advanced persistent threats how to manage the risk to your ...egnlghana.com/pdfs/insight5.pdf ·...



www.isaca.org/cyber

Advanced Persistent Threats

How to Manage the Risk to Your Business

Personal Copy of: Mr. EDWARD ANSAH


Advanced Persistent Threats: How to Manage the Risk to Your Business

2

ISACA®

With more than 110,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders maximize value and manage risk related to information and technology. Founded in 1969, the nonprofit, independent ISACA is an advocate for professionals involved in information security, assurance, risk management and governance. These professionals rely on ISACA as the trusted source for information and technology knowledge, community, standards and certification. The association, which has 200 chapters worldwide, advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems ControlTM (CRISCTM) credentials. ISACA also developed and continually updates COBIT®, a business framework that helps enterprises in all industries and geographies govern and manage their information and technology.

Disclaimer

ISACA has designed and created Advanced Persistent Threats: How to Manage the Risk to Your Business (the “Work”) primarily as an educational resource for security, governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security, governance and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2013 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org

Provide Feedback: www.isaca.org/Cyberattack
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN: 978-1-60420-348-6

Advanced Persistent Threats: How to Manage the Risk to Your Business


Acknowledgments


ISACA Wishes to Recognize:

Author
David Lacey, CITP, David Lacey Consulting Ltd., UK

Expert Reviewers
Rory Alsop, CISM, C|CISO, M.Inst.ISP., RBS, Scotland
Vilius Benetis, CISA, CRISC, PhD, BAIP, Lithuania
Patrick Hanrion, CISM, CISSP, McGladrey LLP, USA
Ken Hendrie, CISA, CRISC, GCIH, ITIL, PRINCE2, BAE Systems Detica, Australia
Epsilon Ip, CISA, CISM, CRISC, CISSP, ISSMP, ISSAP, Cathay Pacific Airways, Hong Kong
Leonard Ong, CISA, CISM, CRISC, CPP, CFE, CISSP, PMP, Citihub, Singapore
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia

ISACA Board of Directors
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, RadioShack, Mexico, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director

Knowledge Board
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Steven A. Babb, CGEIT, CRISC, Betfair, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK


Acknowledgments (cont.)

Guidance and Practices Committee
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
John Jasinski, CISA, CGEIT, ISO20K, ITIL Exp, SSBB, ITSMBP, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Brazil
Jotham Nyamari, CISA, Deloitte, USA
James Seaman, CISM, CRISC, RandomStorm, UK
Gurvinder Singh, CISA, CISM, CRISC, Australia
Siang Jun Julia Yeo, CISA, CPA (Australia), MasterCard Asia/Pacific Pte. Ltd., Singapore
Nikolaos Zacharopoulos, CISA, CISSP, DeutschePost–DHL, Germany


Table of Contents

List of Figures ...............................................................................................................8

Introduction ..................................................................................................................9

1. Understanding APTs ................................................................................................11

1.1 Overview .......................................................................................................11

1.2 What Is an APT? ...........................................................................................11

1.3 How Are Other Enterprises Responding? .....................................................13

1.4 Understanding the Jargon ..............................................................................15

1.5 A Short History of APT Attacks ....................................................................18

1.6 Who Is Behind APT Attacks?........................................................................28

1.7 Who Is at Risk? .............................................................................................36

1.8 What Damage Can They Do? ........................................................................38

1.9 Characteristics of an APT Attack ..................................................................38

1.10 Stages of an APT Attack .............................................................................43

1.11 Where Might This Lead? .............................................................................47

1.12 Learning Points ...........................................................................................48

2. Assessing the Risk of an APT ..................................................................................49

2.1 The Risk Management Cycle ........................................................................49

2.2 Identifying Assets at Risk..............................................................................49

2.3 Identifying Specific APT Threats to Assets ...................................................53

2.4 APT Risk Identification .................................................................................54

2.5 APT Risk Assessment ...................................................................................55

2.6 Moral Hazard ................................................................................................56

2.7 APT Risk Mitigation .....................................................................................56

2.8 Making the Business Case for Countermeasures ..........................................57

2.9 Learning Points .............................................................................................58

3. Security Management for APT Threats ....................................................................59

3.1 Introduction ...................................................................................................59

3.2 Shortcomings in Existing Management Processes ........................................60

3.3 Key Measures to Mitigate APT Attacks ........................................................64

3.4 Disrupting the “Kill Chain” ..........................................................................67


3.5 Tell-tale Signs of an APT Attack ...................................................................70

3.6 Times Justifying a Heightened Alert .............................................................72

3.7 Learning Points .............................................................................................73

4. Security Technology Measures to Mitigate APT Attacks .........................................75

4.1 Overview .......................................................................................................75

4.2 How Much Security Is Required? .................................................................75

4.3 Basic Security Measures ...............................................................................76

4.4 Advanced Security Measures ........................................................................79

4.5 Specific APT Countermeasures .....................................................................81

4.6 Best Available Security Practices ..................................................................84

4.7 Learning Points .............................................................................................86

5. Managing an APT Incident ......................................................................................89

5.1 Overview .......................................................................................................89

5.2 Creating a CSIRT ..........................................................................................89

5.3 Creating a Security Operations Center ..........................................................90

5.4 Interfacing the CSIRT With Other Crisis Teams ...........................................92

5.5 Stages in Major Incident Management .........................................................95

5.6 Incident Identification ...................................................................................96

5.7 Damage Assessment ......................................................................................96

5.8 Crisis Management........................................................................................97

5.9 Containment ..................................................................................................98

5.10 Recovery ......................................................................................................98

5.11 Investigation ................................................................................................99

5.12 Learning From Incidents .............................................................................99

5.13 Post Mortem Report ..................................................................................100

5.14 Learning Points .........................................................................................100

6. Conducting an APT Controls Review .....................................................................103

6.1 Introduction .................................................................................................103

6.2 Methodology ...............................................................................................103

Appendix A: APT Questionnaire/Checklist ...............................................................107

Appendix B: List of APT Attacks ..............................................................................109


Appendix C: COBIT 5 Gap Analysis ...........................................................................113

Appendix D: Glossary of Terms ................................................................................121

References ................................................................................................................ 125

Index ......................................................................................................................... 129


List of Figures

Figure 1—The Highest Risk to Enterprises From an APT Attack .............................14

Figure 2—Sources of APT Threat ..............................................................................29

Figure 3—Targets of APT Attacks During 2012 ........................................................36

Figure 4—Stages in the APT Attack Cycle ................................................................44

Figure 5—APT Risk Management Cycle ..................................................................49

Figure 6—APT Risk Assessment Heat Map Example...............................................55

Figure 7—Typical Shortcomings in Existing Management Processes ......................61

Figure 8—The Lockheed Martin “Kill Chain” ..........................................................68

Figure 9—Opportunities in the APT Attack Cycle ....................................................69

Figure 10—Levels of Security Countermeasures ......................................................76

Figure 11—Typical Crisis Management Structure ....................................................93

Figure 12—Stages in Major Incident Planning and Management .............................96

Figure 13—Illustration of an Ishikawa Diagram .....................................................100

Figure 14—Stages in Conducting an APT Controls Review ...................................103


This book explains the nature of the security phenomenon known as the advanced persistent threat (APT). It also provides helpful advice on how to assess the risk of an APT to the organization and recommends practical measures that can be taken to prevent, detect and respond to such an attack. In addition, it highlights key differences between the controls needed to counter the risk of an APT attack and those commonly used to mitigate everyday information security risk.

This book is designed primarily for security managers, IT managers, IT auditors and students studying for computer science or information security qualifications. It is written in clear, nontechnical language so it will also be of value to business managers and government officials responsible for valuable intellectual assets or critical services that might be the target of an APT attack.


Chapter 1. Understanding APTs


1. Understanding APTs

1.1 Overview

This chapter examines the nature, history and modus operandi of advanced persistent threats (APTs). It explains their defining characteristics and indicates why and how they are different from other forms of security threat. In addition, it explores the primary sources of APT threats, examining specific motives, methods and targets. It introduces concepts that might be new to business managers, such as “botnets,” “attack vectors” and “zero-day exploits,” and it highlights the key factors that differentiate an APT from more familiar forms of security threat.

The chapter describes real examples of APT attacks as well as a step-by-step analysis of a typical APT attack. It also provides an overview of the evolution of APTs, past, present and future, and concludes with a list of learning points, which might serve as a useful reference for readers too impatient to read all of the content.

1.2 What Is an APT?

Advanced persistent threats are relatively new phenomena for many organizations. The motives behind them are not entirely new, but the degree of planning and resources employed and the techniques used in attacks are unprecedented. These threats demand a degree of vigilance and a set of countermeasures that are above and beyond those routinely used to counter everyday security threats from computer hackers, viruses or spammers.

It must be pointed out that not everyone is agreed on precisely what constitutes an APT. Many experts regard it as nothing new. Some see it as simply the latest evolution in attack techniques that have been developing over many years. Others claim the term is misleading, pointing out that many attacks classed as APTs are not especially clever or novel. A few define it in their own terms, for example, as an attack that is professionally managed, or one that follows a particular modus operandi, or one launched by a foreign intelligence service, or perhaps one that targets and relentlessly pursues a specific enterprise.

In fact, all of these descriptions are true. The defining characteristics of an APT are very simple: An APT is a threat that is advanced and persistent. It is a specifically targeted and sophisticated attack that keeps coming after the victim. Unlike many other types of criminal act, it is not easily deflected by a determined, defensive response.


Attacks of this kind are quite different from the ones that enterprises might have experienced in the past. Most organizations have at some point encountered one or more opportunistic attacks from small-time criminals, hackers or other mischief makers. But most APT attacks originate from more sinister sources. They are often the work of professional teams employed by organized crime groups, determined activists or governments. This means they are likely to be well planned, sophisticated, well resourced and potentially more damaging.

The term “advanced persistent threat” appears to have been coined around 2005 by security analysts working for the US Air Force. The anecdotal evidence suggests it was created in order to discuss a particular set of espionage attacks in the public domain without identifying specific threat sources or invoking classified code words. Today, it is firmly associated with professional, managed cyberattacks, especially ones that exploit undisclosed knowledge of security vulnerabilities in computer platforms or application systems.

For a more formal definition, the US National Institute of Standards and Technology (NIST) description is as good as any that have been compiled:

An APT is an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (e.g., cyber, physical and deception). These objectives typically include establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.1

A key point to note in this definition is that the ultimate goal of an APT attack can vary from theft of information to sabotage of services. There might, for example, be a wide range of potential business impacts from a single intrusion, although the techniques used and the planning process might appear indistinguishable.

It is also worth noting that it is quite feasible for an attacker to switch goals from one objective to another. For example, it is conceivable that an attack might commence by stealing intellectual property, progress to exploiting that information competitively, and then resort to more aggressive tactics to sabotage the victim’s capability to operate. In fact, the ultimate goal of an APT attack is always difficult to ascertain, so it is prudent to consider the worst-case scenario when assessing the potential impact of a penetration.

1 National Institute of Standards and Technology (NIST), Computer Security Incident Handling Guide, Special Publication 800-61, USA, 2008, csrc.nist.gov/publications/PubsSPs.html

When considering the motives of an APT intrusion it is worth examining the core objectives of the attacker. Intelligence services, for example, are in the business of gathering secret information. Criminal gangs are out to make money. Activists are aiming to make a point. Military forces are in the business of winning conflicts.

Such motives are not entirely clear-cut. Organized criminals often operate on behalf of rogue governments or terrorists. Armed forces have military intelligence units that seek to gather useful information in addition to working out how to take out enemy infrastructure. Intelligence services are occasionally called on to mount operations that might involve causing physical damage to enemy infrastructure.

Any or all of these motives can be mixed up in the development of an APT attack. And the source of the attack can be heavily disguised behind an array of smoke and mirrors. It may be impossible to determine the true perpetrator and objective of an APT attack, although it is possible to imagine who might be the beneficiaries of such an initiative and speculate on the potential business damage.

A more practical lesson for enterprises to note from previous experience of APT attacks is that countering a sophisticated attack by a well-resourced adversary requires much more than a set of baseline security practices. It demands specialist security skills; state-of-the-art security technology; intelligence-led risk assessments; streetwise education of staff; vigilant, round-the-clock network monitoring; and state-of-the-art forensic analysis skills.

These practices are not unfamiliar to security professionals, but the level of experience, skill and technology needed to counter an APT attack generally exceeds that found in most public and private enterprises. This book aims to help bridge this gap by highlighting the additional or enhanced measures that every organization needs to prevent, detect and respond to a professional APT attack.

1.3 How Are Other Enterprises Responding?

If you were to present the risk of an APT attack to an executive board, it is likely that one of the first questions the board members will raise is “How are other enterprises responding to this challenge?” Unfortunately, the candid answer to this question, even when comparing the practices of leading Fortune 500 companies and government agencies, is likely to be “Not well enough.”

APTs are certainly a real and present threat to any organization that possesses valuable intellectual property or delivers critical national services. The business damage from an APT attack can be severe enough to reduce the profitability of a line of business or to force the resignation of a top executive.

Yet independent research by ISACA2 indicates that few organizations have been facing up to the APT threat with the determined and comprehensive response that such a serious risk would appear to merit. The ISACA survey of industry and government, published in 2013, indicated that:
• Nineteen out of 20 organizations judged APT to be a credible threat to national security and economic stability.
• One in five enterprises has already experienced an APT attack.
• Two-thirds of respondents thought it was only a matter of time before an attack was experienced.
• More than half of respondents did not believe that APTs differed from traditional threats.
• Four out of five respondents noted that there is a lack of public guidance on APT.3

The highest risk to the enterprise associated with a successful APT attack, judged by respondents in the ISACA survey, is illustrated in figure 1.

2 ISACA’s study report Advanced Persistent Threat Awareness Study Results, sponsored by Trend Micro, was undertaken in the fourth quarter of 2012 and published in 2013.

3 As part of its continual effort to serve its members and other constituents, ISACA is responding to the survey findings by creating a series of products to address this challenge.

Figure 1—The Highest Risk to Enterprises From an APT Attack4 [bar chart; categories: Reputation Damage, Financial Loss (Tangible), Contractual Breach or Legal Issues, Loss of Personal Information, Loss of Intellectual Property, Loss of Availability; horizontal axis: Percent, 0 to 30]

4 Percentages of enterprises judging the impact of APT risk, from the ISACA 2013 survey


ISACA’s research indicates a clear contradiction between enterprise awareness and remedial action. There are a number of likely reasons for this contradiction, including the following:
• Many enterprises believe the risk does not warrant any different or immediate action. (This book argues against this view.)
• Many security functions do not have the necessary budget and resources needed to respond effectively.
• The business case for additional investment in security often fails to clear the hurdles set by investment appraisal boards.

There were, however, some positive responses from the survey, such as a trend toward increased management attention, enhanced security budgets and stricter policy enforcement. Less promising were respondents’ indications that they are not increasing security awareness, nor changing the way they deal with third parties.

1.4 Understanding the Jargon

For the nontechnical reader, it is helpful to understand the underpinning techniques employed by APT attacks and the basic terminology used to describe them. A brief glossary of terms is set out at the end of this book, but it is useful to start by setting out the most common terms encountered, explained in the context of their evolution.

Malware

APT attacks use malicious software, commonly referred to as malware, to leverage their scope and capability. Malware can be designed to help gain access to targeted computer systems, steal information or disrupt computer operations. There are several types of malware, the most important categories being computer viruses, network worms and Trojan horses, which are differentiated by the way in which they operate or spread. A number of further terms are also used to describe more specific types of malware, characterized by their purpose. For example:
• Spyware is a class of malware that gathers information about a person or organization without the person’s or the organization’s knowledge.
• Adware is a class of malware designed to present advertisements (generally unwanted) to users.
• Ransomware is a class of extortive malware that locks or encrypts data or functions and demands a payment to unlock them.
• Keylogger is a class of malware that secretly records user keystrokes and, in some cases, screen content.
• Rootkit is a class of malware that hides the existence of other malware by modifying the underlying operating system.

Not all of these varieties of malware are used in an APT attack, but a key malware capability exploited by many is that of self-replication, a technique that enables an attack to spread rapidly across an enterprise.


Viruses and Worms

A computer virus is a piece of code that replicates itself by attaching to other programs or files and spreads from one computer to another when those files are shared. A network worm is self-replicating code that spreads by itself across computer networks, exploiting vulnerabilities or weak credentials on reachable hosts, without needing a host file or any user action.

The idea of self-replicating software is far from new, having first been explored more than 60 years ago by the distinguished mathematician John von Neumann. Experimental versions were developed in research laboratories in the 1970s, although the first virus to spread widely on IBM PCs (Brain, written in Pakistan) did not emerge until 1986.

Since then, numerous viruses and worms have been created. Initially, few were malicious or targeted. Some early ones, such as the Morris worm of 1988, written by Robert Morris, were experiments that spiraled out of control. Progressively they became a nuisance. Today the fruits of this research have become a vehicle for intelligence gathering, crime or sabotage.

The level of sophistication of viruses has also grown, for example, with the emergence of characteristics such as polymorphism, which enables a virus or worm to change its appearance in order to bypass detection mechanisms that rely on recognized signatures, that is, fixed sequences of bytes known to occur in the malicious code.
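As an added illustration (not code from the ISACA text), the following Python script shows why a fixed-byte signature misses a trivially re-encoded variant and how a decoder-aware scan recovers it. The payload and signature are constructed marker strings, not real malware, and the single-byte XOR "packer" is a stand-in for a polymorphic encoder; these names and the 0x5A key are choices made for the example.

```python
"""Signature scanning versus a polymorphic (re-encoded) variant.

Constructed example: PAYLOAD is a harmless marker string standing in for a
malicious code body, and SIGNATURE is the fixed byte sequence an antivirus
engine would have extracted from it. A single-byte XOR "packer" plays the
role of a polymorphic encoder: every key produces a sample with a different
byte layout and a different hash, although the decoded body never changes.
"""
import hashlib

PAYLOAD = b"MARKER: connect back to c2.example.invalid and open a shell"
SIGNATURE = b"connect back to c2.example.invalid"  # what the AV engine matches


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (the toy packer; also the unpacker)."""
    return bytes(b ^ key for b in data)


def polymorphic_variant(payload: bytes, key: int) -> bytes:
    """Build one generation of the 'virus': a one-byte decoder stub that carries
    the key, followed by the body encoded under that key. Real polymorphic
    engines also mutate the decoder; here only the body changes."""
    if not 0 <= key <= 255:
        raise ValueError("key must fit in one byte")
    return bytes([key]) + xor_bytes(payload, key)


def signature_scan(sample: bytes) -> bool:
    """Naive engine: look for the fixed byte string in the raw sample."""
    return SIGNATURE in sample


def decoder_aware_scan(sample: bytes) -> bool:
    """Analyst-style countermeasure for single-byte XOR: decode under all 256
    keys and scan each result. Production engines instead emulate the decoder
    stub, or run the sample in a sandbox and scan its memory once it has
    unpacked itself, which is what the text calls behavioural analysis."""
    return any(SIGNATURE in xor_bytes(sample, key) for key in range(256))


def sample_hashes(keys) -> dict:
    """SHA-256 of each generation: a hash blocklist sees a new file every
    time, which is the whole point of polymorphism."""
    return {k: hashlib.sha256(polymorphic_variant(PAYLOAD, k)).hexdigest()
            for k in keys}


def demo() -> dict:
    """Run the comparison on one encoded generation and return the verdicts."""
    variant = polymorphic_variant(PAYLOAD, 0x5A)
    return {
        "plain_signature_hit": signature_scan(PAYLOAD),
        "variant_signature_hit": signature_scan(variant),
        "variant_decoder_aware_hit": decoder_aware_scan(variant),
        "distinct_hashes_for_10_keys": len(set(sample_hashes(range(1, 11)).values())),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The naive engine could of course be given a signature for the decoder stub instead of the body, which is exactly why real polymorphic engines mutate the stub as well; the durable check is to let the sample unpack itself in a sandbox and scan the result, not the file on disk.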

Trojan Horses

A further category of malicious software (malware) is the Trojan horse, named after the famous incident in the Trojan War when Greek soldiers hid within a wooden horse to gain access within the enemy's city walls.

A Trojan horse (or simply Trojan) is a piece of malware that gets onto a targeted system by masquerading as, or hiding within, a legitimate application; unlike a virus or worm, it does not replicate itself. Trojan horses are often broken down into categories reflecting their purpose. Here are some commonly encountered terms for specific types of Trojan:
• Data-sending Trojans are designed to steal specific types of information, such as passwords or credit card details.
• Denial-of-service Trojans are designed to overload networks in order to disable business processes.
• Destructive Trojans are programmed to damage or delete files.
• FTP Trojans open a File Transfer Protocol (FTP) service on the victim's machine so that the attacker can connect to it.
• Man-in-the-browser Trojans enable an attacker to intercept and modify browser requests and responses.
• Man-in-the-mobile Trojans enable an attacker to interfere with mobile device transactions.
• Proxy Trojans allow an attacker to use the victim's computer as a proxy server, for example, to attack other victims.


• Remote access Trojans enable an attacker to gain control of the victim's system.
• Security software disabler Trojans are designed to stop or kill security programs, such as antivirus software.

Proxy Trojans can be used to harness additional computing resources in support of a large-scale attack, for example, for the purpose of a denial-of-service attack using a vehicle called a “botnet.”

Botnets

A botnet (a term derived from "robot network") is a large distributed network of previously compromised computers that can be controlled simultaneously to launch large-scale attacks, such as a denial-of-service attack on selected victims.

Botnets can contain hundreds of thousands (in some cases, millions) of individual computers. They have been used extensively by criminals for sending spam messages, by activists for attacking enterprises, and, in a number of cases, on behalf of government agencies for military or political purposes.

Drive-by Downloads

A drive-by download is a malware infection that occurs simply because a user visits a compromised or malicious web site: the page exploits a vulnerability in the browser or one of its plug-ins to install code without the user knowingly downloading anything. The term is also used for an attack triggered by the user clicking on a fake pop-up window planted on the user's client device. Most APT attacks gain initial access to enterprises by tricking a user into visiting an infected web site or opening an infected attachment or pop-up window. Infection by a drive-by download is a typical result of a social engineering attack on an IT user.

A watering hole attack is a form of drive-by download aimed at a specific group, for example the staff of a targeted enterprise or sector. The attacker compromises legitimate sites that the group is known to visit, and the payload is downloaded when members of the group browse those sites.
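The attachment delivery step described above, as an added example that is not code from the ISACA text: a Python triage script of the kind a mail gateway or an analyst would run over attachments before a user opens them. It checks that the content matches the type the file name claims (an executable renamed to .pdf, the double-extension trick) and flags PDFs that carry active content. The file names and contents are constructed for the example, and the keyword list is a common analyst heuristic, not an exhaustive or vendor-defined rule.

```python
"""Attachment triage: does the content match the claimed type, and does a PDF
carry active content? Constructed samples; heuristic rules, not a full parser."""
import re
from dataclasses import dataclass, field

# Leading bytes that identify the container formats relevant to spear phishing.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                 # Windows PE image: EXE, DLL, SCR
    b"PK\x03\x04": "zip",         # also DOCX/XLSX/JAR, which are ZIP containers
    b"\xd0\xcf\x11\xe0": "ole",   # legacy DOC/XLS, able to carry VBA macros
}

# What an extension claims the file is. Anything else is "unknown".
CLAIMED = {"pdf": "pdf", "exe": "exe", "scr": "exe", "dll": "exe",
           "docx": "zip", "xlsx": "zip", "zip": "zip", "doc": "ole", "xls": "ole"}

# PDF dictionary keys that let a document run script, act on open, or launch
# something. Word boundary so /JS does not match longer names.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")


@dataclass
class Verdict:
    name: str
    claimed: str
    actual: str
    findings: list = field(default_factory=list)

    def suspicious(self) -> bool:
        return bool(self.findings)


def sniff(content: bytes) -> str:
    """Identify the real format from its leading bytes, ignoring the name."""
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind
    return "unknown"


def claimed_type(name: str) -> str:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return CLAIMED.get(ext, "unknown")


def triage(name: str, content: bytes) -> Verdict:
    v = Verdict(name, claimed_type(name), sniff(content))
    if v.claimed != v.actual:
        v.findings.append(f"type mismatch: name says {v.claimed}, content is {v.actual}")
    if v.actual == "exe" and name.count(".") >= 2:
        v.findings.append("double extension hiding an executable")
    if v.actual == "pdf":
        keys = sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(content)})
        for key in keys:
            v.findings.append(f"PDF active content: /{key}")
    return v


# Constructed attachments (not real samples). The second one runs JavaScript
# on open, which is how a lure document hands control to an exploit.
SAMPLES = {
    "quarterly-report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n",
    "invoice.pdf": (b"%PDF-1.6\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                    b"3 0 obj << /S /JavaScript /JS (app.alert('x')) >> endobj\n%%EOF\n"),
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,            # executable renamed to .pdf
    "statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,     # double extension
    "agenda.docx": b"PK\x03\x04" + b"\x00" * 26,
}


def run_triage(samples=None) -> dict:
    """Triage every sample and return the verdicts keyed by file name."""
    samples = SAMPLES if samples is None else samples
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for v in run_triage().values():
        flag = "SUSPICIOUS" if v.suspicious() else "ok"
        print(f"{v.name:22} {v.claimed:>7} -> {v.actual:<7} {flag} {v.findings}")
```

Two caveats for anyone turning this into a gateway rule: PDF objects are usually held in compressed streams and names can be hex-escaped (/J#61vaScript), so a raw byte scan only catches the lazy cases and a real check must decompress streams and normalise names first; and for the ZIP and OLE containers the next step is a macro check, which this script does not attempt.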

Zero-day Exploits

A zero-day exploit is an attack that uses a vulnerability in an operating system or application for which no fix yet exists: the vendor has had "zero days" to address it, either because the flaw is not yet known to the vendor or because a patch has not yet been released. These attacks are extremely difficult to defend against because there is nothing to patch, and an anti-malware system that relies on recognized signatures will probably not detect the exploit.

Zero-day exploits are valuable assets to those who discover them. They can be sold to organized crime groups or intelligence agencies for hundreds of thousands of dollars or used to mount information theft attacks on unfortunate victims. Because there is no signature to match, detection has to come from analyzing the behavior of incoming code (sandboxing and behavioral analysis), and the impact has to be limited by controls that do not depend on knowing the vulnerability in advance, such as least privilege, network segmentation and prompt patching once a fix is released.


1.5 A Short History of APT Attacks

It is instructive to examine the history of the APT because it is possible to derive many important lessons for defending against them in the future. The earliest use of the term "advanced persistent threat" emerged from the US government sector in 2005, describing a new, deceptive form of attack that targeted selected employees and tricked them into downloading a file or accessing a web site infected with Trojan horse software.

These early attacks aimed ultimately to steal information of direct interest to foreign intelligence services, so it is highly likely that they were sponsored by a rival intelligence agency. The attacks did not employ new forms of technology or knowledge. They simply exploited glaring (with hindsight) weaknesses in existing security defenses.

The underlying exposure in every enterprise attacked was that there was no effective protection to prevent a planted Trojan horse from transmitting information outside the enterprise. Attacks designed to steal large amounts of information through automated malware were, therefore, always a possibility, but few attacks had been encountered in practice and organizations felt relatively safe behind their enterprise firewalls.

The audacity and ambition of this new wave of cyberattacks surprised most stakeholders. They succeeded in catching target organizations off guard, not because such an attack was not considered possible, but simply because the attacks were unprecedented as well as carefully researched and executed. It was a learning point that should be noted by all enterprises. Just because a form of attack has not yet been experienced does not imply it could not materialize in the future.

Information security risk assessments are unfortunately backward-looking, seeking evidence of past incidents to justify investment in new countermeasures. Business managers are understandably reluctant to spend money on controls to counter theoretical threats. The consequence is that most security defenses are designed primarily to prevent or detect attacks that have been previously encountered, rarely taking account of new forms of attack that are theoretically possible but outside the experience of the organization.

Lack of attention to future risk is a vulnerability that exists across many disciplines. It is often said, for example, that armies are designed to fight the last war. The same is true of cybersecurity. Most, if not all, protective measures are based on past experience rather than future needs. But when facing a fast-changing threat landscape, it is important to look ahead and anticipate new forms of potential risk rather than responding only when they hit home.


Later chapters of this book will examine the question of how to ensure that security measures are adequate and necessary. Unfortunately, it is not as easy to achieve in practice as it might sound, largely because expenditure on measures to mitigate theoretical future risk is hard to justify to investment appraisal boards.

Returning to the history of APT attacks, it is worth noting that much of the increase in the sophistication of malware attacks is due largely to the emergence of intelligence services on the computer hacking and malware scene. These agencies are substantially better equipped than individual enthusiasts or small-time criminals to develop sophisticated offensive malware. Their entrance effectively raised the bar for all actors, including criminals, activists and, potentially, terrorists, by demonstrating the art of the possible and exposing the vulnerabilities of enterprises to determined, sustained attacks.

There is nothing new in national intelligence services spying on other countries. It has been going on for thousands of years. But, in the past, it was achieved primarily by human agents or through interception of communications. The growth in computer networks and databases over the past thirty years, however, has transformed the intelligence gathering landscape. It is now easier to gather intelligence through hacking than via human spies.

Appendix B summarizes the known facts, anecdotal evidence and reported claims behind the attacks experienced over the last 15 years. These attacks are explained in more detail in the following pages. They are neither theoretical nor exaggerated and can affect any enterprise or individual that happens to fall within their sights. Before discussing these attacks, however, it is worth taking a step back several years to examine an attack that served as an early wake-up call to the potential for mounting professional cyberespionage attacks.

The Cuckoo's Egg

The earliest published attack on military research establishments was detected as far back as the late 1980s when West German hackers penetrated networked computers in California to steal secrets relating to the "Star Wars" program.

A fascinating account of this particular set of attacks is related in the 1989 book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage,5 by Clifford Stoll, a computer manager at the Lawrence Berkeley National Laboratory, who stumbled across the activity when investigating a minor accounting discrepancy in the computer usage accounts.

5 Stoll, Clifford; The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Doubleday, USA, 1989


Stoll discovered that the intrusion was coming from a university in West Germany across a satellite link. He set up a trap with enticing details of a fictional Star Wars contract, enabling the West German authorities to locate the hacker, a student called Markus Hess, who had been selling the stolen information to the Soviet KGB. Hess was tried and found guilty of espionage in 1990 and received a suspended prison sentence.

The incident helped raise awareness across the intelligence and security communities of the potential for offensive attacks as well as the vulnerability of networked computers to compromise. It was a portent for future attacks that would materialize in years to come.

Moonlight Maze

At the turn of the century, a widespread series of attacks on government sites was discovered by the US government. The attacks, codenamed Moonlight Maze, had been going on undetected for nearly two years, penetrating systems at the Pentagon, NASA and the US Department of Energy as well as universities and research labs involved in military research. Some experts point to these attacks as perhaps the first major example of an APT, although the term was not in common use at that time.

The attacks stole tens of thousands of files, including maps of military installations, troop configurations and military hardware designs, resulting in damage amounting to many millions of dollars. The attacks were traced back to a mainframe computer in the former Soviet Union, although the Russian government denied any involvement. It is possible that the stolen information might have been sold to the highest bidder.6

Titan Rain

Titan Rain was the code name given by the US government to a series of cyberespionage attacks launched in 2003 on US defense contractors, including those at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA. The attacks were claimed to be of Chinese origin, although the Chinese government denied any involvement.

What was new in the attacks that began to emerge at this time was the level of deception and the use of multiple attack vectors (channels of attack), which combined well-researched social engineering attacks on specific, targeted individuals with stealthy Trojan horse attacks using malware techniques that were calculated to bypass contemporary security countermeasures.

The sensitive nature of the incidents and targets encouraged a blanket of government secrecy, which was understandable but, with hindsight, unfortunate because it helped the perpetrators to broaden their attacks to steal data from a wider spectrum of enterprises, encompassing all major sectors of industry including aerospace, defense, energy, financial services, manufacturing, pharmaceutical, technology and others.

6 In testimony to the US Senate Committee on Government Affairs in March 2000, James Adams, chief executive officer (CEO) of iDEFENSE, a security intelligence consultancy, claimed that stolen information worth tens or hundreds of millions of dollars was shipped over the Internet to Moscow for sale to the highest bidder.

Sykipot

For several years, perhaps going back to 2006 but not detected until much later, an APT campaign known as Sykipot has been collecting and stealing secrets and intellectual property, including design, financial, manufacturing and strategic planning information. The attacks employ spear-phishing emails containing a malicious attachment or a link to an infected web site, as well as zero-day exploits.

Sykipot attacks have targeted many US and UK companies, including those operating in the defense, computer, telecommunications, energy, chemicals and government sectors. An analysis of these attacks carried out in 2011 by AlienVault Labs indicated that the vast majority of its command and control servers were based in China.7 The targets and information gathered suggest that an intelligence agency would be the likely beneficiary.

GhostNet

GhostNet was a large-scale cyberespionage operation discovered in March 2009. Its command and control infrastructure was reported to have been based largely in China, although the Chinese government has denied any involvement.

The GhostNet attacks were initiated by spear-phishing emails containing malicious attachments that loaded a Trojan horse on the victim’s system, enabling the execution of commands from a remote command and control system, which downloaded further malware to take full control of the compromised system. The malware included the ability to use audio and video recording devices to monitor the locations housing the compromised computers.

GhostNet was reported to have infiltrated the computers of political, economic and media targets in more than 100 countries, including the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany, Pakistan and the office of the Prime Minister of Laos. The foreign ministries of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan were also targeted. Computers in the Dalai Lama’s Tibetan exile centers in India, London and New York were also compromised.

Some researchers have suggested that GhostNet might have been an operation run by citizens in China for profit or patriotic reasons. Alternatively, it may have been created by intelligence agencies from other countries such as Russia or the US. One factor that is consistently encountered when attempting to identify the source of APT attacks is the preponderance of unsubstantiated rumor or spin associated with the attacks. Every expert has a different opinion on who is behind them.

7 Blasco, Jaime, "Are the Sykipot's authors obsessed with next generation US drones?," AlienVault Labs Blog, USA, 20 December 2011, labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones

Operation Aurora

Operation Aurora (a name taken from a string found in the attack code and believed to be the attackers' own name for the operation) was a series of cyberattacks launched in 2009 and reported to have originated in China. The attack used a zero-day exploit against Internet Explorer to install a Trojan horse named Hydraq, designed to steal information and give the attackers remote access to the compromised system.

Early victims of APT attacks had generally been unwilling to publicize their experience or confront the suspected perpetrators. Fear of antagonizing their attackers or upsetting their customers and shareholders discouraged public announcements and retaliatory action, which served only to encourage attackers to go even farther. To its credit, Google was an exception to this culture of silence. In January 2010, Google disclosed the attacks, claiming that 20 other companies had also been attacked, although it is now widely believed that the number was much higher. Victims were known to include Adobe Systems, Juniper Networks and Rackspace. Many other companies that were attacked preferred to remain anonymous, although reports indicated that they included leading banks, defense contractors, security vendors, oil and gas companies as well as a number of other technology companies. The email accounts of Chinese human rights activists were targeted as well.

McAfee investigators reported that the primary goal of the attack was to gain access to and modify source code repositories at these high-tech, security and defense contractor companies. At the time, these repositories were not generally protected to a high security standard.

By publicizing its experiences, Google helped to promote awareness of the risk and encourage investment in better security countermeasures. Many companies still remain reluctant to admit being victims of similar attacks, although regulatory compliance requirements have been progressively forcing enterprises to be more open about their security incidents.

Gozi

The Gozi banking Trojan (widely reported as the "Gozi virus"), named by the security experts who first discovered it in 2007, infected more than one million computers in the US, UK, Germany, Poland, France, Finland, Italy, Turkey and elsewhere, causing tens of millions of dollars in damages. Systems at NASA were also penetrated by the attacks. The malware was rented or sold to criminal gangs by Nikita Kuzmin, a Russian national who created Gozi with the support of accomplices from neighboring countries.


Initially designed simply to capture and transmit personal banking information, later versions contained a capability to intercept browser traffic and modify web communications. Gozi was controlled through a so-called “bulletproof hosting” service that helped cybercriminals distribute the Gozi virus in a manner designed to enable them to preserve their anonymity. Gozi was disseminated to its victims through various methods, most commonly disguised as a benign PDF document.

Nikita Kuzmin was arrested in the US in November 2010 and pleaded guilty to computer intrusion and fraud charges, but banks have continued to experience attacks from Gozi, which has continued to be enhanced. A new variant of Gozi, which appeared in early 2013, infects the hard disk master boot record (MBR). Because the MBR sits outside any partition, reformatting the partitions and reinstalling the operating system leaves it in place; the boot sector itself has to be rewritten to eradicate the infection.

Zeus

First discovered in 2007, when it was used to steal information from the US Department of Transportation, Zeus is a Trojan horse used to steal credentials for banking and credit card payments or for logging in to social networks. Zeus is not a specific attack from a single source, but a complete tool kit providing a wide range of automated and manual tools used by criminals as part of an APT attack.

APTs created using Zeus can spread to victims through a phishing email or a visit to an infected site. The Trojan then mounts a man-in-the-browser attack to capture keystrokes and web form data from users. Using this technique, Zeus is reported to have compromised tens of thousands of FTP accounts on company web sites and infected several million customer computers.

In 2010, more than 100 people were arrested in the US, UK and Ukraine on charges of conspiracy to commit bank fraud and money laundering after using Zeus to steal around US $70 million.

SpyEye

In 2009, a new banking Trojan known as SpyEye emerged, retailing for US $500 on Russian underground forums. Like Zeus, SpyEye is designed to steal customer credentials and initiate fraudulent transactions once a victim has logged on to his or her bank account. A variant of SpyEye discovered in 2012 was able to modify the displays of bank statements and balances so that the victim did not see the fraudulent transactions. Newer variants of Zeus and SpyEye, generally with increasing levels of sophistication, continue to emerge in response to improvements in security defenses.8

In May 2013, the alleged developer and controller of SpyEye, Hamza Bendelladj, an Algerian hacker, was extradited from Thailand to the US and charged with numerous counts of fraud.

8 For example, see Eurograbber, covered later in this chapter.


One of the SpyEye command and control servers sited in Atlanta (Georgia, USA) allegedly contained information from 253 different financial institutions.

RSA Attack

In March 2011, approximately a month after hosting the world's largest cybersecurity conference, RSA (the security division of EMC) announced that it had been the victim of a successful APT attack. Although many experts would not place this attack in the same category as some of the more sophisticated intelligence-gathering attacks that have been mounted on governments and Fortune 500 companies, this was clearly a professional, targeted attack by a major APT actor.

The attack itself was relatively simple, but effective: it was initiated by a phishing email carrying an Excel spreadsheet with an embedded Adobe Flash object that exploited a then-unpatched (zero-day) Flash vulnerability. The intrusion resulted in the theft of confidential information, including data relating to RSA's best-selling SecurID authentication technology. The attack used a piece of malware named Poison Ivy, at the time a widely available remote access Trojan that had been used to steal information from companies in the chemical and motor sectors as well as from human rights organizations.

The disclosure sent shock waves across the security community because the SecurID product, widely regarded as a security best practice, had long been the product of choice for many Fortune 500 enterprises. Shortly after the RSA breach, several defense contractors, including Lockheed Martin, disclosed that they had experienced cyberattacks on their networks. At least one of these attacks was reported to have used spoofed passcodes from a cloned RSA SecurID token.

The consequences of this attack were potentially highly damaging for both RSA and the customers of its security authentication product. Fortunately, RSA acted quickly to contain the damage, immediately informing customers and advising them to take action to strengthen their SecurID implementations. EMC reported that it had spent at least US $66 million on remediation. According to RSA executives, no customer networks were breached, although the breach eventually affected over 700 organizations and was estimated by a Gartner analyst to have cost the banking industry US $50-100 million in replacement costs for new tokens.

There are several lessons to be drawn from the RSA incident:
• It is possible for security products to be compromised through an attack on the supplier. Contingency plans should, therefore, be considered for possible breaches of this type where the consequences would be highly damaging.
• The incident demonstrated that even the most security-aware companies handling highly sensitive material can have weaknesses in their security posture. There is certainly an element of truth in the old adage that "the cobbler's children have the worst shoes."


• With speedy identification and response, it is possible for the immediate damage from an intrusion to be contained. RSA acted swiftly, decisively and candidly to minimize the consequences to customers.

• The incident demonstrates that enterprises with good crisis management and public relations can ride out even the most severe incidents. RSA is still in business today and has maintained a good reputation.

The Stuxnet Worm

The Stuxnet computer worm, discovered in June 2010, was the first publicly known malware designed to spy on and subvert industrial control systems. Stuxnet was claimed to have been created by the US and Israel in order to attack Iran's nuclear facilities.9 The malware was reported to have caused substantial damage to the centrifuges at the Natanz nuclear enrichment facility in Iran.

The worm specifically targeted Siemens industrial software and equipment, making itself inert if the target software was not found and containing safeguards to limit the spread of the infection. It was the first piece of malware to include a programmable logic controller (PLC) rootkit. It was also programmed to stop spreading after a cut-off date of 24 June 2012. The design of the worm suggests that it was intended to achieve a specific objective against a particular target rather than to support a general intelligence-gathering operation.

Stuxnet was designed to spread initially through an infected USB drive and then use other exploits to infect or update other computers. It was controlled through two web sites in Denmark and Malaysia. The malware contained four different zero-day exploits, a considerable investment for a single attack because such exploits can be sold for hundreds of thousands of dollars.

The size and sophistication of the code indicated that the development cost would have been substantial, requiring on the order of a dozen or more man-years. Further derivatives of Stuxnet, called Duqu and Flame, were discovered over the next two years, suggesting that these attacks were part of an ongoing development program.

Duqu

Duqu was discovered in 2011 and named after the prefix ~DQ given to the names of the files it creates. The code has been found in a limited number of enterprises, including those involved in the manufacturing of industrial control systems.

9 On 1 June 2012, an article in The New York Times reported that Stuxnet is part of a US and Israeli intelligence operation called “Operation Olympic Games,” started under President George W. Bush and expanded under President Barack Obama.


Analysis showed it to be very similar to Stuxnet, suggesting that it was created by the same authors or a source that had access to the Stuxnet source code. Server addresses were scattered across many countries, including Germany, Belgium, the Philippines, India and China, suggesting that some sites were selected to help mask the real source of the attacks.

Duqu is designed to gather information rather than cause damage. In particular, it captures information such as keystrokes and system information, most likely for the purpose of enabling a future APT attack on industrial control systems.

Researchers at Kaspersky Lab have pointed out that, unlike many other pieces of malware, the code shares similarities with professionally produced commercial software, suggesting that it was developed by software professionals rather than computer hackers.

Analysis of Duqu also indicated that the malware was built on an earlier platform called Tilded (because of the ~d at the beginning of the file names it creates), which originated as far back as 2007.

Flame

Flame was discovered by Iran's National Computer Emergency Response Team in 2012. It was used to mount sophisticated cyberespionage attacks on governmental ministries, educational institutions and individuals in Middle Eastern countries, infecting around 1,000 machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

The Flame malware was large and complex, designed to spread over local networks or via USB sticks. It could record audio, screenshots, keyboard activity and network traffic, including Skype® conversations. It was also capable of stealing contact information from any nearby Bluetooth®-enabled devices.

The malware was designed to be killed instantly by a remote instruction from the central command and control server. Attacks ceased when the malware was publicly disclosed. The Washington Post claimed that Flame was jointly developed by the US National Security Agency, CIA and Israel’s military at least five years prior to discovery, although this was officially denied.

Red October

Red October, a malware program designed to steal secrets from government and research organizations (including data on mobile devices), was discovered in October 2012 by the Russian firm Kaspersky Lab. It was believed to have been operating worldwide for at least five years prior to discovery, stealing a wide range of information, including secrets from diplomatic, trade, military, aerospace, energy and research organizations in Russia, Iran, the US and at least 36 other countries.

The Red October attacks were designed to target multiple platforms, including routers, switches, mobile phones and external storage devices, and adapt their actions to different software environments. Among other things, the malware targeted files associated with cryptographic systems, including systems used by NATO, European Union, European Parliament and European Commission departments.

Analysis of the malware by Kaspersky Lab uncovered a sophisticated framework of more than 30 different categories of module, each designed to carry out a specific task, such as identifying the software environment, infecting machines, installing back doors, searching for files, grabbing information, stealing credentials, recording keystrokes or uploading collected files. It also included special software to enable infected machines to be resurrected automatically upon the receipt of an email attachment in the event that the main body of malware should be discovered and removed, or the system patched.

There are contradictory views among experts as to the source, which remains unknown. Analysis of the malware indicated that it was different from the code found in Stuxnet, Duqu and Flame, suggesting that it was created by a different source.

Eurograbber

In December 2012, security vendors Versafe and Check Point publicized details of a sophisticated Trojan horse they named Eurograbber, which had stolen an estimated 36 million euro from more than 30,000 customers in over 30 banks across Europe. The attacks began in Italy and quickly spread to Spain and the Netherlands.

This attack began by infecting the computers of bank customers through a phishing email, which downloaded a Trojan (a variant of Zeus) designed to recognize and inject instructions into banking transactions, diverting money into a “mule” account owned by the criminals.

The attack was able to circumvent the SMS-based authentication system used by the targeted banks by asking the user to install supposed new security software on their mobile device. That software was in fact a mobile component of the Trojan, which intercepted the one-time codes the bank sent by SMS and forwarded them to the attackers, so that the second channel no longer offered any independent check on the transaction.
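The mechanism described in the three paragraphs above, as an added Python model that is not part of the ISACA report and not code from any bank, from Zeus or from Eurograbber: a man-in-the-browser web-inject rewrites the beneficiary between the customer's form and the bank, and the bank confirms the transfer with an SMS code. The account numbers, the amount, the session identifier and the HMAC-based code derivation are all assumptions made for the example. The three runs show that a plain one-time code confirms the diverted transfer unchanged, that a code bound to the transfer details (with those details repeated in the SMS) lets an attentive customer on a clean phone refuse it, and that once the mobile component forwards the SMS to the attacker the bound code is confirmed just the same, which is why the Trojan needed the customer to install it.

```python
"""Added model of the Eurograbber flow (illustrative; not code from the ISACA
report, from any bank, or from the Zeus/Eurograbber Trojan).  A man-in-the-
browser web-inject rewrites a transfer between the customer's form and the
bank; the bank confirms transfers with an SMS code.  Accounts, amount, the
session id and the HMAC-based code derivation are constructed for the example."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    beneficiary: str      # IBAN-like string, constructed
    amount_cents: int


class Bank:
    """Server side of the transfer flow.

    bound_codes=True : the code is an HMAC over beneficiary, amount and a nonce, and
                       the SMS text repeats those details ("what you see is what you sign").
    bound_codes=False: a plain one-time code that says nothing about the transfer.
    """

    def __init__(self, bound_codes: bool):
        self.bound_codes = bound_codes
        self.key = secrets.token_bytes(32)                     # server-side MAC key (assumed)
        self.pending: Dict[str, Tuple[Transfer, str]] = {}     # session -> (transfer, nonce)

    def _code(self, t: Transfer, nonce: str) -> str:
        msg = f"{t.beneficiary}|{t.amount_cents}|{nonce}" if self.bound_codes else nonce
        digest = hmac.new(self.key, msg.encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"   # six digits

    def start_transfer(self, session: str, t: Transfer) -> str:
        """Record the transfer exactly as received and return the SMS text sent out."""
        nonce = secrets.token_hex(8)
        self.pending[session] = (t, nonce)
        code = self._code(t, nonce)
        if self.bound_codes:
            return f"Code {code} confirms {t.amount_cents / 100:.2f} EUR to {t.beneficiary}"
        return f"Your code is {code}"

    def confirm(self, session: str, code: str) -> bool:
        """Release the pending transfer iff the code matches the one that was sent."""
        t, nonce = self.pending.pop(session)
        return hmac.compare_digest(code, self._code(t, nonce))


def extract_code(sms: str) -> str:
    """Pull the six-digit code out of either SMS format produced by Bank."""
    return sms.split()[1] if sms.startswith("Code") else sms.split()[-1]


def mitb_inject(t: Transfer, mule: str) -> Transfer:
    """The Trojan's web-inject: redirect the transfer to a mule account on its way
    to the bank.  The customer's screen keeps showing the original beneficiary."""
    return Transfer(mule, t.amount_cents)


def customer_reads_sms(sms: str, intended: Transfer) -> Optional[str]:
    """An attentive customer on a clean phone types the code in, unless the SMS
    names a beneficiary that differs from the one on screen."""
    if " to " in sms and intended.beneficiary not in sms:
        return None
    return extract_code(sms)


def run(bound_codes: bool, phone_compromised: bool) -> bool:
    """One fraud attempt end to end; True means the money went to the mule."""
    intended = Transfer("NL00EXAMPLE0000000001", 120_000)      # 1200.00 EUR, constructed
    bank = Bank(bound_codes)
    session = "sess-1"
    sms = bank.start_transfer(session, mitb_inject(intended, "ES00MULE000000000009"))
    if phone_compromised:
        # Eurograbber's mobile component forwards the SMS to the attacker, who
        # enters the code himself; the customer never gets to read it.
        code = extract_code(sms)
    else:
        code = customer_reads_sms(sms, intended)
    return code is not None and bank.confirm(session, code)


if __name__ == "__main__":
    print("plain code, clean phone    ->", run(False, False))   # True: fraud succeeds
    print("bound code, clean phone    ->", run(True, False))    # False: customer refuses
    print("bound code, infected phone ->", run(True, True))     # True: fraud succeeds
```

The third run reproduces the Eurograbber case. The point for a bank is that the SMS channel adds security only while the phone is independent of the infected PC; once both ends are under the attacker's control, a decision to release a transfer to a previously unseen beneficiary should not rest on the code alone.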

Emerging Trends in Attacks

Trend analysis shows a progressive extension of targets to include less obvious ones, such as universities and small enterprises. Where will these attacks end? The answer is that they will not. Given the attractiveness and effectiveness of APT attacks to the agents that launch them, it can be confidently anticipated that APTs will continue to grow in sophistication, ambition and impact.


One indication of this is the substantial increase in government spending on cyberdefense, including offensive capabilities. For example, according to a Reuters report in June 2013, US military cyberspending is projected to grow by US $800 million, to $4.7 billion, while overall Pentagon spending is being cut by $3.9 billion.10

A further factor is that the techniques and source code used in previous attacks are often widely available through sale or publication on the Internet. Attacks will be replicated or will evolve faster as attackers of all types race to exploit publicized vulnerabilities and breaches before their victims have a chance to eliminate the flaws in their infrastructure. Vulnerability scanning tools are also readily available to any would-be attackers to enable them to search out weaknesses in networked systems. Some tools are free to download.

The end result will be an increasing number of people acquiring hacking and malware development capabilities, coupled with a growing demand from governments, criminals and terrorists to exploit their skills. To understand better why so many different actors are keen on cyberattacks and what they are after, it is necessary to examine the objectives of the organizations responsible for mounting APT attacks.

1.6 Who Is Behind APT Attacks?

The motives behind most APTs are as old as civilization itself: espionage, sabotage, crime, terrorism, warfare, protest and vandalism. Such threats are familiar to everybody, although their physical manifestations are generally beyond the everyday work experiences of most citizens and company staff. The average person rarely encounters spies, criminals or hackers when going about his/her business, but networks are bringing such threats much closer to home.

Today any enterprise, of any shape or size, or any IT user is a potential target for a sophisticated attack from professional hackers or criminal malware. Virtually all companies or public sector organizations hold some information of value to an attacker, whether it is trade secrets, privileged knowledge of commercial deals, facilities to initiate money transfers, or personal identifying details (of staff or customers) that could be exploited for identity fraud purposes.

Sophisticated attacks on banking systems can also impact citizens. Consumers are a much softer target than financial institutions. The returns from a fraud on an individual bank customer might be relatively small, but there are many millions of them, and automated malware makes it easy to mount large-scale attacks.

10 Strobel, Warren; Deborah Charles; “With troops and techies, U.S. prepares for cyber warfare,” Reuters, 7 June 2013, accessed 22 August 2013, in.reuters.com/article/2013/06/07/usa-cyberwar-idINL1N0EF0NF20130607


Figure 2 lists the primary actors behind APT threats. It sets out their overall goals as well as the potential business impact of their attacks. Each source of threat is examined in more detail in the subsequent paragraphs.

Some of this content might seem to some a little dramatic and perhaps alarming to everyday business managers. It might be perceived as a remote threat to a down-to-earth security manager or auditor with immediate needs focused on everyday incidents resulting from user oversights, operating errors or equipment failures.

But the targets, scope and impacts of professional attacks are becoming progressively broader, so it is important for all enterprise managers and individual consumers to understand the source and motives of APT risk, and to be able to assess their likelihood and impact, no matter how remote they might appear at present.

Figure 2: Sources of APT Threat

Threat | What They Seek | Business Impact
Intelligence agencies | Political, defense or commercial trade secrets | Loss of trade secrets or commercial, competitive advantage
Criminal groups | Money transfers, extortion opportunities, personal identity information or any secrets for potential onward sale | Financial loss, large-scale customer data breach or loss of trade secrets
Terrorist groups | Production of widespread terror through death, destruction and disruption | Loss of production and services, stock market irregularities, and potential risk to human life
Activist groups | Confidential information or disruption of services | Major data breach or loss of service
Armed forces | Intelligence or positioning to support future attacks on critical national infrastructure | Serious damage to facilities in the event of a military conflict

Intelligence Agencies

Mention espionage to the average person and it is likely to conjure up a mental model of Agent 007, James Bond. But spying is now part and parcel of modern international business. State-sponsored theft of company information is a clear and present threat to any enterprise that possesses or handles valuable information property, regardless of how big they are or where they are located.


A major barrier to mitigating this threat for many enterprises is that talk of espionage can be perceived by business managers as a flight of fantasy rather than a concrete business reality. Security evangelists face a hard challenge in persuading managers and IT users to take the threat seriously. Many people are understandably reluctant to respond to risk that is outside their experience. Over time, however, they will become familiar with the subject because an increase in attacks will increase the level of APT awareness.

The purpose of intelligence gathering is to support national security by giving early warning of impending threats and helping to inform defense planning. It can also be used to serve national interests by discerning the intentions of rival countries and their industries.

State-sponsored intelligence gathering is a major industry, employing many hundreds of thousands of people worldwide. There are more than 100 countries in the world with professional intelligence services, and most countries have more than one. The US intelligence community, for example, is a coalition of 17 different agencies and organizations working independently and collaboratively to gather the intelligence necessary to conduct foreign relations and national security activities.11

The threat to business is that commercial secrets are highly vulnerable to theft and copying, often with substantial business impact. The benefits to a country of replicating another nation’s industrial technological secrets have long been clear to governments with an appreciation of history. Examples go back centuries. In 1712, Francois Xavier d’Entrecolles, a French Jesuit missionary, reported the Chinese technique of manufacturing porcelain back to Europe, contributing to the growth of European porcelain manufacturing and a consequential decline in Chinese porcelain exports.

Some 70 years later, at the height of the industrial revolution, Samuel Slater, an Englishman alternatively known as the “Father of the American Industrial Revolution” or “Slater the Traitor,” depending on one’s nationality, memorized all he could about Britain’s cotton-spinning technology and promptly took off for New York, replicating the British designs and single-handedly eliminating Britain’s competitive advantage.

Whether the target is porcelain manufacturing, cotton spinning, weapons of war, chip designs or secret ingredients, intellectual property will always be a target of espionage. Legal redress can sometimes help, but it is rarely enough to mitigate the full business impact, especially when a foreign government is the culprit.

11 See www.intelligence.gov for more details.


Cyberespionage is simply the next logical extension of traditional espionage. It has the advantage of enabling massive quantities of information to be stolen remotely, cheaply, surreptitiously and with little personal risk to the perpetrators. In recent years, national security agencies have warned their industries that many foreign states are now equipped and motivated to conduct sophisticated cyberespionage attacks to steal commercial secrets. For example, British national security agency MI5 warns UK companies that:

A wide range of hostile actors use cyber to target the UK. Foreign states are generally equipped to conduct the most damaging cyber espionage and computer network attacks. Hostile actors can target government, military, business and individuals. They use computer networks to steal large volumes of sensitive data undetected. This might include intellectual property, research and development projects, strategic data on a company’s merger and acquisition plans or any other information that the owner might want to protect.12

The organization and scale of some attacks have been progressively growing to what many observers judge to be alarming proportions. The attacks involve large numbers of hackers exploiting many thousands of computer platforms. A single attack can net a surprisingly large amount of information, as much as tens or hundreds of gigabytes of data.

Not every country sets the same priorities and objectives for its intelligence services. Western agencies, for example, place a high priority on intelligence to support counterterrorist, defense and political initiatives. In contrast, many states in the eastern hemisphere place a higher priority on the theft of commercial secrets to support state-owned industries. They are likely to target and exploit a wide range of commercial intellectual property in addition to the more traditional targets of political and military intelligence. China and Russia, in particular, have been repeatedly accused of engaging in large-scale espionage on commercial companies.

Mandiant, a specialist consultancy, claims that its analysis of APT threats leads it to conclude that a major source of attacks is likely to be the People’s Republic of China, specifically the Second Bureau of the People’s Liberation Army General Staff Department’s Third Department, commonly known by its Military Unit Cover Designator as Unit 61398. Mandiant believes that this unit has systematically stolen hundreds of terabytes of data from at least 141 organizations.

12 See the cyber advice on the official MI5 site at www.mi5.gov.uk.


The unfortunate fact for business enterprises is that the benefits of cyberespionage are simply too great for national security agencies to resist. In fact, it would probably seem quite wasteful for any intelligence service to ignore the most effective modern means of covertly gathering secret information from geographically remote targets. There is no indication that the threat of commercial spying will diminish in the short, medium or long term. As the famous futurist Alvin Toffler once put it: “The 21st Century will be dominated by information wars and increased economic and financial espionage.”

Criminal Gangs

Organized crime is a very different business from state-sponsored espionage, but there are similarities in the range of tools and techniques employed and, in some cases, the end uses of the intelligence gathered. Research by Verizon, for example, has indicated that financially motivated cybercrime represents 75 percent of reported data breaches. (State-sponsored espionage claimed the second spot.)

Not all criminals target victims in such a sustained manner, however. A lot of crime is opportunistic in nature because many criminal gangs prefer to search out and exploit the softest targets they can find. This type of crime can be compared to a balloon: Squeeze it in one place and it instantly inflates somewhere else. In effect, it can be shifted, but it cannot be eradicated. But a target likely to attract extortion demands, such as an online betting company, or any rich source of trade secrets or personal identity data, has a strong chance of eventually becoming the target of a sustained attack from an organized crime gang.

It is important to note also that criminal gangs that mount APT attacks do not necessarily steal the information for their own consumption. Sales of stolen identity credentials and military intelligence have long been, and will continue to be, successful lines of business for organized crime groups, but such gangs also have close contacts with intelligence services and information brokers, and they will often sell their stolen secrets to the highest bidder.

The existence of such links between intelligence services and organized criminals was highlighted in a 2012 report13 prepared by Northrop Grumman Corporation for the US-China Economic and Security Review Commission, which notes that: “Organized cyber criminals and state-sponsored intelligence professionals conducting computer network exploitation often operate in the same environment and sometimes against similar categories of targets.”

13 Krekel, Bryan, Patton Adams; George Bakos; “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage,” prepared for the US-China Economic and Security Review Commission by Northrop Grumman Corporation, USA, 2012, origin.www.uscc.gov/sites/default/files/Research/USCC_Report_Chinese_Capabilities_for_Computer_Network_Operations_and_Cyber_%20Espionage.pdf


This trend of collaboration between criminals and spies is likely to continue and become even stronger as organized criminals develop cyberskills and government agencies seek to extend their capabilities by harnessing available external resources.

Terrorists

The goal of terrorism is to produce widespread terror through death, destruction and disruption. The last two objectives can be achieved very efficiently through destruction or manipulation of industrial process systems that control essential citizen services, such as power and telecommunications.

The threat of a major terrorist attack employing APT techniques is judged by many authorities to be a real possibility, but fortunately such a serious breach has yet to be experienced. However, the potential for such an attack to materialize continues to grow as the knowledge and support tools needed to mount an effective attack increase.

Such a threat represents one of the most serious risks to business and society because many supervisory control and data acquisition (SCADA) systems controlling industrial processes are potentially vulnerable to well-planned, deliberate cyberattacks, which could result in widespread disruption of consumer services as well as damage to critical infrastructure and potential loss of life.

The potential consequence of a coordinated cyberattack, although exaggerated, was illustrated in the 2007 American action film “Live Free or Die Hard” (or “Die Hard 4.0”). Although a fictional account, the film does indicate the potential impact on society of widespread outages in energy supplies and malicious manipulation of critical control systems such as automated traffic signals.

Assessing the potential risk of any terrorist attack is difficult because most are unpredictable by nature, constantly shifting and often directed against general communities with randomly selected victims. The only thing we can say for certain is that the risk is continually rising, although the general perception will remain largely complacent for as long as there is an absence of visible major incidents.

Activists

When it comes to exploiting technology, activist groups have often been ahead of the game, and this trend is increasing even though the nature of activist or “hacktivist” attacks has been changing significantly. For example, the Verizon 2013 Data Breach Investigations Report14 reported that the proportion of incidents involving so-called hacktivists was holding steady, although it also noted that the motive of many activists had shifted markedly from data theft to disruption, through approaches such as distributed denial of service (DDoS) attacks on the targets of their concern.

14 Verizon, “2013 Data Breach Investigations Report,” USA, 2013, www.verizonenterprise.com/DBIR/2013


The term “hacktivism” describes the use of computer network attacks to promote political or ethical goals. It is intended to serve as a modern form of protest, publicity or civil disobedience. Such groups have defaced web sites of targeted companies, conducted denial-of-service attacks or published confidential information stolen from their victims.

The activities of hacktivist groups such as Anonymous have been well documented in the press. A key point to note is that these groups quickly respond to developments, instantly switching targets from one company to another or immediately turning their attention to any country that might offend their values. Enterprises might be targeted for attack because of their behavior, image, industry, location or associations.

Denial-of-service attacks by hacktivist groups can have serious consequences for victims. The multi-day attack by the hacker group Anonymous on PayPal in late 2010 (part of the campaign known as Operation Payback) resulted in a reported loss of more than US $5.3 million. Eventually many of the individuals involved will be caught and sentenced, although this is unlikely to discourage future generations aiming to convey a political or ethical ideal.

Armed Forces

Electronic warfare, information operations and intelligence gathering have long formed an integral part of the capabilities of armed forces across the world. Over the past decade, however, military forces have begun to develop more sophisticated cyberwarfare capabilities, essentially extending the military theater of operations into cyberspace.

Writing in The Wall Street Journal in June 2013, Anders Fogh Rasmussen, Secretary General of NATO, advocated an enhanced cyberdefense role for NATO, building on the work of the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn, Estonia, which was set up in the wake of the four-day cybersiege of Estonia in 2007.15 He added: “NATO protected its members during the age of the Berlin Wall. We must be prepared to protect them during the age of the firewall.”

At around the same time, Reuters reported that the US has established a US $358 million headquarters at Fort Meade, Maryland, for the military’s Cyber Command and is aiming to equip it with more than 3,000 cyberwarriors by late 2015.16 Most of these troops are expected to focus on defense, detecting and stopping computer penetrations of US military and other critical networks, but there will also be an increasing focus on offense capabilities as military commanders beef up plans to execute cyberstrikes or switch to attack mode if the nation comes under electronic assault. The doctrine of cybersecurity is evolving into an inclination to go on the offensive in order to prevent attacks more effectively. Several national security authorities have asserted that the best form of cyberdefense is attack.

15 Rasmussen, Anders Fogh; “NATO’s Next War—in Cyberspace,” The Wall Street Journal, 2 June 2013, accessed 22 August 2013, online.wsj.com/article/SB10001424127887323855804578508894129031084.html

16 Strobel, Warren; Deborah Charles; “With troops and techies, U.S. prepares for cyber warfare,” Reuters, 7 June 2013, accessed 22 August 2013, in.reuters.com/article/2013/06/07/usa-cyberwar-idINL1N0EF0NF20130607

Speaking at a Reuters Cybersecurity Summit in May 2013, US Army General Keith Alexander, head of Cyber Command, was quoted as saying: “We’re going to train them to the highest standard we can, and not just on defense, but on both sides. You’ve got to have that.”17

The People’s Republic of China is known to be an enthusiastic adopter of cyberwarfare capabilities. Two decades ago the People’s Liberation Army (PLA) identified the need for modernization of its doctrine and structure and embarked on a “Revolution in Military Affairs.” Developing a strong high-tech capability is an integral component of their new military doctrine. The Economist magazine reports that China has plans of “winning informationised wars by the mid-21st century.”18 The Northrop Grumman report19 prepared for the US-China Economic and Security Review Commission notes that: “It is reported that the People’s Liberation Army of China have embraced the idea that successful war fighting is predicated on the ability to exert control over an adversary’s information and information systems, often preemptively.”

China is widely claimed to be a major source of cyberattacks, but the Chinese government is not alone in embracing cyberwarfare. In addition to the US, which is reported to be investing heavily in developing its military cyberskills, there are indications that Russia, Israel, North Korea and Iran are also building significant capabilities.

Cyberattacks can be used to disrupt or damage information systems and their supporting infrastructure. Such attacks can range from simple denial-of-service attacks to sophisticated attempts to manipulate industrial process control systems. This is new ground for all players. NATO’s CCD COE in Tallinn, Estonia, has published a handbook on the subject, but there is very little in the way of established agreements or laws to guide responsible rules of engagement. Unlike previous extensions of the military battlefield into air and space, existing principles of deterrence and proportional response are difficult to apply in cyberspace. Attacks are much easier to hide, spoof or deny when launched across digital networks.

17 Strobel, Warren; Deborah Charles; “With troops and techies, U.S. prepares for cyber warfare,” Reuters, 7 June 2013, accessed 22 August 2013, in.reuters.com/article/2013/06/07/usa-cyberwar-idINL1N0EF0NF20130607

18 “Cyberwar: War in the Fifth Domain,” The Economist, 1 July 2010, accessed 22 August 2013, www.economist.com/node/16478792

19 Krekel, Bryan, Patton Adams; George Bakos; “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage,” prepared for the US-China Economic and Security Review Commission by Northrop Grumman Corporation, USA, 2012, origin.www.uscc.gov/sites/default/files/Research/USCC_Report_Chinese_Capabilities_for_Computer_Network_Operations_and_Cyber_%20Espionage.pdf


Military APT attacks may form part of a reconnaissance operation to gather intelligence or a mission to plant a back door or Trojan horse to assist future attacks. Such attacks might at first glance seem disturbing, although not immediately threatening, but it must be remembered that the ultimate objective of cyberwarfare is to cause damage to an enemy. Any penetration of a civilian network by armed forces should be reported to an appropriate national security agency, especially as the consequences might be even more serious for stakeholders outside of the organization.

Present-day cyberwarfare doctrine is largely aimed at taking out the enemy’s information infrastructure, although some experts predict that this will increasingly evolve into more subtle forms of contention. Much of the real power of digital networks lies in their power to influence, deceive or manipulate behavior, although cyberskills have yet to mature to a level that is sufficiently sophisticated to achieve such a goal. In the longer term, it is likely that cyberwarfare may become the art of illusion rather than the science of sabotage.

1.7 Who Is at Risk?

Around three-quarters of all attacks are aimed at commercial enterprises across a range of industry sectors. Figure 3 shows the most targeted industries in 2012, according to research and investigations carried out by Mandiant, a US company specializing in APT investigations.20

Figure 3: Targets of APT Attacks During 2012 (pie chart; only the legend survives extraction)

■ Aerospace and Defense ■ Energy, Oil and Gas ■ Finance ■ Computer Hardware and Software ■ Legal and Consulting Services ■ Media and Entertainment ■ Telecommunications ■ Pharmaceuticals ■ Other

20 Mandiant, “M-Trends® 2013: Attack the Security Gap™,” USA, 2013, www.mandiant.com/resources/m-trends


APTs target companies of all sizes across all sectors of industry and all geographic regions that contain high-value assets. Staff of all levels of seniority, ranging from administrative assistants to chief executives, can be selected as a target for a spear-phishing attack. Small companies and contractors might be penetrated because they are a supplier of services to a targeted victim. Individuals might be selected if they are perceived to be a potential stepping stone to help gain access to the ultimate target.

No industry with valuable secrets or other sources of commercial advantage that can be copied or undermined through espionage is safe from an APT attack. No enterprise that controls money transfers, processes credit card data or stores personally identifiable data on individuals can be sheltered from criminal attacks. And no industry that supplies or supports critical national infrastructure is immune from an intrusion by cyberwarriors.

APT attacks often encompass third-party organizations delivering services to targeted enterprises. Third-party suppliers can be perceived by an attacker as the soft underbelly of large companies and government departments because they are generally less well protected. No matter how effective a company’s external perimeter security might be, it can be worthless unless extended across its supply chain.

In May 2013, Australian Broadcasting Corporation reported that the blueprints for an AU $630 million Australian Security Intelligence Organisation building had been stolen through a cyberattack on a building contractor.21 The stolen information included details of communications cabling, server locations and security systems. The attack was reported to have been traced to a Chinese server.

Safeguarding the supply chain is no mean feat because visibility of risk, procedures and events across third-party premises will be severely limited at best. Commercial contracts alone are insufficient to guarantee security. Frequent inspections, risk assessments and vulnerability monitoring are necessary to be certain that trusted connections remain private and secure.

The exposure to spear-phishing attacks can extend to even the most junior staff in enterprises. For example, statistics collected by Symantec indicate that more than half of all APT targets are personal assistants or junior staff in sales, public relations or recruitment roles.22 These people are selected because they are easy to contact and often have access to senior executives and targeted areas within the organization.

21 “Hacked!” Four Corners, Australian Broadcasting Corporation, May 27, 2013, http://www.abc.net.au/4corners/stories/2013/05/27/3766576.htm

22 Symantec, 2013 Internet Security Threat Report, Volume 18, accessed 22 August 2013, www.symantec.com/security_response/publications/threatreport.jsp


1.8 What Damage Can They Do?

Most attacks experienced so far have been designed to steal or manipulate intellectual assets rather than to cause direct physical harm. However, physical harm is a feasible threat and should be considered during risk assessments.

Worst-case scenarios can be catastrophic. By manipulating supervisory control systems in an industrial plant, an APT attack could damage or destroy equipment, resulting in major outages and potentially loss of life and environmental damage. The Stuxnet worm managed to penetrate nuclear processing facilities in Iran, causing serious, long-term damage to centrifuges.

Long-term intrusions by intelligence agencies might well result in a pattern of increasing business damage. Consider, for example, how the following sequence of developments could evolve over several years:

• The first phase of an APT attack commences with a wave of intelligence gathering, with no immediate business damage. Such activity might even prompt cynical business managers to respond “So what?”

• Later phases of APT activity generate greater concern from targeted thefts of secret information that threaten short-term business deals and open up the prospect of a foreign competitor exploiting the stolen intellectual property.

• The final phase of an APT attack is potentially the most serious because the targeted enterprise finds itself in competition with a rival that has access to its information systems and can read email, customer data and commercial bids, and even damage business operations if desired.

Determining the full impact of a major cyberattack is never easy. Any predictions of the likely cost of a future or even past incident will necessarily involve a number of unproven assumptions and a good deal of educated guesswork because many impacts, such as lost future sales, are impossible to measure precisely.

Nevertheless, there are precedents, research and techniques that can be employed to help calculate the long-term costs of a major breach. The Ponemon Institute, an independent research body, publishes a number of statistics to help quantify the economic impact of cyberattacks.23 The institute calculated that the average annualized cost of cybercrime across 56 organizations in 2012 was US $8.9 million, with a range of $1.4 million to $46 million.

1.9 Characteristics of an APT Attack

Security threats rarely fall into neat categories. Intelligence services across the world have many similarities in their “tradecraft,” but they also have quite distinct objectives and targets. In contrast, criminals generally pursue a common goal of stealing other people’s assets, although they might exhibit marked differences in their modus operandi. A further confusion is that activist and terrorist groups may have very different goals and motives while sharing similarities in the nature of their attacks.

23 The Ponemon Institute publishes annual reports on the cost of cybercrime; see www.ponemon.org.

One consequence of this is that the potential source and motive of an attack might be hard to judge from the characteristics of the incident itself. A further point is that APT risk assessments are likely to vary significantly in likelihood and impact from company to company, although the security measures required to prevent, detect and respond to them may well be quite similar.

Conducting an APT risk assessment is covered extensively in chapter 2 of this book. Determining how to mitigate the risk associated with APTs begins with a good understanding of their characteristics, which are discussed in the following paragraphs.

Well Researched

It is a safe assumption that most agencies launching an APT will have thoroughly researched the marketplace and determined precisely which companies, government departments, suppliers or institutes are of most interest. Professional APT attacks are rarely opportunistic or random. They are designed to steal identified intellectual assets or to gain a foothold for future exploitation, for the purposes of data theft, extortion, commercial advantage or even cyberwarfare. The target of an APT can expect that the perpetrator will have carefully studied the organization.

Who is likely to be a target? It may be any user with access to any data, systems or infrastructure of interest. That could include business executives, administrative staff, or selected managers in key supporting functions, such as human resources, IT or legal.

What else is needed to mount an attack? An attacker will first aim to build a good understanding of the enterprise organization and infrastructure. This might extend to team structures and even procedures for managing a security incident (to help evade or detect discovery). The next step will be to select individual targets. The final piece of research will be to ascertain the current business or personal interests of each targeted individual in order to help devise an enticing email that might encourage the recipient to open an attached file or connect to a linked web page.

Sophisticated

Progressive generations of APT attack have surprised and impressed malware analysts with their sophistication. Many APT intrusions exploit zero-day vulnerabilities (vulnerabilities that are not yet publicly known and are exploited before a fix has been released). Some intrusions have even exploited several of these vulnerabilities in a single attack. Such attacks clearly cannot be stopped by traditional anti-malware detection mechanisms that rely on recognizing signatures of previously known attacks.


APT attacks are also likely to exploit a range of forged credentials, such as stolen passwords, cloned authentication codes, spoofed email addresses or forged digital certificates. In addition, they will employ an extensive framework of special-purpose modules designed for executing automated tasks on demand from a central command and control server. Modules to perform specific tasks can be downloaded, executed in memory and immediately discarded.

The malware used in the Red October attacks described previously in this chapter contained more than 30 different categories of module, each designed to carry out a specific task. It also included special software to enable infected machines to be resurrected automatically upon the receipt of an email attachment, in the event that the main body of malware should be discovered and removed, or the system patched.

Many APT attacks are also designed to target multiple platforms, including routers, switches, mobile phones and external storage devices, and adapt their actions to different software environments. Attacks conceived nearly a decade ago were designed to exploit audio and video recording facilities to monitor the physical environment of the compromised computers. The Flame attack was programmed to extract contact information from nearby Bluetooth-enabled devices.

In practice, the sophistication of APT attacks can vary significantly, according to the attacker’s goal, the skills and tools available, and the perceived vulnerability of the target environment. Professional attackers have a range of offensive resources available and may choose not to apply their top capabilities in pursuit of a minor target or one believed to be poorly defended. For this reason, some APT attacks may appear surprisingly simple to deflect, but it must be borne in mind that the attacker might well have a more sophisticated capability in reserve.

Stealthy

A fundamental principle of fraud, espionage and other attempts to steal secrets or penetrate systems is that ideally the victim should not be aware of the breach. “Run silent, run deep” is the classic watchword of successful spies and fraudsters. Another popular term is “run low and slow,” referring to how the exfiltration of information happens slowly and gradually to avoid detection.

APT attacks are certainly stealthy. They start with genuine-looking phishing emails. They pass easily through signature-based malware detection systems. They store themselves in out-of-reach places. They hide among network traffic, maintaining radio silence until ready, and then they are activated to accomplish their goals. They are able to disguise themselves using obfuscation techniques and adapt their appearance in order to evade attempts to prevent or detect their presence.


Other forms of cyberattack are not like this. Denial-of-service attacks, for example, cause obvious and immediate business disruption, triggering recognized operational and technical responses, which can be quickly deployed to limit the damage. But APTs are different. APT attacks are unannounced and invisible, covering their tracks extremely well.

APT attacks exploit privileged knowledge of zero-day vulnerabilities to gain access and avoid detection. They can bury their payloads deep in the IT infrastructure in boot sectors, live memory or other hidden places where routine searches will not find them.

The stealthy nature of APT intrusions has been demonstrated time and time again over the last decade. Attacks on Fortune 500 companies with well-resourced security functions have gone undetected for months and sometimes years, leaving lingering doubts as to the full extent of the business damage and generating continuing uncertainty about whether all back doors have been completely removed.

Research by Mandiant, a Washington DC-based company specializing in APT analysis, shows that in 2012 the median length of time that attackers were present on a victim network before detection was an alarming 243 days.24 Yet even this measure was considered to be a vast improvement over previous years.

Covert attacks present a number of major challenges to chief security officers. In particular, they raise the following difficult questions:

• How can one tell if an attack has taken place?

• How does one assess the damage for a long-running intrusion?

• What evidence can be gathered if audit trails have been changed?

• How does one know when an infection has been completely eradicated?

These questions are hard to answer and indicate the need for a holistic approach to tackling APT threats. A full spectrum of security controls is required to prevent, detect and respond effectively to APT attacks. Further measures are also needed to eradicate the infection and deliver to stakeholders assurance about the effectiveness of the remedial action taken. Mature enterprises will have many of the necessary controls already in place, but it is likely that some new controls and processes will be needed and many existing ones will need to be extended or strengthened in order to effectively mitigate the risk.

Persistent

When thieves, hackers or fraudsters are spotted, they will generally give up, run away and lie low, but this is not the case for an APT. Most perpetrators of APT attacks operate without fear of retribution, and some might even consider themselves to be above or immune from the law. It has been said that being the victim of an APT is more like being pursued by a stalker than being struck by a mugger: It may not be as immediately painful, but the effect is long-term and potentially life-changing.

24 Mandiant, “M-Trends® 2013: Attack the Security Gap™,” USA, 2013, www.mandiant.com/resources/m-trends

If an organization is of interest to an organized crime group or a foreign intelligence service, it is unlikely the attacker will cease to take an interest in the target simply because the organization has managed to counter a particular attack. The attack may return with a vengeance.

It has to be said that not all attacks by organized criminals are persistent. Many gangs prefer to chase soft targets. But a high-street25 bank or even one of its compromised customers might well be regarded as a promising long-term target for theft of money and identity data. Familiarity with the victim’s internal systems, processes and infrastructure is also a great aid to future cyberattacks.

Many APTs are long-term projects. A good slice of activity will be focused on reconnaissance or measures to assist future penetrations, such as the insertion of Trojan horses and monitoring processes. In that way, if one avenue of attack is closed down, another can open up, perhaps through a back door inserted during an earlier attack, or by trying a new attack vector. Constant vigilance is the price that must be paid for peace of mind by any enterprise that might become the target of an APT.

Exceptions

There are always exceptions. Not every attack from an APT source or exploiting APT techniques exhibits all of the above characteristics. There are several reasons for this and they are worth mentioning because they can help shed light on some of the anomalies that will be found in any analysis of APT incidents.

It is common to find state-of-the-art techniques, first employed by professional agencies, reused in attacks mounted by amateur enthusiasts who are nonetheless likely to cause serious business damage. This is because the code and vulnerabilities used in professional APT attacks are analyzed and publicized as soon as they are discovered. This publicity can generate a wave of look-alike attacks that may or may not be an APT, depending on which definition is chosen.

It is not unknown for different types of actor to collaborate or at least exchange their knowledge, skills or data. For example, an organized crime group might be the enemy of many intelligence agencies, but also the friend of a few. They may often operate as a subcontractor or a seller of useful assets, shedding further confusion on attempts to understand precisely who is behind an attack.

25 A term originating in the UK to refer to large retail banks which have many branch locations. The term “high street” is meant to indicate that these banks are major, widespread institutions, such as those that would be found in the main commercial sector of a town or city. High street is roughly synonymous to the American term “Main Street.”


There are a limited number of top-end, sophisticated hackers. In a rapidly growing field, demand will outstrip supply. Even top intelligence agencies might find it necessary to employ less experienced staff, perhaps even trainees, to scale up their capabilities. This might result in marked variations in the level of sophistication of attacks carried out by the same source.

Speed and stealth are often mutually exclusive. Sophisticated agencies like to keep a few secret weapons in reserve, but their cyberbullets might have a limited shelf life. There is always a risk that a target platform with an identified vulnerability, especially a secret one, might be patched, upgraded or retired before it can be fully exploited. Occasionally caution will be abandoned in the interest of capitalizing on investments, resulting in a wave of rushed attacks that catch victims by surprise.

1.10 Stages of an APT Attack

Most APT attacks follow a distinct life cycle pattern, although no two attacks are identical. The approach varies according to the attacker’s objectives, the results of initial attack findings and the desired timescale for exploiting the information gathered.

Attacks by intelligence agencies are professionally planned and managed. They will generally be based on a structured intelligence-gathering cycle, which starts by defining client requirements; then progresses through target selection, attack planning, collection and analysis of material; and ends with the dissemination and exploitation of the intellectual property or knowledge gathered.

There is no clear dividing line between cyberespionage and cyberwarfare because the former is necessary to enable the latter, although there may be marked differences in doctrine, speed and impact between an attack designed to steal trade secrets and one in support of military operations. But when a conflict commences, the attacker will adopt a fast-moving “kill chain” based on real-time analysis, decision making and exploitation.

The most commonly encountered attack cycle consists of six stages of activity, as illustrated in figure 4 and described in more detail in the following paragraphs.


Target Selection

Offensive activities need to be prioritized and scheduled to maximize the value of the intelligence gathered as well as the use of available resources. Targets are selected on the basis of client requirements and strategic priorities, or perhaps short-term needs to support other attacks in progress. Plans might be adjusted when new opportunities present themselves, for example, the discovery of a new vulnerability, the breaking of a security mechanism, or perhaps as the result of new intelligence gathered from an earlier target.

Target Research

Each target is researched to identify potential sources of information and suitable points of attack. The attacker needs to understand the nature and structure of the organization and identify employees or contractors with access to information of value to the attacker’s customers.

Sources of information, such as company reports and web sites, are carefully studied. The attacker collects useful material, such as IP addresses, email addresses and personal details of employees, to support the attack. Social networks, such as LinkedIn and Facebook, are an excellent source of information on targeted individuals to help prepare customized attacks.

[Figure 4: Stages in the APT Attack Cycle. The cycle runs Target Selection, Target Research, Target Penetration, Command and Control, Target Discovery, Data Exfiltration, Intelligence Dissemination and Information Exploitation, with APT Risk Management at the center.]


Well-positioned managers or support staff are selected as initial targets to help gain a foothold into the infrastructure. Their interests, both business and personal, and relationships are researched to provide sufficient background knowledge to craft a compelling email invitation encouraging the victim to visit a particular web site or open an attached file.

Target Penetration

The attacker aims to gain an initial penetration of the target enterprise infrastructure through a simple social engineering attack, often referred to as spear phishing. Typically, an email is sent to the targeted individual, appearing to come from a trusted colleague and on a topic of direct interest to the victim.26 The recipient is invited to open an attached file or click on the URL of a web site, unwittingly installing the payload for the first stage of the attack.

This initial compromise draws on malware that exploits vulnerabilities known to the attacker but likely to pass through antimalware filters, such as zero-day exploits that have yet to be publicized. The initial payload then aims to create one or more back doors, enabling the network infrastructure to be readily penetrated at any future time by the attacker.
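The spear-phishing message described above trades on a sender that looks like a trusted colleague. The following Python is an added example, not code from the book or from ISACA, of the header checks a mail gateway or analyst can run to surface that deception before anyone opens the attachment: a sender domain that visually imitates the internal one, a known colleague's display name attached to a foreign address, and Reply-To or Return-Path pointing somewhere other than the apparent sender. The internal domain example-corp.com, the staff directory and both messages are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical internal domain and staff directory used by the constructed samples.
INTERNAL_DOMAIN = "example-corp.com"
DIRECTORY = {"jane doe": "jane.doe@example-corp.com"}

# Visual substitutions commonly seen in look-alike domains (fake -> real).
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def _normalize(domain):
    """Fold common visual substitutions so a look-alike compares equal to the real domain."""
    d = domain.lower()
    for fake, real in _HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def _edit_distance(a, b):
    """Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_sender(raw_message, directory=DIRECTORY, internal_domain=INTERNAL_DOMAIN):
    """Return a list of findings suggesting the sender is spoofed or a look-alike."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)

    # 1. Sender domain that imitates the internal domain.
    if from_domain and from_domain != internal_domain:
        if _normalize(from_domain) == _normalize(internal_domain):
            findings.append("look-alike sender domain (homoglyph): " + from_domain)
        elif _edit_distance(from_domain, internal_domain) <= 1:
            findings.append("look-alike sender domain (one edit away): " + from_domain)

    # 2. Display name of a known colleague attached to a different address.
    known = directory.get(display.strip().lower())
    if known and known.lower() != from_addr.lower():
        findings.append(f"display name '{display}' belongs to {known}, not {from_addr}")

    # 3. Replies silently redirected elsewhere.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From: " + _domain(reply_addr))

    # 4. Envelope sender recorded by the receiving mail server disagrees with header From.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and _domain(return_path) != from_domain:
        findings.append("Return-Path domain differs from From: " + _domain(return_path))

    return findings


# Constructed sample: a colleague's name on a look-alike domain ("rn" for "m"),
# with replies and bounces directed to a third party.
SPOOFED = """\
Return-Path: <bounce@mail-drop.invalid>
From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: bids@mail-drop.invalid
To: ceo@example-corp.com
Subject: Revised tender figures (urgent)

Please review the attached revised bid before the 5pm deadline.
"""

# Constructed sample: genuine internal mail, which should produce no findings.
LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: ceo@example-corp.com
Subject: Lunch?

Free at 12:30?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, assess_sender(sample))
```

These checks are heuristics, not proof: a legitimate mailing list also rewrites Reply-To and Return-Path, so in practice the findings feed a risk score alongside authentication results rather than blocking on their own.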

Command and Control

The next step is to establish a command and control capability with regular reporting of progress back to the attacker’s control system.

The first objective is generally to establish communication with the attacker’s central controlling system. At this stage, additional modules may be downloaded and the initial configuration adjusted or updated to support further attacks.

Planted malware is generally structured into numerous modules, each of which is designed to carry out a particular activity. Some modules are designed to search for particular databases or files of interest. Others have the task of monitoring and reporting back progress. Some operate in an offline mode; others remain permanently online. The collective aim of the planted malware is to enable the attacker to direct searches, extract data at will, monitor events of interest and cover all traces of intrusion.
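The regular reporting back to the control system described above is what network defenders look for as "beaconing": a timer-driven implant contacts its server at intervals far more regular than any human-driven traffic. The following Python is an added example, not the book's or ISACA's code, that flags source/destination pairs whose contact intervals have a very low coefficient of variation, run over constructed flow records (the host name, the documentation-range addresses and the byte counts are all invented for the example).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flow records: (epoch seconds, source host, destination IP, bytes sent).
# Addresses are from documentation ranges; the traffic pattern is invented for illustration.
_BASE = 1_700_000_000
FLOWS = (
    # Implant on ws-042 checking in roughly every 10 minutes with a fixed-size report.
    [(_BASE + off, "ws-042", "203.0.113.10", 412)
     for off in (0, 598, 1203, 1799, 2404, 2997, 3602, 4200)]
    # Ordinary browsing from the same host: bursty timing, varying sizes.
    + [(_BASE + off, "ws-042", "198.51.100.7", size)
       for off, size in ((0, 1800), (12, 9300), (15, 640), (300, 22000),
                         (1900, 5100), (1905, 310), (4000, 14800), (4003, 970))]
    # Too few events to judge either way.
    + [(_BASE + off, "ws-042", "198.51.100.9", 500) for off in (100, 700, 1300)]
)


def beacon_candidates(flows, min_events=6, max_interval_cv=0.2):
    """Flag (source, destination) pairs whose contact times are suspiciously regular.

    The coefficient of variation (std dev / mean) of the gaps between contacts is
    close to zero for a timer-driven implant and large for human-driven traffic.
    Payload-size regularity is reported as a secondary signal.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    candidates = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        mean_gap = mean(gaps)
        if mean_gap <= 0:
            continue
        interval_cv = pstdev(gaps) / mean_gap
        sizes = [n for _, n in events]
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv:
            candidates.append({
                "src": src, "dst": dst, "events": len(events),
                "period_s": round(mean_gap), "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return candidates


if __name__ == "__main__":
    for candidate in beacon_candidates(FLOWS):
        print(candidate)
```

On the constructed records only the 203.0.113.10 pair is reported, with a period of about 600 seconds. Legitimate periodic traffic (time synchronization, update checks, monitoring agents) produces the same signature, so an operational version allow-lists known destinations and adds the interval-jitter tolerance the implant is expected to use; the heuristic narrows the search, it does not prove compromise.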

Target Discovery

Once inside the targeted infrastructure, the attacker explores (using either automated or manual methods) all networked platforms within reach, mapping out the network, compromising further machines, targeting selected systems and file types, harvesting user credentials, and aiming to escalate privilege levels to gain administrator control of domains and platforms.

26 The Red October spear-phishing attack employed an email advertising a diplomatic car for sale to entice diplomatic service offices to trigger the infection.


Further back doors are planted to ensure that the attacker can get back into the network in the event of the initial compromise being detected. Sophisticated attacks might also seek to monitor incident reporting systems to ensure early warning of any detection.

Data Exfiltration

When appropriate privileges have been established, the targeted data are collected and funneled to an internal server where they are compressed and encrypted for onward transmission to the attacker’s chosen outside location.

To cover their tracks, attackers often route stolen data to their chosen location through intermediary proxy sites. Attacks appearing to originate in one country may, in fact, be launched and controlled from an entirely different location.

Intelligence Dissemination

Dissemination of intelligence is not as straightforward as one might imagine. The data have to be kept secure because any leaks might compromise attack sources and methods, or create a major diplomatic incident.

Customers receiving the data need to be trusted and vetted, and the systems storing the data need to be secured to a high standard. This is not easy for a commercial enterprise, especially one not used to operating to government security standards and employing a global workforce.

Information Exploitation

Some stolen data, such as tender bids, can be exploited immediately. Suppliers bidding for major contracts are likely to be seriously disadvantaged by a competitor with inside knowledge of prices and specifications.

Other stolen secrets, such as trade secrets, research findings or new product designs, might take time—perhaps years—to exploit. New companies might have to be created, factories built and rival products designed. The business impact may not be felt for the best part of a decade.

Not all data are exploited to the victim’s detriment. Local skills may be available to develop products or services to the same quality. Rival products might be aimed at a completely different market or might lag too far behind the original ones to cause an impact. In fact, much of the competitive edge in successful products can lie in manufacturing or marketing skills.

The greatest danger is when a rival manufacturer gains inside information on product plans, designs, pricing and marketing strategy and is able to exploit this intelligence in real time.


1.11 Where Might This Lead?

APT attacks have evolved rapidly. In just over a decade, the world has transitioned from a state of ignorance to a call for action. The prospect of malware causing a major physical disaster was regarded as fantasy by most security professionals at the start of the century. Today the threat is real and all leading enterprises are in the firing line.

The attackers have progressed from small beginnings to industrial-scale production and possession of sophisticated malware. Moreover, the number of actors developing APT capabilities has grown from a handful of forward-looking intelligence agencies to the governments of most major countries.

Targets have spread from government ministries to enterprises with trade secrets and supply chains supporting critical national services. Malware is now considered by armed forces to be an effective weapon of war. Cyberwarfare doctrine and rules of engagement are being drawn up. The need for new international laws and treaties is being debated.

Where or when will it end? The answer is that it will never cease or decline. The capabilities and resources assigned to cyberwarfare and intelligence gathering will progressively escalate for many decades to come. Business enterprises and citizens are still a long way from reliably securing their systems and infrastructure from Trojan horse attacks, and new vulnerabilities are emerging each week.

APT malware is becoming increasingly sophisticated and the organizations that exploit it are becoming better resourced. Many of the attacks discovered in recent years were the results of developments conceived around a decade ago, and they were not detected for several years. Based on these precedents, we must assume that there is a new generation of sophisticated and stealthy attacks in operation.

Over the next decade we can also expect to see real cyberconflicts between nations or communities, as well as the emergence of terrorists with APT capabilities. Targets are also likely to extend farther down the supply chain to encompass smaller contractors and software suppliers. In addition, attacks will become better planned because their perpetrators build on knowledge gained from previous attacks and exploit intelligence gained from increasing use of social networks by company staff and customers.

Security technology will certainly improve, but in the absence of any major breakthroughs it is likely to be little more than enhanced versions of the tools we already have today. Network management and incident response capabilities will also improve as enterprises develop or purchase the services of security operations centers with enhanced monitoring, mining, and command and control capabilities.


All enterprises, however, will remain vulnerable to human error and social engineering attacks that might allow an attacker to gain a foothold in the infrastructure. Humans will never be perfect in their discipline or behavior. Unless systems can be built that are not immediately compromised by a single human mistake, there will always be risk of an APT attack.

1.12 Learning Points

This chapter examined the various sources, objectives, modus operandi and characteristics of APT attacks, and described some real-life attacks. Here is a brief summary of the learning points to note:

• APT attacks can be mounted by intelligence services, organized crime, terrorists, activists or armed forces. Cyberespionage enables massive quantities of information to be stolen remotely, cheaply, surreptitiously and with little personal risk to the perpetrators.

• Any organization that holds secrets of interest to foreign intelligence agencies is likely to be targeted for a cyberespionage attack. Around three-quarters of all attacks are aimed at commercial enterprises.

• Criminal gangs who mount APT attacks often have contacts with intelligence services or information brokers and may steal information for onward sale to the highest bidder.

• Assessing the potential risk of a terrorist attack is difficult because they are unpredictable, constantly changing and largely directed against general communities with randomly selected victims.

• Military APT attacks may form part of a reconnaissance operation to gather intelligence or a mission to plant a back door or Trojan horse to assist future attacks.

• APTs attack companies of all sizes in all sectors, through individuals of all levels of seniority, ranging from administrative staff to chief executives. A small company or contractor might be targeted because it is a supplier to a larger, targeted one. An individual might be selected because he/she is a stepping stone for gaining access to the ultimate target.

• Most APT attacks gain access to enterprises by tricking the user to visit an infected web site or click on an infected attachment or pop-up window.

• Countering a sophisticated attack by a well-resourced adversary requires more than a set of baseline security practices. It demands specialist skills and state-of-the-art technology.

• The only effective defense against a zero-day exploit is a malware detection process that is able to analyze the behavior of incoming code.

• Most cybersecurity defenses are designed to prevent or detect attacks that have been encountered previously. Risk assessments should also take into account new forms of attack that are outside the experience of the organization.

• With speedy identification and response, the immediate damage from an intrusion can be successfully contained. Companies with good crisis management and communications can survive the most severe of incidents.


2. Assessing the Risk of an APT

2.1 The Risk Management Cycle

There is no enterprise that operates without risk. It is an integral part of the business landscape. Not every risk is inevitable, however. When analyzed carefully, some risk is found to be the result of operating a particular line of business, while other risk is created, unconsciously or deliberately, by people’s actions or lack of attention.

Risk management helps to mitigate the former and prevent the latter. Once the major risk to the business is recognized and assessed, a decision can be made whether to aim to avoid, mitigate or accept the risk. The criterion for the decision is a function of the likelihood and the potential business impact.

Risk management is a continuous cycle of assessing risk, identifying mitigating controls, implementing remedial actions and monitoring their effectiveness, a process that is illustrated in figure 5.

2.2 Identifying Assets at Risk

The starting point in identifying APT risk is to recognize the value of the various assets that could be at risk if the enterprise is attacked. Once the nature of the enterprise’s most critical, sensitive or valuable assets is understood, the enterprise will be in a better position to assess the likelihood and business impact of an APT attack. Assets can be physical, financial or intellectual.

Figure 5. APT Risk Management Cycle: APT Risk Identification, APT Risk Assessment, APT Risk Management, APT Risk Monitoring.


Physical Assets

Physical assets are the easiest form of asset to recognize and value, but it can be difficult to assess the feasibility of a damaging APT attack on physical infrastructure or gauge the full potential impact on business operations.

Attacks on industrial control systems that could bring a processing plant to a dangerous state are possible, but precedents are few and far between, making the risk assessment very difficult to quantify in probability or impact.

The theoretical risk is real, however, and cannot be ignored. There have been several reported examples of such damage:

• The best known is the Stuxnet worm attack, first discovered in 2010, which is alleged to have damaged up to 1,000 Iranian centrifuges used for uranium enrichment by alternately increasing and decreasing their operating speeds for brief periods.

• The earliest claimed example of a damaging cyberattack was the reported destruction of a Siberian oil pipeline in 1982, allegedly through a logic bomb planted by the CIA in SCADA software stolen from a Canadian company by the KGB. The resultant explosion was claimed to have the power of three kilotons of TNT.

• In 2007, researchers at the US Department of Energy’s Idaho National Labs demonstrated in a video publicly screened by Homeland Security the destruction of a US $1 million Aurora electrical power grid generator by manipulating the SCADA controls.

Many industrial plants are far from immune to deliberate cyberattack because that type of threat was not conceivable when the installations were originally designed. Components were not built to withstand sophisticated technical attacks, and control systems were designed to be readily accessible across networks to mobile engineers.

Big equipment can be surprisingly easy to damage. It is often vulnerable to inertial attacks that accelerate moving parts beyond their safe limits or resonance attacks that create damaging standing waves. Plants are also vulnerable to a surge attack if control valves can be manipulated to funnel fluids to a vulnerable point, resulting in a hydraulic shock known as a water hammer.

It must be assumed that the armed forces and intelligence agencies of many countries would be interested in building a capability to mount such attacks against the critical national infrastructure of enemy countries. It is also possible that terrorist groups will seek to develop such a capability, although the prospect would seem an ambitious one at present.


The starting point for developing any such attack would be an intelligence gathering exercise on the design of the facility. Gaining access to the ladder logic software used to program controllers can often provide the necessary insight in how to send a plant into a dangerous state.

Financial Assets

Financial assets are more liquid than physical assets, which makes them vulnerable to theft or covert manipulation. They are regularly targeted by organized crime groups for personal gain and occasionally by activists or terrorists for political motives.

In April 2013, for example, the Dow Jones Industrial Average plummeted by 150 points in a seven-minute period, temporarily destroying billions of dollars in stockholder value. The loss was triggered by a bogus tweet on the Associated Press’s Twitter account claiming that two explosions had shaken the White House. A group calling itself the Syrian Electronic Army claimed credit for hacking the account. The Dow index recovered immediately, demonstrating two major learning points: (1) A single fraudulent message can cause a major swing in the perceived value of intellectual assets, and (2) such a fluctuation can be quickly corrected.

Financial assets at risk from APT attacks are broad and varied. They may include any of the following:

• Online payment system accounts
• Credit card data and card verification values
• Compromised social network accounts
• Money laundering or offshore banking opportunities
• Manipulation of equity pricing information or timing of transactions
• Manipulation of contractual rights to receive money or assets
• Derivative contracts that might be settled to the attacker’s benefit through manipulation of market values or financial records

Intellectual Assets

Many information security programs focus on safeguarding information or IT assets, such as hardware, software and media, but other forms of intellectual asset are also important in providing competitive advantage in business.

Key intellectual assets to which special attention should be paid, because they might be exposed to an APT attack, include the following:

• Information
• Know-how
• Relationships
• Reputation
• Brand value


The value of nontangible assets is always difficult to assess because contemporary accounting standards do not acknowledge their value. Stock prices might reflect the commercial leverage gained by such assets, but accountants and investment appraisal boards rarely recognize the value that resides in information, networks and application systems.

For many organizations, assessing the value of intellectual assets will be a new exercise, but a meaningful assessment of APT risk cannot be made without a clear idea of what assets an intruder might seek to steal on behalf of a rival company.

Information

Information is the primary focus of cybersecurity attacks. Data that enable product leadership or other commercial advantage are sought by intelligence services in support of their industries, or by organized crime groups aiming to sell information to interested clients. Specific targets might include the following:

• Sales information containing customer requirements, orders and product prices of direct interest to competitors
• Human resources records containing personal identity information of direct interest to organized crime groups
• Email and office files revealing business strategy, details of competitive bids or personal details of individuals, to facilitate future social engineering attacks
• Trade secrets, which may include proprietary recipes, algorithms, research findings or new product designs

Know-how

For many enterprises, the know-how possessed by key staff is the primary source of competitive edge in winning contracts.

Know-how is a challenging asset to steal, but it is often allowed to leak away to competitors through recruitment of knowledgeable staff. Some companies even share their know-how openly with potential competitors through joint ventures in order to be successful in new markets. Others prefer to guard their superior know-how to protect competitive advantage.

Research or product secrets stolen without the in-depth know-how of how they work or how to exploit them in practice can be next to useless. In some cases they can be downright dangerous, as shown by the example of the Siberian pipeline explosion.

It is perfectly reasonable for an enterprise to assess the impact of stolen intellectual property by a foreign power as negligible if the country concerned is judged to be incapable of deploying it effectively.


Relationships

One contributor of intellectual value that is often overlooked by accountants is the potential value lurking in relationships. This aspect of networks was first noted by Robert Metcalfe, co-inventor of Ethernet, who observed that the potential value of a network is proportional to the square of the number of users of the system.

What this really means is that the number of relationships within a network grows much faster than the network itself. Commercial value drawn from relationships in fast-growing social networks offers huge growth potential.

When networks are relatively small, we rarely notice this effect, but when we contemplate modern social networks such as Facebook, the business potential is huge. Privacy and trust in networks are pivotal to successful exploitation, however: a single data breach can steal details of relationships and permanently damage trust in the network service provider.

Relationships can also be exploited by attackers, especially through social networks. Successful experiments have been carried out to gather sensitive military intelligence using fake user profiles designed to attract victims.27

Reputation and Brand Value

Corporate reputation is a difficult asset to value. It is hard to measure as a lever of sales, since sales can be the product of numerous initiatives and assets. Reputation may take many years to build, yet can collapse overnight in the wake of a damaging incident. It is the type of asset that is rarely fully appreciated until it is gone; that is precisely what happens following a major breach.

2.3 Identifying Specific APT Threats to Assets

Having gained an understanding of the nature of APT attacks and the actors behind them, the next step in the risk assessment is to identify specific threats to the major intellectual assets at risk in the enterprise.

In practice, this is a difficult, subjective exercise. APT attacks are generally unprecedented, unexpected and uncertain. Business managers (who understand the potential business impact) are unfamiliar with the threat and may be inclined to dismiss it without concrete evidence. Investment appraisal boards are also likely to challenge expenditure on measures that address theoretical risk for which there is no precedent.

27 See www.darkreading.com/privacy/robin-sage-profile-duped-military-intell/225702468.


It is important, therefore, to ensure that senior, influential managers and directors are fully briefed and engaged in the threat assessment process because it is easy to dismiss real threats as impossible or improbable.

At the same time, it is important to keep threats in perspective because some that appear alarming at first sight, such as a theft of trade secrets, might turn out to be relatively harmless, e.g., if the attacker has no significant capability to exploit the stolen material.

The opposite might also be true, i.e., a threat that sounds harmless to a business director, such as an attacker gaining access to a source code library, might be damaging (even fatal) if left unchecked.

When identifying specific threats to valuable intellectual assets, the following questions should therefore be borne in mind:

• Is the potential attacker in a position to understand and realistically exploit the stolen assets?
• Does the attacker in question operate in the same marketplace?
• Could the attacker sell the stolen information to a rival enterprise?
• Is there any likelihood that the attacker would use the know-how gained to damage or disrupt business operations?
• Could an attacker be attracted by the prospect of installing a back door for a future attack, e.g., in the event of hostilities breaking out in the region?

These are always difficult questions for ordinary business managers to answer because of their unfamiliarity and uncertainty. It is important to brief managers fully and allow them time and opportunity to reflect on the full implications to everyday business operations.

2.4 APT Risk Identification

There is great potential APT risk associated with a modern enterprise, so careful selection and clear priorities are essential to avoid generating too many minor actions that would reduce the attention given to bigger and more important risk.

Risk can be identified for specific business processes, but it is easier to manage a portfolio of risk across the enterprise because risk to multiple business processes often shares a common mitigating action. The risk identification process should consider the most critical, sensitive and valuable assets as described in the preceding chapters.

Risk can be assessed when security vulnerabilities are discovered in controls in physical security, operating procedures, personnel, platforms or applications. The presence of security vulnerabilities is a major factor in the likelihood of a risk occurring and its potential impact. The risk identification process should note and consider all known security vulnerabilities, which will help inform the risk assessment process and enable mitigating actions to be identified.

2.5 APT Risk Assessment

The next step is to assess and rank the identified risk in terms of probability and impact. This process ideally should be conducted in a workshop where key stakeholders and knowledgeable managers can voice concerns and vote on the likelihood and severity of the risk. Teamwork also helps to reduce the likelihood of errors being introduced by lack of knowledge or personal bias.

A risk heat map, as illustrated in figure 6, is a useful tool to help assess, rank and record risk. This approach is recommended because experience has shown that it is much faster, easier and more accurate for managers to assess types of risk in relation to each other, rather than to attempt to score them in isolation.

Figure 6. APT Risk Assessment Heat Map Example (axes: Probability and Impact, each scaled 1 to 5 from Low to High). Plotted risks: serious damage to a processing plant; major customer records data breach; theft of trade secrets; permanent loss of ERP database; major IT infrastructure failure; DDoS attack; loss of key staff to a rival enterprise; compromise of major tender bid.


Risk that is plotted in the top right corner of the heat map represents the most serious challenges and justifies immediate remedial action. Risk in the bottom left corner can largely be ignored. More difficult to address is risk in the center of the map, which requires more consideration and debate.

Risk in the top left corner justifies longer-term contingency measures. For example, in this assessment there is a real, but unlikely, risk of serious damage to a processing plant. This is a typical assessment for a risk of this kind, generally justifying longer-term consideration but no immediate remedial action. It underlines the need for regular refreshment of the risk assessment and more considered thought about the actions to take to address risk of extremely high impact but very low probability.

Such assessments can change markedly in the event of any increase in political tension in the country in which the plant is sited. A further consideration is whether an attack might be mounted by a potential future adversary to gain advance intelligence or plant a back door in support of any future offensive operation.

The scale on each axis of the heat map can be used to generate numeric scores for the risk, enabling a league table of risk (risk register) to be developed. The advantage of such a table is that it can readily be expanded to record additional dimensions of the risk, such as ownership, mitigating actions, target dates and other details.

2.6 Moral Hazard

A major problem with many types of security risk that require expensive treatment is that the party responsible for creating or managing the risk might not be the party that suffers the damage from any associated incident. In many cases, it is the consumer or citizen who experiences the real impact of a major data breach (although there is always the prospect of legal action).

This is a well-known problem termed “moral hazard” and it is hard to address because many business managers responsible for a hazardous process might regard themselves as being insulated from the full consequences of a major incident. It is important, therefore, to ensure that risk assessments take into account the full impact of a threat, whether to consumers, business partners or other stakeholders. Otherwise, there is a possibility that assessed impacts will be understated.

2.7 APT Risk Mitigation

For each identified risk, the risk assessment team should agree on the appropriate mitigating action, and assign ownership of each risk to a manager to oversee the implementation of the mitigating action.


Actions to mitigate risk might include any of the following:

• Applying appropriate controls
• Knowingly and objectively accepting the risk, providing it clearly satisfies the organization’s policies and the criteria for accepting risk (see below)
• Avoiding the risk
• Transferring the associated business risk to another party, e.g., an insurer or supplier

The agreed action should take account of the cost, timescale and difficulty of implementing potential mitigating measures as well as the probability and impact of the risk. A further important consideration is the existence of any associated legal, regulatory or contractual requirements.

Acceptance of risk should be considered only if the impact and probability are within risk appetite levels. Acceptance of any identified risk should be formally approved by the executive board or risk committee and documented in the organization’s risk register.
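Sections 2.5 and 2.7 together describe turning heat-map positions into a scored league table of risk and then recording the owner, mitigating action and any formally approved acceptance against each entry. The following Python is an added worked example of such a register, not code from the ISACA book; the quadrant cut-offs, the appetite model and every sample coordinate, owner and date are assumptions made for illustration.

```python
"""Added worked example (not from the ISACA book): a scored APT risk register.
Heat-map coordinates become numeric scores and a league table (section 2.5), each
risk gets the quadrant reading of section 2.5, and section 2.7's ownership and
acceptance rules are enforced. Thresholds, the appetite model and all sample
coordinates are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional

class Treatment(Enum):
    """The four mitigating actions listed in section 2.7."""
    CONTROL = "apply appropriate controls"
    ACCEPT = "knowingly accept the risk"
    AVOID = "avoid the risk"
    TRANSFER = "transfer the risk (e.g., to an insurer or supplier)"

@dataclass
class Risk:
    name: str
    probability: int                      # heat-map scale, 1 (low) to 5 (high)
    impact: int                           # heat-map scale, 1 (low) to 5 (high)
    owner: Optional[str] = None           # manager overseeing the mitigating action
    treatment: Optional[Treatment] = None
    mitigating_action: Optional[str] = None
    target_date: Optional[date] = None
    approved_by: Optional[str] = None     # board or risk committee sign-off

    def __post_init__(self) -> None:
        for axis, value in (("probability", self.probability), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{axis} must be on the 1-5 heat-map scale, got {value}")

    @property
    def score(self) -> int:
        """Numeric score built from the two axis scales (probability x impact)."""
        return self.probability * self.impact

# Assumed cut-offs: the book's figure shows no numeric boundary between regions.
HIGH, LOW = 4, 2

def quadrant(risk: Risk) -> str:
    """Read a plotted risk the way section 2.5 reads the regions of the map."""
    if risk.probability >= HIGH and risk.impact >= HIGH:
        return "immediate remedial action"          # top right
    if risk.probability <= LOW and risk.impact <= LOW:
        return "largely ignore"                     # bottom left
    if risk.probability <= LOW and risk.impact >= HIGH:
        return "longer-term contingency measures"   # top left: high impact, low probability
    return "further consideration and debate"       # centre and remaining cells

@dataclass(frozen=True)
class RiskAppetite:
    """Assumed shape of the appetite limits that section 2.7 refers to."""
    max_probability: int
    max_impact: int

def within_appetite(risk: Risk, appetite: RiskAppetite) -> bool:
    return risk.probability <= appetite.max_probability and risk.impact <= appetite.max_impact

def record_treatment(risk: Risk, treatment: Treatment, owner: str, action: str,
                     appetite: RiskAppetite, target_date: Optional[date] = None,
                     approved_by: Optional[str] = None) -> Risk:
    """Assign an owner and mitigating action. Acceptance is valid only when the
    risk sits inside appetite and carries formal board or committee approval."""
    if treatment is Treatment.ACCEPT:
        if not within_appetite(risk, appetite):
            raise ValueError(f"{risk.name!r} exceeds risk appetite and cannot be accepted")
        if not approved_by:
            raise ValueError(f"acceptance of {risk.name!r} needs formal approval")
    risk.owner, risk.treatment, risk.mitigating_action = owner, treatment, action
    risk.target_date, risk.approved_by = target_date, approved_by
    return risk

def build_register(risks: List[Risk]) -> List[Risk]:
    """League table of risk: highest score first, ties broken by impact (assumption)."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)

# Constructed sample: the risks named in figure 6, with assumed coordinates.
SAMPLE_RISKS = [
    Risk("Serious damage to a processing plant", 1, 5),
    Risk("Major customer records data breach", 4, 5),
    Risk("Theft of trade secrets", 4, 4),
    Risk("Permanent loss of ERP database", 2, 4),
    Risk("Major IT infrastructure failure", 3, 4),
    Risk("DDoS attack", 4, 2),
    Risk("Loss of key staff to a rival enterprise", 3, 3),
    Risk("Compromise of major tender bid", 2, 2),
]

if __name__ == "__main__":
    appetite = RiskAppetite(max_probability=2, max_impact=2)
    record_treatment(SAMPLE_RISKS[-1], Treatment.ACCEPT, "Head of Sales",
                     "monitor; no further action", appetite,
                     target_date=date(2014, 6, 30), approved_by="Risk committee")
    for rank, r in enumerate(build_register(SAMPLE_RISKS), start=1):
        print(f"{rank:>2}. {r.name:<42} P={r.probability} I={r.impact} score={r.score:>2}  {quadrant(r)}")
```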

2.8 Making the Business Case for Countermeasures

Any major expenditure requires a business case made to management or, if it is a significant expenditure, an investment appraisal board. This can be a difficult hurdle to overcome because security is rarely able to show concrete evidence of a positive return on investment. A further problem is that increasing expenditure on security reduces the likelihood of incidents, which tends to lower people’s perception of the need for further measures.

Most everyday security spending can be justified on the grounds of mandatory legal or regulatory compliance requirements. APT attacks are different. The type of action required goes well beyond the measures required to satisfy compliance demands. It must, therefore, be approved on the basis that it is a sensible business investment.

When presented with the facts about APT attacks, any executive board will almost certainly demand action. The problem is, without a detailed understanding of the subject matter, the board will not be able to judge how much security expenditure is enough. Gaining executive board and business manager support for security improvements requires a compelling presentation of the costs and benefits. Good presentation and relationship management skills are important. It obviously helps to show a financial return on investment, but saving money is not the only way to demonstrate value.

A good business case presents a compelling argument for immediate change, together with clearly identified benefits that can be aligned with business strategy. It also helps to show that costs and benefits have been carefully assessed and that any risk associated with implementing the changes has been identified and will be managed.


2.9 Learning Points

This chapter examined the process of risk management as it might be applied to the assessment and mitigation of APT risk. Here is a brief summary of the learning points to note:

• Risk management is a continuous cycle of assessing risk, identifying mitigating controls, implementing remedial actions and monitoring their effectiveness.

• Risk assessment helps identify, agree on and prioritize the necessary action to mitigate the risk of an APT attack.

• Risk is ranked according to likelihood and its potential business impact.

• The starting point in identifying APT risk is to recognize the value of the assets at risk. Assets can be physical, financial or intellectual.

• Attacks on industrial control systems that could bring a processing plant to a dangerous state are possible but fortunately very rare.

• Financial assets are highly vulnerable to theft and manipulation. They are likely to be targeted by organized crime groups for personal gain.

• The value of nontangible assets, such as corporate reputation, is substantial but difficult to measure because contemporary accounting standards do not acknowledge the value.

• APT risk creates enterprisewide impacts that are best addressed through an organizationwide initiative. Risk can be identified for specific business processes, but it is better to manage a portfolio of risk across the enterprise because risk to multiple business processes often shares a common mitigating action.

• A risk heat map is a useful tool to help assess, rank and record risk. This approach is recommended because it is faster and easier than other methods, and generally produces more precise results.

• “Moral hazard” is the term used to describe a situation where the party responsible for creating or managing the risk is not the party that suffers the damage.

• Actions to mitigate risk might include implementing additional controls or taking action to accept, avoid or transfer the risk.

• Mitigating actions should take account of the cost, timescale and difficulty of implementing them, as well as the probability and impact of the risk.

• The business case for change should present a compelling argument for immediate change, together with clearly identified benefits that can be aligned with business strategy.


Chapter 3. Security Management for APT Threats


3. Security Management for APT Threats

3.1 Introduction

This chapter examines the wide range of security controls, processes and technical countermeasures that can be applied to help prevent, detect and mitigate the impact of an APT attack.

The existing security countermeasures found in the typical contemporary enterprise are unlikely to be sufficient to prevent or even detect a well-planned, sophisticated attack. There is research to confirm this assertion. An independent survey conducted by the Ponemon Institute revealed that two-thirds of organizations admitted that their own defenses were insufficient to stop a targeted attack.28 According to research by Verizon, approximately 70 percent of breaches are discovered by an external party, not by the victims themselves.29

This might not come as a surprise to experienced security professionals, many of whom have long struggled to sell good security practices to uninterested systems developers and business managers, who generally view security as an unnecessary, costly and time-consuming distraction. In this context, APT intrusions have become a game changer that raises corporate concerns by an order of magnitude and demands a similar change in security posture and response processes.

This chapter provides an overview of the security management improvements that are needed to respond to the challenge of the APT. Unfortunately, there is no single additional countermeasure, technical or operational, that can be guaranteed to prevent, detect or eradicate an APT infection. The solution lies in a holistic approach that combines tighter physical, technical, educational and operational measures, coordinated through an effective security management system.

Combating an APT attack also requires specialist skills. Attacks are targeted and might be tailored to exploit the perceived weaknesses of the victim. They cannot be matched by general policies, baseline controls and off-the-shelf products. A customized response is needed, supported by a high degree of creativity and improvisation. This requires the development or recruitment of specialist skills, sourced either from within the organization or through an external support service.

28 Ponemon Institute, “2012 Cost of Cyber Crime Study,” USA, 2012, www.ponemon.org
29 Verizon, “2013 Data Breach Investigations Report,” USA, 2013, www.verizonenterprise.com/DBIR/2013


Victims of APTs typically exhibit numerous security weaknesses, examined in the following paragraphs, but no attack is perfect or completely invisible. APT attacks have weaknesses, too. However sophisticated they might seem in their ability to hide through disguise, code obfuscation or the use of different attack vectors, there will be recognizable signs and occasional weaknesses. An experienced security analyst with a good set of tools will eventually detect, deflect and eradicate even the most sophisticated of intrusions. This chapter explains many of the measures needed to attain this capability.

In setting out the range of technical, human and procedural mechanisms needed to mitigate an APT attack, there is bound to be some overlap with conventional information security guidance and controls, such as those set out in the COBIT 5 family of products, the SANS Institute critical controls30 and ISO/IEC 27001 security standards. In mature enterprises, many of these controls are already in place, either to mitigate general security risk or satisfy regulatory compliance. This book does not aim to reinvent existing industry security guidance, other than drawing attention to the benefits of these controls. Instead, it focuses on the specific enhancements needed to mitigate the risk of APTs, highlighting areas in established standards where controls require further strengthening or extension.

3.2 Shortcomings in Existing Management Processes

The starting point in understanding the measures needed to combat APT attacks is to understand the weaknesses in existing controls and appreciate the Achilles’ heel of APT attacks. Figure 7 illustrates typical weaknesses, as well as recommended remedial measures, in management processes that are generally expected to mitigate information security risk. The technology solutions mentioned in the Recommended Remedial Action column are explained in the following chapter.

30 See www.sans.org/critical-security-controls.


Management Process

Typical Weakness Relativeto APT Attacks

Recommended Remedial Action

Information security management system (ISMS)

Traditional planning, implementation and review cycles are too slow to respond to fast-evolving APT risk.

Establish a fast-track APT risk assessment and mitigation process.

Security policy often lacks clarity and focus, and is poorly communicated and applied.

Strengthen policy, discipline and review processes for areas vulnerable to APT attack.

Gaps and overlaps exist in security responsibilities for systems and infrastructure affected by a potential APT attack.

Assign specific responsibility for coordinating the organization’s response to the APT risk.

Business cases for APT mitigation might not satisfy investment appraisal criteria.

Gain executive board support for a remedial program tailored to the specific demands of APT risk.

Risk management process

Business risk assessments lack specialist knowledge of APT motives and methods.

Inject specialist APT knowledge into the business risk assessment process.

Individual business unit risk assessments may not reflect the full impact of an enterprisewide APT intrusion.

Conduct a specialist enterprisewide APT risk assessment.

Risk associated with emerging technologies, such as cloud computing and mobile devices, may not be adequately considered in the existing risk management process.

Conduct risk assessments for emerging technologies and update all related documentation.

People security Staff and contractors are rarely subject to security scrutiny beyond credit checks.

Conduct security vetting of individuals with access to systems supporting critical infrastructure services.

Existing security awareness programs might not address specific APT risk.

Carry out specific education campaigns for staff in areas that might be subject to APT attacks.

Conduct social engineering tests on employees who are likely targets of APT attacks.

07Typical Shortcomings in Existing Management ProcessesFI

GURE

Personal Copy of: Mr. EDWARD ANSAH

Page 62: Advanced Persistent Threats How to Manage the Risk to Your ...egnlghana.com/pdfs/insight5.pdf · Advanced Persistent Threats: How to Manage the Risk to our Business 2 ISACA® With

Advanced Persistent Threats: How to Manage the Risk to Your Business

62

Figure 7: Typical Shortcomings in Existing Management Processes (cont.)
(Columns: Management Process; Typical Weakness Relative to APT Attacks; Recommended Remedial Action)

Physical security
  Weakness: Equipment may be exposed to “quick-plant” compromises through USB sticks or keylogger devices.
  Remedial action: House equipment providing access to sensitive and critical systems in secure areas. Seal off USB ports of client devices and servers in open office areas. Periodically inspect machines in open office areas.
  Weakness: Executives visiting countries with aggressive intelligence services might have their laptops compromised by an “evil maid” attack (e.g., when left in an unoccupied room).
  Remedial action: Implement strong, hardware-based, full disk encryption with secure boot protection on the laptops of traveling executives. Implement two-factor authentication to further protect these devices.

Network architecture
  Weakness: Sensitive or critical systems and servers are insufficiently segregated.
  Remedial action: Implement architecture with strict segregation, filtering and monitoring controls. Remove sensitive or critical systems from enterprise networks, or site them in protected network domains. Install application firewalls to safeguard exposed servers.

Network management
  Weakness: The network monitoring process and systems are insufficient to detect incoming APT attacks or outgoing stolen data.
  Remedial action: Install deep packet inspection (DPI) technology to scrutinize communications. Apply communications pattern matching to help identify APT command and control protocols. Install data leak prevention (DLP) technology to detect outgoing confidential data.


Figure 7: Typical Shortcomings in Existing Management Processes (cont.)
(Columns: Management Process; Typical Weakness Relative to APT Attacks; Recommended Remedial Action)

Malware detection
  Weakness: Signature-based antivirus and intrusion detection system (IDS) scanning is not sufficient to catch APT attacks.
  Remedial action: Anti-malware measures should incorporate a heuristic, statistical or behavioral capability. Incoming code should be “sandboxed” to prevent malicious programs from executing.

Computer platform management
  Weakness: Planted APT malware is not visible to users or administrators.
  Remedial action: Implement technology to monitor changes to file integrity and platform configurations. Consider conducting periodic forensic inspections of platforms handling sensitive or critical data.
  Weakness: The patch management process is too slow to prevent security vulnerabilities on platforms.
  Remedial action: Implement continuous vulnerability scanning, especially for Internet-facing sites.

Application access control
  Weakness: Access rights are not rigorously scrutinized.
  Remedial action: Enforce a least-privilege model to reduce the scope for APT escalation.

System development and maintenance
  Weakness: Many information systems are designed for a private network environment and are vulnerable to internal attacks (e.g., through a Trojan horse).
  Remedial action: Eliminate security vulnerabilities in the system development process, e.g., implement a secured systems development life cycle (SDLC).
  Weakness: Legacy systems and platforms might contain numerous security vulnerabilities.
  Remedial action: Conduct penetration tests and implement remedial action programs.

Incident reporting process
  Weakness: Early indications of APT attack are not reported to security managers.
  Remedial action: Educate users to report suspicious email or external contacts. Consider incentives to encourage staff to report such events.

Business continuity management
  Weakness: The process is designed primarily with natural disasters in mind rather than deliberate, targeted attacks.
  Remedial action: Implement contingency plans to mitigate DDoS attacks and large-scale data breaches.

Crisis management
  Weakness: The existing business crisis team structure might lack the specialist organization and skills to manage an APT incident.
  Remedial action: Establish a computer security incident response team (CSIRT). Consider developing a security operations center (SOC).


3.3 Key Measures to Mitigate APT Attacks

Successfully preventing and detecting APT attacks requires a large number of individual security measures. The following security principles and measures are particularly important and should be included in any APT risk reduction program.

Coordinated Risk Assessment and Response

One of the major weaknesses in managing the response to APT risk is the difficulty in coordinating actions across multiple business units, service functions, information systems, infrastructure and supply chains. In practice, there are numerous gaps and overlaps in responsibilities, knowledge and capabilities. The solution to this problem is to assign specific responsibility for assessing risk and coordinating the organization’s response to APTs. Such responsibility requires executive board empowerment because it will necessarily cut across existing management reporting lines.

Asset Management

Hardware and software assets are valuable items and need to be identified, recorded and managed for accounting purposes. Asset inventories are also an essential tool for managing security, especially when they are extended with details of ownership and configuration status. In most organizations, enterprise directories are progressively being extended to track and control the security status of platforms and client devices. This is an essential building block in the development of an enterprise infrastructure that is free of vulnerabilities, or that at least understands the security posture of its platforms and devices.

Least-privilege Access

The principle of least privilege in granting access rights is a long-standing rule for minimizing the risk of unauthorized access to information systems. Within the context of APT attacks, it is especially important to minimize the number of users with administrator rights to critical applications, servers and client devices.

APT attacks seek to achieve administrator access in order to gain full control of platforms and applications and to bury their malware inside operating system kernels. Granting administrator access to large user populations substantially increases the overall risk and, in particular, the potential business impact from a successful APT intrusion.

Removing administrator privileges to user client devices greatly reduces the potential impact of an APT infection, although it will not completely eliminate the risk. Client devices can still become compromised, for example, through a drive-by download, but the attacker will face increased difficulty in hiding the malware and broadening the scope of the attack.


Network Segregation

The primary benefit of networks is that they enable communication and data transfers. Unfortunately, the benefit is a double-edged sword: The easier it is to establish relationships and access remote resources, the simpler it becomes for an intruder to steal information and sabotage services.

Any network containing sensitive, valuable or business-critical data needs to be segregated from the risk presented by open network connections. Large enterprise networks should be divided into separate logical network domains, each protected by a defined security perimeter. Boundaries between network domains can be policed by secure gateways, such as firewalls, to filter and direct traffic between domains.

It is particularly important to ensure that servers containing highly sensitive or critical data are not allowed to freely conduct data transfers to external locations because this would enable a Trojan horse to export data to a remote attacker. External transfers should be subject to strict rules and controls.

Network segregation is the one control, above all others, that needs to be adequately addressed to mitigate the risk from APT attacks. It is a basic security requirement for any enterprise, yet experience from previous attacks has demonstrated that many enterprise networks have insufficient segregation to safeguard critical data and processes.

Vulnerability Management

Vulnerability management is the process of identifying, prioritizing and mitigating known security weaknesses in information systems and platforms. At its simplest, it involves keeping up to date with critical security patches to software systems as well as the latest releases of software and antivirus definitions. This is not a trivial exercise for platforms running critical production systems that need to be continuously available on a 24/7 basis.

Although advanced APT attacks can incorporate zero-day exploits, many rely on known vulnerabilities to infect systems, so it is vital to ensure that all platforms are patched as quickly as possible. Unfortunately, experience shows that many enterprises take far too long to implement critical patches, often days, weeks or even months. Systems containing known vulnerabilities need to be shielded (e.g., by a firewall) from the risk associated with external connections.

User Education

Most enterprises now carry out a modest degree of security education and awareness training for IT users, but this is insufficient to mitigate the risk of well-researched social engineering attacks. The answer is to extend the scope, intensity and sophistication of the educational program, focusing on the managers and staff who are most likely to be targets for such approaches.


Changing people’s knowledge and perception is a hard task. Transforming their behavior is an order of magnitude more difficult. However, both objectives can be achieved with sufficient planning, effort and appreciation of human psychology.

Achieving a major change in behavior demands several levels of intervention:
• Communicating awareness of the risk and recommended response, which simply requires clear, informative communications
• Influencing attitudes, which needs to be a self-discovery process, e.g., through stories, case studies or exercises
• Changing behavior, which demands compelling incentives, especially ones that are personal, immediate and certain

Professional advice on developing awareness materials should be sought because amateur attempts are often ineffective. At the very least, in-house marketing staff or communications functions should be consulted on the design and presentation of educational material.

Technology to Mitigate APT Attacks

Numerous security technologies or technical processes have been developed over the last two decades to prevent or detect malicious intrusions.

Many security technologies are based on the principle of scanning, filtering or blocking incoming or outgoing communications. The first such technologies emerged in the early 1990s and were able to execute simple filtering of traffic based on the header information contained in individual packets of data. Over the years, these technologies have become progressively more intelligent and sophisticated, digging deeper into the packet content, assembling them into streams of activity, understanding malicious behavior patterns and executing any attached code in safe “sandbox” areas.

There are many variations of scanning and filtering tools available, operating at different levels in the communications protocol stack and using an array of detection techniques. The most important point is that no single security technology can be guaranteed to prevent or detect an APT. A defense-in-depth approach, exploiting as many layers of inspection as can be afforded and managed, will help mitigate risk, and when combined with appropriate procedural and personal controls, it can allow the enterprise to reduce the APT risk to an acceptable level.

Many security appliances combine several technologies in a single device. Enterprises can buy a multifunctional product, select separate “best of breed” devices or purchase a range of compatible technologies from a single vendor.


The business case for procurement of many of these technologies, as well as the necessary skilled resources to administer them, is likely to challenge traditional investment appraisal processes. These costs must be carefully weighed against the potential business impact of a damaging APT attack.

Chapter 4 describes the relevant technologies and technical processes that are most useful for mitigating an APT attack.

3.4 Disrupting the “Kill Chain”

Organizations may have many security shortcomings, but APT actors also exhibit a few, and these can be enough to enable an attack to be detected and contained.

Experts from Lockheed Martin rightly point out that an effective response to an APT intrusion demands a major evolution in analysis, process and technology. They also believe it is possible to anticipate and mitigate future intrusions based on a sound knowledge of the attacker’s methods.

This strategy is an intelligence-driven, threat-focused approach to APT attack mitigation. The theory is that by studying the attacker’s methods and identifying key indicators, the enterprise can detect and mitigate future attacks.

To understand the structure and stages of an attack, Lockheed Martin developed the concept of a cyber “kill chain” (see figure 8). The kill chain is the sequence of activities conducted by an attacker to carry out an APT attack. In essence, it is their version of the APT attack cycle described in chapter 1.

Lockheed Martin experts advocate sharing across the security community recognized indicators of compromise identified in previous attacks, in order to expose the techniques, tactics and procedures used by an attacker.

An indicator is any piece of information that objectively describes an intrusion. The concept is based on the assumption that many aspects of an APT, such as IP addresses, exploits and malware code, are likely to be reused in future attacks. Once the complete kill chain is understood, then detecting just one aspect of an attack could be sufficient to identify and mitigate other aspects of the attack.

This concept can be applied to the APT attack cycle described in chapter 1 to identify opportunities to prevent, detect or disrupt the attack. Figure 9 sets out how this approach might work. The entries are intended to be illustrative rather than definitive and comprehensive.


Figure 8: The Lockheed Martin “Kill Chain”

Reconnaissance: Research, identification and selection of targets, e.g., by crawling Internet web sites
Weaponization: Coupling a remote access Trojan with an exploit into a deliverable payload
Delivery: Transmission to the targeted environment, usually through email attachments, web sites or USB removable media
Exploitation: After delivery, triggering of the intruders’ code
Installation: Installation of a remote access Trojan or back door to enable future access
Command and Control: Communication established by compromised hosts with an Internet controller server
Actions on Objectives: Action taken by intruders to achieve their objectives, typically data theft or access to other systems


Figure 9: Opportunities in the APT Attack Cycle
(The original table spreads the measures for each stage across three columns: Preventive Measures, Aids to APT Detection and APT Response Action.)

Target selection and research
• Avoid unnecessary publicity for secret research, product developments or contract negotiations.
• Avoid publication of personal contact details for key staff likely to be targeted by APT actors.
• Train staff to report suspicious or abnormal inquiries.
• Brief staff conducting web analytics for likely signs of attack research.
• Consult national security agencies for advice when indications of attack planning are detected.

Target penetration
• Train staff to be alert to suspicious email.
• Continuously scan Internet-facing platforms for vulnerabilities.
• Install an intrusion prevention system (IPS).
• Use sandbox simulation to identify incoming malicious programs.
• Maintain up-to-date anti-malware and intrusion detection systems (IDSs), preferably incorporating a heuristic, statistical or behavioral capability.
• Enlist the assistance of IT service providers and security vendors.
• Obtain support from a specialist consultancy experienced in managing APT attacks.

Command and control
• Ensure that the network has adequate segregation of critical areas.
• Log and inspect domain name server (DNS) traffic.
• Scan incoming network traffic for known command and control protocols and API patterns.
• Block identified command and control protocols.
• Block all outgoing traffic at the perimeter, except that explicitly required to support the business.


(Continuation of the table; the measures for each stage are again drawn from the columns Preventive Measures, Aids to APT Detection and APT Response Action.)

Target discovery
• Implement strict network security policies to limit access to critical servers.
• Examine audit logs for evidence of suspicious scans and browsing.
• Establish an internal network surveillance capability (e.g., an internal IDS system).
• Set up a honeypot to attract the attacker.
• Tighten network security controls (e.g., close down unused ports).
• Review audit logs to establish the extent of the intrusion.

Data exfiltration
• Configure the network to prevent exfiltration of data from critical servers.
• Investigate suspicious data transfers (e.g., outside of regular hours).
• Install a data leak prevention (DLP) system.
• Block unauthorized data transfers to unknown locations.

Intelligence dissemination and exploitation
• Ensure that trade secrets have legal protection.
• Look for signs of exploitation, such as unexpected failures to win contracts or announcements of rival products with similarities to company designs.
• Consult national security agencies for help.

3.5 Tell-tale Signs of an APT Attack

The stealthy nature of APT attacks makes detection a challenging task, which is reflected by the large number of intrusions that have gone unnoticed for months or years in enterprises—even those with experienced security functions. Nevertheless, by adopting the additional measures recommended in this chapter, it is certainly possible to identify an attack before any major business damage arises.

The key capabilities needed to detect an APT attack can be summarized as follows:
• Understanding what to look for
• Knowing where (and when) to look
• Being able to differentiate APT activity from normal behavior
• Having access to the skills and tools needed to detect and isolate APT malware

Figure 9: Opportunities in the APT Attack Cycle (cont.)


These requirements are examined at length in the rest of this chapter. As with preceding chapters, there is a useful summary of learning points at the end.

The kill chain concept is an elegant one and it provides a useful structured approach for searching for indications of an APT attack and understanding where else to look for further signs of activity.

A professional APT attack is likely to probe weaknesses and gather intelligence through a number of communication channels, including telephone calls and phishing emails, as well as any externally facing platforms and devices. Although designed to be stealthy, there are always potentially detectable signs of an attempted or actual intrusion.

In the same way that a householder might discover the presence of vermin through tell-tale traces of droppings and missing, damaged or disturbed items, so enterprises can develop a capability to spot an APT attack through indicators of compromise in the behavior, performance or configuration of the surrounding systems, processes and infrastructure.

In some cases, this can be done through direct observation, e.g., of suspicious communications. In other cases, it might be achieved through automated checks, e.g., on incoming or outgoing network traffic. But to be absolutely certain, there will be a need to conduct a degree of expert analysis of audit logs, stored data, communications and computer memory activity.

Staff across the organization will need to be briefed and encouraged to be alert to and report indications of suspicious behavior, especially at times when there is an identified risk or in locations where there is an enhanced threat.

Concerns about espionage have traditionally been closely guarded assessments. However, the risk has now increased to a level where any concerns about employee “need to know” are likely to be far outweighed by the need to engage the eyes and ears of as many as possible staff across the enterprise.

A clearly identified reporting point for all such incidents must be established, and it is recommended that the enterprise adopt a policy of “prudent overreporting,” encouraging staff to report any event that arouses suspicion.

Suspicious Behavior

Examples of suspicious behavior or network activity worthy of investigation follow.


Human Behavior

Early warning indicators of potential APT attacks are likely to include:
• Unusual telephone calls to personal assistants or sales staff, especially requests for unpublished contact details, such as email addresses
• Email from unknown sources containing attachments or URLs
• Email that does not look genuine purporting to be from colleagues

Network Activity

Factors associated with APT attacks include the following changes:
• Sudden increases in network traffic, especially outbound transfers
• Unusual patterns of activity, such as large transfers of data outside normal office hours or to unusual locations
• Repeated queries to dynamic DNS names
• Unusual searches of directories and files of interest to an attacker, e.g., searches of source code repositories
• Unrecognized, large outbound files that have been compressed, encrypted or password-protected
• Detection of communications to/from bogus IP addresses
• Presence of software containing anti-disassembly or anti-debugging features
• External accesses that do not use local proxies
• External requests containing application programming interface (API) calls
• Unexplained changes in the configurations of platforms, routers or firewalls
• Increased volume of IDS events/alerts

APT attacks generally aim to avoid leaving any identifiable signature. There are, however, patterns of activity that are difficult for an attacker to vary, such as the preprogrammed protocols used by planted malware to connect with a remote command and control server.
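As an added illustration (not from the ISACA text), the following Python screens a constructed proxy and DNS log for three of the indicators listed above: bulk outbound transfers outside office hours, repeated queries to dynamic DNS names, and the fixed-interval beaconing of planted malware to a command and control server, tagging each finding with the attack cycle stage from figure 9 it most plausibly indicates. The log format, field names, thresholds and dynamic DNS suffixes are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). One event per line: an ISO
# timestamp followed by key=value fields. type is "dns" for a name lookup,
# otherwise the application protocol of an outbound connection; out is the
# number of bytes the internal host sent.
CONSTRUCTED_LOG = """\
2013-05-02T09:00:00 src=10.1.4.22 dst=203.0.113.9 out=512 type=http host=cdn.example.net
2013-05-02T09:05:00 src=10.1.4.22 dst=203.0.113.9 out=512 type=http host=cdn.example.net
2013-05-02T09:10:01 src=10.1.4.22 dst=203.0.113.9 out=512 type=http host=cdn.example.net
2013-05-02T09:15:00 src=10.1.4.22 dst=203.0.113.9 out=512 type=http host=cdn.example.net
2013-05-02T09:20:00 src=10.1.4.22 dst=203.0.113.9 out=512 type=http host=cdn.example.net
2013-05-02T10:30:12 src=10.1.7.5 dst=192.0.2.10 out=2048 type=https host=www.example.com
2013-05-02T11:02:45 src=10.1.7.5 dst=192.0.2.10 out=4096 type=https host=www.example.com
2013-05-02T14:47:03 src=10.1.7.5 dst=192.0.2.10 out=1024 type=https host=www.example.com
2013-05-02T15:01:20 src=10.1.7.5 dst=192.0.2.10 out=3072 type=https host=www.example.com
2013-05-02T08:58:10 src=10.1.4.22 dst=10.1.0.2 out=64 type=dns host=c2box.dyn-example.invalid
2013-05-02T13:12:33 src=10.1.4.22 dst=10.1.0.2 out=64 type=dns host=c2box.dyn-example.invalid
2013-05-02T17:40:51 src=10.1.4.22 dst=10.1.0.2 out=64 type=dns host=c2box.dyn-example.invalid
2013-05-03T02:14:07 src=10.1.4.22 dst=198.51.100.7 out=5400000 type=https host=drop.dyn-example.invalid
"""

# Placeholder suffixes standing in for dynamic DNS providers (constructed, not real).
DYNAMIC_DNS_SUFFIXES = (".dyn-example.invalid", ".ddns-example.invalid")


def parse_log(text):
    """Turn the log text into a list of dicts with parsed timestamp and byte count."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(field.split("=", 1) for field in fields)
        rec["ts"] = datetime.fromisoformat(stamp)
        rec["out"] = int(rec["out"])
        records.append(rec)
    return records


def find_beaconing(records, min_events=4, max_cv=0.1):
    """Flag hosts that contact one destination at near-constant intervals.

    Planted malware polls its controller on a preprogrammed schedule, so the
    coefficient of variation (stdev/mean) of the gaps between contacts is
    tiny; interactive browsing of the same site produces irregular gaps.
    """
    by_pair = defaultdict(list)
    for rec in records:
        if rec["type"] != "dns":
            by_pair[(rec["src"], rec["dst"])].append(rec["ts"])
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append({"stage": "Command and control", "indicator": "beaconing",
                             "src": src,
                             "detail": f"{len(stamps)} connections to {dst} about every {avg:.0f}s"})
    return findings


def find_dynamic_dns(records, suffixes=DYNAMIC_DNS_SUFFIXES, min_count=3):
    """Flag repeated lookups of names under dynamic DNS suffixes."""
    counts = defaultdict(int)
    for rec in records:
        if rec["type"] == "dns" and rec["host"].endswith(suffixes):
            counts[(rec["src"], rec["host"])] += 1
    return [{"stage": "Command and control", "indicator": "dynamic_dns", "src": src,
             "detail": f"{n} queries for {host}"}
            for (src, host), n in counts.items() if n >= min_count]


def find_off_hours_transfers(records, min_bytes=1_000_000, office_hours=(8, 18)):
    """Flag large outbound transfers outside office hours (local time assumed)."""
    start, end = office_hours
    findings = []
    for rec in records:
        if rec["type"] == "dns" or rec["out"] < min_bytes:
            continue
        if not start <= rec["ts"].hour < end:
            findings.append({"stage": "Data exfiltration", "indicator": "off_hours_large_transfer",
                             "src": rec["src"],
                             "detail": f"{rec['out']} bytes to {rec['dst']} at {rec['ts'].isoformat()}"})
    return findings


def screen(text):
    """Run all three checks over the log text and return the combined findings."""
    records = parse_log(text)
    return find_beaconing(records) + find_dynamic_dns(records) + find_off_hours_transfers(records)


if __name__ == "__main__":
    for finding in screen(CONSTRUCTED_LOG):
        print(f"[{finding['stage']}] {finding['indicator']}: {finding['src']} {finding['detail']}")
```

Each check alone is noisy (a software updater also beacons), so the value lies in correlating hits on one host across stages before escalating.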

3.6 Times Justifying a Heightened Alert

A state of heightened alert should be encouraged at times when there is a higher risk of attack. Examples of such times follow.

Following Publicity

Any publicity about an invention or ground-breaking product development in, for example, a leading newspaper or business magazine, is likely to draw the attention of government ministries responsible for promoting the competitiveness of their industries, perhaps encouraging an intelligence-gathering exercise to steal trade secrets.

When Entering New Markets

There is likely to be a higher risk of an espionage attack when the company enters a new market in a country with a known, aggressive APT capability, such as when launching in selected countries a new product range that is in direct competition with a state-owned competitor.

When Negotiating Major Contracts

One of the quick wins for cyberattacks is gathering advance data on negotiating strategy or competitive bids for major commercial contracts. This risk is likely to be particularly high when the enterprise is negotiating a deal or bidding against an enterprise that might be the beneficiary of government intelligence, such as a state-owned organization.

Following an Identified Vulnerability

The organization should assume a higher state of alert following the identification of any major vulnerability in an application or platform that is widely used because this might encourage opportunistic attempts to exploit the weakness.

3.7 Learning Points

This chapter examined the range of security measures that can be applied to mitigate the risk of an APT attack. Here is a brief summary of the learning points to note:

• The existing security measures found in contemporary enterprises are rarely sufficient to prevent or detect an APT attack. Most breaches are discovered by an external party.

• There is no single additional countermeasure that can be guaranteed to prevent, detect or eradicate an APT infection. A holistic approach is needed.

• Combating an APT attack requires specialist skills, creativity and improvisation, not just policies, controls and products.

• Organizations have many security weaknesses leaving them vulnerable to APT attacks, but no attack is perfect. An experienced, well-equipped analyst will eventually detect and eradicate the infection.

• Key security measures needed to mitigate an APT attack are asset management, coordinated risk assessment and response, applying the least-privilege principle, good network segregation, up-to-date vulnerability management, and targeted user education.

• A wide range of security technologies are available and can be extremely effective in helping to prevent or detect APT attacks. They are described in detail in chapter 4.

• The kill chain is the sequence of activities conducted by an attacker to carry out an APT attack. The intrusion can be stopped by understanding, detecting and/or disrupting these activities.

• Staff should be instructed to report any suspicious behavior or network activity that might indicate an APT attack is being planned or mounted.

• The organization should be on heightened alert when there might be a higher risk of attack, e.g., following publicity about a new product, when entering new markets, when negotiating major contracts, or immediately after an identified vulnerability comes to light.


4. Security Technology Measures to Mitigate APT Attacks

4.1 Overview

This chapter looks at the wide range of security technologies or technical processes that can be employed by enterprises to assist with the prevention and detection of APT attacks. It covers basic measures, such as antivirus systems and firewalls, as well as the most advanced security technologies and techniques, such as Trusted Computing and the security development life cycle, which are found in only a small number of leading enterprises. Over time, however, it is expected that more and more organizations will adopt these advanced measures.

4.2 How Much Security Is Required?

How much security is actually needed to prevent an APT attack, or at least to successfully detect it and close it down as quickly as possible? The real answer has to be “as much as you can afford and justify,” although this is not a palatable prospect for any business organization seeking to keep down costs. However, the truth is that eliminating APT risk requires levels of security technology, management, education, skills and vigilance that go far beyond the demands of regulatory compliance and everyday information security management.

To put this into a more practical context, it is helpful to consider security measures in levels of increasing effectiveness, corresponding to perceived risk and protective capability. Unfortunately, it is an inescapable fact that there is a clear correlation between the level of security delivered and the cost, difficulty and time needed to achieve it. In the words of Professor Fred Piper, a well-respected cybersecurity expert, “If it is not difficult, then it is not secure.”

This is where risk management can help, although it is important to carry out a coordinated, enterprisewide APT risk assessment to ensure that the collective business impact from an intrusion can be fully appreciated and the necessary response coordinated as a single risk mitigation program.

Figure 10 illustrates the various tiers of security measures that might be considered, ranging from the basic security measures that can be found in every prudent enterprise, to the more advanced, long term solutions, all of which are feasible and proven, although rarely encountered, even in government departments and Fortune 500 companies.


Each of these levels is explained in more detail in the following paragraphs. The four levels are intended to be indicative rather than absolute. For example, it is possible to find enlightened small enterprises applying the security development life cycle and leading enterprises failing to implement effective vulnerability management.

4.3 Basic Security MeasuresThe following security measures are the absolute minimum required to safeguard a typical enterprise from everyday security threats. They are essential building blocks for developing a secure infrastructure, but by themselves would be insufficient to prevent or detect a sophisticated APT attack employing a zero-day exploit.

Antivirus Systems

Antivirus systems need little introduction—they should be familiar to every computer user. What is of more importance is to appreciate the various strategies and techniques employed by these systems and recognize their respective strengths and weaknesses.

Figure 10: Levels of Security Countermeasures

Basic Security Technology Measures: Antivirus, intrusion detection, firewalls, penetration testing, strong authentication

Advanced Security Technology Measures: Intrusion prevention, data leak prevention, vulnerability scanning, sandbox simulation, database activity monitoring, application security testing

Specific APT Countermeasures: Deep packet inspection, communications pattern matching, file integrity monitoring, security configuration management, security information and event management

Best Available Security Technology Practices: Trusted computing, forensic inspections, application whitelisting, honeypots, systems development life cycle


Antivirus systems are generally software-based defenses widely used to prevent, detect and remove many categories of malware, including computer viruses, worms, Trojans, keyloggers, malicious browser plug-ins, adware and spyware. Different approaches can be used. In particular, one or both of the following strategies are generally employed.

• Signature-based detection relies on scanning incoming or outgoing files for known malicious patterns of data within executable code. The limitation is clear: New forms of malware cannot be detected by this approach. A further limiting factor is the continuous growth in new patterns of malware, demanding an increasing level of effort to identify the signatures.

• An alternative strategy is to employ a heuristic (experience-based) approach, such as by inspecting the characteristics and behavior of an executable file for recognized signs associated with malware. This approach has the advantage of being able to detect new forms of attack, but it is also likely to throw up spurious false positive reports.

The most important factor in administering antivirus systems (as well as any other signature-based prevention or detection system) is to ensure that the latest versions and signatures are implemented as soon as they become available.

Intrusion Detection Systems

An intrusion detection system (IDS) is a hardware appliance or software system that continuously monitors network traffic for recognized malicious activity or security policy violations. An IDS inspects network communications and records information relating to security events, notifying administrators in real time of important categories of events or when preprogrammed thresholds have been exceeded. Network traffic is examined against identified patterns or heuristics associated with common computer attacks. This can be based on predefined attack signatures, established attack patterns, or a statistical analysis of normal and anomalous behavior.

Intrusion detection systems are often combined with firewalls and antivirus systems in general-purpose security appliances.

Firewalls

Firewalls are used by all prudent computer users. A firewall is a software- or hardware-based technology that aims to control incoming and outgoing network traffic by analyzing the headers of passing data packets and determining whether they should be accepted or rejected according to a programmed set of security rules and policies.

Enterprises generally use stateful firewalls, which are able to keep track of the state of a network connection and scrutinize network traffic within that context. Stateful firewalls can filter packets of data according to their source and destination addresses, port numbers, and protocols as well as the current stage the connection has reached (e.g., initiation, data transfer or completion).

Application-level firewalls have additional filtering capabilities. They can examine connections to specific processes according to a more complex set of rules, and they can differentiate among alternative uses of the same protocol.

Penetration Testing

A penetration test is a process for evaluating the effectiveness of the security measures safeguarding a network infrastructure through a combination of tests designed to simulate an attack from an external attacker attempting to gain access or an insider attempting to escalate his/her permitted access rights.

Most security-aware enterprises carry out regular security penetration tests, either to demonstrate the effectiveness of existing security measures or deliver compelling evidence of the need for security enhancements. In many cases, regulatory compliance demands are a major motivation for conducting penetration tests.

It should be noted that such tests alone do not improve security. In fact, they might even increase the risk because they will highlight identified vulnerabilities to a broader community. They do, however, deliver a road map of necessary security improvements, which must be regarded as a fundamental building block of sound vulnerability management.

Strong Authentication

Strong authentication is now a standard industry practice for most remote business communications, although it has yet to fully replace password-based security for internal connections to information systems. Most large enterprises, however, are progressively replacing traditional password-based mechanisms with single sign-on (SSO) mechanisms based on smart card or token-based authentication.

The fundamental principle behind strong authentication is that it relies on more than just a shared secret, such as a password. It is a multifactor authentication control, employing an additional mechanism, such as a physical token, smart card or biometric attribute (such as a fingerprint).

Whatever the solution employed, the important point is that a software-based authentication measure alone is insufficient to prevent an APT attack. Hardware-based mechanisms, based on strong cryptography and tamper-resistant storage, are now a mandatory requirement for enterprises at risk from an APT attack.


4.4 Advanced Security Measures

Advanced security measures are a step up from the basic measures described in the preceding section. They are the type of practices that can be found in larger enterprises with more mature security functions. Implementing multiple security measures may increase the cost of an attack to a point that is no longer profitable for the culprits, which may force them to redirect the attack to other targets.

Intrusion Prevention

Intrusion prevention systems (IPSs) are similar in concept to intrusion detection systems, but go a step farther, aiming to monitor system activities as well as network traffic for malicious activity. IPS technology can be positioned within the network or installed on a host machine. It is also designed to block any intrusions that are detected, although there is a risk of genuine business traffic being blocked if it is erroneously identified as malicious (a false positive match).

IPS products can operate on the basis of recognized signatures of malicious traffic or through a statistical or behavioral analysis of communications traffic and protocols.

Data Leak Prevention

The ultimate goal of many APT attacks is to remove quantities of confidential data. Placing blocks or restrictions to prevent malware from exporting data files is an essential defense to mitigate the risk of data theft or espionage.

Data leak prevention (DLP) is a security technology designed to detect and block potential data breaches, such as outgoing transmissions of confidential data. DLP appliances use a number of techniques for identifying confidential or sensitive information, including searches for preregistered content or keywords as well as statistical analysis of outgoing traffic.

DLP is not a trivial technology to implement because it involves significant planning and administration. It is, however, very effective when used selectively, for example, in the financial sector to help maintain separation between traders with conflicting interests or those operating in different jurisdictions.

Vulnerability Scanning

A vulnerability scanner is a software system designed to assess network-connected computers, networks or applications for security weaknesses based on up-to-date databases of known flaws.

Many vulnerability scanning products are designed primarily to support security professionals conducting penetration tests of enterprise infrastructures. However, some are designed and intended for general use by security administrators or computer users to scan their platforms and applications for security vulnerabilities, incorrect settings and outdated versions of software.

The most important point to note is that the need for vulnerability scanning has evolved from a prudent requirement for periodic checks to an urgency for continuous (or at least daily) scans.

Vulnerability scanning cannot be expected to prevent a zero-day exploit from penetrating the enterprise infrastructure, but it will help stop attacks based on known exploits and help reduce the potential impact of any attacks that manage to evade perimeter defenses.

Sandbox Simulation

Malicious code designed to trigger infections can often be detected by executing incoming code in a safe environment (called a sandbox) in order to study its behavior prior to allowing it to enter the enterprise infrastructure. Contemporary sandbox-based security technologies are able to assess potentially malicious files, including executable code and office documents, in real time. Email attachments can be exploded and executed in a choice of virtual environments, and their behavior examined to detect potential malicious activity.

Security appliances often combine this function with other security scanning technologies, such as deep-packet inspection and intrusion detection or prevention. Although a good practice, it may be defeated by advanced malware containing sandbox detection code that could hide the malware from analysis.

Database Activity Monitoring

Database activity monitoring (DAM) is a technology that enables database access to be controlled, monitored and recorded independently from the database management software. DAM technology can operate across multiple database management systems, correlating events and user activity, enforcing segregation-of-duties policies, and generating alerts of security policy violations.

DAM systems employ a range of methods to detect database activity, including network monitoring of SQL activity and analysis of database tables, logs and memory. They can generate alerts based on predefined rules or by comparing user activity against profiles of normal behavior.

DAM technology is widely employed to enforce regulatory compliance requirements, but it is also effective at helping to prevent, detect and respond to APT attacks. In particular, it can highlight unusual database read or update activity, block SQL injection attacks, and monitor database attacks in real time.


Application Security Testing

Application security testing is similar in concept to penetration testing, but operates at a higher level in the communications protocol stack. Essentially, it looks to exploit vulnerabilities in source code or those created by unpatched or outdated releases of software. Ideally, security testing should begin at the outset of the development cycle, although such initiatives are surprisingly rare.

Application security testing is best carried out through a mixture of automated scanning tools combined with handcrafted tests and inspection of source code. It is progressively becoming the norm for Internet-facing systems, but it is a long way from becoming a business-as-usual process for system developers who are often under increasing pressure to meet stretch targets for systems implementation.

4.5 Specific APT Countermeasures

The following security measures have proven to be successful in helping to prevent or detect APT attacks and are recommended as worthy of consideration by all enterprises facing an identified APT threat.

Deep Packet Inspection

Deep packet inspection (DPI) is a security technology that inspects the data content of an incoming or outgoing communication against predefined criteria, searching for malicious software, attempted intrusions or undesirable content. DPI appliances can report, redirect or block network communications. Many are capable of analyzing accumulated flows of network packets rather than just conducting a packet-by-packet inspection. DPI can be used to assess network traffic against blacklists of known threats or against whitelists of permitted protocols and content.

Firewalls alone cannot achieve this because generally they are able to examine only the header of transmitted packets of data. Many DPI devices combine the functionality of an intrusion detection and prevention system with a traditional firewall. They can be deployed in a nonintrusive way, conducting a read-only inspection of network traffic, correlating events of security interest and reporting anomalies according to preprogrammed rules.

Because many malicious files are compressed or encrypted to avoid detection, it is important to employ technology that has the capability to decode such communications.

Communications Pattern Matching

A weakness in many APT attacks is the use of identifiable signatures in communications. For example, a simple analysis of URL paths within network traffic can often detect planted malware sending beaconing messages to a remote command and control server.


Although APT attacks employ a variety of different remote servers, they generally communicate using consistent protocols, destination addresses and headers, which can be readily detected via a simple scan once the malware has been professionally analyzed and the communication methods have been identified. The remote access Trojan used in the GhostNet attacks, for example, produced identifiable network traffic starting with a “Gh0st” header.

Malware often employs bogus IP addresses (referred to as “bogons” or “martians”) that can be identified by comparison against lists published by the Internet Assigned Numbers Authority (IANA).

A further detection aid is the fact that malware will not be aware of local proxies used to access external sites. Any attempt to access web sites without using the correct proxy is a potential indicator of the presence of APT malware. Such traffic could be directed to a “black hole” router employed as a collection point for rejected network traffic.

Malware is designed to resist analysis by employing a wide range of techniques to prevent debugging, disassembly and reverse-engineering. These measures are rarely employed by genuine software, so a simple scan for indications of such measures can be used to detect APT attacks with a relatively high success rate.

Many remote access Trojans used in APT attacks use HTTP or HTTPS ports for remote communication because these ports are generally open on most firewalls. Monitoring for non-HTTP traffic on these ports, especially remote requests using application programming interface (API) calls, can also help identify a potential APT attack, although filtering on such general criteria is likely to create alerts for a large amount of genuine enterprise traffic.

Many communications with remote command and control servers include fixed-length, “keep-alive” requests at specified intervals, which can be detected by monitoring for repeat requests at fixed intervals, although this type of analysis is likely to throw up a large number of spurious false positive matches.

A comparison of incoming SSL digital certificates against suspicious or known malicious certificates can also be effective in identifying APT attacks. Comparing the digital certificate against ones known to have been used in previous attacks is a good starting point because these are often reused in future attacks against new victims. Other SSL certificates can be flagged as suspicious, thus warranting a further investigation, if they appear to use default settings and random or empty values in certificate fields.


Analysis of outgoing traffic to identify unauthorized exfiltration of enterprise data is a helpful, although time-consuming, activity. Obvious communications to look for are those that contain large, compressed, encrypted archives such as .RAR files, although some APT attacks have employed small data transfers to avoid detection.

The key to successful detection of APT attacks through network monitoring is to adopt a strategy of “prudent overreporting,” recognizing there will be many false positive alerts and inconclusive investigations before a genuine attack is detected. Patience, vigilance and a willingness to invest resources in intelligence-led monitoring are the keys to effective APT detection, supported by efficient technology and trained administrators.
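As an added illustration of the network-monitoring heuristics described in this section (example code, not from the ISACA text or any product), the following Python runs four of them over constructed flow records: web-port connections that bypass the corporate proxy, payloads starting with the “Gh0st” marker, destinations in bogon address space, and repeat connections at a near-fixed interval. The proxy address, internal range, bogon prefixes and every flow record are assumptions constructed for the example, in keeping with the “prudent overreporting” stance: each finding is a lead for an analyst, not a verdict.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumed environment facts, constructed for this example.
APPROVED_PROXY = "10.0.0.8"                       # the only sanctioned path to the web
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
WEB_PORTS = {80, 443}
# Illustrative subset of address space that is never a legitimate live destination;
# a real deployment loads the current IANA/bogon list instead of hard-coding it.
BOGON_NETS = [ipaddress.ip_network("0.0.0.0/8"), ipaddress.ip_network("240.0.0.0/4")]
# "Gh0st" is the marker named in the text; further entries would come from malware analysis.
KNOWN_RAT_HEADERS = (b"Gh0st",)

# Constructed flow records: (seconds, src, dst, dst_port, first payload bytes).
SAMPLE_FLOWS = [
    (0,   "10.0.1.5",  "10.0.0.8",     8080, b"GET / HTTP/1.1"),       # normal, via proxy
    (7,   "10.0.1.5",  "10.0.0.8",     8080, b"GET /news HTTP/1.1"),
    (41,  "10.0.1.5",  "10.0.0.8",     8080, b"GET /mail HTTP/1.1"),
    (10,  "10.0.1.9",  "198.51.100.7", 443,  b"Gh0st\x00\x00\x00"),    # direct, every 60 s
    (70,  "10.0.1.9",  "198.51.100.7", 443,  b"Gh0st\x00\x00\x00"),
    (130, "10.0.1.9",  "198.51.100.7", 443,  b"Gh0st\x00\x00\x00"),
    (190, "10.0.1.9",  "198.51.100.7", 443,  b"Gh0st\x00\x00\x00"),
    (55,  "10.0.1.12", "240.1.2.3",    80,   b"POST /upd HTTP/1.1"),   # bogon destination
]


def is_proxy_bypass(flow):
    """Internal host reaching an external web port directly: it did not use the proxy."""
    _, src, dst, port, _ = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (src_ip in INTERNAL_NET and dst_ip not in INTERNAL_NET
            and dst != APPROVED_PROXY and port in WEB_PORTS)


def has_known_rat_header(flow):
    """Payload begins with a header already attributed to a known remote access Trojan."""
    return flow[4].startswith(KNOWN_RAT_HEADERS)


def is_bogon_destination(flow):
    """Destination lies in address space that should never be routed on the Internet."""
    dst_ip = ipaddress.ip_address(flow[2])
    return any(dst_ip in net for net in BOGON_NETS)


def find_beacons(flows, min_events=4, max_jitter=0.10):
    """Return (src, dst, port, interval) for sessions that recur at a near-fixed interval.

    Gaps whose standard deviation is within max_jitter of the mean gap count as a
    keep-alive pattern. Some genuine traffic (monitoring agents, mail polling) repeats
    this regularly too, which is why the text warns of spurious matches.
    """
    by_session = defaultdict(list)
    for t, src, dst, port, _ in flows:
        by_session[(src, dst, port)].append(t)
    beacons = []
    for (src, dst, port), times in by_session.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons.append((src, dst, port, avg))
    return beacons


def analyze(flows):
    """Run every heuristic and return de-duplicated (rule, src, dst) findings."""
    findings = set()
    for flow in flows:
        if is_proxy_bypass(flow):
            findings.add(("proxy-bypass", flow[1], flow[2]))
        if has_known_rat_header(flow):
            findings.add(("known-rat-header", flow[1], flow[2]))
        if is_bogon_destination(flow):
            findings.add(("bogon-destination", flow[1], flow[2]))
    for src, dst, _port, _interval in find_beacons(flows):
        findings.add(("fixed-interval-beacon", src, dst))
    return sorted(findings)


if __name__ == "__main__":
    for rule, src, dst in analyze(SAMPLE_FLOWS):
        print(f"{rule:24} {src:>10} -> {dst}")
```

The single host 10.0.1.9 trips three independent rules, which is the corroboration an analyst would look for before escalating; the browsing host 10.0.1.5 trips none.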

File Integrity Monitoring

File integrity monitoring (FIM) is a security technology that monitors and confirms the integrity of key files used by operating systems or information systems. It operates by calculating a cryptographic checksum on each file and regularly recalculating it to detect any unauthorized changes that might have occurred, which may indicate an infection by an APT attack. The concept for this technology was first created by Tripwire, an open source product developed in the early 1990s that is now a commercial security technology.

Monitoring the integrity of databases is especially important for ensuring their fitness for business use. Attacks that aim to change the integrity of enterprise information systems can represent the highest risk to information systems and cause unrecoverable damage to business processes.

Security Configuration Management

File integrity monitoring may be considered a subset of a broader subject area aiming to ensure security configuration management. Maintaining the integrity of information systems perhaps represents the ultimate goal to ensure that business processes are unaffected by any attempts to subvert their content.

Ideally, all servers, databases and client devices, as well as backup and fallback systems, should be continuously monitored to identify unauthorized changes. Security configuration management is a broader, end-to-end process that aims to assure the integrity of platform security configurations and the information systems they support.

Security technologies are emerging that can continuously scan enterprise platforms, analyzing changes to thousands of attributes and reporting any changes that appear to indicate the presence of an APT attack. Such technologies are likely to generate a number of false positive reports, but they will substantially increase the likelihood of detecting and responding to an intrusion in real time.


The requirement for this technology is expected to grow in importance over time as APT threats become more damaging to everyday business processes.

Security Information and Event Management

Security information and event management (SIEM) technology enables analysis and management of security alerts generated by application systems, platforms and network devices. This technology provides a range of functions, including monitoring and correlation of events as well as notification of security alerts. Its main function, however, is to serve as a central point for the collection, storage and analysis of events of security interest across an enterprise infrastructure. SIEM systems provide a powerful capability for viewing system activities and events, but they demand a team of trained security resources to analyze and respond to reported information. Such technology provides an excellent basis for a secure operations center (SOC).

In addition to SIEMs, there is a growing family of open source tools emerging from the community emergency response team area to help analyze and respond to potential indicators of an APT attack. The AbuseHelper platform, for example, helps to track, deduplicate and automate the response to an attack. The Collective Intelligence Framework is a cyberthreat intelligence management system, allowing computer security incident response teams (CSIRT) to combine and warehouse malicious threat information from many sources and use it to identify, detect and mitigate potential attacks.

4.6 Best Available Security Practices

The final category of technologies and technical processes comprises those that represent the best available security practices, yet they are rarely seen, generally because they are difficult to sell to business application owners or because they are longer-term investments demanding strict control over development plans and technical architecture.

Trusted Computing

Trusted Computing (TC) is a technology based on a set of open standards developed by the Trusted Computing Group, an alliance of leading vendors including HP, IBM, Microsoft and Intel. The technology exploits a secure reference monitor embedded in a tamperproof chip called a trusted platform module (TPM), which is preinstalled in virtually all professional laptops and servers.

The TPM serves as a secure “root of trust” for strong authentication and encryption key storage. This provides a tamperproof authentication mechanism for identifying remote client devices signing on to networks and systems. The TPM can also store keys and measurements to verify the integrity of firmware and software whenever a platform is initially switched on.


In effect, this enables only known devices running known applications to be connected to enterprises, substantially reducing the risk from unauthorized access or malware. TC also enables secure signing of device configuration reports for asset management and health checks. It can also be used to verify the integrity of the firmware and software when a platform is switched on, eliminating the threat of deep-rooted, boot-sector Trojans and providing protection against evil maid attacks that aim to insert a Trojan code into the boot loader on laptops to capture passwords entered when users power up their machines.

Forensic Inspections

Periodic forensic inspections of machines that are likely to be targeted by an APT attack are an effective means of identifying APT attacks or providing assurance that platforms containing sensitive or critical data have not been compromised.

Many APT attacks do not leave any obvious traces on computer hard drives. They aim to reside only in memory or hide themselves using a rootkit. Finding them requires forensic analysis skills, up-to-date knowledge of current APT attack methods and appropriate technology to conduct independent forensic inspections of physical memory.

Forensic memory tools are able to extract dumps of live memory independently from the operating system and reconstruct information about the processes running in the machine. This provides a reliable picture of the runtime state of the system, console input and output buffers, and command histories. Searches for known malware signatures can be carried out. Such inspections can be a time- and labor-intensive countermeasure, so they should be employed selectively for high-value clients and servers.

Open source tools to support forensic memory analysis are available as are proprietary products, some of which are able to automatically classify and rank the potential threat severity of software modules residing in memory.

Application Whitelisting

Application whitelisting is a long-standing idea, but one that is rarely seen in practice because of the difficulty in implementing the approach and the ongoing overhead of maintaining the lists of permitted applications.

The concept is simple. Instead of aiming to block blacklisted malware, application whitelisting permits only approved files to be executed. This can be achieved by creating an integrity check, such as a secure hash code or digital signature, for each approved application. Only software that matches a known code is allowed to execute. An environment that maintains strict control over the applications that can run is sometimes referred to as a “walled garden.”


The main challenge in adopting such an approach is users’ resistance to losing the capability to load and run software of their choice without restriction. Whitelisting requires every software entity to be identified, authorized and registered in advance. The concept is a sound one from a security point of view and technically feasible to implement. It should certainly be considered for high-security environments.
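File integrity monitoring (described earlier in this chapter) and application whitelisting rest on the same primitive, comparing a file's cryptographic digest against a trusted set. The added Python below (example code, not Tripwire's or the ISACA text's) builds a baseline of SHA-256 digests, reports modified, added and removed files on a rescan, and refuses execution of any file whose digest is not on the allowlist; the directory contents and the simulated intrusion are constructed in a temporary directory for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """FIM baseline: map every file under root (POSIX relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(baseline, current):
    """Classify drift between two scans into modified, added and removed paths.

    Any entry here is an unauthorized change unless a change-management record
    explains it; that reconciliation is what turns FIM into configuration management.
    """
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def is_execution_allowed(path, allowlist):
    """Whitelisting rule: run only code whose digest matches an approved entry."""
    return sha256_file(path) in allowlist


def demo():
    """Constructed scenario: take a baseline, simulate an intrusion, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "approved.exe").write_bytes(b"approved program image")
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        allowlist = {baseline["bin/approved.exe"]}   # approved digests, taken at build time

        # Simulated intrusion: a configuration file is altered and an unknown binary dropped.
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n198.51.100.7 update.example\n")
        (root / "bin" / "dropped.exe").write_bytes(b"unknown program image")

        drift = compare_baseline(baseline, build_baseline(root))
        verdicts = {name: is_execution_allowed(root / "bin" / name, allowlist)
                    for name in ("approved.exe", "dropped.exe")}
        return drift, verdicts


if __name__ == "__main__":
    drift, verdicts = demo()
    print("integrity drift:", drift)
    print("execution allowed:", verdicts)
```

In production the baseline itself must be stored where the monitored host cannot alter it, or an intruder who can change a file can also change its recorded digest.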

Honeypots

A honeypot is a trap designed to attract intruders. An example is an additional server containing information that might seem highly valuable to an attacker, but which, in fact, is artificial and worthless. Honeypots can help to detect, monitor and collect evidence of an APT attack. A honeypot can also serve as a useful distraction to increase the attacker’s workload and deflect his/her attention from more valuable potential targets.

Honeypots vary considerably in sophistication and effectiveness, ranging from a simple, passive store of information designed to serve as a simple, crude indicator of an attack, to a fully interactive production system that is continuously updated and monitored in order to enable an attack to be closely monitored for as long as possible. Clearly, the greater the levels of time and resources invested in building and maintaining a honeypot, the longer an attacker will be distracted and the greater the intelligence and evidence that can be collected.

Security Development Lifecycle

Microsoft’s Security Development Lifecycle (SDL) is a software development process that helps developers to build more secure software. It is not a technology, although it does require a sound technical appreciation to implement. Applied correctly, it will help reduce overall development and maintenance costs by identifying security problems at a much earlier stage when they are cheaper and easier to correct.

The SDL is a holistic assurance process that embeds security and privacy considerations throughout all phases of the development process, based on three core concepts: education, continuous process improvement and accountability.

4.7 Learning Points

This chapter of the book reviewed a range of security technologies and technical processes that can be employed to assist with the prevention and detection of APT attacks. Here is a brief summary of the learning points to note:

• Basic security measures, such as antivirus systems, intrusion detection, firewalls, penetration tests and strong authentication, are essential building blocks, but they are insufficient to prevent or detect a sophisticated attack.


• Signature-based malware scanning systems cannot detect new forms of malware. On the other hand, behavior-based systems are likely to generate false positive reports. Over time, however, heuristic methods are likely to improve, while signature-based systems will struggle to keep pace with new virus patterns.

• More advanced security measures, such as intrusion prevention systems, data leak prevention, vulnerability scanning, sandbox simulation, database activity monitoring and application security testing are needed to mitigate the APT threat effectively.

• Specific countermeasures for preventing or detecting an APT include deep packet inspection, communications pattern matching, file integrity monitoring, security configuration management, and security information and event management. These technologies should be considered by any enterprise facing an identified APT threat.

• Best available security practices, such as Trusted Computing, forensic inspections, application whitelisting, honeypots and implementation of the SDL are rarely seen because they are expensive, long-term and often disruptive initiatives. They are strongly recommended, however, for organizations that have experienced a major breach and are determined to avoid another.


5. Managing an APT Incident

5.1 Overview

This chapter provides comprehensive advice on the principles, processes, tools and resources required to mount an effective response to an APT attack. It begins with an overview of the preparatory work required as well as the various stages encountered in managing a major incident. The chapter includes advice on how to build a computer security incident response team (CSIRT) and a security operations center (SOC) as well as how to manage a major incident, conduct a forensic analysis and investigate the likely business impact.

There is also guidance on how to learn from incidents by conducting a root cause analysis in order to identify any additional controls needed to prevent, detect and mitigate future attacks. It includes advice on how to prepare a post mortem report for senior management, and concludes with a list of general learning points.

5.2 Creating a CSIRT
Experience over more than two decades has shown that managing sophisticated technical attacks demands specialist skills and support tools. Managing an APT incident demands a specialist team of IT and security professionals, generally referred to as a CSIRT or computer emergency response team (CERT).

The concept of a dedicated CSIRT arose immediately following the outbreak of the Internet worm created in 1988 by Cornell University (New York, USA) student Robert Morris. The Morris worm was the first major malware infection of the Internet and it required a large-scale, coordinated response to contain and repair the damage.

The incident prompted the Defense Advanced Research Projects Agency (DARPA) to establish the CERT Coordination Center (CERT/CC) at Carnegie Mellon University in Pittsburgh, Pennsylvania, USA. The original center is still in operation and has since been joined by a worldwide network of individual CERTs in universities, government agencies and companies. CERT is a registered trademark and can be used only by authorized members of this community, so enterprises building new response teams are advised to adopt the term CSIRT.

Role of the CSIRT
A CSIRT is a central or virtual team established within an organization to respond to computer security incidents. The starting point for building an effective APT incident management capability is to understand the principal activities of such a team.


Most large or medium-sized organizations are likely to already have a professional IT incident management team as well as a portfolio of emergency response procedures, business continuity plans and crisis management teams. The CSIRT should not aim to duplicate, reinvent or compete with these structures, but rather to augment and support them by bringing specialist skills, knowledge and capabilities to the table.

In particular, a CSIRT should aim to deliver the following key capabilities and services:
• Computer security incident analysis
• Intelligence assessments
• Incident resolution (where appropriate)
• Specialist security investigations
• Forensic evidence collection
• Coordination of findings and responses with external stakeholders, such as government agencies, law enforcement and other CSIRTs
• Proactive advice, such as alerts, warnings, vulnerability assessments, specialist training and awareness building

There is no fixed template for a CSIRT. It can be formed from a selected subset of a central security function or a virtual network of security focal points embedded in business units or overseas locations.

Larger organizations should also consider establishing a dedicated SOC to help detect incidents and provide the specialist response required.

5.3 Creating a Security Operations Center
A security operations center (SOC) is a centrally located facility designed to monitor the security of an enterprise’s IT infrastructure and information systems. Typically, it takes in data feeds and audit information from firewalls, intrusion detection systems, servers and information systems for immediate analysis in real time. Ideally, a SOC is staffed 24 hours a day, seven days a week. It is an expensive, but necessary, facility for organizations that can justify the investment.

Among other resources, a SOC requires a team of highly trained staff and a dedicated environment equipped with state-of-the-art monitoring software. Its implementation involves establishing numerous interfaces with enterprise platforms, devices and information systems. This is not a trivial exercise, although there are commercial, shared services available as an alternative to building a dedicated enterprise center.

The benefits of a SOC are substantial when aiming to detect, monitor and respond to APT attacks because the key to effective incident response is possessing visibility of security events and appreciating their context.


Use of an externally provided managed security service might be a practical alternative for many small or medium-sized enterprises, although this is a relatively new type of service and it remains to be seen how successfully a service provider can understand a customer’s risk profile, security policies and normal behavior patterns, and then interpret cyberevents within that context.

It is a truth universally acknowledged that if the activity in a network cannot be seen, it is essentially out of its owner’s or manager’s control. However, the number of observable events within a modern infrastructure is enormous—more than sufficient to generate frequent false alarms (false positives) that might be triggered by events that are out of the ordinary, but are neither sinister nor illegal.

Managing false positives is a major challenge for SOCs. Understanding the context of a reported event is vital because it helps determine its true significance and legality. Achieving this recognition is not trivial because it demands a fusion of events data with other supporting, contextual information to provide a historical or environmental context to the actions in question.

At the very minimum, the SOC requires a secure, dedicated environment. Beyond that, there is a range of highly desirable tools, ranging from simple office technology to sophisticated data mining, fusion and visualization technology to enable speedy analysis of incoming data feeds and rapid identification of anomalies that might indicate the presence of an APT attack.

The SOC should serve as an early warning system to highlight the need for higher states of alert as well as the need for immediate action to mitigate identified exposures that might enable an APT attack to succeed. Determining the level of alert requires up-to-date threat intelligence, risk profiling and incident data.

Ideally, the information required to identify, assess and respond to an APT attack should encompass feeds from network perimeter devices, such as firewalls and intrusion detection systems, as well as audit logs from front-end user access control platforms and back-end information systems.

The true goal of every SOC should be to continuously expand the visible horizon of threats, exposures and event data, drawing in any useful sources of available information that could help shed light on the context of detected and reported security incidents. Fusing data from other sources with event data can provide a greater understanding of context. Risk profiling, for example, enables vulnerability data to be filtered according to its relevance and the perceived level of risk and security policy associated with an information system or platform.


The scope for data fusion is limited only by our imagination. To enhance our interpretation of the significance of reported events, we can take account of information such as the time of day, source location, previous behavior patterns, current threat levels, or even less obvious factors such as the weather, staff holiday arrangements, and significant dates or anniversaries.

The technology to achieve all of this is available, although its potential for creative exploitation has not yet been fully leveraged.

Not all significant events can be spotted by technology alone. People are needed to monitor information feeds for indications of exposures or attacks. However, it is essential to present data to administrators in a way that allows anomalies to be quickly spotted across multiple fast-moving streams of information.

The most effective approach lies in the smart use of data visualization technology, which can significantly scale up a person’s capacity for absorbing incoming information. Reading textual information is a slow, serial process, which serves as a barrier to rapid absorption. In contrast, multiple graphical images can be quickly analyzed in parallel, enabling operators to see relationships between otherwise disparate events.
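The kind of context fusion described above, as an added example that is not code from the ISACA text: constructed logon events are scored against per-user context a SOC would hold from HR and identity systems, so that an unusual-but-explainable event (an off-hours logon from the user's usual country) scores low while an event that breaks several expectations at once is escalated. The event format, user names, working hours, country lists, leave dates and the weights are all assumptions made for the demonstration.

```python
"""Context-enriched alert scoring for a SOC (added example, not from the ISACA text).

Constructed authentication events are fused with per-user context (normal working
hours, usual source countries, leave calendar) so that an unusual-but-explainable
event scores low while a genuinely anomalous one is escalated. All names, hours,
countries and weights are assumptions for the demonstration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events: "<timestamp> <user> <outcome> <source country>"
SAMPLE_EVENTS = [
    "2013-06-10T09:05:00 alice success GB",
    "2013-06-10T02:40:00 alice success GB",  # off-hours, but usual country
    "2013-06-11T10:15:00 bob success RU",    # normal hours, unusual country
    "2013-06-12T03:20:00 carol success CN",  # on leave, off-hours, unusual country
    "2013-06-12T11:00:00 bob failure RU",
    "2013-06-12T11:00:30 bob failure RU",
    "2013-06-12T11:01:00 bob success RU",    # success straight after repeated failures
]

# Constructed context a SOC would draw from HR and identity systems (assumed values)
USER_CONTEXT = {
    "alice": {"hours": (8, 18), "countries": {"GB"}, "on_leave": set()},
    "bob": {"hours": (9, 17), "countries": {"GB", "FR"}, "on_leave": set()},
    "carol": {"hours": (9, 17), "countries": {"GB"}, "on_leave": {"2013-06-12"}},
}


@dataclass
class Event:
    ts: datetime
    user: str
    outcome: str
    country: str


def parse_event(line: str) -> Event:
    ts, user, outcome, country = line.split()
    return Event(datetime.fromisoformat(ts), user, outcome, country)


def score_event(ev: Event, ctx: dict, recent_failures: int) -> tuple[int, list[str]]:
    """Score one event against the user's context; higher means more anomalous."""
    score, reasons = 0, []
    start, end = ctx["hours"]
    if not start <= ev.ts.hour < end:
        score += 1
        reasons.append("outside normal working hours")
    if ev.country not in ctx["countries"]:
        score += 2
        reasons.append(f"unusual source country {ev.country}")
    if ev.ts.strftime("%Y-%m-%d") in ctx["on_leave"]:
        score += 3
        reasons.append("user recorded as on leave")
    if ev.outcome == "success" and recent_failures >= 2:
        score += 2
        reasons.append(f"success after {recent_failures} consecutive failures")
    return score, reasons


def triage(lines: list[str], context: dict, threshold: int = 3) -> list[dict]:
    """Score every event, keep those at or above the threshold, most anomalous first."""
    failures = defaultdict(int)  # consecutive failed logons per user, reset on success
    escalated = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev, context[ev.user], failures[ev.user])
        if ev.outcome == "failure":
            failures[ev.user] += 1
        else:
            failures[ev.user] = 0
        if score >= threshold:
            escalated.append({"user": ev.user, "time": ev.ts.isoformat(),
                              "score": score, "reasons": reasons})
    return sorted(escalated, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, USER_CONTEXT):
        print(alert)
```

With the sample data, Alice's 02:40 logon scores 1 and is never shown to an analyst, Bob's logon from an unusual country scores 2 on its own but 4 once it follows two failures, and Carol's logon while on leave scores 6. The weights and threshold are the tuning knobs; the point is that the same raw event type produces very different priorities once context is attached.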

5.4 Interfacing the CSIRT With Other Crisis Teams

Multiple Team Structures
Many crises begin as small events and progressively escalate into major incidents. The response process needs to be escalated to match the severity of the incident. In particular, it is necessary to enhance the seniority and capability of the response team. Managing an incident of growing severity requires a hierarchy of crisis teams as well as a well-defined escalation process. No two organizations or crises are the same and there are numerous ways to structure, link and populate the response teams within the enterprise.

Key factors to take into account when designing an efficient and effective crisis team structure are the size of the enterprise and the structure and geography of its business units and IT service functions. A further important consideration is the nature of the supply chain, such as the degree of outsourcing and the crisis arrangements of external service providers.

Figure 11 illustrates a generic crisis team structure for a typical medium-sized or large enterprise. It is an oversimplification because many organizations also have geographic regions, decentralized support functions, multiple supply chains and matrix reporting structures. In addition, there is likely to be more than one level of crisis team, reflecting the need for coordinated, but devolved strategic, tactical and operational responses.


In addition, there may be response teams with specific functions and compositions, such as:
• Local emergency response teams for managing fires or other major hazards. Such teams may need to be brought into play if a SCADA system is at risk.
• Devolved business continuity teams for invoking contingency arrangements and managing relationships with key clients and suppliers in the event of a major loss of a business service or facility. Such teams may be helpful in assessing business damage and determining priorities for recovery.
• Dedicated support teams, e.g., for human resources issues (health and safety), media relations and other specialist activities

A further complexity is that the nature of the crisis response becomes increasingly sophisticated with the severity of the impact:
• Minor incidents can often be dealt with through local action. The impact is generally limited and the required action routine. Such responses can usually be defined and scripted in advance.
• Major incidents present a more complex set of problems, often resulting in an impact on the more abstract, intellectual assets of the organization, such as competitive edge, trade secrets, customer satisfaction, legal standing and corporate reputation.

Major incidents demand a response that is flexible, creative and empowered. They also need to be supported by expert business, IT, legal, media and security advisors. The CSIRT is an essential component of such a response. A major crisis requires different treatment from an everyday incident. As the potential business impact of an incident increases, so will the scale and scope of the response required, demanding the involvement of a broader set of managers and specialist support staff across the enterprise.

Figure 11: Typical Crisis Management Structure
[Figure: organization chart of crisis teams. Boxes shown: Enterprise Crisis Team, IT Crisis Team, Business Crisis Teams, Crisis Support Unit, Suppliers’ Crisis Teams, E-business Crisis Team and CSIRT.]


Incidents can also be quite different in the pace of their development. For example, denial-of-service attacks are fast-moving and interactive, demanding instant decisions and immediate reporting of events. In contrast, a deep-rooted espionage attack might develop at a much slower pace, requiring a deeper level of analysis and a longer-term perspective.

How Many Teams?
A good question to ask is “How many teams does the enterprise need to manage a crisis?” The answer is not obvious. A single team is insufficient to deliver all of the skills to address all of the problems thrown up by a major enterprise crisis. A hundred teams are far too many to coordinate. On one hand, it is good to see every part of the organization involved, but on the other, it is important to achieve a clear focus for decisions, actions and communications.

Large organizations generally aim to manage these contrasting demands by establishing a strict hierarchy of response teams, commonly termed gold, silver or bronze teams, to address the different levels of strategic, tactical and operational responses. As the crisis grows, local or junior teams will be supplanted by senior teams with broader responsibility. The role of the CSIRT, however, should remain unchanged: It is a specialist support team with an enterprise perspective and global reach. It can potentially draw on advice and support from CSIRT teams operating in similar industries or in national or international roles. The CSIRT should be ready to connect at every level and to adapt to the changing reporting lines as the situation evolves.

The Value of Preparation and Exercises
Speedy, but smart, decision making is essential when responding to a fast-moving cyberattack. Unfortunately, it is far too easy to jump to the wrong conclusions when under pressure to determine actions. The key to ensuring that quality decisions are taken, even in haste, is through regular rehearsal and drills, and by maximizing the scope for predetermined responses to known stimuli.

Crisis management gets easier with practice. As US President Richard M. Nixon once put it: “The ability to be cool, confident, and decisive in crisis is not an inherited characteristic, but is the direct result of how well the individual has prepared himself for the battle.”31

Regular crisis exercises are an excellent means of preparing the response team for real incidents and helping to identify useful support tools, equipment and data that can improve or speed up decision making when dealing with a real incident.

31 Leonard Roy Frank, Quotationary, Random House, USA, 1998, p. 641


The more analysis that is required when dealing with events, the slower the deployment of the correct response. In a fast-moving crisis, it is a major challenge to take account of several alternative options, think through their likely consequences and then select the most appropriate course of action. The alternative to this is considering common scenarios in advance and developing well-considered, predefined actions.

A good analogy to help understand the value of predetermined responses is to consider the way a driver responds when seeing a red brake light appear on the car in front. The instinctive reaction, without logical thinking, is to hit the brakes immediately. It is an automatic, life-saving decision.

There is a limit to the scope for developing prepared responses in advance. In practice, a good deal of creative improvisation is needed when responding to a threat. Regardless of the uniqueness of the situation, however, there is much that can be determined or prepared in advance to achieve quicker and better decision making. It helps to have essential facts and figures at hand, pre-agreed examples of text for press releases, and pre-approved authorization for any likely responses that are considered beyond the remit or budget of the security function.

A CSIRT requires a high degree of delegated authority in order to operate decisively in the face of a serious attack. The team might need to take immediate decisions with significant risk for the enterprise, such as taking a production server offline, closing down a local network, intercepting internal communications or perhaps even engaging an attacker. Ideally, such scenarios should be identified and discussed, and permission or authorization processes agreed in advance with senior management.

5.5 Stages in Major Incident Management
No two organizations or crises are the same. There are numerous variations in response team organization, incident-handling procedures and crisis management strategies as well as major differences in incidents and attacks. Some are fast-moving and dynamic; others progressively unfold and evolve. All incidents, however, follow a general path from initial detection to eventual closure, and all require the application of a blend of skills, processes and tools. Figure 12 illustrates the various stages in managing a major APT incident. Each stage is described in turn in the subsequent paragraphs.


5.6 Incident Identification
According to research published by Verizon, approximately 70 percent of breaches reviewed for the research were discovered by an external party.32 These organizations were not aware that their security had been breached until the third party alerted them to the problem.

This situation can be substantially improved with good network and platform monitoring processes, and educational initiatives to encourage staff to report suspicious email or external contacts. It also requires central reporting points to collect, analyze and respond to reports of suspected intrusions or social engineering exercises.

5.7 Damage Assessment
Determining the level of damage is essential for deciding the nature and degree of response required. Key steps in this process are:
• Establish the nature of the incident. Is it a piece of malware designed to steal data or a worm intended to cause damage?
• Identify the extent of the compromise. Is it one machine, one network or enterprisewide?
• If possible, try to determine how long the infection has been present because this might influence the recovery strategy (e.g., backup copies might also be corrupted).
• Estimate the skills and level of resources required to contain and repair the damage.
• Prepare a brief report for the CSIRT team.

Figure 12: Stages in Major Incident Planning and Management
[Figure: eight stages shown: Incident Identification (incident detection and reporting); Damage Assessment (initial assessment and containment); Crisis Management (management of the response); Containment (analysis and containment of damage); Recovery (eradication of malware and back doors); Investigation (investigation of attacker, motives and impact); Lessons Learned (root cause analysis of contributing factors); Post Mortem Report (presenting findings to management).]

32 Verizon, “2013 Data Breach Investigations Report,” USA, 2013, www.verizonenterprise.com/DBIR/2013

Incidents can vary greatly in their nature as well as their severity. The terminology also changes with the seriousness of the incident. Many people would regard a disaster as a hugely damaging event, but an incident as something relatively minor. Recognizing these subtle differences in terminology has major implications for determining the level of response to reported events.

There are no set definitions for these terms, primarily because their impacts are subjective, but there is a clear hierarchy of words that convey levels of potential damage, starting with an event (clearly something significant or unusual) and escalating through an incident, an emergency, a disaster and, ultimately, a crisis:
• An emergency generally suggests a serious local incident, requiring management attention.
• A disaster suggests a much larger level of impact or damage, something equivalent to a burning building or a flood. Declaring a disaster often invokes fallback plans.
• A crisis is more serious and implies that a major incident is spiraling out of control and growing in severity. If a company crisis team decides to meet, it is a very serious situation.

Levels of seriousness or business impact cannot be easily defined in advance. They can be decided only at the time of the incident. An incident becomes a crisis only when the response team decides it is.

5.8 Crisis Management
Formal plans can be developed for many types of minor incident, but when a serious APT strikes it is more important to have a well-rehearsed CSIRT team in which each member understands his/her role and is equipped with the necessary tools and resources to assess and contain the damage. Good crisis management skills are rare, however. They demand more than an enthusiastic and determined response to the challenges. A crisis can be averted only by a thoughtful application of analysis, problem solving, supervision and communications skills. Crisis management includes providing responses to the media, stakeholders, the public, regulators and, in some cases, government agencies. The enterprise should include in the plans the necessary steps to engage with the public and maintain a good reputation during and after the crisis.

Crisis management is a hard task. It demands confidence, strategic thinking and continuous challenge. This is difficult to achieve in a fast-moving, stressful environment when it is hard to think clearly and team members might feel unqualified, anxious or tired. The most important skill to call on is the ability to harness the resources of the enterprise behind the crisis team. Exploiting that potential requires a level of vision and imagination that is not generally found in a high-pressure crisis environment.

The power of effective crisis management is indisputable. Research has shown that companies that perform well in a crisis can boost their market value. There are good reasons for this. A crisis generates publicity that can be for better or worse. The enterprise that performs well in a crisis impresses customers and stakeholders alike. The RSA crisis response is a good example of that. Enterprises that perform badly will see shareholder value sink. Also, the climate created by a crisis can enable managers to drive through difficult changes to resolve long-standing weaknesses. This presents an opportunity for the security function to achieve the security enhancements needed to prevent and respond better to future APT attacks.

5.9 Containment
Containment of the damage should proceed in parallel with, but under the direction of, the overall crisis management effort. It is unlikely to be a fast process. Research by Verizon indicates that 60 percent of breaches take a week or more to contain; fewer than one in 10 is contained within a day.33 Key steps to take are:
• Identify the systems that have been compromised and the files that have been accessed.
• Isolate the infected systems as far as possible.
• Determine how the infection appears to be spreading and close down potential channels of further attack or infection.
• Preserve the integrity of all evidence gathered.
• Review firewall and IDS logs for indications of intrusion.
• Examine systems for unauthorized processes or applications. Search affected machines thoroughly for planted malware.
• Search for signs of compromised data on other machines.

Against an APT, the timing of isolation matters as much as the isolation itself. Cutting off one foothold while others remain can alert the attacker, who may then move to systems not yet discovered, switch tools or destroy evidence. Where possible, containment actions should be planned so that all known footholds, command-and-control channels and compromised credentials are dealt with together.
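As an added example of the “review firewall and IDS logs” and “determine how the infection is spreading” steps, not code from the ISACA text: constructed firewall records are checked for outbound connections that recur at a near-constant interval, the pattern typically left by malware checking in with a command-and-control server, and the internal hosts those machines went on to contact are added to the containment scope as suspects. The log format, the addresses, the jitter threshold and the assumption that 10.0.0.0/8 is the internal range are all made up for the demonstration.

```python
"""Beacon and lateral-spread detection over firewall logs (added example, not from the ISACA text).

Outbound flows that recur at a near-constant interval are a common sign of malware
checking in with its command-and-control server. Hosts showing that pattern, plus
the internal hosts they connected to afterwards, give the initial containment
scope. The log format, addresses and the 10.0.0.0/8 internal range are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed sample log: "<timestamp> <action> <src> -> <dst>:<port>"
SAMPLE_FIREWALL_LOG = """\
2013-06-12T10:00:00 ALLOW 10.1.1.20 -> 203.0.113.7:443
2013-06-12T10:01:12 ALLOW 10.1.1.20 -> 198.51.100.10:80
2013-06-12T10:05:00 ALLOW 10.1.1.20 -> 203.0.113.7:443
2013-06-12T10:07:45 ALLOW 10.1.1.20 -> 10.1.1.35:445
2013-06-12T10:10:00 ALLOW 10.1.1.20 -> 203.0.113.7:443
2013-06-12T10:12:03 ALLOW 10.1.1.35 -> 203.0.113.7:443
2013-06-12T10:15:00 ALLOW 10.1.1.20 -> 203.0.113.7:443
2013-06-12T10:16:30 ALLOW 10.1.1.40 -> 198.51.100.10:80
2013-06-12T10:20:00 ALLOW 10.1.1.20 -> 203.0.113.7:443
2013-06-12T10:22:03 ALLOW 10.1.1.35 -> 203.0.113.7:443
2013-06-12T10:25:00 ALLOW 10.1.1.20 -> 203.0.113.7:443
2013-06-12T10:32:03 ALLOW 10.1.1.35 -> 203.0.113.7:443
2013-06-12T10:33:00 ALLOW 10.1.1.20 -> 10.1.1.36:445
2013-06-12T10:42:03 ALLOW 10.1.1.35 -> 203.0.113.7:443
2013-06-12T10:44:10 ALLOW 10.1.1.40 -> 198.51.100.10:80
2013-06-12T11:02:55 ALLOW 10.1.1.40 -> 198.51.100.10:80
2013-06-12T11:30:00 ALLOW 10.1.1.40 -> 198.51.100.10:80
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_count=4, max_jitter=0.10):
    """Return {(src, dst, port): mean interval in seconds} for outbound flows whose
    connection intervals are regular enough (low coefficient of variation) to
    look like command-and-control check-ins."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        if ipaddress.ip_address(dst) not in INTERNAL_NET:
            flows[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


def internal_contacts(records, sources):
    """Map each compromised source to the internal hosts it connected to."""
    contacts = defaultdict(set)
    for _ts, src, dst, _port in records:
        if src in sources and ipaddress.ip_address(dst) in INTERNAL_NET:
            contacts[src].add(dst)
    return dict(contacts)


def containment_scope(text):
    """Confirmed hosts beacon out; suspected hosts were contacted by a confirmed host."""
    records = parse_log(text)
    beacons = find_beacons(records)
    confirmed = {src for (src, _dst, _port) in beacons}
    spread = internal_contacts(records, confirmed)
    suspected = set().union(*spread.values()) - confirmed if spread else set()
    return {"beacons": beacons, "confirmed": confirmed,
            "suspected": suspected, "spread": spread}


if __name__ == "__main__":
    for key, value in containment_scope(SAMPLE_FIREWALL_LOG).items():
        print(key, value)
```

On the sample, 10.1.1.20 calls 203.0.113.7 every 300 seconds and 10.1.1.35 every 600 seconds, so both are confirmed; 10.1.1.36, reached over port 445 from a confirmed host, becomes a suspect to be examined before any isolation is carried out. The four connections from 10.1.1.40 to a web server are too irregular to qualify. Real implants add jitter to defeat exactly this check, so the threshold must be tuned against the organization's own traffic and the result cross-checked against threat intelligence rather than acted on blindly.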

5.10 Recovery
Effective remediation requires a good understanding of the changes made to applications and platforms by the malware. Key actions that will be needed include:
• Remove the malware and any associated back doors.
• Close ports that have been opened by the malware.
• Change modified configuration settings to their correct values.
• Restore deleted or corrupted files.
• Repair changes made to registry entries.

In many cases, it will be necessary to restore platform operating systems, although automatic tools are available that claim to be able to repair APT damage without the need for a reboot. Such tools can only repair what they know to look for; where an attacker has held privileged access for some time, rebuilding the affected hosts from a known-good image and resetting any credentials that may have been exposed is the safer course.
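One way to establish which files the malware added, altered or deleted, rather than guessing, is to compare the host against a manifest of file hashes taken from a trusted image or recorded by file integrity monitoring before the incident. The following is an added example, not code from the ISACA text; the directory layout, file contents and the attacker changes it simulates (a trojaned binary, a cron entry, an ld.so.preload hook and a deleted log) are constructed for the demonstration.

```python
"""Verifying remediation against a known-good baseline (added example, not from the ISACA text).

A manifest of file hashes from a trusted image (or from a file integrity
monitoring run before the incident) is compared with the current state of the
host, so that files the malware added, altered or deleted are listed rather than
guessed at. Paths and contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Build a tiny constructed filesystem, simulate an intrusion, and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("bin", "etc", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "bin/sshd").write_bytes(b"original sshd binary")
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc/crontab").write_text("0 * * * * root /usr/bin/backup\n")
        (root / "var/log/auth.log").write_text("Jun 12 10:00:00 sshd: Accepted password for root\n")
        baseline = hash_tree(root)  # what a trusted image or pre-incident FIM run would hold

        # Constructed attacker changes: trojaned binary, cron persistence,
        # preload rootkit hook, and deleted logs (anti-forensics)
        (root / "bin/sshd").write_bytes(b"trojaned sshd binary")
        (root / "etc/crontab").write_text(
            "0 * * * * root /usr/bin/backup\n*/5 * * * * root /var/tmp/.cache/update\n")
        (root / "etc/ld.so.preload").write_text("/lib/libhide.so\n")
        (root / "var/log/auth.log").unlink()
        return compare_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The comparison flags bin/sshd and etc/crontab as modified, etc/ld.so.preload as added and var/log/auth.log as removed, while the untouched etc/hosts is silent. The same comparison run again after remediation, against the same baseline, is the check that the back doors and persistence entries are actually gone; a manifest that was itself taken after the attacker arrived proves nothing, which is why the baseline must come from a trusted source.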

33 Verizon, “2013 Data Breach Investigations Report,” USA, 2013, www.verizonenterprise.com/DBIR/2013


5.11 Investigation
The next major step is a detailed investigation to identify the attacker, investigate the motive for the attack, and, on the basis of this knowledge, assess the likely consequential damage and the future business risk. Key questions to ask are:
• What is the origin of the attack? Is it a known source of APT attacks?
• Have any other organizations been attacked by this source or method?
• What appears to be the motive for the attack? Is it to steal information, cause damage or gather intelligence for use in a future attack?
• What is the nature of the data that might have been compromised—trade secrets, financial data, customer records, details of commercial bids or product plans?

No technical analysis can indicate the likely business damage of an intrusion. It depends on a careful consideration of the attacker, the motive for the attack, the attacker’s capability to exploit the information stolen or damage caused, and the options for mitigating the damage from the attack.

5.12 Learning From Incidents
Identifying and learning lessons from major security incidents is an essential process to pinpoint weaknesses in security and understand how best to prevent and minimize the impact of future attacks. All enterprises should conduct a root cause analysis of major incidents to help prevent them reoccurring. It is a surprisingly simple, yet powerful, exercise that can provide a much greater insight into the underlying causes of the incident than can be gained by speculation or anecdotal evidence.

There are a number of management tools for helping to carry out such an exercise. One of the simplest and fastest techniques is the Ishikawa “fishbone” diagram,34 which can be used to brainstorm and record the possible causes of a problem, structured according to the most likely categories and subcategories of fault. An example of such a diagram is given in figure 13. It can be seen that this approach provides a simple, quick means of identifying and structuring the contributory causes to an incident.

34 It is named after Kaoru Ishikawa, the Japanese professor who invented the technique.


5.13 Post Mortem Report
The final stage in managing a major incident is to compile a post mortem report and present the major findings and recommendations to management. Key considerations in carrying out this task are:
• Explain the source, timescale and current status of the incident.
• Identify the key actions and decisions as well as who took them and why.
• Estimate the approximate costs of the incident, including direct costs, such as physical damage, lost production time, recovery and investigation costs, and legal costs as well as indirect costs, such as lost sales and potential reputation damage.
• Highlight the strengths and weaknesses in the response process.
• List the learning points from the root cause analysis.
• Make firm recommendations for changes and security enhancements.

Figure 13: Illustration of an Ishikawa Diagram
[Figure: fishbone diagram with the effect “Major Incident” at the head and cause categories on the bones, including Environment, People and Management.]

5.14 Learning Points
This chapter of the book examined the principles, processes, tools and resources required to mount an effective response to an APT attack. Here is a brief summary of the learning points to note:
• A computer security incident response team (CSIRT) should be established, as either a central or virtual team, to respond effectively to computer security incidents.
• Larger enterprises should consider creating a dedicated security operations center (SOC) to monitor the security of the IT infrastructure and information systems.
• The CSIRT must interface with other enterprise and supply chain crisis teams. There is no standard blueprint for this because every organization is different.
• Key factors to take into account when designing an effective crisis team structure are the size of the enterprise and the structure and geography of its business units and IT service functions.
• Good crisis preparation and regular exercises are essential to ensure a fast, optimal response to a major incident.
• All incidents follow a general path from initial detection to eventual closure, which can be used to help structure the overall crisis strategy.
• It is important to learn from previous incidents. A root cause analysis exercise should be carried out after every major incident.


6. Conducting an APT Controls Review

6.1 Introduction
This chapter of the book provides guidance to security managers and IT auditors on how to go about conducting a controls review specifically for APT risk. It includes advice on determining the objectives, focus and scope for the review; sets out a step-by-step methodology for its conduct; and identifies useful supporting tools and techniques.

6.2 Methodology

The effectiveness of a review is determined to a large extent by the degree of planning and preparation. Key steps in the process are illustrated in figure 14 and described in more detail in the following paragraphs.

Understand the Business, its Processes and Assets

APT controls reviews need to be wide-ranging and enterprisewide, reflecting the nature of the threat itself, which is to establish a foothold within the organization's infrastructure and progressively broaden the access gained in order to steal or compromise valuable intellectual assets.

Key activities are:
• Appreciate the bigger enterprise picture.
• Pinpoint sensitive or critical assets and processes.
• Identify responsible directors and managers.

The major output from this first stage is a set of key assets or processes for review and a list of responsible owners or decision makers.

Figure 14: Stages in Conducting an APT Controls Review. Stages, in sequence: Understand the business, its processes and assets; Identify the key security risk and assets; Review security perimeters and controls; Assess risk to critical systems and infrastructure; Communicate and agree on findings and recommendations.


Identify the Key Security Risk and Assets

The next step is to consult with the directors/managers responsible for these key assets and processes and develop a high-level assessment of risk, based on previous risk assessments or using the techniques described in chapter 2.

The key tasks for this stage are:
• Communicate the nature of the APT risk.
• Conduct/review high-level assessments of APT risk.
• Highlight risk of high impact and high probability.
• Bring together risk identified by different business areas into a single heat map.
• Identify sensitive or critical systems and supporting infrastructure.
• Highlight risk associated with the adoption of emerging technologies.

The key outputs from this stage should be a high-level heat map of security risk and a list of sensitive or critical systems and infrastructure.
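The heat-map step above, as an added example that is not part of the ISACA text: risk items raised by separate business areas are placed on one likelihood x impact grid, the high-probability/high-impact corner is listed first, and assets reported by more than one area are surfaced as candidates for a single shared control. The 1-5 scales, the "high" threshold of 4 and the sample risks are assumptions of this example.

```python
"""Aggregate APT risk from several business areas into one heat map.

Added example, not from the ISACA book. The business areas, assets and
ratings below are constructed sample input; the 1-5 scales and the
"high" threshold are assumptions of this example, not the book's.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = (1, 2, 3, 4, 5)  # 1 = very low ... 5 = very high (assumed scale)
HIGH = 4                 # a rating of 4 or 5 counts as "high" (assumed threshold)


@dataclass(frozen=True)
class Risk:
    area: str        # business area that raised the risk
    asset: str       # sensitive or critical asset or process concerned
    scenario: str    # what an APT could do to it
    likelihood: int  # 1-5
    impact: int      # 1-5

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"ratings must be in {SCALE}: {self}")


def heat_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[Risk]]:
    """Return {(likelihood, impact): [Risk, ...]} covering all 25 cells."""
    grid = {(l, i): [] for l in SCALE for i in SCALE}
    for r in risks:
        grid[(r.likelihood, r.impact)].append(r)
    return grid


def high_priority(risks: List[Risk]) -> List[Risk]:
    """Risks in the high-likelihood AND high-impact corner, worst first."""
    return sorted(
        (r for r in risks if r.likelihood >= HIGH and r.impact >= HIGH),
        key=lambda r: (-(r.likelihood * r.impact), r.area, r.asset),
    )


def duplicates_across_areas(risks: List[Risk]) -> Dict[str, List[str]]:
    """Same asset reported by more than one area: one mitigating action may cover all."""
    by_asset = defaultdict(set)
    for r in risks:
        by_asset[r.asset].add(r.area)
    return {a: sorted(v) for a, v in by_asset.items() if len(v) > 1}


def render(grid: Dict[Tuple[int, int], List[Risk]]) -> str:
    """Text heat map: rows = likelihood (5 at top), columns = impact, cells = count."""
    lines = ["L\\I " + " ".join(f"{i:>2}" for i in SCALE)]
    for l in reversed(SCALE):
        cells = " ".join(f"{len(grid[(l, i)]):>2}" for i in SCALE)
        lines.append(f"{l:>3} {cells}")
    return "\n".join(lines)


# Constructed sample: several business areas, with one asset reported twice.
SAMPLE = [
    Risk("R&D", "product design repository",
         "theft of design files via a compromised developer account", 4, 5),
    Risk("Finance", "ERP system",
         "fraudulent payment instructions after credential theft", 3, 4),
    Risk("Operations", "plant SCADA network",
         "unauthorized control of industrial equipment", 2, 5),
    Risk("IT", "product design repository",
         "source code altered through an unpatched build server", 4, 4),
    Risk("HR", "employee records", "high-profile data breach", 3, 3),
    Risk("Sales", "customer CRM", "exfiltration of customer lists", 2, 2),
]

if __name__ == "__main__":
    print(render(heat_map(SAMPLE)))
    for r in high_priority(SAMPLE):
        print(f"HIGH  {r.area}: {r.asset} ({r.likelihood}x{r.impact})")
    print("assets raised by more than one area:", duplicates_across_areas(SAMPLE))
```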

Review Security Perimeters and Controls

Assessing the adequacy of system controls requires an appreciation of the security of their surrounding environment. Systems do not operate in a fully secure environment or a completely open one. The starting point is to establish a realistic picture of the security of the organization's internal networks.

The key tasks for this stage are:
• Work "outside in" to assess layers of protection from external threats.
• Assess the security of the enterprise network design and its controls.
• Review key points of ingress and egress, and determine their capability to control, block or monitor information flows of security interest.

The output from this stage should be a high-level map of the enterprise networks, with an indication of the effectiveness of the measures taken to protect or segregate sensitive or critical systems and their users.

Assess Risk to Critical Systems and Infrastructure

The security vulnerabilities associated with individual systems can then be evaluated within the context of the security of the network perimeter. Unacceptable risk can be pinpointed and recommendations made to strengthen controls at the platform or network level.

The key tasks for this stage are:
• Review vulnerabilities of critical applications and platforms.
• Assess potential risk of compromise.
• Identify missing or inadequate controls.

The output from this process is a list of risk and recommendations for remedial action.


Communicate and Agree on Findings and Recommendations

The final stage is to assemble the findings and recommendations into a program of remedial action and to agree on each action with the responsible stakeholder.

The key tasks for this stage are:
• Develop a plan of remedial actions.
• Communicate and agree on shortcomings and recommendations with system or asset owners.
• Report findings and recommendations to management.


Appendix A: APT Questionnaire/Checklist

This appendix includes a simple questionnaire/checklist for helping managers to consider and evaluate the risk associated with APTs, drawing on the guidance set out in this book.

It is intended to serve as a useful reference guide for business, IT or security managers in reviewing and addressing the APT risk.

Is the enterprise a likely target for an APT attack?
Does the organization:
• Have political or state secrets?
• Possess trade secrets or other competitive business advantages that would be of interest to overseas competitors?
• Develop leading-edge products that foreign competitors would like to emulate?
• Deliver or support business services that might be considered of critical national significance?
• Develop, manufacture or support products in the military field?
• Operate in competitive overseas markets?

What might be the impact of an APT attack?
Has the organization:
• Considered the effect of the theft of trade secrets, research or product plans by a foreign competitor?
• Assessed the business impact of a high-profile data breach involving customer or employee records?
• Taken seriously the possibility of SCADA systems controlling industrial processes or equipment being compromised, resulting in a major safety incident and/or prolonged loss of service?
• Calculated the likely cost of a lengthy security investigation and costly remedial program?

How exposed is the organization to an APT attack?
Has the organization:
• Conducted a risk assessment to establish the likelihood and potential business impact of an APT attack?
• Maintained strict control over all external network connections?
• Implemented a network architecture that segregates sensitive or critical systems and users?
• Ensured that computer platforms and applications are free of known vulnerabilities?
• Invested in security monitoring technology to detect unauthorized intrusions?

How prepared is the organization for an APT attack?
Does the organization:
• Have one or more experts who are sufficiently knowledgeable to help identify the risk from an APT and respond appropriately to an incident?
• Maintain an effective CSIRT and business crisis management process?
• Conduct regular crisis exercises, including the possibility of an APT attack?
• Have established relationships with national security and law enforcement authorities?
• Possess call-off contracts or arrangements with companies that can quickly provide specialist APT advice and services?


Appendix B: List of APT Attacks

The table below lists key assessments of major APT attacks experienced over the last 15 years, in order of their emergence. Because of the sensitivity of the damage and the consequential secrecy maintained by victims, many factors remain unknown and can only be guessed. All statements in this appendix, however, are based on reported or alleged claims in the public domain.

Each entry gives: Name of Attack (and period); Likely Source or Beneficiary; Innovative Features; Organizations Targeted or Hit; Impact or Outcome.

Moonlight Maze (1998-2000)
Likely source or beneficiary: Traced back to a computer in the former Soviet Union, although denied by the Russian government. The stolen information might have been sold to the highest bidder.
Innovative features: Large-scale, sophisticated cyberespionage attack.
Organizations targeted or hit: The Pentagon, NASA and US Department of Energy as well as universities and research labs involved in military research.
Impact or outcome: Tens of thousands of files stolen, including maps of military installations, troop configurations and military hardware designs, resulting in millions of dollars of damage.

Titan Rain (2003-2005)
Likely source or beneficiary: Claimed to be of Chinese origin, although the Chinese government denied any involvement.
Innovative features: Exploited social engineering attacks on selected individuals.
Organizations targeted or hit: US defense contractors, including Lockheed Martin, Sandia National Labs, Redstone Arsenal, and NASA.
Impact or outcome: Not disclosed. Likely to be similar to Moonlight Maze.

Sykipot (2007-2012)
Likely source or beneficiary: Not known. The targets suggest an intelligence service is the likely beneficiary. An analysis of Sykipot attacks in 2011 indicated that most servers were based in China.
Innovative features: Exploited zero-day vulnerabilities.
Organizations targeted or hit: Western companies across a range of sectors, including defense, computers, telecommunications, energy and chemicals, and government organizations.
Impact or outcome: Trade secrets stolen, including design, financial, manufacturing and strategic planning information from US and UK companies, resulting in loss of competitiveness.

GhostNet (2008-2009)
Likely source or beneficiary: Reported to have originated from China, although the Chinese government denied any involvement.
Innovative features: Able to use audio and video recording devices to monitor the physical environment of infected computers.
Organizations targeted or hit: Political, economic and media targets in over 100 countries, including many embassies and the Dalai Lama's exile centers.
Impact or outcome: Political and economic data compromised on more than 1,000 computers in over 100 countries.


Operation Aurora (2009-2010)
Likely source or beneficiary: Reported to have originated in China.
Innovative features: Targeted and modified source code repositories.
Organizations targeted or hit: Numerous technology companies, including Google, Adobe Systems, Juniper Networks and Rackspace, as well as banks, defense contractors, security vendors and energy companies.
Impact or outcome: Large quantities of intellectual property stolen, resulting in substantial losses in competitiveness.

Gozi (2007 onward)
Likely source or beneficiary: Created by a Russian national with the support of accomplices from neighboring countries, and subsequently sold to criminal groups.
Innovative features: Bulletproof hosting service to preserve the anonymity of criminal users. The 2013 version infects the hard disk master boot record.
Organizations targeted or hit: Targeted financial institutions in the US, UK, Germany, Poland, France, Finland, Italy, Turkey and elsewhere.
Impact or outcome: Infected more than one million computers around the world, causing tens of millions of dollars in damages.

Zeus (2007 onward)
Likely source or beneficiary: Used by a variety of criminals in the US, UK and Ukraine for committing bank fraud and money laundering.
Innovative features: A complete APT tool kit, including modules to capture user keystrokes and web form data through a man-in-the-browser attack.
Organizations targeted or hit: Initially used to steal information from the US Department of Transportation, but subsequently used to steal banking credentials and credit card payments or credentials used to log in to social networks.
Impact or outcome: Compromised tens of thousands of FTP accounts on company sites and several million bank users, resulting in the theft of hundreds of millions of dollars.

SpyEye (2009 onward)
Likely source or beneficiary: Similar to Zeus and used by a wide variety of criminal gangs. Has been retailed for US $500 on Russian underground forums.
Innovative features: Later variants able to modify displays of bank statements and balances.
Organizations targeted or hit: Designed to steal credentials from bank customers across the US and UK and then initiate transactions when the victim logs onto his/her bank account.
Impact or outcome: Millions of dollars stolen from the customer accounts of several hundred banks across the world.


Stuxnet (2010)
Likely source or beneficiary: Claimed to have been created by the US and Israel to attack Iran's nuclear facilities.
Innovative features: First malware to subvert industrial process systems. Contained four different zero-day exploits. Programmed to erase itself on a specific date.
Organizations targeted or hit: Specifically targeted Siemens industrial software and equipment, and contained safeguards to limit the spread of the infection.
Impact or outcome: The malware was reported to have caused substantial damage to the centrifuges at the Natanz nuclear enrichment laboratory in Iran.

Duqu (2011)
Likely source or beneficiary: Similarities to Stuxnet suggest a source with access to the code. Servers were based in many countries, including Germany, Belgium, Philippines, India and China.
Innovative features: Similar to Stuxnet in sophistication, but with a different purpose.
Organizations targeted or hit: The code has been found in a limited number of enterprises, including those involved in the manufacturing of industrial control systems.
Impact or outcome: Captured information that might enable a future APT attack on industrial control systems.

Flame (2012)
Likely source or beneficiary: Claimed by The Washington Post to have been jointly developed by the US National Security Agency, CIA and Israel's military at least five years prior to discovery, although this was officially denied.
Innovative features: Able to record audio, screenshots, keystrokes, network traffic, Skype conversations and contact information from nearby Bluetooth-enabled devices. Can be killed instantly by a remote instruction from a central server.
Organizations targeted or hit: Used to mount espionage attacks on government ministries, educational institutions and individuals in Middle Eastern countries.
Impact or outcome: Stole information from around 1,000 machines in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. Attacks ceased when publicly disclosed.

Red October (2007-2012)
Likely source or beneficiary: Not known. There are contradictory views about the source. Analysis of the malware indicates the code was quite different from Stuxnet, Duqu and Flame, suggesting a different source.
Innovative features: Adapts to multiple platforms, including routers, switches, mobile phones and external storage devices. Can be resurrected on the receipt of an email attachment.
Organizations targeted or hit: Designed to steal secrets from government and research organizations across a range of countries.
Impact or outcome: Reported to have stolen hundreds of terabytes of secrets from diplomatic, trade, military, aerospace, energy, and research organizations in Russia, Iran, the US, and other countries.


Eurograbber (2012)
Likely source or beneficiary: Based on a variant of Zeus.
Innovative features: Able to circumvent SMS-based authentication systems by asking the user to install new "security software" on his/her mobile device.
Organizations targeted or hit: Targeted banks across Europe, starting in Italy and quickly spreading to Spain and Holland.
Impact or outcome: Stole an estimated 36 million euro from more than 30,000 customers in over 30 banks across Europe.


Appendix C: COBIT 5 Gap Analysis

This appendix considers the processes set out in the ISACA business framework for governance and management of enterprise IT, COBIT 5, and indicates the areas where additional or enhanced measures, scope or emphasis are required in order to mitigate the risk presented by an APT threat.

COBIT 5 process: Recommended Additional Measures

Evaluate, Direct and Monitor

EDM01 Ensure Governance Framework Setting and Maintenance

Recommendation: Mitigating an APT threat demands a corporate policy that is clear, well communicated and associated with strong incentives, such as compelling rewards and serious sanctions.

APT threats demand a much stronger degree of discipline to ensure business management is fully supportive and aware of the potentially damaging risk to business operations presented by APT attacks.

APT intrusions are enterprisewide, demanding a well-coordinated risk assessment and response.

EDM02 Ensure Benefits Delivery

Recommendation: A major reduction in the likelihood or impact of an APT incident delivers substantial business value to the enterprise, including a reduction in the costs, losses and reputation damage associated with an intrusion.

Such costs cannot be measured precisely, but should be estimated and presented to management in support of the business case for enhanced information security measures.

EDM03 Ensure Risk Optimisation

Recommendation: A special risk assessment for APT intrusions should be carried out to help identify the full impact on the enterprise. Risk can be identified for specific business processes, but it is better to manage a portfolio of risk across the enterprise because risks to multiple business processes often share a common mitigating action.

APT risk assessments should also be embedded in local risk management processes, although it is important to ensure that mitigating actions taken across the enterprise are carefully coordinated to avoid unnecessary duplication of actions and ensure consistency and compatibility of measures adopted.

EDM04 Ensure Resource Optimisation

Recommendation: APTs demand a step change in the skills, discipline and countermeasures needed to mitigate the risk. Existing security programs, resources and metrics should be reviewed and enhanced to meet the challenge, drawing on an informed risk assessment.


EDM05 Ensure Stakeholder Transparency

Recommendation: Assessments of the enterprise's exposure to APT risk, including the potential consequential damage, should be communicated to all key stakeholders, including business risk and audit committees.

The aim should be to ensure that stakeholders are fully informed of APT risk and recognize the implications, especially the need for additional responsibilities, user discipline, preventive measures and crisis management. Specific responsibility should be assigned for coordinating the organization’s response to the APT risk.

Strict policies and confidentiality agreements also need to be rigorously enforced in relation to external contractors with access to sensitive and critical information systems.

The nature of APT attacks also requires close contact with national security agencies and law enforcement authorities.

Organizations responding to APT intrusions can gain valuable support and advice from other CERT or CSIRT teams, as well as from security vendors.

Specialist, independent reviews of the organization’s capability to identify and mitigate APT risk should be carried out at regular intervals (at least annually).

Align, Plan and Organise

APO01 Manage the IT Management Framework

Recommendation: The IT management framework needs to be reviewed to ensure that appropriate responsibilities, policy and discipline are embedded in the response to identified APT risk.

Where there is an established information security management system (ISMS), this also needs to be reviewed to ensure that there are appropriate policies, standards and security processes to enable the organization to prevent, detect and respond to APT attacks.

The scope, positioning and reporting line(s) of the CISO function may need to be enhanced to ensure there is sufficient authority to deal quickly and firmly with APT incidents or vulnerabilities that could enable an attack to succeed.

Security training and awareness programs may also require enhancement to ensure there are sufficient technical skills and staff awareness in place to reduce the risk from APT attacks.


APO02 Manage Strategy

Recommendation: A gap analysis should be carried out to identify shortcomings in existing security strategy and programs. This should be informed by an enterprisewide APT risk assessment. A revised information security strategy and long-range program should be developed based on the findings of the gap analysis.

The security strategy will have implications for IT strategy, e.g., identifying the need for enhancements to user access management, network management, system development and crisis management strategies.

APO03 Manage Enterprise Architecture

Recommendation: Mitigating APT risk requires broader use of technologies such as strong authentication and encryption, as well as extensive security monitoring and effective vulnerability management. These requirements will have a significant impact on the information, IT and security architectures, which will need to be reviewed to provide stronger protection for intellectual assets.

APO04 Manage Innovation

Recommendation: Established countermeasures are not sufficient to deal with APT attacks effectively. Responding to APT threats requires security research and technology horizon-scanning in order to identify measures to help prevent, detect and respond to intrusions. A small investment should be made in the research and development of new solutions.

Innovation should be encouraged among security practitioners to help devise better methods to prevent and detect attacks, although this needs to be balanced against the risk that new forms of control might not be sufficiently established to satisfy regulatory compliance requirements.

APO05 Manage Portfolio

Recommendation: Security risk should be a consideration in decisions regarding investment in the IT applications portfolio. APT risk, in particular, is significant enough to influence the potential costs associated with new applications. An enterprise risk assessment should be carried out and the results used to estimate the potential value at risk from APT attacks.

APO06 Manage Budget and Costs

Recommendation: New security processes and technologies are likely to be required to mitigate the risk associated with APT attacks. Information security budgets should, therefore, be reviewed following an enterprisewide APT risk assessment.


APO07 Manage Human Resources

Recommendation: Managing the response to APT risk may demand significant changes in the resources, skills and professional development of the information security function and associated IT functions, such as network management. A skills gap analysis should be carried out.

User and staff education programs should be enhanced to include greater awareness of the risk from social engineering. Staff should also be reminded of the importance of adhering to security policies. Disciplinary procedures should be strengthened, if necessary.

Enhanced vetting of staff should be carried out for staff or contractors with access to any services considered to be a component of critical national infrastructure.

Contractors should be reminded of the need to follow security policies. Nondisclosure agreements should be strictly enforced.

Crisis management arrangements and team composition should also be reviewed to ensure the enterprise is adequately prepared to manage a major APT incident.

APO08 Manage Relationships

Recommendation: Security managers need to establish stronger relationships with business managers responsible for assets that are likely to be a target of APT attacks. An enhanced communications program should be developed to brief business managers and staff on the nature of the APT risk and the range of measures needed to mitigate the impact.

APO09 Manage Service Agreements

Recommendation: Due diligence should be carried out on third-party service providers responsible for assets that might be the target of an APT attack.

All Internet-facing, third-party services should be subject to continuous vulnerability scanning. Regular penetration tests should also be carried out.

All major changes to third-party contracts should be scrutinized and approved by the CISO.


APO10 Manage Suppliers

Recommendation: Confidentiality agreements should be rigorously enforced for contractors with access to sensitive and critical areas.

Organizations should scrutinize the supply chain for potential security weaknesses, as this is a potential channel for an APT to penetrate the enterprise infrastructure.

Third-party connections are often a source of unauthorized access. All commercial agreements and actual practices should, therefore, be carefully scrutinized and monitored.

Security vetting should be carried out for any third-party individuals with access to systems or networks supporting critical national infrastructure services.

Outsourced software development must be strictly controlled for sensitive or critical applications, as intellectual property could be stolen and back doors or Trojan code planted. Source code libraries should be protected, as these are known targets of APT attacks.

APO11 Manage Quality

Recommendation: Minor incidents across the enterprise should be monitored, as these are an indicator of potential vulnerabilities or actual compromise.

APO12 Manage Risk

Recommendation: A special risk assessment for APT intrusions should be carried out to help identify the full impact on the enterprise.

The risk assessment should take account of the full range of intellectual assets and consequential losses, including potential reputation damage, lost sales and legal liabilities, as well as any potential physical damage that might result from a cyberattack on SCADA systems controlling operational processes.

APO13 Manage Security

Recommendation: The ISMS should be reviewed to ensure that there are appropriate policies, standards and security processes in place to enable the organization to prevent, detect and respond to APT attacks.

Build, Acquire and Implement

BAI01 Manage Programmes and Projects

Recommendation: Program and project management methodologies should be reviewed to ensure that APT risk can be identified and addressed at an appropriate early stage.

Existing security programs may need to be strengthened to meet the challenge presented by APT risk, drawing on an informed risk assessment.


BAI02 Manage Requirements Definition

Recommendation: Security should be firmly embedded in the systems development and maintenance process, starting at the requirements stage with a professional security risk assessment. The Microsoft SDL is recommended.

Requirements analysis should take account of APT risk, drawing on an enterprisewide assessment. The analysis should take account of the potential risk to other information systems sharing the same infrastructure or environment.

BAI03 Manage Solutions Identification and Build

Recommendation: APT attacks are designed to spread across an enterprise, targeting specific systems or data of value to the originator. Solutions for systems handling critical information or data, or those delivering critical services, should, therefore, be designed to resist any attacks arising from within the enterprise infrastructure.

BAI04 Manage Availability and Capacity

Recommendation: Special attention should be given to the bandwidth requirements of e-business sites that may be subject to a distributed denial-of-service (DDoS) attack.

BAI05 Manage Organisational Change Enablement

Recommendation: The risk of social engineering attacks should be communicated to staff operating or administering systems that are likely to be the target of an APT.

BAI06 Manage Changes

Recommendation: System changes are a potential source of insecurity and a major opportunity for introducing security improvements. Security should be embedded in the change management process, especially for systems handling sensitive or critical data that are likely to be the target of an APT attack.

BAI07 Manage Change Acceptance and Transitioning

Recommendation: Change requests, including emergency changes, should be examined to identify whether there is any associated security risk and, if necessary, referred to the information security function for information and advice.

Applications should be security tested to identify potential vulnerabilities prior to implementation.

Strict separation of development, test and operational facilities is essential to minimize the risk from any compromised accounts.

All authorized changes should be formally controlled and recorded to ensure that unauthorized modifications made by APT malware can be more easily identified.


BAI08 Manage Knowledge

Recommendation: Security classification guidelines, standards and procedures may need to be revised to reflect the special nature of the APT risk.

System documentation and source code libraries are a major target of APTs and should be carefully protected from unauthorized access.

BAI09 Manage Assets

Recommendation: Assets that are likely to be targeted by APT attacks should be clearly identified and subject to a specialist APT risk assessment.

Assigning ownership of sensitive and critical assets is crucial for safeguarding them against APT attacks.

Misuse of IT facilities, e.g., loading unauthorized software on business machines, might also present exposures to APT attacks. Strict control should, therefore, be applied to prevent business assets from being used for nonapproved purposes.

BAI10 Manage Configuration

Recommendation: Strict control of platform configurations is essential to help prevent and detect APT intrusions. Such attacks introduce changes to platform configurations. Review and testing of operating system changes can help detect any unauthorized modifications by APT malware.

File integrity monitoring and security configuration management are recommended technologies to ensure that business processes are unaffected by any attempts to subvert their content.

Continuous (at least daily) vulnerability management is recommended to detect security weaknesses in applications and platforms as early as possible.
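As an added illustration of the file integrity monitoring the recommendation above calls for (example code written for this page, not code from ISACA or the document): the script below builds a baseline manifest of SHA-256 digests for every file under a directory, takes a second manifest later, and reports the files that were added, removed or modified in between, which is the evidence a reviewer needs to spot an unauthorized platform change. The directory tree, file names and the simulated changes in `demo()` are constructed for the example.

```python
"""File integrity baseline and comparison (added example, constructed scenario)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Walk `root` and map each regular file's relative POSIX path to its digest.

    Symlinks are skipped so an attacker cannot make the monitor hash an
    arbitrary file outside the tree by planting a link inside it.
    """
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between a stored baseline and a fresh manifest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline.keys() & current.keys() if baseline[path] != current[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then simulate unauthorized changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original binary contents")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        baseline = build_baseline(root)  # what a monitor would store after a trusted build

        # Simulated changes of the kind the recommendation wants detected:
        # a patched binary, a weakened configuration and a new file dropped in.
        (root / "bin" / "sshd").write_bytes(b"patched binary contents")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "new-file.txt").write_text("unexpected file\n")
        current = build_baseline(root)
        return compare(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be stored and signed off-host, since a monitor whose manifest lives on the monitored system can be rewritten along with the files it protects.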

Deliver, Service and Support

DSS01 Manage Operations

Recommendation: Operating procedures for systems handling sensitive or critical data that are likely to be the target of APT attack should be reviewed and revised to reflect the enhanced risk.

Sensitive or critical systems should ideally be disconnected from general enterprise networks or sited in dedicated network domains with strictly managed access policies and connection controls.

DSS02 Manage Service Requests and Incidents

Recommendation: Existing incident reporting channels need to be enhanced to incorporate alerts to potential APT activity. Criteria for identifying signs of potential attack should be developed. Security focal points should be established to receive and respond to reports of actual or suspected security events.

DSS03 Manage Problems

Recommendation: Problems can be indicators of possible APT compromise. Procedures for problem analysis should include questions that can help to identify the presence of APT malware.

DSS04 Manage Continuity

Recommendation: Business continuity planning should take account of the potential damage from an APT intrusion, including the possibilities of a large-scale data breach or irrecoverable damage to the integrity of a critical application system.

DSS05 Manage Security Services

Recommendation: Exceptionally tight control must be maintained over network connections and connected devices, especially those connected to systems and domains that contain sensitive or critical data that might be the target of an APT attack.

Continuous vulnerability management is recommended, in order to detect security weaknesses in applications and platforms as early as possible.

DSS06 Manage Business Process Controls

Recommendation: Outsourced business processes are a potential target for APT attacks. Management controls and contracts should be reviewed and, if necessary, strengthened for any services that are judged to be a target for APT attacks.

Segregation of duties is an important security principle for minimizing the risk from any compromised accounts. It should be strictly enforced when designing business process controls.

Monitor, Evaluate and Assess

MEA01 Monitor, Evaluate and Assess Performance and Conformance

Recommendation: Performance monitoring processes can provide an early indication of APT compromise. Reporting processes should include a consideration of the security implications of unexpected, unusual changes in system or infrastructure performance.

MEA02 Monitor, Evaluate and Assess the System of Internal Control

Recommendation: APT threats demand regular (at least quarterly) reviews to consider the implications of new intelligence, emerging threats and identified vulnerabilities.

MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

Recommendation: Enterprises should aim to ensure that any APT risks associated with critical services or sensitive data managed on behalf of external customers are identified and that appropriate security arrangements are agreed on and implemented.

Appendix D: Glossary of Terms

Antivirus (or anti-malware) system—A technology widely used to prevent, detect and remove many categories of malware, including computer viruses, worms, Trojans, keyloggers, malicious browser plug-ins, adware and spyware

Back door—A means of regaining access to a compromised system by installing new software or reconfiguring existing software to enable remote access under attacker-defined conditions

Black hole—A point in the network where incoming traffic is discarded without informing the source that the data failed to reach their intended destination

Black hole router—A router set up to collect traffic that cannot be delivered, e.g., because it is unexpected, misconfigured or potentially malicious

Bogon—A bogus IP packet using an address that is not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated regional Internet registry (RIR)

Botnet—A large, distributed network of previously compromised computers that can be used to mount large-scale denial-of-service attacks on targeted services

Brute force attack—An attack based on repeated attempts at guessing passwords or encryption keys, cycling through a range of possible combinations until one is successful

Chief information security officer (CISO)—The person in charge of information security within an enterprise. Individual business units might also recruit their own CISO.

Command and control server—A central controlling server designed to issue remote commands to malware in a compromised system

Communications pattern matching—A technique to detect potential attacks by examining communications for known signs or signatures of APT activity

Computer security incident response team (CSIRT)—A team established within an enterprise to respond to computer security incidents

Cyberwarfare—A politically motivated computer attack to gain superiority over an adversary by compromising the confidentiality, integrity or availability of the target’s information systems or infrastructure

Database activity monitoring (DAM)—A technology that enables database access to be controlled, monitored and recorded independently from the database management software

Data leak prevention (DLP)—A technology designed to detect and block potential data breaches, such as outgoing transmissions of confidential data

Deep packet inspection (DPI)—A technology that inspects the data content of an incoming or outgoing communication, searching for malicious software, attempted intrusions or undesirable content, according to defined criteria

Digital certificate—An electronic record signed by a certificate authority used to authenticate a transaction or a user

Distributed denial-of-service (DDoS) attack—A computer network attack designed to disrupt operational services by flooding, consuming or exhausting network bandwidth, memory or processing capacity

Drive-by download—A term given to a malware infection caused by a user visiting an infected web site or clicking on a fake pop-up window planted on the user’s client device

False positive—A result that has been mistakenly identified as a problem when, in reality, the situation is normal

File integrity monitoring—A security technology that monitors and confirms the integrity of key files used by operating systems or information systems

Firewall—A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet

Hacker—An individual who attempts to gain unauthorized access to a computer system

Hacktivist—A hacker who disrupts or steals information from systems of targeted enterprises for ideological or political reasons

Honeypot—A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner such that their actions do not affect production systems

Information warfare—An earlier use of the term “cyberwarfare,” but generally understood to be more sophisticated, with greater focus on manipulation of information

Intrusion detection system (IDS)—A technology that inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack

Intrusion prevention system (IPS)—A technology that monitors system activities and network traffic for malicious activity and blocks any intrusions that are detected

Least privilege—A long-standing principle to minimize the risk of unauthorized access by ensuring that users are granted the minimum access permissions required for them to carry out their work

Martian—A bogus IP packet using an IP address that is reserved for special use by the Internet Assigned Numbers Authority (IANA)
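An added example, not part of the glossary or of ISACA's material, covering the "Bogon" and "Martian" entries: the check below flags packets logged on the external interface whose source address falls in an RFC 1918 or IANA special-purpose block, which is traffic that cannot legitimately originate on the Internet and that a black hole router would be configured to discard. The firewall log format, interface names and addresses in `SAMPLE_LOG` are constructed for the example; a bogon list of still-unallocated space would be refreshed from IANA and RIR data, which the example does not fetch, but it would be applied in exactly the same way.

```python
"""Flag packets with martian source addresses in constructed firewall logs (added example)."""
import ipaddress
import re
from typing import Optional

# IPv4 blocks that must never be the source of a packet arriving from the public
# Internet (RFC 1918 private space plus IANA special-purpose assignments).
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # shared address space (carrier-grade NAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2 (documentation)
    "203.0.113.0/24",   # TEST-NET-3 (documentation)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, including the limited broadcast address
)]

# Constructed log format: "<timestamp> <host> <action> in=<iface> src=<ip> dst=<ip> ..."
LOG_FIELDS = re.compile(r"in=(?P<iface>\S+) src=(?P<src>\S+)")

# Constructed sample lines. 198.51.100.10 plays the firewall's own public address;
# 8.8.8.8 is a well-known public address used only to exercise the non-martian path.
SAMPLE_LOG = [
    "2013-08-22T10:00:01Z fw1 ACCEPT in=eth0 src=8.8.8.8 dst=198.51.100.10 proto=udp dport=53",
    "2013-08-22T10:00:02Z fw1 ACCEPT in=eth0 src=10.1.2.3 dst=198.51.100.10 proto=tcp dport=443",
    "2013-08-22T10:00:03Z fw1 ACCEPT in=eth1 src=10.1.2.3 dst=198.51.100.10 proto=tcp dport=443",
    "2013-08-22T10:00:04Z fw1 DROP in=eth0 src=127.0.0.1 dst=198.51.100.10 proto=tcp dport=22",
    "2013-08-22T10:00:05Z fw1 ACCEPT in=eth0 src=203.0.113.9 dst=198.51.100.10 proto=tcp dport=80",
]


def martian_net(addr: str) -> Optional[ipaddress.IPv4Network]:
    """Return the special-purpose block containing `addr`, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    for net in MARTIAN_NETS:
        if ip in net:  # False for IPv6 addresses, which this list does not cover
            return net
    return None


def is_martian(addr: str) -> bool:
    return martian_net(addr) is not None


def scan(lines: list[str], external_iface: str = "eth0") -> list[tuple[str, str]]:
    """Return (source, block) pairs for external-interface packets with martian sources.

    Packets seen on internal interfaces are ignored: private addresses are
    expected there, and only their appearance from outside is suspicious.
    """
    findings = []
    for line in lines:
        m = LOG_FIELDS.search(line)
        if m is None or m.group("iface") != external_iface:
            continue
        src = m.group("src")
        try:
            net = martian_net(src)
        except ValueError:
            findings.append((src, "unparseable address"))
            continue
        if net is not None:
            findings.append((src, str(net)))
    return findings


if __name__ == "__main__":
    for src, block in scan(SAMPLE_LOG):
        print(f"martian source {src} (in {block})")
```

Line 3 of the sample carries the same private source as line 2 but on the internal interface and is correctly left alone; the interface check is what keeps this from drowning in false positives.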

Penetration test—A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers

Phishing—A type of electronic mail (email) attack that attempts to convince a user that the originator is genuine, with the intention of obtaining information for use in social engineering

Rootkit—A software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system

Sandbox simulation—A technology that assesses potentially malicious files, including executable code and office documents, by executing them in a virtual environment and examining their behavior for potential malicious activity

Security configuration management—A process that aims to assure the integrity of platform security configurations and the information systems they support

Security Development Lifecycle (SDL)—A software development process, developed by Microsoft, that helps developers to build more secure software

Spear phishing—A targeted email phishing attack against a carefully selected victim, exploiting knowledge about the victim’s personal or business interests

Strong authentication—An authentication system that relies on more than just a shared secret, such as a password, by employing an additional mechanism, such as a physical token, smart card or biometric attribute

Trojan horse—Purposefully hidden malicious or damaging code within an authorized computer program

Trusted computing (TC)—A technology that exploits a secure reference monitor embedded in a tamperproof chip called a trusted platform module (TPM)

Vulnerability scanner—A software system that assesses network-connected computers, networks or applications against up-to-date databases of known flaws, seeking security weaknesses

Whitelisting—The practice of controlling access or execution rights through a list of approved users, devices or programs

Zero-day exploit—An attack based on advance unpublished knowledge about a software vulnerability in an operating system or application that has not yet been addressed by the software vendor

Index

A
Access control, 121-124
Activist, 33-34
Adobe Systems, 22, 110
Advanced persistent threat definition, 12
Adware, 15
AlienVault Labs, 21
Anonymous, 34
Application security testing, 81
Application whitelisting, 85-86
APT risk assessment, 55-56
APT risk identification, 49
APT risk mitigation, 57
Armed forces, 34-36
Asset management, 64
Attack vector, 20

B
Bendelladj, Hamza, 23
Black hole router, 82
Bogon, 82
Botnet, 17
Brand value, 53
Business case for countermeasures, 57

C
Carnegie Mellon University, 89
Characteristics of an APT attack, 38-43
COBIT, 60, 113-120
Command and control, 45
Command and control server, 40, 72, 81-82
Communications pattern matching, 81-83
Compliance, 22, 57, 60, 75, 78
Computer Emergency Response Team (CERT), 89-90
Computer Security Incident Response Team (CSIRT), see Computer Emergency Response Team
Containment of damage, 98
Contractual rights (manipulation of), 51
Coordinated risk assessment and response, 64, 73
Corporate reputation, 53, 58, 93
Credit card data and card verification values, 51
Criminal gangs, 32-33
Crisis exercises, 94
Crisis management, 48, 94-95, 97-98
Crisis team structure, 92-93
Cuckoo’s Egg, 19-20
Cyberwarfare, 34-36, 39, 43, 47

D
Damage assessment, 96-97
Database activity monitoring, 80
Data exfiltration, 46
Data fusion, 91-92
Data Sending Trojan, 16
Data visualization, 92
Deep packet inspection, 81
Denial-of-service attack, 17, 41, 94
Denial-of-service Trojan, 16
Digital certificate, 40, 82
Distributed denial-of-service attack, 33
Drive-by download, 17
Duqu, 25-26

E
Embassies, attacks on, 21
Espionage, 29-32
Eurograbber, 27

F
False positive, 91
File integrity monitoring, 83
Financial assets at risk, 51
Firewall, 65, 77-78, 81
Fish bone diagrams, 99
Flame, 26, 40
Forensic inspections, 85
FTP Trojan, 16

G
GhostNet, 21-22, 82
Google, 22
Gozi, 22-23

H
Hacker, 12, 28, 43
Hacktivist, see Activist
Hess, Markus, 20
Heuristic (experience based) approach, 77-78
Honeypot, 86
Human resources records at risk, 52
Hydraq, 22

I
Identifying assets at risk, 49-53
Incident identification, 96
Incident investigation, 99
Information exploitation, 46
Intellectual assets at risk, 53
Intelligence agencies, 29, 43, 50
Intelligence services, 13, 19, 30-32, 52
Internet Assigned Numbers Authority (IANA), 82
Internet worm, 89
Intrusion detection system (IDS), 77
Intrusion prevention system (IPS), 79
Ishikawa diagram, 99-100

K
Keylogger, 15, 77
Kill Chain, 67-68, 71, 73
Know-how at risk, 52

L
Learning from incidents, 99
Least privilege principle, 64
Lockheed Martin, 67-68

M
Man-in-the-browser Trojan, 16, 23
Man-in-the-mobile Trojan, 16
Manipulation of equity pricing information or timing, 51
Martian, 82
Master boot record, 23
Money laundering, 51
Moonlight Maze, 20
Moral hazard, 56
Morris worm, 89

N
Network activity indicating an APT attack, 72
Network segregation, 65

O
Operation Aurora, 22

P
PayPal, 34
Penetration test, 78
People’s Republic of China, 35
Persistence of APT attacks, 41-42
Physical assets at risk, 50-51
Polymorphism, 16
Post mortem report, 100
Proxy Trojan, 16-17

R
Ransomware, 15
Recovering from an incident, 98
Red October, 26-27
Remote Access Trojan, 17, 82
Risk heat map, 55-56, 58
Risk management cycle, 49
Risk register, 56
Root cause analysis, 99
Rootkit, 15
RSA attack, 24-25

S
Sandbox simulation, 80
SCADA, 33
SecurID, 24
Security configuration management, 83-84
Security Development Lifecycle, 86
Security information and event management (SIEM), 84
Security Software Disabler Trojan, 17
Security technology to mitigate APT attacks, 66-67
Self-replication, 15
Signature-based detection, 77
Single-sign-on (SSO), 78
Security operations center (SOC), 90-91
Social networks, 44, 53
Sophistication of APT attacks, 39-40
Spear phishing, 37, 45
SpyEye, 23-24
Spyware, 15
SSL digital certificates, 82
Stages of an APT attack, 43-46
Stateful firewall, 77-78
Strong authentication, 78
Stuxnet, 25, 38, 50
Suspicious behavior, examples of, 71-72
Sykipot, 21
Syrian Electronic Army, 51

T
Target discovery, 45-46
Target penetration, 45
Target research, 44-45
Target selection, 44
Tell-tale signs of an APT attack, 70-72
Terrorists, 33
Times justifying a heightened alert, 72-73
Titan Rain, 20-21
Trojan horse, 16-17
Trusted Computing, 84-85
Trusted platform module, 84

U
User education, 65-66

V
Virus, 16
Vulnerability management, 65
Vulnerability scanning, 79-80

W
Walled garden, 85
Worm, 16

Z
Zero-day exploit, 17
Zeus, 23
