November 15, 2011

Advanced Persistent Threat (APT) - why did we resist so long?

Bruce Schneier posts on something I've felt as well:

Advanced Persistent Threat (APT)

It's taken me a few years, but I've come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker.

A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security against this sort of attacker is relative; as long as you're more secure than almost everyone else, the attackers will go after other people, not you. An APT is different; it's an attacker who -- for whatever reason -- wants to attack you. Against this sort of attacker, the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.

APT attackers are more highly motivated. They're likely to be better skilled, better funded, and more patient. They're likely to try several different avenues of attack. And they're much more likely to succeed.

So, this becomes a really classic case of that old saw: "What's your threat model?"

There are apparently two stereotypical attackers out there (at least in this dichotomy):

  1. the random agnostic thief: "A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever." He doesn't share our economic beliefs of society and trade, but he certainly subscribes to the power of our money.
  2. the advanced persistent threat: the spy who's after your state-level secrets. He's not economic, in the sense that he isn't constrained by normal commercial levels of investment; instead he's got a very large budget behind him, with very large strategic interests directing the target choice.

Very different agents, leading to very different models of security. And all other things, such as how we as society deal with these issues.

Schneier finishes on this:

This is why APT is a useful buzzword.

Sure, no matter how uncomfortable we are with the background, it's the buzzword we've got.

Why then did we disbelieve the APT for so long? I think there are three factors.

  • We the people aren't bothered by the APT, we're bothered by the random agnostic thief.
  • The credibility of the USA industrial-military machine is at an all-time low. Since the low-point of Colin Powell's speech to the UN, the people routinely disbelieve anything said, and now demand evidence.
  • They presented no evidence. We had to wait until DigiNotar and the surrounding other events (the other CAs) to understand that this was the real deal.

We still aren't so totally accepting. We still have the problem that our attacker is the random agnostic thief.

Why still resist? My feeling is this: I'm annoyed that the state has managed more success in swinging the major Internet vendors around to dealing with selling to the state's APT -- NIST's pogrom on small numbers, ESG’s U.S. Advanced Persistent Threat Analysis, etc -- than we ever had as an open community in dealing with our random agnostic thieves.

We're still following the NSA's drumbeat.

Posted by iang at November 15, 2011 12:57 PM

@ iang,

With regard to where APT lies within cyber crime/espionage activities, it is perhaps best to look first at ordinary or non-cyber illicit activities.

There is a spectrum of illicit activities of which there are three levels of practitioner who directly earn money from the proceeds of their illicit activity by converting the tangible gains into money. These are the,

1, Opportunistic criminal.
2, Working criminal.
3, Professional criminal.

The "opportunistic criminal" is at best the bottom feeder of the criminal food chain; they basically "see, smash, grab and run", there is no planning involved such as target selection and often no plan for disposing of any gains. Often it is "street crime" such as "mugging" or "handbag snatching" to basic "auto/car contents theft".

The "Working criminal" usually has planning involved in their activities; they select a target, look it over, note any visible defences and only proceed when they know they have a reasonable chance of success. They usually have a tried and tested method in place to dispose of any gains at a reasonable rate of return. However they are fairly easily deterred by obvious defences such as alarms and CCTV and old fashioned bars across windows etc. Effectively these are the house breakers and burglars of small to medium size businesses, where overly specialist knowledge is not required to obtain the tangible goods.

The "Professional criminal" always plans what they do and frequently "steal to order"; they are not deterred by ordinary defences and will usually take on only high value crimes such as art theft etc which requires some specialist knowledge.

Often included incorrectly in "professional" is "white collar" criminals who defraud businesses etc; they are usually only "professional" because of their ordinary everyday job, and tend to be on par with "opportunistic criminals" in outlook.

There are two other levels on the spectrum of illicit activities at either end, in neither of which is the practitioner dependent on the proceeds of the crime for a living.

At the bottom you have the "zeros" or "impulse criminals", often drunken idiots that have no sense of awareness, take no precautions and basically do pointless crime such as stealing road signs etc "for the fun of it". Usually they have absolutely no intention of making a personal gain from the activities. Often they end up on CCTV being candidates for television programs about "inner city anti-social behaviour"; as one career criminal put it without any sense of irony, "they are the sort that give crime a bad name".

At the top is a fourth level that is really a whole new spectrum in its own right; I would for want of a better word call them "Operators". With main subsets of "Officers", "agents" and "contractors" with further subsets in each of "spooks", "handlers", "squirrels", "legends", "collators" and "techs" which are involved with "movie plot" style illicit activities (many of which are not codified crimes yet) that in reality could only be carried out with the resources of large corporations or state actors and their agencies.

Invariably the targets of the illicit activities are not tangible goods but intangible information and any actual crime committed is tangential or incidental to the main activity. Outside of the movies these people commit acts of what would be considered "espionage" or "spying" usually by just careful observation, and news gathering.

Where entry into premises is required they used to be called "black bag jobs" (after the "surgeons" style bag the burglary tools were carried in). These are often carried out by those who have been trained in the techniques of professional criminals, but unlike them have gone several steps further with highly specialised knowledge. Often the participants have complete cover stories or "legends" to not only disguise who they and their employers are but also the actual target. Legends may spend months or years in "deep cover" getting to the target.

For short notice "insider" activities in the past people employed by utility companies such as the old UK GPO used to be trained and used and were known as "squirrels" (that went out to gather the nuts).

Usually all "operators" plan to keep their activity completely undetected from the target organisation and no conventional level of security defences (including guards and dogs) will keep them out, especially when in many cases they become "insiders".

However sometimes it is not possible to "place" an insider so another route in is required and they will if required not hesitate to use methods of coercion most would find unpalatable, the aim often to "turn" a person into an "agent" controlled by a "handler".

Very infrequently the coercion is physical and direct and these activities are sometimes referred to as "wet work" and they will "clean up" or "cleanse" afterwards.

There are some commercial organisations (such as Kroll) who have been reputed to behave as though they have "state backing" when in fact they have not and they have due to lack of suitable caution come very unstuck (which is just one of many major reasons they are not state backed).

And yes there are commercial organisations that do have state backing and are used for "deniability" reasons; many can be seen as "contractors" in the likes of Afghanistan and Iraq. Broadly they fall into two groups depending on where they are deployed. Those in "remf" positions are sometimes jokingly referred to as "shades" in part from the "sun shades" they wear and in part because a "shade" is also another type of "spook". Those at the sharp end or beyond as "No name, no rank, no shave types" and are often indistinguishable from "Special-Ops" and the press sometimes mistakenly call them "mercenaries" although they are not "soldiers of fortune" paid to fight.

Contractors can be doing various activities including close protection of VIPs, preparing and operating of high tech weapons such as drones, capturing and interrogating of "suspects" along with operating "rendition" activities and other intel gathering activities and plain old fashioned sabotage. One such organisation that has got in the news a few times more than it should have is Blackwater although there are many others, many of whom can be seen touting for business in one way or another at certain "Arms fairs".

Posted by: Clive Robinson at November 19, 2011 10:21 AM