Recently in Critical Infrastructure Protection

Paranoia in APT Land posted by Rick Howard


I just visited the US International Trade Commission. They invited me to discuss what iDefense knows about intellectual property theft in cyberspace; in other words, what is going on with the "Advanced Persistent Threat" (APT)? Just this past year, it seems like the APT acronym has really emerged as the catch-phrase for the security industry. We used to call this activity "cyber espionage." I guess old-timers like me still call it that, but the cool kids call it APT.

This year there have been three very public demonstrations of large APT-styled attacks: Google, the Indian Government and the US Oil Industry. iDefense sources tell us that the actual target numbers, the ones that are not being reported, are in the thousands. The point I am trying to make is that, thanks to Google going public with its incident, a lot of organizations are now aware of this style of threat. They were ignorant about it before and didn't understand that these kinds of activities have really been going on for the past decade.


That's the good news. The more people that understand the threat, the better we can all protect our enterprises. The bad news is that there is not a lot of consensus about what we are supposed to do about it.

Some of my friends jump right to detection. They think the most important thing you can do to defend yourself against the APT is to detect and eradicate the activity on your network. I don't disagree that we all should be doing that, but I would like to make an argument for putting some significant effort into prevention. If it is true that the number of victims that have been penetrated by some APT group is in the thousands, shouldn't we pretty much assume that we can all be had by these players and that we all might have something useful that they want? If thousands of victims exist, doesn't that mean that our traditional cyber security defenses are not working?

Off the top of my head, here are some things network defenders should consider. Assuming that some APT organization is attacking your enterprise, what do they want? Two things come to mind: they want the secret sauce that makes your company unique and they want leverage in any contract deal that is currently underway. To protect both of these "crown jewels," here is a list of things I would add to my standard network defenses:

1. Physical separation between the corporate network, the secret sauce, any Merger & Acquisition (M&A) groups and any contract deals. I would go as far as physically separating each contract group and M&A group into its own network. Defend the walls of these networks rigorously.

2. Ruthlessly enforce the "Need to Know" rule for each separate network. If you do not need to know about an M&A Deal, you don't get into that network.

3. Encrypt everything in transit and at rest. This includes data on your smartphone.

4. If you are traveling in foreign countries, use throw-away laptops and phones (you still have to encrypt them, though).

5. Label all documents and e-mail with the appropriate data classification. Do not allow designated classifications out of each separate network. For the exceptionally paranoid, install beacons in all documents; small snippets of code layered into headers or footers that call home every time a user opens them.
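Item 5 is the one that can be enforced mechanically at the boundary of each separate network. As an added illustration (not the author's or iDefense's code), the following policy check parses an assumed `X-Classification` header from a document or e-mail and decides whether it may be delivered into a destination network, failing closed on unlabelled documents; the header format, level names and network names are all assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed header format (one line at the top of a document or e-mail):
#   X-Classification: RESTRICTED; network=ma-acme
LABEL_RE = re.compile(
    r"^X-Classification:\s*(?P<level>[A-Z_]+)(?P<attrs>(?:;\s*[\w-]+=[\w-]+)*)\s*$",
    re.MULTILINE,
)
NETWORK_BOUND = {"RESTRICTED", "SECRET_SAUCE"}  # must never leave their home network
FREE = {"PUBLIC", "INTERNAL"}                   # may travel anywhere inside the enterprise

@dataclass
class Label:
    level: str
    network: Optional[str]  # home network named in the label, if any

def parse_label(document: str) -> Optional[Label]:
    """Extract the classification header; None if the document is unlabelled."""
    m = LABEL_RE.search(document)
    if not m:
        return None
    attrs = {}
    for item in m.group("attrs").split(";"):
        if item.strip():
            key, value = item.strip().split("=", 1)
            attrs[key] = value
    return Label(m.group("level"), attrs.get("network"))

def egress_decision(document: str, dst_network: str) -> tuple:
    """Decide whether a document may be delivered into dst_network; fails closed."""
    label = parse_label(document)
    if label is None:
        return False, "unlabelled document"
    if label.level in FREE:
        return True, f"{label.level} may travel freely"
    if label.level in NETWORK_BOUND:
        if label.network is None:
            return False, f"{label.level} label names no home network"
        if dst_network != label.network:
            return False, f"{label.level} is bound to {label.network}"
        return True, f"staying inside {label.network}"
    return False, f"unknown classification {label.level!r}"

# Constructed sample documents for the demonstration.
DEAL_MEMO = "X-Classification: RESTRICTED; network=ma-acme\n\nTerm sheet draft.\n"
NEWSLETTER = "X-Classification: INTERNAL\n\nCafeteria menu for next week.\n"
UNLABELLED = "Quarterly numbers, please keep quiet.\n"
```

Calling `egress_decision(DEAL_MEMO, "corp")` denies the memo, while the same memo bound for `"ma-acme"` is allowed; an unlabelled document is denied everywhere.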

I know these remedies are not as sexy as catching the APT groups in the act. Sometimes, the least sexy remedies are the most effective. In addition, I'll admit, these remedies seem a little paranoid; however, if the victim list is in the thousands, isn't it time to be a little paranoid?


Cyber Arms Control, Gloating and Botnet Terminators posted by Rick Howard


Before the holidays, I stumbled into a blog over at defensetech.org regarding the subject of Cyber Arms Control. The word "stumbled" is one of those euphemisms I use when I am surfing the net instead of doing real work.

From Bruce Schneier's blog, the Russians and the Americans have started discussions about how a treaty might be arranged that might "strengthen Internet security and limit military use of cyberspace". From what I have read, the Americans are not that interested in a formalized treaty, but in a break from the previous administration, the Obama administration is at least willing to listen.

It is not quite time to gloat yet because there are many years of negotiations ahead of us before this gets any closer to reality. But, this falls right into line with something I suggested in an SC Magazine essay back in August. This is the idea that nations could agree to take on individual security issues together. The particular issue I suggested in the SC Magazine essay was the Botnet issue. I suggested that nations might authorize an international team of Botnet Terminators to pursue and destroy Botnets wherever they may lead. If we could just get the Chinese, the Russians and the Americans to sign up for that program, other nations would surely follow. The result would be a game changer. Pernicious Cyber Security Cartels from around the world would have to refit and reconfigure their entire operations in order to avoid the Terminators.

As I said, it is not time to gloat yet. There are many reasons why nations will not want to participate in my Botnet Terminator program or other similar Cyber Arms Control Treaties. I am encouraged though that at least some leaders are talking about it. That puts us a lot closer to the possibility than we were back in August and way closer than I ever thought possible when I wrote the original essay.

I guess I need to stumble around more often. If I could just convince my boss, then I would really have a reason to gloat.