Tuesday, August 2, 2011

Dealing with Advanced Persistent Threats

To distinguish cyber attacks that are "highly targeted, thoroughly researched, amply funded, and tailored to a particular organization -- employing multiple vectors and using 'low and slow' techniques to evade detection" from hacker exploits, the US Air Force has coined the term APT.

APT infiltrations can originate from nation-states and their hired attackers, from industrial competitors, or from organized crime.

The standard approach of fortifying the perimeter of an organization, such as network encryption, is a losing battle. Attackers are not trying to insert malware through existing encrypted channels. A successful defense has to change from "keeping attacks out" to accepting that "sometimes attackers are going to get in" regardless of protective measures.
The first line of defense is therefore the ability to detect attacks and then to minimize the damage instantly. Zero-day attacks are used with increasing frequency, and no pre-planned defense will counter them. One must assume that every organization has already been compromised and then immediately proceed with countermeasures.

An approach to cyber defense must therefore rely on the presence of highly automated network control centers that have installed triggers, often using artificial intelligence or neural networks, to detect intrusions. If an organization has more than a thousand networks and several hundred data centers (as is the case in DoD), it has neither the personnel nor the resources or organization to stand up a rapid-response line of defense. The only way to address the organization of secure network control centers is to limit their number through consolidated management of networks that operate with only a limited number of Platform-as-a-Service (PaaS) clouds.

The second line of defense is to tightly control access from desktops, laptops or smart phones. With millions of such devices in DoD it is neither practical nor affordable to install firewalls, virus protection and malware detection on every device. Access from desktops is always based on personal authentication privileges, regardless of location or computer technology used. Keeping the virus, firewall and malware configuration of such a large number of access points up to date therefore becomes an unmanageable task. Security enforcement should be done at the server farm level, where up to a hundred thousand virtual desktops can be controlled centrally.

Rapid migration to cloud computing, in the form of a private PaaS, is the only affordable and feasible way for protecting DoD against cyber attacks.

The reaction received to my recent blog about the compromise of the RSA network warrants further information. According to IEEE Security & Privacy, July 2011, the RSA hacker exploit was based on a bug in the Adobe Flash Player. Attackers broke into the RSA network by sending e-mail messages to a number of RSA employees. Attached was an Excel spreadsheet. The Excel spreadsheet contained an embedded Flash file exploiting a vulnerability that was previously unknown to Adobe. This vulnerability allowed the attackers to take over an RSA employee's personal computer and install a version of the Poison Ivy remote administration tool. This enabled the attackers to steal user credentials, access other RSA computers and then transfer sensitive information to themselves.

This situation could have been averted. RSA employees should have had strong access authorization that would identify the Poison Ivy source as illegal. The RSA network administrators should have been able to detect a communication anomaly and immediately intercept it.
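A minimal illustration of the kind of communication-anomaly trigger described above, as an added example that is not from the original post: it flags host-to-destination pairs whose outbound connections recur at near-constant intervals, the timer-driven "low and slow" check-in pattern of a remote administration tool. The flow records, host names and addresses are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_seconds, src_host, dst_ip, bytes_out).
# "ws-17" phones home every ~600 s with small, near-constant payloads (a beacon);
# "ws-04" shows ordinary, irregular user browsing to one site.
FLOWS = [
    (0, "ws-17", "203.0.113.5", 412), (601, "ws-17", "203.0.113.5", 418),
    (1199, "ws-17", "203.0.113.5", 415), (1802, "ws-17", "203.0.113.5", 411),
    (2398, "ws-17", "203.0.113.5", 420), (3001, "ws-17", "203.0.113.5", 409),
    (5, "ws-04", "198.51.100.9", 14000), (40, "ws-04", "198.51.100.9", 230),
    (900, "ws-04", "198.51.100.9", 52000), (2300, "ws-04", "198.51.100.9", 3100),
    (2310, "ws-04", "198.51.100.9", 880),
]

def find_beacons(flows, min_flows=5, max_jitter=0.1):
    """Return {(host, dst): period_seconds} for suspiciously periodic outbound traffic.

    For every host->destination pair with at least `min_flows` flows, compute the
    gaps between consecutive connections. A coefficient of variation (stdev / mean)
    of the gaps below `max_jitter` means the traffic is timer-driven rather than
    user-driven. Legitimate bursty traffic has large jitter and is not flagged.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:  # duplicate timestamps; not a timed beacon
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits[pair] = round(avg)
    return hits

if __name__ == "__main__":
    for (host, dst), period in find_beacons(FLOWS).items():
        print(f"beacon candidate: {host} -> {dst} every ~{period}s")
```

In production the same check would run over NetFlow or proxy logs per day, and a hit would feed the automated interception the post calls for rather than a printout.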

For comments please e-mail paul@strassmann.com