Lately the threat posed by Advanced Persistent Threats (APT) has gained a lot of attention. As highlighted by my April Fool's Day post, there was the RSA incident, the HBGary incident (which was more "Persistent" than anything else), the Australian PM's laptop getting owned (which barely got more than a day's press), and more.
I want to try to summarise what APT is and what the real takeaway message is for people out there.
Advanced Persistent Threats always have been there.
Always. Without exception. You may not have known them by this name. You may never have heard the term before. That doesn't mean these attacks weren't going on before. The point is, they are not new. The idea that nobody had ever been hit by a highly skilled, motivated attacker who was not going to stop until he got into your network and took what he wanted is insane.
Sure, the label is popular when talking about state actors, but it is incorrect to assume that if the attacker isn't state sponsored or backed, then it isn't APT. That's not to say they aren't state sponsored in some cases either....
In any case, the point is, this kind of attacker has been around since the dawn of the Internet.
You cannot stop APTs
To quote one of the Sourcefire VRT guys, Matt Olney, in what is probably the best definition of APT I've ever seen:
"There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that."
Firstly, we need to really revisit what we know of information security. If there's anything we've learned to date, it is that nothing can be made 100% secure. The best result one can seek is to delay, defer or hinder an attacker enough to induce them to move on to an easier target. If we accept that as an axiom, then we can further conclude that if the attacker is only after you, then you're pretty much screwed given sufficient time and skill (or at least time enough to get skilled).
Yeah, good luck with that indeed.
Most people are worried about the wrong thing
Working in security - particularly consulting - you get to see a lot of different businesses and how they run and implement security. The sad reality is that most people do a poor job of it. I don't say that to insult anyone, it's just a simple statement of fact. Regardless of the reason, too many businesses lack the basic controls. Too many people can be taken down by a script kiddie with a fresh copy of Metasploit. Too many people don't have a good handle on the basics, like patch management. Too many people are still running around with IE6 as the default web browser.
And yet they want to focus on APT?
If you don't have some basic processes down - stuff like patch management, vulnerability management and proper logging and event management - and if you don't pentest your environment holistically as well as per project, against internal AND external threats, then there's really no point. You need to learn to walk before you run.
Also, in understanding APT we're talking about a hacker doomsday scenario where you are going to get owned and there is very little (if anything) you can do to stop it. In most cases, the best you can ever hope for is a shot at detecting the attack in progress. This is what RSA and Google were able to do. And how do you think they did it? Uhuh, that's right. See above. This is why I laugh at people bagging these businesses for getting owned. Everyone can get owned. But when the shit hits the fan, how they deal with it and respond is key. The fact that they could detect these attacks at all gives an indication of their level of security maturity. Could you say the same about your business? Uhuh, I didn't think so.
So in conclusion - let's get real about the problems we can solve. Don't worry about the hacker doomsday scenario that you cannot prevent. Focus on getting the basics down first. Once you get a handle on those processes, then we can have a chat about APT.
PS: You'll still get pwn3d though.
Friday, April 1, 2011
A number of events in past months have forced me to reconsider my position on a number of issues.
Foremost in my mind:
- The Vodafone scandal in Australia,
- the Australian Prime Minister’s Laptop being hacked,
- Office of National Assessment’s of Govt security (and SQL injection being described as “non-major”),
- RSA being owned,
- the Comodo CA hack.
What do these all highlight?
- Ultimately, the blatant disregard that Australian citizens have towards their own privacy,
- Similar disregard by our government to protect its information assets,
- Gross misunderstanding over what SQL injection means (in spite of seeing the ownage of HBGary),
- The fundamentally flawed architecture we have come to rely on (SSL & CAs).
We (Australia) have no mandatory notification of breaches, no penalties for privacy breaches, weak government interest, capability and skill in securing our own assets.
I am tired of banging my head on a wall and hoping that things will get better and that I can play any role in that future. I have blogged about it in the past and I hoped this was just a phase and I’d get past it. But I can’t and I’m over it.
A wise man once said to “follow your bliss”. Once upon a time, I loved pillaging boxes and finding holes. Somewhere along the way, I lost my path. I betrayed my own values. I have a set of programming books piling up in my library that I’ve never touched because I’ve been so focused on architecture, strategy and business. None of this makes a lick of difference in the scheme of things and quite frankly, if the Australian population and our own government don’t give a shit, I frankly don’t see why I should.
Sure, I believe you can focus on architecture, sound decisions based on risk and an intelligent approach to understanding your business, and uplift your security. But at the end of the day, it’s a drop in the bucket. When people think SQL injection doesn’t mean much and lazy administrators can’t be stuffed patching Windows boxes because it involves work (err... “downtime”), then nothing I do will ever really matter. What’s more, nobody seems intent on addressing these problems. There is no patch for human stupidity (or laziness for that matter).
So I’ve decided to “follow my bliss”. I will be focusing on penetration testing, vulnerability research and programming solely from now on. I will get back to my roots – and I am the first to admit I have a lot of things to catch up on. But I will enjoy the journey at least. I will devote myself to finding the holes. Let the fixing go to other people who have the stamina and the patience to do it – I’m done with it.
To the pentesters I’ve hassled – you guys were right all along. I was wrong.
To the people who supported me – sorry guys, but I’ve seen the light.
UPDATE: For those who missed the date of the post, yep, I'm pulling your leg. Happy April Fools' Day, y'all.