical radar screen so far this year seems to be growing. Whether or not this is part of an ongoing cyber-arms race between countries or their proxies, experts say that the threat landscape should influence how large organizations think of risk.
"Today's APT attacks in most cases look like conventional attacks," said Anup Ghosh, CEO of Invincea. "They start with conventional vectors such as spearphishing and utilize tactics such as luring people into clicking on links. Their exploits resemble conventional banking malware. It is what they do once they have a presence on the network that distinguishes an APT from a cyber criminal or conventional attack. APTs colonize the network and exfiltrate valuable IP."
"Organizations need to understand the 'cyber war' today is largely a cold war -- one of espionage and theft of intellectual property," he said. "If your organization develops intellectual property that would be valuable to other countries to copy, you are a target and probably have already been compromised."
In its threat report for the first half of 2012, F-Secure summarized the pieces of the Flame malware, which some researchers have called the most complex malware seen to date. Earlier this year, The Washington Post cited anonymous sources stating that the malware was linked to a joint effort by the United States and Israel, though American and Israeli officials officially declined to comment. While arms races in the physical world have centered on countries letting their rivals know about their capabilities for the sake of deterrence, the world has not yet reached this stage when it comes to cyber-attacks, wrote Mikko Hypponen, chief research officer at F-Secure.
"Most likely, yes (we are in an arms race)," he told SecurityWeek. "But it's happening behind closed doors in classified programs, so we don't know much about it – so far. Only [the] USA has confessed doing this. But we must assume most technically advanced nations are stockpiling cyber arms."
In this environment, having knowledge of an attacker's motives and what they are after becomes vital, Hypponen said.
"You need to understand your enemy and their motives. There's no point in trying to secure your system against the wrong attacker," he said. "Know your enemy."
There is evidence too that cyber-criminals and the minds behind the types of advanced persistent threats that have made headlines this year are using similar tactics, said Tom Kellermann, vice president of cybersecurity at Trend Micro.
"APTs have been privatized and their cyber kill chains automated so that these types of targeted attacks are now mainstream for organized crime syndicates," he said, adding that the complexity of code "is reaching a singularity in automation."
Ideally, the presence of more complex threats shouldn't change much about how organizations plan their strategy, said Kevin Haley, director of Symantec Security Response. After all, he explained, organizations should already be educating employees on cyber security risks and how to avoid them, and should also have technology in place to mitigate malware outbreaks.
"The reality, however, is a different story," he said. "Many organizations are still struggling to get a grip on these simple security best practices. Thus, more than anything else, hopefully the threat of targeted attacks and APTs serves as an alarm bell causing more companies to prepare their infrastructures to withstand attacks of all sorts."
"The concept of layered security is not new, but as the threat landscape gets more complex the layers must increase," he added. "Stopping exfiltration is an important new layer. Incident response is not a new idea, but it’s a lot more important now and something companies who have largely ignored up until this point should not anymore."
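One concrete form the "stopping exfiltration" layer can take is a volume baseline per host: compare each workstation's outbound traffic to external addresses against its own recent history and raise a finding when a day's total jumps by an order of magnitude, especially toward a destination the host has never contacted before. The script below is an added example, not code from the article or from any of the vendors quoted in it. It assumes flow summaries have already been reduced to (day, source host, destination IP, bytes sent) tuples, that the internal ranges are 10.0.0.0/8 and 192.168.0.0/16, and that a tenfold increase over the median daily volume (with an absolute floor of 50 MB) is the alerting threshold; the sample flows are constructed for the example and use documentation address ranges.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal address space; adjust to the real network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flows: (day, source host, destination IP, bytes sent).
# Made up for this example; the addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    ("2012-08-01", "ws-eng-17", "203.0.113.10", 1_200_000),
    ("2012-08-02", "ws-eng-17", "203.0.113.10", 1_050_000),
    ("2012-08-03", "ws-eng-17", "203.0.113.10", 1_400_000),
    ("2012-08-04", "ws-eng-17", "203.0.113.10", 980_000),
    ("2012-08-05", "ws-eng-17", "203.0.113.10", 1_100_000),
    ("2012-08-06", "ws-eng-17", "203.0.113.10", 1_300_000),
    ("2012-08-07", "ws-eng-17", "203.0.113.10", 1_150_000),
    ("2012-08-07", "ws-eng-17", "198.51.100.25", 900_000_000),  # large upload to a never-seen host
    ("2012-08-01", "ws-fin-03", "203.0.113.10", 2_000_000),
    ("2012-08-02", "ws-fin-03", "203.0.113.10", 2_100_000),
    ("2012-08-03", "ws-fin-03", "203.0.113.10", 1_900_000),
    ("2012-08-04", "ws-fin-03", "203.0.113.10", 2_050_000),
    ("2012-08-05", "ws-fin-03", "203.0.113.10", 2_000_000),
    ("2012-08-06", "ws-fin-03", "203.0.113.10", 1_950_000),
    ("2012-08-07", "ws-fin-03", "203.0.113.10", 2_200_000),
    ("2012-08-07", "ws-fin-03", "10.0.4.5", 5_000_000_000),      # nightly backup to an internal server: ignored
    ("2012-08-07", "ws-new-01", "203.0.113.10", 3_000_000),      # first day seen, no baseline yet
]


def is_external(ip: str) -> bool:
    """True if the destination lies outside the internal address ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_volume(flows):
    """Per host and day: bytes sent to external destinations, and the set of those destinations."""
    volume = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, host, dst, nbytes in flows:
        if not is_external(dst):
            continue  # internal traffic (backups, file shares) is not exfiltration for this heuristic
        volume[host][day] += nbytes
        dests[host][day].add(dst)
    return volume, dests


def flag_exfiltration(flows, ratio=10.0, min_bytes=50_000_000):
    """Flag hosts whose latest day's outbound volume far exceeds their own history.

    The baseline is the median of the host's earlier daily totals, so a single
    earlier spike does not inflate it. A host with no history is judged only
    against the absolute floor min_bytes.
    """
    volume, dests = daily_external_volume(flows)
    findings = []
    for host, per_day in volume.items():
        days = sorted(per_day)
        latest = days[-1]
        history = [per_day[d] for d in days[:-1]]
        baseline = median(history) if history else 0
        threshold = max(ratio * baseline, min_bytes)
        seen_before = set().union(*(dests[host][d] for d in days[:-1]))
        new_dests = sorted(dests[host][latest] - seen_before)
        if per_day[latest] > threshold:
            findings.append({
                "host": host,
                "day": latest,
                "bytes": per_day[latest],
                "baseline": baseline,
                "new_destinations": new_dests,
            })
    return findings


if __name__ == "__main__":
    for f in flag_exfiltration(SAMPLE_FLOWS):
        print(f"{f['host']} on {f['day']}: {f['bytes']:,} bytes out "
              f"(baseline {f['baseline']:,.0f}); new destinations: {f['new_destinations']}")
```

Run against the sample, only ws-eng-17 is reported: its 900 MB upload to a previously unseen address on 2012-08-07 is roughly 800 times its median daily volume, while ws-fin-03's multi-gigabyte transfer to an internal backup server is ignored and ws-new-01, which has no history, stays under the absolute floor. In practice the per-host baseline should come from a longer window than a week, and the new-destination set is the field an analyst would pivot on first.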