reed book: Advanced Persistent Threat Hacking

Advanced Persistent Threat Hacking


Defining the Threat

The cold, hard truth is that at this very moment, regardless of the defenses you have in place, I can get access to any and all of your private data. Whether the private data is intellectual property, financial information, private health information, or any other confidential data is irrelevant. The importance doesn’t stop at just information either. If I can get access to any of your information, then I can also get access to anything protected by that information. For example, you might consider your money to be safely secured in a bank, but if I can get access to the credentials that secure your access to the bank, then I can also get access to your money. Think your house is secure with that shiny new alarm system? All someone needs is a small piece of information to bypass your home security system—the “security code”—and oftentimes that’s not even needed.

How did we get here? How do we live in a world where it’s so incredibly easy to get access to such valuable data? Not only valuable data, but also actual valuables. And what the heck are all these security vendors selling if everyone is so insecure!? An excellent question, one that we will seek to address shortly and prove with the remainder of the book.

The answer to why it is so easy to hack any system, organization, or person is a relatively complex one. There isn’t one single reason; there are many contributing factors.
In this book, you will understand how an APT hacker can use the widespread immersion of technology to reach their goals, but you should also ponder some of the other very serious threats besides APT hackers that could use this information to their advantage.

Threats

To fully understand the different threats, we need to first correctly define them. Many people incorrectly use the term threat to refer to situations in which a specific vulnerability is exploited or to refer to “risk.” It is very important that we use the same terms to fully understand the problem. In risk management parlance, a threat is “a person or thing that can exploit a vulnerability.” You can think of a threat as the actor that takes advantage of specific vulnerabilities. From a mathematical standpoint, we can understand specific threats like this:
Motives + Capabilities = Threat Class
Threat Class + History = Threat
We consider a threat to be a combination of the motives and capabilities of an attacker with an understanding of what that attacker has done in the past. Although you can’t necessarily predict a threat’s behaviors based solely on their past efforts, it can absolutely provide insight into future actions. In the famous words of Mark Twain: “History doesn’t repeat itself, but it does rhyme.” A threat agent is any manifestation of a defined threat, either a person or a program written by an attacker.

Attacker Motives

To frame our discussion, let’s break attackers into several major types based on their generally observed motives. We could then further define the threat by assigning them to an appropriate threat class and observing their past behaviors. A few historically observed motives for each threat are as follows:
[Table: historically observed motives for each threat type (rendered as an image in the original)]
This table is extremely simplistic out of necessity. We can’t possibly define the motives of every individual attacker, but we can lump them into somewhat general categories to help understand how we can defend against them. It is also important to understand that these are not the only possible threat classes and they do not adequately define all the current and future threats.
An element of motive is that of persistence, meaning whether an attacker will continue to target an organization after failing, or if they will move on to find an easier target. Ultimately, any threat may be persistent, but it’s only meaningful if that persistence allows them to compromise the intended target.

