Effective Persistent Threats - Sophistication, Economics & Complexity

Posted on 26 January 2016

Much has been written about the “Advanced Persistent Threat,” with the implication that hordes of Nation-State hackers are just waiting to rampage through your network using ultra-sophisticated techniques, rendering your defences useless and stealing all your secrets. Or worse, destroying your network and reputation in the process. Whilst some of this is true (Saudi Aramco, Sony, Target, etc.), the sad reality is that many of the techniques used to compromise networks are surprisingly un-sophisticated.


The term “sophisticated” is often misunderstood, being typically associated with technical complexity. Whilst this is partially true, we would argue that it is a far more nuanced and multi-dimensional concept than this. What exactly are we referring to? Is it technical sophistication in terms of the capability and stealth of the malware used? Is it the background research conducted by the attacker? Could it be the vulnerability used to successfully breach their target’s systems? A “sophisticated” attack could be any or none of these things.


Essentially, we should think of “sophistication” in terms of mind-set and how our adversaries approach their attacks. Nation state hackers, and to some extent criminal hackers, do whatever is necessary to achieve their objectives, expending enormous resource if required. Of course, a nation state can raise this bar rather high; Stuxnet, for example, was unarguably “sophisticated” at every level – from its genesis and development, through the use of multiple 0-days, to the delivery and execution of the entire operation. Most Nation-States, thankfully, don’t need to deploy Stuxnet-level malware to achieve their goals as they can rely on traditional tried-and-tested penetration-testing techniques and tools – the irony of which is not lost on MWR – often leveraging vulnerabilities such as SQL injection, badly configured servers, poor credentials, and, most frustratingly, your very own employees or contractors. Once into your network, the attackers invariably steal your domain credentials, perhaps your entire user database, and then masquerade as one of your own to further strengthen their foothold within your network.  


Justifying the cost of cyber-security is difficult – it’s expensive and its ROI is hard to measure


Were the previously mentioned attacks mounted in the face of what our industry considers to be strong network defences? Invariably, yes. Our clients typically have multiple layers of defence: firewalls, proxies, content checkers, anti-virus, armies of IT Security Professionals, SOCs, SIEMs and more. Yet these adversaries succeed more often than not. Frustratingly, we also know of attacks that were foiled because the security measures worked, but nobody actually noticed, even though the evidence was there in the log files – probably buried among the many entries documenting the resident noise level of low-level viruses and malware that is always present.



This does raise the thorny question of how we measure the success or ROI of our defences. Does the fact that you don’t see anything mean you are not interesting enough to attackers, or have you missed something? And justifying the cost of cyber-security is difficult – both because it’s expensive and because its ROI is hard to measure.


We also have to recognise that, as the security industry adapts and openly discloses Nation-State cyber campaigns (e.g. APT1, APT28, Snake, Turla, Regin, Stuxnet et al), this only drives our adversaries to innovate, adapt and move on, changing their infrastructure or tweaking their code to ensure AV no longer detects their malware. Criminal groups have long understood this and built their malware and infrastructure to survive the attention they attract. We also have to recognise that such disclosure raises awareness of the art-of-the-possible among actors whose aims go beyond espionage. Whilst cyber-terrorism as a concept is flawed, the use of cyber-espionage techniques by terrorists to further their more destructive goals is a real possibility. The stealing of names and addresses then becomes something far more sinister.


This is where another dimension to cyber should be considered, that of “economics”. Here I’m not referring to the cost of a cyber-attack to the targeted business – we will leave that debate for another time – but the cost of conducting an attack. By improving our defences and better understanding the threats we face, we can make life increasingly difficult for any attacker.


Whilst it may not stop these attackers, it will make your network unattractive to the average hacker or less competent Nation-States. More competent or better funded Nation-States will no doubt continue, but you want to cause them pain in the effort, increasing the money and human resource they will need to put into their attacks.


Do we monitor everything or just the most valuable systems? And do we know what they are?


A final term we need to consider is “complexity”. If an attacker can bypass all of these controls using “un-sophisticated” techniques, what on earth has gone wrong, given the level of monitoring most large organisations employ? Perhaps “complexity” is the key. The more you log, the more systems you allow access to the internet, the more systems you have to manage, control, patch and upgrade, the more data you have to store, all requiring more control, more logging, more configuration and more monitoring. If you have 50,000 end-points and 100 servers to monitor, the attacker only needs a foothold on one. You have to monitor and maintain all 50,100 devices – no wonder it often seems an impossible task.


Faced with this tsunami of data and systemic complexity, we need to think carefully about what we choose to do. Perhaps asking questions like the following will help in making those choices:


  • Do we need to log everything, or should we just log and monitor the systems that are most valuable?
  • Do we know what systems are most valuable?
  • Could we list them right now?
  • Have we patched MS14-068?
  • How many laptops have connected to our VPN?
  • The list goes on…


Knowing what is on your network and each component’s configuration is absolutely essential. Knowing what systems and data are important to your organisation is even more so; and if you don’t know what is important to you, your attackers probably do and they will steal it, or worse, deny you access to it.


I would argue that organisations need to accept that their IT systems and their security are as important as the business itself – without them, you may not even have a business. For example, Sony, in the most recent attack against them, lost control of their network, with staff resorting to pen and paper, and Saudi Aramco lost 30,000 desktops. Even after remedial processes have been put in place so that a repeat doesn’t happen, the reputational damage may forever tarnish the business.


Your network is a complex, living beast that is further complicated by the humans who use it


IT security must be more than a compliance and tick-box exercise. There is no one magic security widget that will solve all of your problems – education and investment in people who understand the threats and how to use these technologies effectively is far more important.


Your organisation must therefore know how to detect and respond to intrusions efficiently, have a solid disaster recovery plan in place and be prepared to work together to deal with the attack appropriately. You must learn from mistakes and adapt as quickly and intelligently as our adversaries do.


Finally, and this is the hard bit, you must prepare for failure and accept that your network is not the impregnable bastion you thought it was. Your network is a complex, living beast that refuses to be tamed, and is further complicated by the humans who use it and a business that requires its 24/7/365, universal availability.