Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

  • Twitter
  • Facebook
  • LinkedIn

APT - There.. I Said It.

Recently I attended the Secure World Boston conference to sit in on a panel with industry experts about APT (Advanced Persistent Threat, for a great write-up on the definition see Richard Bejtlich's article titled, "What Is APT and What Does It Want?"). Following are some of my thoughts on the topic:

  • Is APT something that everyone should be worrying about and planning for (is APT pervasive or just hype)? – APT is a new buzzword, but of course such threats have been around as long as there have been computer networks. It makes me think back Clifford Stoll’s book titled “The Cuckoos Egg”. I love Cliff’s analogy of “jiggling” the keys over the communications lines to disrupt the attackers just enough, but still give them enough access to keep an eye on them.
  • CuckooCover.jpg

  • Explain how APT works (reconnaissance, phishing, infection, exfiltration)? – The recon phase is the toughest to defend against and the most important phase to an attacker. Pre-texting is so important, yet much of the information has to be public and it’s tough to detect when someone is doing recon. This may turn into targeted phishing attacks, which are increasingly more successful. No matter how hard we try, we can’t educate all our users and expect them to catch 100% of the attacks - we have to rely on technology and training to ward off these attacks. Inevitably, people get into our systems and we need to have measures to detect unauthorized access to our systems. It’s presumptuous to think that your organization will never have a breach.

  • What industries are targeted the most with APT? – I believe all industries are targeted depending on the motives of the attackers. Motives are one of those things that kill us in this industry, because they are so vast and sometimes they seem random. This is one of the things that separate physical security from information security. If you are defending the safety of the president, the attackers motives are pretty clear and keeping the president alive is your goal. Secret service employs strict and thorough security procedures, and I believe we can learn a lot from them. However, our IT issues run deeper: attackers may be after information, money, your Internet access/bandwidth, your partners or your employees, for different reasons ranging from economics to politics. Therefore, it’s a pretty level playing field with respect to the different industries that are attacked.
  • national-geographic-inside-u-s-secret-service-dvd-cover-art.jpg

    National Geographic has a great documentary about the Secret Service. They provide information on how the Secret Service conducts reconnaissance for each location the President will visit, including asking the local police if any uniforms are missing. It’s difficult to put these tactics in place when defending an organization's IT infrastructure. However I believe it’s clear that we need to learn more about our attackers and perform recon on them, rather than just letting them do recon on us.

  • What data is most often taken (this goes to adding more protections around the most valuable data)? – Depends on your attacker and your industry. Sometimes attackers are after intellectual property. For example, there have been a series of attacks against several major corporations, the latest of which includes RSA and the certificate authority Comodo. In each case the attackers were after something specific to the organization, such as information about RSA SecurID tokens, or copies of root-level CA certificates. The motives could also be political, and attackers are burying themselves in systems in an effort to disrupt communications or operations of SCADA systems (e.g., Stuxnet).
  • What are the most common Trojans used with APT? – This is an interesting question, and I think an even more interesting point is how sophisticated malware is getting. The bad guys are using the same technologies we’re using, except they are implementing them for evil purposes. Attackers are using encryption, 0-day exploits, cloud computing and P2P networking technologies to increase their chances for success and reduce their operational overhead. You also have an underground economy that is growing, taking the work of the best hackers and putting it the hands of common criminals. So, you don’t have to be the worlds best hacker, you just need to have some money and know the right people and you can get your hands on some of the best tools. I think the most common malware that we see is not what we need to worry about, but rather the one-off attempts that are largely going undetected.
  • What can be used for detection (system logs, AV logs, IDS logs, Netflows, DNS, VPN logs, Full packet capture, File system analysis)? - Detection is really the name of the game. Again, it’s hard to detect recon and exploitation. I’m not saying you shouldn’t try, but attackers have the advantage, mostly using social engineering and exploits that leave little trace or don’t even rely on a software vulnerability (Java applets, default/weak passwords, etc.). Detecting the remote connections to your systems is critical, because at the end of the day an attacker has to make a connection to control a system or exfiltrate data. I’m a big fan of log analysis and NetFlow data, which are big indicators of compromise. The key is to detect it as quickly as possible and not let a compromised system sit inside your network for extended periods of time (such as months or years).
  • What can be done (logs, correlation of data across the enterprise, combine response efforts into a central location, keep data longer)? – I think some of the best technology for detection is software that monitors the behavior of processes. For example, if you can answer questions such as “Why is explorer.exe connecting to port 443 on a server in China” or “Why is Internet Explorer reading all of my NTLM hashes?” you can often detect the presence of attackers without relying on a signature.
  • How can you tell you've been infected by APT? – Best case, you see the compromise in your logs and deal with it. Worst case you receive a bribe letter/email from evil attackers, or have your most private data posted openly on the Internet.

  • Ipwned.png

    For those not fluent in "ransom letter" it reads: "I pwn3d your network, please send LOTS of money. k THX Bye"

  • How long should you maintain this network data (3 months, 6 months, 9 months, a year)? – There are some regulatory compliance requirements that will dictate how long you should store data of certain types. Compliance aside, its really up to you, I don’t think that storing more data will increase chances for success in detecting attackers. A year is best, but this needs to be balanced with your business goals and objectives with respects to cost and people time. More importantly, having large amounts of data will not help if you cannot or will not correlate it and use it to your advantage.
  • What can be used for mitigation (DNS/IP Sink Hole, system remediation and reimage)? – I’m a huge fan of honeypot technologies. I’m not talking about setting up a system, letting people break into it, and watching them. I like to modularize the honeypots, and implement darknet space monitoring, tarpits (network and web), dummy accounts, etc. There is a lot of work going into this area (see my upcoming talk at SOURCE Boston for more information).
  • Do you notify law enforcement when you find APT (or the company that you saw was infected by this malware)? – You should notify law enforcement if you believe your compromise is part of a larger scheme or you have incurred damages that could lead to criminal charges. The key here is to establish the relationship with your legal department and law enforcement before there is a compromise. Infraguard is a great program for keeping the communication channels open with law enforcement.
  • Do you recommend security awareness to all employees and if so, do you have any examples/suggestions? – Absolutely, the best user education starts with personal and hands-on training. Embed this into your culture so it spreads in a positive way between employees.
  • Are you seeing APT being used by certain countries or is it equally used across the globe? – I’ve had the same questions, and one of the best answers was provided to me by Brian Krebs. Many eastern countries, Romania and the like, have great infrastructure for training their people in highly technical jobs, however there are no such jobs available. So, they use their skills for evil rather than working in a much lower paying job.
  • Should vendors cryptographically sign all the code, including JavaScript, that they produce so that users can verify that they are really running the code they think they’re running? – Code signing helps, but like many forms of encryption, it’s only part of the solution. For example, on mobile devices this helps prevent malicious code from running, however a rootkit placed on the system can circumvent the code signing.

Related Articles

Your APT Anti-Hype By Marcus Ranum

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try for Free Contact Sales

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.