Threat Capabilities

There aren’t any industry-standard definitions of threat capabilities, so we’re going to invent our own. In order of least capabilities to greatest capabilities these threats are
  - Unsophisticated Threat (UT)
  - Unsophisticated Persistent Threat (UPT)
  - Smart Threat (ST)
  - Smart Persistent Threat (SPT)
  - Advanced Threat (AT)
  - Advanced Persistent Threat (APT)
As you can see in Figure 1-1, the APT has the most advanced skill set of all. Although there isn’t much hard evidence to point to exact numbers of how many threats exist in each threat class, we can make assumptions based on simple logic. The fact that it takes much longer to accrue the skills necessary to be considered an APT than it does to be considered a UT means we can assume that there are far more UTs than APTs. In addition, empirical data also points to the fact that there are far fewer advanced threats compared to other threats.
[Figure 1-1 Threat capabilities pyramid (rendered as an image in the original)]
Unsophisticated Threats and Unsophisticated Persistent Threats
An unsophisticated threat is a new way to look at many of the threats we’re used to hearing about. One of the most interesting changes in the information security field and computer underground is that it has become ridiculously, almost laughably, easy to perform certain attacks and compromise computer systems. Many tools today are built to be almost idiot proof—point and click to execute a specific attack—and require virtually no skill. This has led to the development of users who have almost no idea what they’re doing but are still able to compromise some pretty interesting targets. You can consider them “technologically enabled” idiots. Although good examples are somewhat limited, we do have some interesting examples we’ll cover in Chapter 2.
Just as with advanced threats and advanced persistent threats, UTs can focus on specific targets. Again, the only difference here is one of general motive and target selection. A UPT will use the same methods and have virtually the same skill set as a UT, but will focus their efforts on a specific target.
Smart Threats and Smart Persistent Threats
Smart threats represent a class of attackers with good technological skills. There isn’t one defining skill or skill set that is required to be considered a smart threat. Instead, a smart threat uses well-thought-out attacks that may use sophisticated technological methods but tend to stick to specific attack techniques that they have experience with or enjoy.
It’s important that you understand an attacker doesn’t need specific skills to fit into any specific category. I think I would lump most of the hacker community into the smart threat group. Smart threats may execute complex attacks, but they are more likely to be observed and put less importance on anonymity than the APT hacker. If there is one defining difference between a smart threat and advanced threat, it would be that smart threats “use what they know,” meaning they’ll typically stick with attack vectors that have worked for them in the past. If a target organization is not vulnerable to that attack vector, then the smart threat might move on to a different target, whereas an advanced threat has a wide range of attack vectors to choose from and will strategically choose the method that works best for the target organization.
Advanced Threats
Advanced threats are, simply put, advanced—go figure! Although it seems paradoxical, you’ll see that the raw skills required to be an advanced threat are not all that different from those required to be a smart threat. Instead, some of the key factors that really separate an advanced threat from a smart threat are
  - Big picture/strategic thinker
  - Systematic/military approach to attacks
  - Preference for anonymity
  - Selection of attack from larger pool
We’ll cover the differences in much more detail in Chapter 3, where we define a methodology for advanced threats.
Advanced threats have been around for some time now, so we have much more evidence available to speak about typical motives and methods. The core difference between an APT and an AT is that an APT will put their efforts toward compromising a specific target, whereas ATs may be looking for quantity over quality.
The terms spray and pray, low-hanging fruit, and crime of opportunity might summarize the methodology typically employed by many ATs. An example of an advanced threat agent is a virus that uses a zero-day exploit. The virus might use the spray-and-pray approach, in which the attacker tries to compromise as many hosts as possible, not necessarily caring whether a specific target is compromised.
Advanced Persistent Threats
The very first time I was introduced to the term APT, I thought it was one of the stupidest acronyms I’d ever heard. It just sounded like an empty marketing term that didn’t actually define anything new. Although I chose to adopt the term somewhat tongue in cheek, since that time, I’ve changed my mind and believe that it accurately defines a very specific kind of threat.
So what exactly is an APT, and how does it differ from other threats? The acronym itself is pretty straightforward. It is a threat with advanced capabilities that focuses on compromising a specific target. The key word here is persistent; an APT will persist against a specific target of interest until they reach their goals.
In the past, an attacker seeking to compromise a specific target would be limited by basic economics. That is, if it cost the attacker more to compromise a target than the assets obtained were worth, then this would either prevent an attacker from even attempting to compromise a target or the attacker would exhaust their limited resources attempting to compromise the target. Although these laws of economics are still a factor, by the end of this book you’ll understand that the cost to compromise any target has been reduced so greatly that a single individual can infiltrate any organization with very limited resources, including time and money.
Who are the people or organizations that represent APTs, and who do they target? The fact is that there have been few widespread examples of true APTs to give us a solid definition. We will cover some of the real-world examples in the next chapter, but for now, we’ll just mention who are likely candidates to be APTs. The two most likely candidates are nation-states and organized crime; however, we will see this change in the future, and APTs will become a very diverse crowd of mercenaries and criminals.
What are the goals of an APT? This also depends on who exactly is behind it, but the scary truth is that the goals of an APT are limitless. Anyone is a potential victim. Some of the more obvious reasons for an APT to target a specific organization include
  - Stealing intellectual property (corporate espionage)
  - Stealing private data (insider trading, blackmail, espionage)
  - Stealing money (electronically transferring funds, stealing ATM credentials, etc.)
  - Stealing government secrets (spying, espionage, etc.)
  - Political or activist motives
Maybe you’d like to know the maximum amount someone is willing to pay you, or the minimum amount someone else is willing to be paid. Maybe you’d like to know the financial information of a public company before the rest of the world does. Perhaps it would be beneficial if you knew what information the prosecutor’s attorneys have on you. Or you’d simply like the secret formula your competitors are using. Even worse, maybe you’d like to know the military plans of a foreign power, or any of another million military or political secrets. All of these are well within the reach of APTs.

