Tuesday, March 9, 2010

APT: Should your panties be in a bunch, and how do you un-bunch them?

There is no more predictable group of people than marketers. Once a term reaches a certain tipping point, they grab onto it for dear life and choke it until it means nothing. Apparently, the Advanced Persistent Threat (APT) hit that point somewhere around December. Despite the term being used by the defense industrial base for years, it wasn’t until this year that firms really started pounding the “Come to us my children, only we can save you from death by APT” drum.

This isn't to say that APT isn't real; we’ll get to that in a moment. But it dilutes and distorts the term, changing it from a euphemism for a certain group of attackers who display an uncharacteristic amount of backing, talent and motivation to a “thing” that CEOs have heard of and are now looking for the “Firewall blocks APT” checkbox. This is a disservice to those who face APT-level threats and also moves it into the “whatever” category for a lot of operational folks.

First, what is APT? I’ve been told, if I remember correctly, that initially the term was used to describe specific groups associated with nation-states that aggressively and successfully penetrated critical infrastructure networks and established well developed, multi-level footholds in those networks.  But now it increasingly means "bad thing from the Internet".

The co-opting of APT by the marketing folks have led to the point that people are classifying any malware, rootkit or bot as "APT".  Zeus is not APT, Aurora is not APT.  APT is a level of threat, a description of the sophistication, patience and talent behind an attack.  The attacks are targeted, typically involving both an exploit and social engineering.  Emails containing PDF exploits don't get spammed to everyone in the organization, they are sent to key individuals with convincing messages.  Bots aren't your commercial, off-the-shelf variety.  They are custom built, hard to detect and typically have multiple instances and functions so an initial remediation sweep will appear successful but miss the deeper, quieter processes.

The attackers monitor the state and success of their attacks and channels.  As one channel goes down, they activate another.  If a node containing valuable data is cleaned, they'll reinfect it from another computer.  They know what they are doing.

Or, to use my own, barbaric way of describing things:

“APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that."

Now, I’ll tell you a secret about APT. There isn’t a silver bullet product that is going to save you. The people behind this level of attacks have MONEY and TALENT and EXPERIENCE. I would be surprised if there wasn’t a stack of IDS boxes, a bunch of AV solutions, a pile of WAFs, firewalls and anomaly detection gear sitting in a server room with a whole bunch of bad stuff going through it. Each time detection occurs, the attack is modified to evade detection. The root kits are self morphing and uses established protocols to avoid detection.  In short, they know the way you work and they abuse that knowledge.

Now you might be saying, depending on where you work: “I’m not important enough to worry about APT level threats”. If you say that, then one of two things are in play. One, you are not aware of your company’s interactions on the global market and the level of interest players in the world may have in your data. If you are a supplier to the Government they might be interested in a sudden increase in orders of a certain product. If you are a law firm, they might be interested in your research on another company or how you might defend a client who is suing or being sued by a certain company. Maybe an email sourced from your server would not arouse suspicion and would quickly be opened by a CEO, CTO, CSO or any employee at all, to be honest, from another firm. So think about where you are in the world and who you interact with.

So you’ve done that and you’ve decided you’re in the clear: Nothing to worry about in APT land. This is true…and then again it isn’t. One of the common methodologies that attackers use to obscure their activities is to bounce around, deliver attacks and pull data from different IP addresses. While they may not be interested in your data, they are interested in your network. Just be aware that you might make an excellent jumping-off point for an attack. So if you’re interested in being a good Internet citizen pay attention.

Inline TLDR: These people want to beat you. They can beat you. You are a target.

The question you should be asking is “Well what the hell do I do then, smart guy?” Well, glad you asked. First of all, meet the minimum. Start with patch management, which I can sum up, from a security perspective like this: PATCH IMMEDIATELY (hey, by the way its Microsoft Tuesday today, go patch, I’ll wait…) when they come out. I know, I know, you have to do x, y and z testing. That’s great. Let me tell you a story:

Back before Sourcefire was in the MAPP program, we had to do that bad guy way of understanding what the patches addressed. This means we’d take the old DLL and compare it to the new DLL. This would tell us what changes Microsoft made and allow us to reverse engineer from that point to understand the vulnerability.

I'll admit...I suck at this, seriously. It would generally take me about a day to figure out was going on, and I suspect that my bugs were easier. The hard ones, and the ones that looked like they would go live as exploits, went to Lurene Grenier (we call her Lulu, she loves that). The mean time for her to go from the diff to a POC was about an hour. Now, to go from POC to exploit is a different matter dependent on the nature of the bug and the ability of the attacker to pass arbitrary data before and during the exploit of the vulnerability. But this should give you an idea of the time frame you are working with.

As another example, when the JBIG2 bug hit earlier this past year, our fuzzer hit the vuln in about 10 minutes. From there it was not difficult (in this case) to move to an exploit.  (And don't think we only fuzz against emerging 0-day.  As a throw-away metric we average one DOS-level crash per day and on review one or two of these per month move to exploitable status).

