Lately the threat posed by APT has gained a lot of attention. As highlighted by my April Fool's Day post, there was the RSA incident, the HBGary incident (which was more "Persistent" than anything else), the Australian PM's laptop getting owned (which barely got more than a day's press), and more.
I wanted to try to summarise what APT really is and what the real takeaway message is for people out there.
Advanced Persistent Threats have always been there.
Always. Without exception. You may not have known them by this name. You may never have heard of it before. That doesn't mean these attacks weren't going on before. The point is, they are not new. The idea that people have never been hit by a highly skilled, motivated attacker who was never going to stop until he gained access to your network and got what he wanted is insane.
Sure, the label is popular when talking about state actors, but it is incorrect to assume that if the attacker isn't state sponsored or backed, then it isn't APT. That's not to say they aren't state backed in some cases either....
In any case, the point is, these kinds of attackers have been around since the dawn of the Internet.
You cannot stop APTs
To quote one of the Sourcefire VRT guys, Matt Olney, in what is probably the best definition of APT I've ever seen:
"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that."
Firstly, we need to really revisit what we know of information security. If there's anything we've learned to date, it is that nothing can be made 100% secure. The best result one can seek is to delay, defer or hinder an attacker enough to induce them to move on to an easier target. If we accept that as an axiom, then we can further conclude that if the attacker is only after you, then you're pretty much screwed given sufficient time and skill (or at least time enough to get skilled).
Yeah, good luck with that indeed.
Most people are worried about the wrong thing
Working in security - particularly consulting - you get to see a lot of different businesses and how they run and implement security. The sad reality is that most people do a poor job of it. I don't say that to insult anyone; it's just a simple statement of fact. Regardless of the reason, too many businesses lack the basic controls. Too many people can be taken down by a script kiddie with a fresh copy of Metasploit. Too many people don't have a good handle on the basics, like patch management. Too many people are still running around with IE6 as the default web browser.
And yet they want to focus on APT?
If you don't have some basic processes down - stuff like patch management, vulnerability management and proper logging and event management - and if you don't pentest your environment holistically as well as individual projects against internal AND external threats, then there's really no point. You need to learn to walk before you run.
Also, in understanding APT we're talking about a hacker doomsday scenario where you are going to get owned and there is very little (if anything) you can do to stop it. In most cases, the best you can ever hope for is a shot at detecting the attack in progress. This is what RSA and Google were able to do. And how do you think they did it? Uh-huh, that's right. See above. This is why I laugh at people bagging these businesses for getting owned. Everyone can get owned. But when the shit hits the fan, how they deal with it and respond is key. The fact that they could detect these attacks gives an indication of their level of security maturity. Could you say the same about your business? Uh-huh, I didn't think so.
So in conclusion - let's get real about the problems we can solve. Don't worry about the hacker doomsday scenario that you cannot prevent. Focus on getting the basics down first. Once you get a handle on those processes, then we can have a chat about APT.
PS: You'll still get pwn3d though.