Advanced Persistent Threats and Us


In a blog post from last year, Richard Bejtlich (blog | twitter) talked about a concept called an Advanced Persistent Threat (APT). His discussion then centered on the Aurora attacks on Google and other firms. In a recent post, Richard covered a bit about his experience at a Congressional hearing on digital threats. Here's what caught my attention:

"One of General Hayden's points was that we are not having a debate about how to address digital threats because no one agrees what the facts are. If you work counter-intrusion operations every day, or participate in the intelligence community, you know what's happening. Outside that world, you likely think 'APT' and the like are false concepts."

It is obvious to many private security researchers that nation states are involved in cyber-espionage. At that level, the attacker has the capability for advanced attacks. If the attacks are intentional, they are a threat. And if they are an ordered objective, so that the threat is sustained, you have the persistent part of APT. China has definitely shown that it is an APT with respect to the United States. In a recent video, a software package built by one of China's military academies is shown attacking Falun Gong websites. One of the sites is actually at an IP address at a US university.

There is little doubt that China represents an advanced threat. The question is, "Are they a persistent one?" Based on what we've seen, I'd say they are. And what makes the video footage especially disturbing is that they are going after systems unrelated to the US government or large organizations. From a corporate perspective, that means the possibility of a nation state hacking one of our sites is something we have to consider. In this case it's to go after a dissident group. However, we could just be targeted as "low hanging fruit." After all, when systems are automated to detect vulnerabilities and then exploit them, what is to stop someone from hitting everyone if there are no immediate consequences? Furthermore, if the folks doing it believe they are acting for the good of their nation, why wouldn't they carry out the attack?

So why would the Chinese government be interested in us? Truthfully, for most of us, they couldn't care less about us as individuals or our organizations. However, the computing resources of our organizations, now that's a different story. Distributed Denial of Service (DDoS) attacks require large numbers of computers to succeed. Attacking encrypted data is doable if there's a weakness in the cipher that lets the decryption be completed within a reasonable amount of time on the available computing resources, so it becomes a matter of gathering those resources. The big thing is to remove ourselves from the "low hanging fruit" group. This involves doing simple things:

  • Applying security patches
  • Employing secure configurations based on industry best practices (this includes at the network layer)
  • Minimizing rights wherever possible
  • Doing regular vulnerability scans
  • Checking Internet facing systems for SQL injection and similar attacks
  • Checking logs and systems regularly for signs of intrusion

Is this enough? Based on the MANDIANT post, it may not be. It depends on how far we take "employing secure configurations." Something interesting from their research:

A staggering 100% of APT malware identified by MANDIANT made ONLY outbound connections from victim networks, 83% of which used TCP port 80 or 443.

It's hard to do anything about this for individual workstations. However, for servers that aren't terminal servers (such as Citrix servers), this is very doable at the firewall. If your server makes outbound connections, you should know the IP range it needs (even if it's an overly broad one, like the range for Azure). In most cases there is no reason for a SQL Server to connect outbound to the Internet on TCP port 80/443.
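The flip side of that firewall rule is checking the logs for it. The following is an added example (not from the original post or from MANDIANT) that applies the idea to constructed firewall log lines: each policed server (here a hypothetical SQL Server and file server) gets a list of ranges it is allowed to reach, and any outbound TCP 80/443 connection from one of them to an address outside its list is flagged. The log format, host addresses and permitted ranges are all assumptions.

```python
import ipaddress
from collections import namedtuple

# Hypothetical servers that should never initiate arbitrary outbound web traffic,
# mapped to the outbound ranges each one legitimately needs (constructed values;
# 192.0.2.0/24 stands in for a cloud service range such as an update endpoint).
SERVER_POLICY = {
    "10.0.5.20": ["10.0.0.0/8", "192.0.2.0/24"],  # hypothetical SQL Server
    "10.0.5.21": ["10.0.0.0/8"],                  # hypothetical file server, LAN only
}
WEB_PORTS = {80, 443}

Finding = namedtuple("Finding", "src dst dport line")

def parse_line(line):
    """Parse a constructed 'key=value' firewall log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def is_allowed(dst, allowed_cidrs):
    """True if dst falls inside one of the permitted ranges."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(c) for c in allowed_cidrs)

def find_suspicious_egress(log_lines):
    """Return outbound TCP 80/443 connections from policed servers to unexpected ranges."""
    findings = []
    for line in log_lines:
        f = parse_line(line)
        if f.get("dir") != "out" or f.get("proto") != "tcp":
            continue  # only outbound TCP matters for this check
        src, dst, dport = f["src"], f["dst"], int(f["dport"])
        if src not in SERVER_POLICY or dport not in WEB_PORTS:
            continue  # workstations and non-web ports are out of scope here
        if not is_allowed(dst, SERVER_POLICY[src]):
            findings.append(Finding(src, dst, dport, line))
    return findings

SAMPLE_LOG = [  # constructed lines, not real traffic
    "ts=1 dir=out proto=tcp src=10.0.5.20 dst=192.0.2.10 dport=443",    # allowed range
    "ts=2 dir=out proto=tcp src=10.0.5.20 dst=203.0.113.45 dport=443",  # SQL Server to unknown host
    "ts=3 dir=out proto=tcp src=10.0.5.21 dst=198.51.100.7 dport=80",   # file server to unknown host
    "ts=4 dir=out proto=tcp src=10.0.7.33 dst=198.51.100.7 dport=80",   # workstation, not policed
    "ts=5 dir=in proto=tcp src=198.51.100.7 dst=10.0.5.20 dport=1433",  # inbound, ignored
    "ts=6 dir=out proto=udp src=10.0.5.20 dst=203.0.113.45 dport=53",   # UDP, ignored
]

if __name__ == "__main__":
    for hit in find_suspicious_egress(SAMPLE_LOG):
        print(f"ALERT: server {hit.src} -> {hit.dst}:{hit.dport}")
```

Run against the sample it reports the second and third lines only; in practice the policy table would come from the same change-controlled source as the firewall's egress rules, so the two stay in step.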