Threat Class

When we combine an attacker’s motives and their capabilities, we’ve successfully defined their threat class, as shown in the following table. So which threat class does each of these threats map to? There are generally accepted classes that each of these threats fit into based on empirical data; however, the reality is that any of these threats can map to any of the defined threat classes. Remember that the classes simply define their capabilities and motives. For example, there are hackers that could easily be considered advanced threats, and there are hackers with little skill that could be considered unsophisticated threats.
[Table: mapping of threat types to threat classes (rendered as an image in the original)]

Threat History

In practice, you’d want to determine the history of specific threats that might affect your organization. To get a quick understanding of all of the components of a threat, we’ve dedicated an entire chapter to a discussion of some of the evidence we have of multiple threat classes, which includes advanced threats, their capabilities, and motives. Again, keep in mind that you can’t predict future attacks solely on the history of a threat; however, it provides valuable insight into their capabilities and methods used to compromise targets.


APT Hacker: The New Black

The APT hacker is a single individual with an advanced skill set and methodology, which gives them the ability to target and compromise any organization they choose, gaining access to any desired assets. Today, there is very limited data to quantify the number of these individuals or the capabilities of the individuals who could be classified as an APT hacker.
The APT hacker is not the same as the colloquially accepted term “APT” that is being used pervasively in the information security industry and in the media and marketing of security products. Thus, do not confuse this book to be an analysis of those threats.
As previously mentioned, a threat can take on many forms. In this book, we elaborate on the specific manifestation of an APT that takes the form of an individual actor—that is, a single person who can act alone. Of course, APT hackers do exist within groups and will continue to be recruited by nation-states and organized crime. Likewise, it is completely feasible that a collective group of smart hackers could prove to be just as effective as a single APT hacker.
However, we are at a pivotal point in our evolution in which we’ll see an increase in the number of individuals who obtain and use an advanced cyber-skill set to target and compromise specific organizations. This increase in individuals will also manifest itself in an increase in the efficacy and impact of cyber-attacks.
The true impact of some of these attacks, beyond the immediate one to the compromised organization, will ripple through entire countries and, in some cases, the world. As you’ll learn in the next chapter, some of these world-changing attacks have already occurred. The problem is that they are only going to increase, again both in number and in impact.
Paradoxically though, even with the number of APT hackers and cyber-attacks increasing, obtaining the most relevant data has proven to be a difficult challenge, and will most likely remain so. Many organizations are very hesitant or unwilling to share the mere fact that they have been compromised, let alone any details as to the source or method of the attack.
Ultimately, conveying the ease with which an individual can obtain the necessary skill set to target and compromise any target organization is the singular point of this book. In that vein, this is not meant to imply that the techniques covered in this book represent the only means to systematically target and compromise an organization. On the contrary, it is acknowledged that the attacker/defender wrestling match is in constant flux and the attacks that work today may cease to work tomorrow, only to be resurrected a year from now. It is, however, believed that the vast majority of strategies, tactics, techniques, tools, and attacks covered in this book will remain effective for a considerable amount of time.
In this book, we will not cover every possible attack, every advanced technique, or all possible iterations of the covered attacks. Instead, we start from a foundation of utilizing the simplest attacks with the only requirement being the efficacy of the attack. And as you’ll see, the ability to acquire this “advanced” skill set is well within the grasp of every individual. It is from this perspective that I hope to demonstrate to the reader the almost absurdly simple effort required to reach the point where any organization can be targeted and compromised, and thus the fact that every organization today is vulnerable to a targeted attack by an attacker with very few resources.
Again, the goal is clear: This book exists to elaborate and illuminate the impact a single individual can have. If you want to understand my argument for this new cyber-wizard and learn the ease with which an individual can reach this summit, then follow me through the looking glass.