Now..Lulu is scary talented. But she isn’t the only one in the universe that has the ability and drive to do what she does. You should know a lot of the names of other folks who do (check @pusscat and @kpyke’s follow list if you don’t’) but I guarantee there are a bunch that you and I have never heard of. So this is the level of talent you are facing: disclosure to exploit in less than a day.

Next, understand your network and ensure it behaves in a highly deterministic fashion. Work with your network engineering folks to understand the configuration of the network, where the VLANs are, how the IP space is allocated and what security features are in place in the network configurations. Consolidate your logs, network flow data and monitoring into a SIM and build systems to detect when something becomes different.

Did I say patch? For God’s sake, patch.

OK...so you've begun to meet the minimum. Now, time to move up to AA Ball. To some extent this involves taking steps towards Mattland.  We need to gain control of the network and how it is used.  Get some aggressive, scary policies in place. Threaten to (metaphorically) eat the children of people who play Facebook apps on your network, (metaphorically) melt the faces of all those who dare to surf porn or play flash game and (metaphorically) drop the hammer of God on anyone who dares to bring a USB key or software from outside. Then put systems in place to watch for this and make scary visits to those who would defy you. In all seriousness, put in policy and procedures and the capability to enforce them. I’m sure you have a CISSP tucked away somewhere who will help you.

Next, get some intelligence feeds together. To start with, get an RSS new reader and a twitter account. Hit every security site you’ve ever heard of and evaluate it for content. Here is an off-the-top-of-my-head list:

http://www.exploit-db.com/
http://isc.sans.org
http://www.oracle.com/technology/deploy/security/index.html
http://www.adobe.com/support/security/
http://www.microsoft.com/security/msrc/
http://blog.threatexpert.com/
http://osvdb.org/
http://0dayexpose.blogspot.com/
http://blogs.msdn.com/michael_howard/default.aspx
http://carnal0wnage.attackresearch.com/
http://www.metasploit.com/
http://blog.metasploit.com/

Add to this list and then check it. Every day, twice a day. Now…twitter. As dumb as it sounds, Twitter is one of the best Intel tools I’ve found. People like to chat about new things they’ve found and things they are working on. Here is a basic list of people to watch:

http://twitter.com/reversemode
http://twitter.com/DidierStevens
http://twitter.com/egyp7
http://twitter.com/mdowd
http://twitter.com/sans_isc
http://twitter.com/alexsotirov
http://twitter.com/dinodaizovi
http://twitter.com/halvarflake
http://twitter.com/hdmoore
http://twitter.com/daveaitel
http://twitter.com/pusscat

Every day, twice a day.

OK…time to go big time. What do you need to really push the envelope on security? You need a team. You need a serious, serious team. There isn’t one person in the universe that can stand alone on this. You need a group of high-energy, high-motivation people that love what they do. First, sit down and think about the kind of systems you have. You need a group of people who, together, are experts on those systems. Then list the kinds of protocols you have. Your group needs to collectively be experts on those protocols. List the security systems you have in place. Your group needs to be experts on those systems and how to customize them rapidly (remember there is no silver bullet product). Also, your group needs to be conversant in Ruby, Python, PERL and C…the languages of exploits. Finally, you need a very, very bad person.

It is hard to overstate the need for someone who hates rules, restrictions and limitations. You need to find someone who your HR department is going to hate. You need to find someone who reminds you of you in your younger more carefree days. You need to find someone you trust completely. Then you are going to put them in a cube and NOT BOTHER THEM. Throw them problems, tasks and direction but get out of their way and let them do their thing. Then let them pick apart every security decision and implementation you have. Ask them how they would get around it and how to mitigate that. Finally, when they tell you something is bad…believe them.

Finally, understand that in all likelihood, you will fail to keep the attacker out. Be it 0-day, mis-configured servers or some special guy in finance who JUST DOESN'T GET IT…someone most likely will get a foothold. So balance your time between attack detection and detection of rootkits and bots. Maintain a high degree of suspicion.

So, TL;DR (which may, in itself be TL;DR):

  1. APT is becoming a marketing term
  2. Your APT definition should be:
    "APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that.”
  3. Despite your place in the world, an APT level threat may affect you.
  4. Nail down the basics: 
    1. Patch immediately
    2. Understand your environment
  5. Then get better: 
    1. Build aggressive policies
    2. Be able to enforce those policies
    3. Generate intelligence and monitor that intelligence
  6. Go big, build your team.  Then Venn diagram of your team should include: 
    1. OS experts
    2. Application Experts
    3. Protocol Experts
    4. Security Systems Experts
    5. Ruby/PERL/Python/C coders
    6. At least one very, very bad person
  7. Balance detection between attack detection and successful intrusion detection.
  8. Marketing doesn't know what the hell it is talking about - do your research.
  9. Remember, technology won’t save you. People will.

As always, comments, corrections and snide remarks are welcome below.
Add to Technorati Favorites Digg! This
Post a Comment