RSA: Google Exec Says 'A-Team' Required To Fight Security Threats
Advanced Persistent Threat (APT) is the latest buzz-phrase from a security industry that cranks them out like clockwork. In a panel discussion Thursday at the RSA 2011 security conference, security experts acknowledged the dangers posed by APTs and said the industry is ill-equipped to deal with them.
APTs are generally focused on specific companies or individuals and target specific information, as opposed to being motivated by financial gain. APTs employ multiple tactics, including social engineering, spear phishing, Windows exploits, Active Directory compromises, and use of remote administration tools.
Heather Adkins, an information security manager at Google, says companies will have to enlist the aid of their top security talent and experience to react to APTs. "We need an 'A-Team' to respond to these threats," she said during the panel. "It's not an easy task, but you should start evaluating what talent you have inside and what you need to do to build such a team, because your adversary has one."
Google has firsthand knowledge of the impact APTs can have on a company. In last year's Operation Aurora attacks, Google -- along with Intel, Adobe and more than 30 other corporations -- had its network compromised by hackers in China that were able to access and abscond with source code and other confidential data.
Perhaps for this reason, Adkins isn't bullish on the long term outlook for dealing with the coming scourge of APTs. "Our conclusion is that it does seem to be futile, at least with the tools we have today," said Adkins."I don't think we are prepared today and I think we have a long way to go."
One of the big problems with APTs is the ease with which miscreants can carry out attacks. "The ROI for these attackers is so high, I don’t see them ever stopping," said Adam Meyers, director of cyber security intelligence at SRA International. "The level of investment to get a successful attack in is minimal, and there is minimal risk for the attackers."
Another APT example is the ongoing attacks on global oil, energy, and petrochemical companies that began in November 2009 -- which McAfee has dubbed "Night Dragon" -- that also appears to have its origins in China.
George Kurtz, worldwide CTO and executive vice president at McAfee, said Night Dragon is notable because despite being relatively unsophisticated from a technical standpoint, it has proven very effective for the masterminds behind it. "Until the cost of the intrusion goes up for the attackers, we're not going to see this solved," he said.
Kurtz likened the attackers behind APTs to penetration testers operating without rules of engagement, free to breach networks, move laterally and "exfiltrate" data once they're inside. "It's very scary to have a permanent pen test with no rules," he said.
Next: APTs and the Cyber War Potential
The U.S. Department Of Defense and other government agencies are getting better visibility into APTs, as they've been targeted the most. But certain industries are more vulnerable to APTs than others, according to Kevin Mandia, CEO of Mandiant, an Alexandria, Va.-based security research firm.
Mandia said law firms and health-care organizations are least prepared to deal with APTs and provide a soft target for attackers looking for confidential data.
In the case of China based APTs, while the theft of confidential data is troubling, a greater threat would be if APTs were used in a formalized way to sabotage U.S. government interests. Ongoing tension between the U.S. and China makes this a genuine possibility, but Mandia said he hasn’t yet seen this materialize.
"I have never seen the threat actors [behind APTs] be destructive," said Mandia. "They're not changing things yet and no one has thrown any pie in anyone's face over the China versus U.S. thing. Right now everyone's very comfortable with hacking the heck out of us and stealing our trade secrets."
In the short term, education, diligent patching and measures such as two-factor authentication, which Google recently added to its consumer Gmail product, can help mitigate the dangers of APTs, according to the panelists. But Google's Adkins says the long-term outlook will require a great deal of industry introspection and a radical new approach to the issue.
"We have to seriously evaluate whether the platforms we have in place today are defendable. By that I mean, can we actually defend them in an attack like this," Adkins said. "In the next five to ten years we're going to need to evaluate whether to start over on the platform."