Wall Street Journal – By Mark G. Graff
On Tuesday, Feb. 19, my inbox was flooded with people forwarding me a milestone report: Mandiant Corp.’s APT1: Exposing One of China’s Cyber Espionage Units. The media attention surrounding the report on a hacker unit’s suspected ties to the Chinese People’s Liberation Army – together with recent high-profile hacks – has brought attention to an extremely important topic that I have been researching and defending against for just about 10 years now. The topic, of course, is Advanced Persistent Threats (APTs).
Several nation-states today conduct industrial espionage on a large scale, with sophisticated tools, against leading companies around the world. We are way beyond teenage thrill seekers and petty web site defacement these days, aren’t we? So let me pose a general question for my fellow chief information security officers (CISOs): “What can your company do to help defend against Advanced Persistent Threats (APTs) – and other similar nation-state activities?”
The first step is to determine if your company is likely to be a target for infiltration from a foreign state. Two concepts are key here, cyber espionage and cyber war. Cyber espionage focuses on exfiltrating intellectual property. Countries attacking companies under the motivation of “cyber war”, on the other hand, are primarily looking to build the hypothetical capability to disrupt a nation’s economy or critical infrastructure. Ask, therefore, “Is our company part of the critical infrastructure, and/or do we have intellectual property of significant economic or strategic value to a nation-state actor?” If the answer is no, your company is unlikely to be targeted by a major state.
Another leading indicator is an increase in spear-phishing and social engineering attacks against your company. Targeted emails, often personalized by attackers who research their victims on social media, are being used more and more often. The recent hack of the New York Times is believed to have originated from a spear-phishing email. It is a favorite method of entry. If your phishing numbers are way up – especially for strategic personnel, such as C-level execs – that is a signal for action.
Here’s the gist of what I’ve learned in 10 years of APT defense, in 3 easy steps.
1. Filter what comes into your network. To have any reasonable chance, you have to be filtering and analyzing what comes into a network. There are many detection mechanisms, designed to work at various layers, from firewalls to host intrusion detection systems (HIDS) on your servers to endpoint protection. Sure, this is basic blocking and tackling – but note that if you are not employing one of the newer products that feed mail attachments and similar flotsam into a virtual machine for malware detection, you are missing a bet.
2. Control what goes out of your network. The next important step in detecting APT is to monitor what leaves the network. This is what I call “Egress Control”. Done strictly, it is difficult, and you are going to need support from the top to do it. The idea is to narrowly monitor and constrain points of egress – all of them – and then look for anomalous connections and attempts by automated malware to “phone home”. Your goal is to ensure that when something leaves your network, it is the result of an act of human volition by an authorized user. For example, if you see a process attempting a web connection to a server in a country you do not do any business with, that geo-located connection would be suspicious, and could signal an APT. This exercise of controlling egress from your network complements your data loss prevention (DLP) methods, too, of course.
3. Analyze what remains on your network. If the network has been compromised by an APT, detritus will likely remain. One way to detect it is by looking for anomalous entries inside the Windows Registry, or for filenames containing special characters (or file attributes set) that keep them from appearing in a normal directory listing. Note also that attackers will often target neglected back alleys of networks – derelict systems that are forgotten and unmonitored – as places to store contraband or operate spying software. Check such locations frequently for misuse. Even better, search for unneeded systems routinely and shut them down aggressively.
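As an added illustration of steps 2 and 3 (this is not code from the column, nor from any product or company it names), here is a small Python scanner that runs the two checks the text describes over constructed data: egress records are flagged when the destination country is outside the company's business footprint or when one host contacts one destination at a near-constant interval (the automated “phone home” pattern), and filenames are flagged when they carry characters that hide them in a directory listing. The log format, the host names, the placeholder country code “ZZ”, the allowed-country list and the jitter tolerance are all assumptions made for this example; Registry inspection is not shown.

```python
import re
import unicodedata
from collections import defaultdict
from datetime import datetime

# Constructed sample egress records (not real traffic): timestamp, source host,
# destination, ISO country code of the destination. "ZZ" is a placeholder code.
SAMPLE_EGRESS_LOG = """\
2013-02-19T09:00:00 ws-17 www.example-partner.com US
2013-02-19T09:00:30 ws-17 mail.example.com US
2013-02-19T09:05:00 ws-42 203.0.113.10 ZZ
2013-02-19T09:10:00 ws-42 203.0.113.10 ZZ
2013-02-19T09:15:00 ws-42 203.0.113.10 ZZ
2013-02-19T09:20:00 ws-42 203.0.113.10 ZZ
2013-02-19T09:33:12 ws-05 cdn.example.net GB
"""

# Assumed: the countries this hypothetical company actually does business with.
ALLOWED_COUNTRIES = {"US", "GB"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]{2})$")

# Unicode bidirectional controls (e.g. U+202E) reorder how a name is displayed.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def parse_egress_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, cc = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "country": cc})
    return events


def find_offlist_destinations(events, allowed=ALLOWED_COUNTRIES):
    """Egress to a country the company has no business with deserves a look."""
    return [e for e in events if e["country"] not in allowed]


def find_beacons(events, min_hits=4, jitter_s=5):
    """Flag (src, dst) pairs contacted at a near-constant interval: automated
    malware beacons on a timer; a person browsing does not."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["time"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            beacons.append({"src": src, "dst": dst, "hits": len(times),
                            "interval_s": round(sum(gaps) / len(gaps))})
    return beacons


def suspicious_filename(name):
    """Return the reasons a filename looks built to hide or mislead in a listing."""
    if name in (".", ".."):
        return []  # ordinary directory entries
    reasons = []
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot")  # easy to miss in a listing
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        reasons.append("control character")
    if BIDI_CONTROLS & set(name):
        reasons.append("bidi override")  # can disguise the real extension
    if any(unicodedata.category(ch) == "Cf" and ch not in BIDI_CONTROLS
           for ch in name):
        reasons.append("zero-width or format character")
    return reasons


def scan_filenames(names):
    """Map each flagged name to its reasons; clean names are left out."""
    return {n: suspicious_filename(n) for n in names if suspicious_filename(n)}


if __name__ == "__main__":
    events = parse_egress_log(SAMPLE_EGRESS_LOG)
    for e in find_offlist_destinations(events):
        print("off-list country:", e["src"], "->", e["dst"], e["country"])
    for b in find_beacons(events):
        print("possible beacon:", b)
    # Constructed filenames, one clean and three crafted to hide or mislead.
    print(scan_filenames(["report.pdf", "notes.txt ", "invoice\u202efdp.exe",
                          "up\u200bdate.dll"]))
```

The country check and the beacon check catch different things: the first is a policy test that needs an accurate picture of where the business legitimately talks, while the second is behavioural and works even when the destination sits in an allowed country. Real deployments would also tolerate sleep jitter and look at bytes out, not just connection counts.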
Remember also that APT attackers live to move laterally, often compromising the Active Directory tree for this purpose. Such a dire circumstance can be hard to detect. Several companies can provide experts.
There are also companies that can help you mount a thorough search for APT compromise. Two well-known ones are Microsoft Corp. and Mandiant; but there are several good choices available to you, at a variety of budgets.
Your last defense against APT is employee education. Training about identifying spear-phishing emails is especially important. What do you think is the “click-through” rate at your company – that is, what percentage of your folks will click on a “spear-phishing” email? I like to see that number, as a rule of thumb, under 10%. Consider driving that number down with your own educational spear-phishing campaign, or engaging one of the many established companies (example: PhishMe) that will manage that process for you.
You probably cannot erase your company’s name from a foreign intelligence service’s target list. If they attack you with a determined force, furthermore, you may not be able to keep them out indefinitely. (You couldn’t evade a cruise missile aimed at headquarters, either.) Still, proactive changes like the ones I suggest here – coupled with employee awareness of today’s new threats – will help harden your defenses and increase your chances of detecting or deflecting an APT-style attack.
Mark G. Graff is the Chief Information Security Officer at NASDAQ OMX and former cyber security strategist at Lawrence Livermore National Laboratory.