Targeted Organizations

The important thing to note is that no organization is safe from an APT hacker, large or small. That bears repeating: NO organization is safe from an APT hacker. Take a moment to think of the most meaningful organization that could be compromised—governments, military agencies, defense contractors, banks, financial firms, utility providers. It doesn’t matter to an APT hacker. Each organization may present unique challenges, but none are safe.
Frankly, I’m not sure which is worse—the fact that any large organization can be compromised or that any small organization can be compromised. It’s obviously not a good thing if a utility provider can be compromised, but consider the implications to the vastly larger number of smaller organizations. If a large organization with far more resources can be compromised, how can a tiny organization with a fraction of the budget even stand a chance against an APT hacker? The fact is that smaller organizations don’t stand a chance. As you’ll learn in later chapters, the tactics used by an APT hacker will make it trivial to compromise small organizations. It’s also much more difficult and far less likely for a small organization to detect the presence of an APT hacker; thus, an attacker can maintain access undetected for a very long time in all organizations, especially in small ones.


Constructs of Our Demise

Seriously? Can any organization be hacked?
Yes.
Any? Even the most secure environments?
Yes.
But seriously, any organization, regardless of industry?
Yes.
And it doesn’t matter what defenses they have in place?
Of course, the defenses matter. It just may make it more difficult, but not impossible.
There isn’t one single factor that makes it possible to compromise any organization today. There isn’t one single vulnerability, issue, or attack method. Instead, there are many contributing factors that, in aggregate, allow an APT hacker to hack any target. Following are the foundations we have built our world upon that are leading to the cold, hard truth that we live without any effective security against APT hackers. It is very important that you understand all of these truths, as they affect everyone. Not just organizations large and small, but individuals too.

The Impact of Our Youth

Do not for a second forget how young the information security field—and technology in general—is. It’s easy to forget simply because the Internet is so deeply involved in our daily lives, but the Internet and modern digital technology in general have not been around for very long.
Don’t misinterpret the fact that technology is young and think that it makes the current insecurity of our world okay or just a small part of growing pains that we will quickly grow out of. Instead, you should understand the long-term implications this insecurity has on our lives. The foundation of so much of what we rely on is riddled with serious vulnerabilities.
Yes, the foundation of the Internet is older than 1993, but many people consider 1993 as the official year the World Wide Web was born, which was when the Internet started gaining in popularity. That means we have been entangled for just over 25 short years. We have gone from watching web pages load line by line in the span of a few minutes over a blazingly fast 28.8K modem to fiber-optic connections being commonplace for homes with the ability to download entire movies in under a minute—and all in 25 years!
This simply means that some of the necessary growing pains have not been experienced yet—growing pains that will be the catalyst for change. Technologies and laws that need to be put in place to fix these insecurities simply have not been created yet. Unfortunately, though, things are going to get worse before they get better. In the next chapter, we’ll explore some of the real-world events that point to the fact that the storm is gaining in intensity and getting closer. In addition, because current ubiquitous technologies have not existed for very long, the defenses that will be effective simply have not been created yet. These defenses will manifest themselves in technology, processes, education, and the way people use technology, among others. We are currently asking too much of our defenders. Technology has developed too quickly without effective consideration for security.

