Advanced threats: The enemy is already within
Despite the number of headlines generated by recent high-profile breaches, advanced persistent threats reported in the press are only the tip of the iceberg, and organizations should assume that they already have been or will be breached, a group of C-level executives participating in recent closed-door discussions in Washington, D.C., concluded.
“There is a lot more APT activity than is actually known,” said Eddie Schwartz, chief security officer of RSA, the Security Division of EMC, which hosted the APT summit in July.
Schwartz said APT activity is at pandemic levels and that compromise is a new fact of life.
Hackers gain access to RSA's SecurID security tokens
After hack, security of RSA SecurID tokens in the hands of customers
RSA confirms its tokens used in Lockheed hack
“The surprising thing to me was the level of shared concerns” among the 100-plus private- and government-sector executives attending the discussions, Schwartz said. “It was more pervasive than I believed going into it. Literally everyone had something to say and talked about experiences.”
The attackers often are well-funded and have access to sophisticated tools, and they are also are doing a better job of sharing information than security professionals, the executives concluded. They called for the removal of legal barriers that stifle sharing of information between and among companies.
The best practices identified to combat the threats turned out to be basic enterprise security.
“When APTs show up, there is an assumption that you will have to have some advanced technology to deal with it,” but that is not the case, said Bill Boni, chief information security officer for T-Mobile and a participant in the discussions.
The APT summit was organized by RSA along with the TechAmerica industry group in an effort to determine the extent of the problem and identify best practices. A summary of findings from the summit was released Sept. 13.
The gathering was in part a response to a breach of RSA reported in March. “RSA recently went through an issue” with APTs, said Schwartz, “and we wanted to provide some leadership.”
The company announced that it had been breached by an APT and that information about its SecurID authentication technology had been stolen. Although the company said at the time that SecurID remained an effective tool, it acknowledged in June that stolen data was used in an attack against defense contractor Lockheed Martin. It offered to replace compromised tokens for high-risk customers.
Advanced persistent threats is a descriptive term for a new class of attacks that tend to be stealthy, sophisticated and well-targeted, often exploiting multiple vulnerabilities including previously unknown zero-day vulnerabilities. They are intended to remain unseen in systems over a period of time, often gathering sensitive information.
The primary attack vector for APTs is social engineering, the executives concluded.
“The new perimeter is human beings,” Schwartz said. “The human is the weak link in the chain.”
Neither training nor technology alone can protect completely against spear phishing and other targeted attacks. The prevalence and success of the attacks also means that organizations must focus on mitigation as well as prevention and learn to live in a state of compromise.
“You’d be amazed how many organizations still don’t believe this to be true,” Schwartz said. Living in a state of compromise means prioritizing digital assets, knowing where they reside and who has access to them, and knowing how to lock them down in the event of a breach.
A disturbing conclusion reached by participants is that supply-chain poisoning is on the rise, with adversaries attacking weak links to compromise targets through less-secure trusted vendors.
“There weren’t specific examples given because of the sensitivity,” Schwartz said of the published findings from the summit. But he said many companies already have taken action in response to supply-chain compromises, including new personnel policies, code review, reform of contracting and procurement policies, and assignment of dedicated personnel to the problem.
These efforts underscore the importance of and the need for collaboration and information sharing. But today’s attackers often are better at real-time intelligence sharing than are their targets. Unburdened by regulation and liability, the bad guys are nimble and cooperative when it serves their purposes.
“Fear of legal risks appears to be one of the biggest impediments to sharing actionable threat information,” according to the summit findings. Establishing a framework for intelligence requires standardized reporting processes and lexicons, liability indemnification for sharing information for security purposes, and a technical infrastructure to share and analyze information at machine speed.
The Washington gathering was the first in a serious of summits being planned by RSA and TechAmerica, with the next being planned for London in October. Boni described the initial meeting as a “milestone on a long and interesting journey in security in the 21st century.”
“It helped validate that this is a real risk that is worthy of concern,” he said. “We are starting to build a broader community trust that is going to be necessary.”
Other findings from the July summit include:
- Situational awareness is essential to detecting threats early.
- Incident response should be an organizational competency, not a siloed security function.
- Customization in APTs defies traditional signature-based security.
- Organizations must get creative to detect attacks early and disrupt attackers often. Damage from APTs can be minimized by interrupting the attacker’s workflow.
- Simplicity is the path to better security. Weak links can be eliminated by simplifying systems and decommissioning outdated systems.