Advanced Persistent Threats (APT) are the current bane of information-security professionals. Researchers at McAfee Security, an Intel company, believe they know why. Advanced Evasion Techniques, or AETs, have the ability to cloak communications between the attacker and the APT malware inside the victim's perimeter.
McAfee researchers also believe the advantage the APT/AET combination enjoys is amplified for one or both of the following reasons: those responsible for network security either do not realize AETs exist, or do not understand them. To find out what's what, McAfee commissioned Vanson Bourne to survey security professionals around the world, asking the sec pros what they knew about AETs. The survey's top findings:
- One in five admitted their network was breached (second source), and nearly 40% of those breached believed AETs played a key role.
- Nearly 40% of IT decision makers did not believe they had methods to detect and track AETs within their organization.
- More than 60% said the biggest challenge when trying to implement technology against AETs is convincing the board they are a real and serious threat.
Based on the above results, McAfee researchers believe most respondents misunderstand AET technology, and because of that have ineffective security measures in place.
The McAfee report publishing Vanson Bourne's survey results, "The Security Industry's Dirty Little Secret," offered another interesting conclusion. The report said, "Because of the debate about the very existence of AETs, hackers continue to use these techniques successfully to exfiltrate information. The longer the industry continues to debate the existence of AETs, the longer businesses will be vulnerable to them."
What is an APT, AET, and what are the differences?
For this discussion, let's define APT and AET. The following APT definition is from the National Institute of Standards and Technology (NIST):
"An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future."
NIST's definition emphasizes an APT's ability to:
- Pursue its objectives repeatedly over an extended period of time
- Adapt to defenders' efforts to resist it
- Maintain the level of interaction needed to complete its objectives
As for AETs, McAfee does not consider them to be attacks per se. The report said, "The bits of code in an AET are not necessarily malicious, they are used to disguise an attack. The danger lies in that AETs provide the attacker with undetectable access to the network."
The report also described how AETs achieve their stealth through fragmentation and obfuscation. The McAfee slide accompanying the report (not reproduced here) shows how the two techniques combine to cloak command-and-control traffic between the attackers and the malware: the traffic is broken into small pieces that individually pass inspection, and once safely ensconced inside the perimeter, the smaller pieces reassemble and the attack proceeds. The APT/AET attacks targeting South Korean organizations last July are a good example of this approach. As mentioned in a previous TechRepublic article, McAfee offers a free tool that tests for AET persistence.
For perspective on what all this means, McAfee interviewed John Masserini, vice president and chief security officer for MIAX Options. In that interview, Masserini said, "We are no longer dealing with a random drive-by scanner that is just looking for obvious entryways into your network. In today's interconnected world, we are dealing with adversaries who spend weeks or months studying your public-facing network footprint, looking for that one small sliver of light which will allow them to gain a foothold into your networks."
What is the solution?
As for a solution, that's a bit nebulous. If the attack process cannot be clearly defined, or there are those who do not acknowledge that AETs exist, it is hard to build an effective solution. What does not work, according to McAfee and others, are traditional firewalls. McAfee suggested that any solution used to combat AETs include the following:
- Detailed, real-time inspection
- High availability
- Correlation capabilities and network visibility
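As an added illustration (not McAfee's tool or anything from the report), the constructed Python example below shows why "detailed, real-time inspection" has to reassemble a stream before matching: a command-and-control signature split across out-of-order TCP segments is invisible to per-segment inspection but visible once the segments are put back together. The signature string, the 4-byte segment size and the first-wins overlap policy are assumptions made for the demonstration.

```python
"""Toy stream-reassembling inspector (constructed example).

Shows that matching a signature per segment misses a pattern fragmented
across segments, while reassembling the stream first catches it.
"""
from typing import Iterable, List, Tuple

# Hypothetical beacon string a detector wants to flag (assumption).
SIGNATURE = b"GET /beacon?id="


def naive_match(segments: Iterable[bytes], signature: bytes = SIGNATURE) -> bool:
    """Inspect each segment in isolation, as a stateless packet filter does."""
    return any(signature in seg for seg in segments)


def reassemble(segments: Iterable[Tuple[int, bytes]]) -> bytes:
    """Order (offset, data) segments by stream offset and rebuild the payload.

    Overlapping bytes are resolved first-wins here; real TCP stacks differ in
    this, so a production inspector must mirror the target host's policy.
    A gap means the stream is incomplete and cannot be judged yet.
    """
    buf = bytearray()
    for off, data in sorted(segments):
        if off < len(buf):                 # overlap: keep bytes already seen
            data = data[len(buf) - off:]
            off = len(buf)
        if off > len(buf):
            raise ValueError(f"gap at offset {len(buf)}; stream incomplete")
        buf.extend(data)
    return bytes(buf)


def stream_match(segments: Iterable[Tuple[int, bytes]],
                 signature: bytes = SIGNATURE) -> bool:
    """Inspect the reassembled stream instead of individual segments."""
    return signature in reassemble(segments)


def fragment(payload: bytes, size: int) -> List[Tuple[int, bytes]]:
    """Split a payload into (offset, chunk) segments of `size` bytes."""
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]


# Constructed sample: one C2 request cut into 4-byte segments and delivered
# in reverse order, so no single segment contains the whole signature.
SAMPLE = b"GET /beacon?id=1234 HTTP/1.1\r\n"
SEGMENTS = fragment(SAMPLE, 4)[::-1]

if __name__ == "__main__":
    print("per-segment match:", naive_match(d for _, d in SEGMENTS))  # False
    print("reassembled match:", stream_match(SEGMENTS))              # True
```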
Lane Cooper, editorial director at Biz Tech Reports, said, "AETs are the next step in the dynamic and accelerating arms race between malware producers and the enterprise-security community." It seems like a good time to stop debating whether AETs exist or not.