This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

Guarding Against the 'Advanced Persistent Threat'

CIOs in charge of security need to be very aware of the so-called Advanced Persistent Threat, and shore up defenses to head it off.

The unsatisfactory term "Advanced Persistent Threat" is shorthand for a decade-long program of coordinated attacks, originating mostly from China, aimed at exfiltrating corporate intellectual property. If your company has not yet been targeted, congratulations; but you need to be prepared.

I call the term APT "unsatisfactory" not only because it can mean different things when used by different security companies, government and military agencies, etc., but also because the intrusion techniques employed by state actors often are not very advanced. Russian cyber-criminals bent on self-enrichment employ advanced toolkits that may include zero-day vulnerabilities, previously unknown and unpatched. But Chinese hacking teams are much more likely to rely on known vulnerabilities in conjunction with social engineering and spear phishing.

The word "persistent" in the moniker is accurate, however. APT intrusions may last for months or years. These are not one-shot hacks.

Cyber-attacks have been with us as long as the Internet has, but until 10 to 12 years ago they looked more like government-to-government espionage than deliberate attempts to exfiltrate private intellectual property. The attacks have gradually broadened to target defense companies, and then other critical industries including energy, finance, security, and others. Here is a partial list of major APT activity over the past two years.

Security companies, the technical press, and lately the general press have been increasingly pointing out circumstantial evidence that the Chinese government and/or military are behind most of the industrial espionage attacks. This drumbeat culminated late last year in a US government report naming China and Russia. The experts who worked on that report have said in later interviews that as few as a dozen hacking groups appear to be behind most of the attacks. Investigations indicate that the dozen or so Chinese teams get "taskings" to go after specific technologies or companies within a given industry. Sometimes two or more teams appear to get the same target list, and they then compete to be the first or to get the most valuable trove of data.

China has always denied having anything to do with the attacks. Ironclad proof of its involvement will always be elusive, but the circumstantial evidence is mounting. For example, McAfee researchers found that the "Night Dragon" attackers were always active within a time window of 9:00 AM to 5:00 PM in the time zone that includes Beijing.

Security expert Bruce Schneier notes an important way the APT differs from more familiar threats, which tend to be motivated by either money or politics. Against those familiar attacks, what matters is your relative level of protection -- if you are more secure than 90 percent of your competitors, the traditional hackers will pass you by and go after them instead. When facing the APT, the absolute level of your protection needs to be up to snuff.

The Australian Defence Signals Directorate maintains a prioritized list of 35 APT mitigation strategies (they call the attacks "targeted cyber intrusions"). The Directorate estimates that 85 percent of APT attacks could be mitigated by the simple steps of consistent patching (of both operating systems and applications), application whitelisting, and reducing the number of users with administrative privileges. Implementing processes farther down the list -- data-loss prevention, user behavior analysis -- boosts your safety even more. The SANS Institute offers training in these and other advanced security techniques.

If your company has any involvement in national security or major global economic activities -- even peripherally -- you should expect to come under pervasive and continuous APT attacks that go after archives, document stores, intellectual property repositories, and other databases. Make sure your people and processes are up to the challenge.