The Economics of (In)security

One of the most important and simple truths in this technological war is that you simply can’t afford to prevent a successful attack from an APT hacker. Not only is it extremely costly to even attempt—currently, it’s actually impossible to prevent a compromise from an APT hacker. The mathematics behind risk management simply breaks apart when accounting for an APT hacker.
Let’s first define the basic math behind risk management. Generally, expenditures on security involve spending money (and resources) to protect a greater amount of money (or resources) from being lost. If you have a million dollars in the bank, you’re not going to spend that million dollars to protect itself. Likewise, if a business generates a million dollars a year in revenue, they can’t spend a million dollars annually on security.
In this book, you’ll learn the attack vectors and attack techniques to employ to become an APT hacker and compromise any target of choice. Once you have this understanding, you’ll realize that at many levels, companies and individuals simply can’t afford to prevent the attack methods you’ll use.
Why is it impossible to prevent a successful APT hacker attack? Are the technologies capable of defending against an APT hacker attack simply too expensive? The cost of technology is part of the issue, but it’s not the entire picture. Although it would be absurdly expensive to implement all of the cutting-edge defensive technologies even if you were able to do so, these current technologies will not stop the attacks discussed in this book.
Security vs. Risk Management
Many people, including many experts in the information security field, confuse security and risk management. When discussing security in the context of a business, you must understand that a business is not in business to “be secure.” Spending money on security does not directly generate more revenue. Instead, businesses must perform risk management to minimize the risk of doing business to an acceptable level. Processes like patch management, vulnerability management, system hardening, and incident response are no-brainers for reducing risk, but essentially, a business cannot remove all the risk from technology, and obviously, technology is an essential part of every business today.
It is this very fact that allows an APT hacker to hack any target organization. Businesses simply can’t spend enough money to defend against an APT hacker in an effective or foolproof way. A business may remove certain attack paths and vulnerabilities but will never be able to remove all the attack vectors that an APT hacker can use.
Inverted Risk and ROI
Other extremely important economic factors include the diminished risk and greatly increased return on investment (ROI) for digital attackers. The fact is that the risks are greatly reduced for cyber-criminals compared to traditional criminals, and the money made compared to the time invested is far greater for cyber-criminals.
Let’s look at an example. If a criminal wanted to rob a bank today, there are serious concerns of being injured or captured. He could easily be killed by an armed security guard, police officer, or a trigger-happy store clerk and is risking being arrested and immediately thrown in prison. A cyber-criminal doesn’t have any of those risks. He has no worry of immediate physical harm, and due to the anonymity afforded by the Internet, is unlikely to ever be identified, let alone arrested.
According to FBI crime statistics, in 2011, the average bank robbery in America netted the criminal just under $8,000 USD (www.fbi.gov/stats-services/publications/bank-crime-statistics-2011/bank-crime-statistics-2011-q1). Yes, that is correct, just under $8,000 for risking your life and liberty. That doesn’t sound like a good return on investment to me.
What about cyber-criminals? Attacks against nonfinancial organizations or even home users can easily net six figures or more for a cyber-criminal. In a traditional robbery, you’re limited to how much money the organization has on hand and how much you can carry out the door. In the digital world, you don’t have those constraints. You’re only limited by how much is in the “account,” and then it can be as easy as a few mouse clicks to have the money transferred out. Or you can sit and wait for the most opportune time to retrieve the most money or steal someone’s identity.
The same is true of robbing individuals. If I break into someone’s house, I have to either hope they have a lot of money stored at their house or have valuables that are easily sold that will be difficult to trace back to the robbery. Instead, if I compromise their computer, I can take money right out of their account or try to steal their identity and take out a loan in their name, use their credit cards, or sell this information to a horde of hungry buyers.
All of this points to the clear fact that the return for time invested, as well as the risks involved, are greatly in the favor of a cyber-criminal, as shown

Copyright © reed book Urang-kurai