Advanced Persistent Threats (APTs): Part 1
August 12th, 2011
I’ve already posted a blog entry (number 56) concerning Advanced Persistent Threats (APTs) at www.emagined.com/blog. In that older entry I argued that APTs are real and discussed their nature to some extent. I wrote it well over a year ago. Since then, many new events and trends have occurred in the information security threat arena, so it is high time for an update.
APTs have, if anything, grown in severity since the last time I wrote about them. The Aurora attacks that plagued so many Fortune 500 companies and the US military and government beginning late last year serve as a strong case in point. Contrary to the way perpetrators attacked systems, applications and databases just a few years ago, Aurora attackers by all appearances tended not to give up until they had conquered their targets. Given such a target- and vulnerability-rich environment, attackers were almost guaranteed success against organizations with average or below-average security. But they even succeeded in compromising the computing systems of companies that by all appearances had achieved “best practices” status in information security, causing us to rethink the problem.
Traditional wisdom says to use a defense-in-depth strategy in combating information security threats. The idea here is that control 1 may fail, control 2 may also fail, and perhaps even control 3 may fail, but then control 4 will finally defeat an attacker’s efforts. I have seen this type of scheme work in thwarting numerous attacks in the past, but never in stopping more recent APT-related attacks. The fundamental problem with the conventional defense-in-depth security model is that every control is imperfect. In information security lingo, every control has at least some amount of residual risk. Suppose that in a defense-in-depth scheme control 1 is highly effective, to the point that it has only a ten percent residual risk factor. As far as conventional attacks go, the control is nearly perfect. But now consider an APT scenario in which a highly persistent attacker will not quit until s/he has defeated or bypassed this control. After considerable time and effort, the attacker succeeds and moves on to defeat or bypass the next control in the defense-in-depth scheme. Suppose furthermore that the next control has a residual risk factor of 20 percent, a factor with which most information security professionals who really understand the nature and amount of residual risk would be happy. The attacker is even more likely to succeed in defeating or bypassing this control than the first, which had a residual risk factor of only ten percent. Now consider the third control, and I think you get my drift.
The point I am trying to make here is that defense-in-depth is a good strategy, but it was not designed to meet the onslaught of APT-related attacks that have been plaguing us. Any time that any control has residual risk, a determined attacker is likely to be able to defeat or bypass it. Defense-in-depth per se is not the real problem. The real problem instead is defense-in-depth with controls that are less than perfect (or, more realistically, at least somewhat ineffective against the range of possible actions of highly determined attackers). The higher the residual risk associated with a control measure is, the more likely an APT-related attack is to succeed.
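To put the residual-risk argument in numbers, here is an added illustration (not from the original post): a small model comparing a one-shot attacker, who gets one try at each control, with a persistent attacker who retries each control many times. The residual-risk values and attempt counts are constructed for the example, and attempts are assumed to be independent.

```python
"""Illustrative model of how persistence erodes defense-in-depth.

Constructed example; the residual risks (10 %, 20 %, 30 %) follow the
post's narrative, and each attempt is assumed independent of the others.
"""
from math import prod


def single_attempt_bypass(residual_risks):
    """Probability that a one-shot attacker slips past every control.

    Each control is tried once, so the chance of passing all of them is
    simply the product of the individual residual risks.
    """
    return prod(residual_risks)


def persistent_bypass(residual_risks, attempts_per_control):
    """Probability that a determined attacker eventually bypasses all controls.

    With n independent tries at a control of residual risk r, the chance of
    getting through at least once is 1 - (1 - r) ** n, which tends to 1 as n
    grows. The layered defense is only as strong as the product of these.
    """
    per_control = [1 - (1 - r) ** attempts_per_control for r in residual_risks]
    return prod(per_control)


def attempts_to_reach(residual_risk, target_prob):
    """Smallest number of tries giving at least target_prob of bypassing one control.

    Returns None for a perfect control (zero residual risk), which no amount of
    retrying can defeat under this model.
    """
    if not 0.0 <= target_prob < 1.0:
        raise ValueError("target_prob must be in [0, 1)")
    if residual_risk <= 0.0:
        return None
    tries, p = 0, 0.0
    while p < target_prob:
        tries += 1
        p = 1 - (1 - residual_risk) ** tries
    return tries


if __name__ == "__main__":
    risks = [0.10, 0.20, 0.30]
    print(f"one-shot attacker bypasses all three: {single_attempt_bypass(risks):.3f}")
    for n in (1, 10, 50):
        print(f"persistent attacker, {n:>2} tries per control: {persistent_bypass(risks, n):.3f}")
    print(f"tries for 90% odds against the 10% control: {attempts_to_reach(0.10, 0.9)}")
```

Three controls that together stop a one-shot attacker more than 99 percent of the time fall to a persistent attacker with a few dozen attempts per layer.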
Fortunately, potentially good solutions exist. Stay tuned.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC