What you need to know about the latest cyber foes
When hackers used authentication keys stolen from EMC’s RSA security division to target computers at Lockheed Martin and other large government contractors last spring, they displayed a level of sophistication that had the earmarks of an elite state-sponsored cyber attack force.
But for all their technical sophistication, the breaches began with one of the oldest tricks in the hacking handbook: a spear phishing campaign that induced even savvy security pros at RSA to unwittingly open infected e-mail attachments.
This blend of sophistication and tried-and-true intrusion techniques shows how advanced persistent threats (APTs) differ from routine, opportunistic hacks. With APTs, expert cyber soldiers focus on high-impact targets — large military and civilian agencies, defense contractors, security firms, and critical infrastructure organizations — and spend months collecting minute details about individuals at these enterprises.
The tainted e-mail messages reference real projects and co-workers, so rather than being suspicious about an attachment, “you’re stupid if you don’t open it,” said Alan Paller, director of research at the SANS Institute, a cybersecurity training organization.
That’s just one of the reasons why defensive measures against the rising threat of APTs differ fundamentally from those used to block routine hacks. Also, APT intrusion strategies are so well planned and executed that targeted organizations must assume that a percentage of the attacks will be successful and have strategies in place to contain the damage. But most organizations are only in the early stages of adopting such defensive measures, if they have started at all.
For those in government and supporting industries, claiming ignorance about APT is not a very credible position these days.
Besides RSA and Lockheed Martin, defense contractors Northrop Grumman, L-3 Communications and Booz Allen Hamilton have reported intrusions recently, as have the Energy Department’s Pacific Northwest and Oak Ridge national laboratories, the CIA, U.S. Senate, the FBI’s InfraGard program, and Arizona’s Department of Public Safety.
And in July, the Defense Department revealed that 24,000 of its files stored on a contractor’s computers had been taken by what Deputy Secretary of Defense William Lynn called a foreign intelligence service.
The list of victims illustrates how the goals of APT actors differ from those of traditional hackers. Instead of obtaining credit card numbers or other information for financial gain, APT actors seek out state secrets, classified information that can sway trade negotiations, details about the inner workings of defense and critical infrastructure, or as in the case of RSA, security tokens that can open the doors to the larger ecosystem of public and private organizations.
DOD’s Lynn estimates that more than 100 foreign intelligence organizations are targeting U.S. organizations. Chinese hackers are among the most active and have been connected to some of the earliest incidents, such as the Titan Rain attacks on U.S. government and industry networks first discovered in 2003.
In addition, although hacktivists such as Anonymous and LulzSec may not be state sponsored, they use their considerable skills to promote political agendas and have claimed responsibility for a number of recent intrusions, including those against the CIA and Senate.
How APT works
The "advanced" part of the APT designation refers to the range of methods extreme hackers use to achieve their objectives. Methods include so-called zero-day attacks that exploit vulnerabilities that software developers and security vendors haven’t yet identified, let alone developed an effective defense against.
In addition to falling prey to infected e-mail attachments, victims might encounter zero-day and other malware after they have been lured to fake websites set up by cyber foes. Even legitimate sites might become infected with Trojan horses and other dangerous software that take advantage of security gaps in popular business programs, such as Microsoft’s Internet Explorer and Adobe’s Flash and Reader software.
In June, hackers secretly planted a zero-day exploit on a website that many people in the defense industry visit. “All you need to do is go to it to get infected,” said one defense contractor’s senior IT manager, who requested anonymity. “There’s nothing you can do about it. People were going to the website because they needed to go to it.”
The contractor discovered that the infection was enabled by an Adobe Flash vulnerability, so until a security patch was issued, the contractor blocked its staff from running Flash.
APTs are "persistent" because attackers have long-term objectives and the resources necessary to spend time studying targets for vulnerabilities, developing tailored exploitation techniques, and then attacking them over and over.
“This is their day job,” said Anup Ghosh, a former senior scientist at the Defense Advanced Research Projects Agency and currently CEO of Invincea, a security technology company. “Literally, from 9 to 5, they keep at you, and if you block them, they are going to try something different tomorrow.”
The defense contractor's IT manager said a successful breach of his organization in recent months was one of thousands of attempts it faces every year.
“Our firewalls are constantly being bombarded,” he said.
Another dimension of persistence is that once APT actors have gained access to a victim’s network, they often use software techniques that are difficult to detect and remove. This allows the perpetrators to conduct surveillance and steal information for as long as possible.
Although hacktivists seek publicity to celebrate their exploits and advance their political aims, security officials said more damage might be caused by stealthier intrusions that remain hidden for months, as malicious programs relay sensitive information undetected by the victim, even after the hole they came in through has been blocked.
“You can’t simply assume that the discovery of one specific activity is the full extent of discovering the scope of an adversary’s penetration,” said Eddie Schwartz, chief security officer at RSA. He declined to discuss the specifics of this spring’s encryption-key thefts.
New defensive strategies needed
The first step security officials need to take to adapt their defenses to the rising threat of APTs is to shift the focus away from trying to double-lock every door and window to thinking first about what it is that a determined intruder most wants from them. Instead of spreading limited resources thin by trying to protect everything, organizations should focus on protecting their most critical assets first, APT experts say.
From there, organizations need to adopt behavior-based anti-attack measures by assigning expert personnel to analyze a constant stream of reports generated by sensors that monitor the activities of networks and computers for signs of unusual and unexpected activities.
“If you all of a sudden have an encrypted channel inside your network, you’d better do something about it unless you know absolutely that you set that [virtual private network] up yourself,” said Keith Rhodes, former chief technologist at the Government Accountability Office and now chief technology officer in the Mission Solutions Group at QinetiQ North America, an IT technology and services company.
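An added example, not part of the original article, of the kind of behavior-based check Rhodes describes: it flags long-lived encrypted sessions between internal hosts that are not in the organization's own tunnel inventory. The flow-record layout, port list, inventory and sample data are assumptions constructed for illustration.

```python
import ipaddress

# Assumed flow-record layout (hypothetical): src dst proto dport bytes seconds
SAMPLE_FLOWS = """\
10.1.5.20 10.9.0.1 udp 4500 88000000 7200
10.1.7.33 10.1.8.90 tcp 22 412000000 14400
10.1.7.40 10.1.2.10 tcp 445 5000000 300
10.1.7.41 10.1.2.11 tcp 443 20000 4
10.1.6.12 203.0.113.8 tcp 443 900000 60
"""  # constructed sample data, not real traffic

# Services commonly carrying encrypted tunnels (illustrative, not exhaustive).
TUNNEL_SERVICES = {("tcp", 22), ("tcp", 443), ("udp", 500), ("udp", 4500), ("udp", 1194)}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed inventory of tunnels the organization knows it set up itself.
APPROVED = {("10.1.5.20", "10.9.0.1", "udp", 4500)}

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes, secs = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto, "dport": int(dport),
                      "bytes": int(nbytes), "seconds": int(secs)})
    return flows

def unexpected_internal_tunnels(flows, approved=APPROVED, min_seconds=600):
    """Return long-lived internal-to-internal encrypted sessions not in the inventory."""
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["dport"])
        if not (is_internal(f["src"]) and is_internal(f["dst"])):
            continue  # this check only covers channels inside the network
        if (f["proto"], f["dport"]) not in TUNNEL_SERVICES:
            continue
        if f["seconds"] < min_seconds:
            continue  # short sessions, e.g. an intranet HTTPS page load
        if key not in approved:
            alerts.append(f)
    return alerts

if __name__ == "__main__":
    for f in unexpected_internal_tunnels(parse_flows(SAMPLE_FLOWS)):
        print("review:", f["src"], "->", f["dst"], f["proto"], f["dport"], f["seconds"], "s")
```

The check is only as good as the inventory: an incomplete list of approved tunnels produces noise, and a stale one hides channels nobody owns anymore.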
Fast action upon the discovery of suspicious activity is critical to limiting the damage. “It takes a bit of finesse to limit the hemorrhaging immediately while at the same time start an investigation to quickly understand the true scope of the problem while you have the chance,” Schwartz said.
But agencies shouldn’t wait for an actual attack to show them where they are vulnerable, Rhodes said. “Attack yourself — it can reap huge benefits,” he said.
That includes hiring white hat hackers to test agency defenses. “They might [say], ‘I couldn’t break into your firewall, but I got 77 passwords by talking to your help desk,’” Rhodes said.
How the main targets of advanced persistent threats are responding
There’s no question that advanced persistent threats are a clear and present danger to certain agencies and commercial organizations. But the best way to mitigate the risks represented by well-funded and determined attackers is less clear.
“The opponent only has to be right one time; you have to be right every time,” said Keith Rhodes, former chief technologist at the Government Accountability Office and now chief technology officer in the Mission Solutions Group at QinetiQ North America, an IT technology and services company.
Some countermeasures cut across organizational boundaries, but security executives also need to consider specific defenses based on their enterprise’s mission, its APT risk level and the type of systems it needs to protect. Here’s how the three main groups that have been targeted most often are responding.
Defense and intelligence agencies
What’s at risk
These agencies face some of the highest risks, given the value of weapons systems secrets and intelligence documents to foreign nationals and terrorist organizations. The primary threats are leaking classified information or having vulnerabilities introduced into critical defense/intelligence systems. When Deputy Secretary of Defense William Lynn recently reported an intrusion by a foreign intelligence service into Pentagon documents, he acknowledged that a weapons system might need to be redesigned as a result of the attack.
How this sector is responding
Standard cybersecurity measures, such as firewalls, two-factor authentication and intrusion-prevention systems, provide base-level protection, but defense and intelligence agencies need more to address APTs. Alan Paller, director of research at the SANS Institute, said some of the best and brightest security experts are being recruited by these agencies to write software filters for identifying intrusions in real time. But there’s a significant shortage of personnel with a high level of expertise, he added.
In addition, the Defense Department has launched a series of formal efforts to coordinate anti-APT activities. The U.S. Cyber Command, created in 2010, centralizes security monitoring and responses to support each branch of the military.
“We are now training our forces to thwart attacks that compromise our operations,” Lynn said in a July address before the National Defense University. He also discussed the possibility that the Pentagon might eventually launch offensive operations as a deterrent against APTs.
Defense contractors and the critical infrastructure industry
What’s at risk
Because large government contractors, such as Lockheed Martin, Northrop Grumman and others, are part of sensitive government operations, they are targeted as often as military agencies.
“Think about it, if you want to steal information about a fighter jet, you would compromise the defense company that’s making the plane,” said a representative from a defense contractor.
Similarly, breaches of supervisory control and data acquisition systems run by nuclear power plants and key infrastructure sectors could threaten public safety and economic stability. For example, the Stuxnet virus suspected to have targeted Iranian nuclear facilities reportedly damaged industrial control equipment and set back that country’s alleged weapons program.
How this sector is responding
A number of initiatives are under way to promote information sharing and keep defense and critical infrastructure organizations abreast of new threats and best practices for responding. DOD and the Homeland Security Department created the Defense Industrial Base Cyber Pilot to distribute security intelligence among defense contractors and commercial Internet service providers. Lynn credited the evolving program with helping to thwart some recent attacks. The two departments launched a similar effort last fall for the critical infrastructure community.
The National Security Agency also is collaborating with commercial Internet providers in a voluntary program to monitor electronic communications within the defense industry to spot APT intrusions.
DHS also manages Einstein, an ongoing effort to create an early-warning system for cyberattacks across a number of federal agencies. Seán McGurk, director of DHS' National Cybersecurity and Communications Integration Center, recently told a Senate panel that the second phase of the project, which creates a series of trusted Internet connections, is now in use at 15 agencies.
The government probably needs to get more involved in organizing defenses of critical infrastructure, said James Lewis, a senior fellow at the Center for Strategic and International Studies. “Can we rely on voluntary efforts [from infrastructure operators] against APT?” Lewis asked. “The answer is no. We need to consider if there is some higher level of defense above the enterprise that will work better.”
Civilian agencies
What’s at risk
Although APTs often target defense and intelligence agencies, civilian agencies aren’t immune to cyber threats from foreign nationals, terrorists and hacktivists. At risk are sensitive diplomatic communiques, strategic economic information and classified government policy information. Disinformation efforts against government data could also induce chaos in financial markets and other sectors of the economy.
How this sector is responding
The first step is for civilian agencies to recognize that they might be at risk and assess the likelihood that APT groups would go after their information. Next, security managers need to understand that Federal Information Security Management Act compliance is a starting point but by no means the final defense against APTs.
Greater visibility into civilian IT operations, as with other targeted sectors, is also important. “Most civilian agencies find out they’ve been a victim of an attack only when the FBI comes in and tells them,” Paller said.
Staff training is another important first step. The Commerce Department is working to heighten awareness of APT threats. “We have concentrated our efforts on…raising situation awareness not just with technical staff but with senior officials across the department,” said Earl Neal, director of IT security, infrastructure and technology at Commerce.
The agency is also implementing best practices for continuous security monitoring and sharing information with other federal agencies to strengthen cyber defenses, he added.
To make it more difficult for hackers to gather personal information for spear phishing attacks, Commerce created a policy that advises staff members to limit information published on social media sites and bans the use of personal e-mail accounts for official business.