In-Depth

Will Advanced Persistent Threats Grow in 2012?

What predictions can we draw from the threats IT battled in 2011 about what’s ahead in 2012?

By Chris Harget, Senior Solutions Marketing Manager, ActivIdentity

Did advanced persistent threats (APTs) peak in 2011, or is the worst still to come? Many IT professionals are making 2012 plans and would like to know what to expect. Let’s look at the facts and see what implications we can draw for IT departments.

In the first six months of 2011, the top six data breaches alone resulted in approximately 220 million stolen “records.” APT were specifically identified in high-profile hacks such as RSA’s loss of approximately 40 million one-time password (OTP) token seed files, necessitating token replacement for enterprise users. Sony estimates their first breach of 2011 involved 100 million records and cost them more than $170 million. Breaches at Epsilon, HBGary, and Diginotar were also large and costly.

Some hacks were politically motivated (e.g., Anonymous and Lulzsec), some were financially motivated, and others we probably never heard about were government sponsored, although their targets may have been private companies. The attempted hack of Lockheed Martin using compromised OTP token information was likely such an attack.

All told, 2011 was an epic year for data breaches. Could 2012 possibly be worse?

Yes. Here’s why.

These large-scale breaches are proving the model for APTs. Foreign agents, organized criminals, and corrupt business competitors are getting better at using APT attack doctrine to get what they want. High-profile events such as the Summer Olympics will create inviting targets for the political-minded hackers. The financial stakes of online activity continue to grow, so the hacking opportunities for illicit profit grow as well.

State-sponsored hacking, depending on whom you believe, is either a serious problem or an insanely mind-bogglingly serious problem. Some experts suggest that The People’s Army of China’s hacking division has begun methodically hacking competitors of Chinese-state-owned companies to gain financial advantage. Economic power and military power are two sides of the same coin it seems. McAfee announced research this year that seemed to confirm state-sponsored hacking was widespread, on the rise, and consistent with some of the more dire estimates of the scope and scale of state-sponsored hacking.

What has been the response from IT departments? Understandable confusion. APTs are amorphous, changing form to suit the target, which is part of why APTs are so effective. It’s important to note that APTs are not a single kind of attack but rather a complete attack doctrine. APTs do have tendencies, however.

Typically, APTs begin with selecting and researching a specific target of interest. They may search for the names of key IT employees on public social networking sites such as LinkedIn or Facebook. They may discover some of the IT systems and tools used within the target organization by analyzing career opportunity descriptions and required system knowledge. APTs often include social engineering, calling into the main number and asking questions about key people and technology to better case the target. Once they have profiled the IT defenses, their most common first objective is to steel or crack the credentials of a legitimate user.

There are many ways APTs can attempt to compromise a legitimate user’s credentials. They may devise custom malware to help them take over a legitimate user’s account. One prominent breach in 2011 involved sending an infected PDF (2012 Recruitment Plans) to a small list of key employees. The infection contained an unknown key logger that allowed hackers to steal credentials.

Alternatively, credentials can be stolen with spear phishing attacks, dictionary brute force attacks, or rainbow tables, exploiting sloppy password reuse from compromised social media and gaming sites, sniffing wireless signals in a coffee shop near the target’s office building, or simply looking over a laptop user’s shoulder. However the credentials are compromised, the second stage of the APT is to use those credentials to probe the network and escalate account privileges until they obtain the data they want.

In reality, the problem is not that there will always be another zero-day key logger, cracking algorithm, or untrustworthy insider. The problem is that the passwords can be stolen in the first place. Static passwords are simply not effective for VPN or Windows login.

Perhaps the most practical way to inhibit APT is to employ multi-layered strong authentication to limit exposure in the first stage, and absolutely inhibit the second stage of APT attacks. The strength of the credential is crucial to the overall defense of the network from the repeated efforts of an APT. What’s more, multi-layered strong authentication has the potential to protect against many future attack vectors as well, so the security benefit would more likely be a lasting security benefit.

What does multi-layered strong authentication look like? It can take a variety of shapes: either different two-factor authentication devices for different network layers (perimeter, desktop, cloud applications, or servers) or a single smart card covering all of those layers. The benefit of a smart card is that it can be easier to manage than multiple devices and can be a badge used for secure facilities access. Historically, smart cards were complex to deploy and manage, but that has recently changed. New credential management appliances can be deployed in just a few steps without professional services and easily allow day-one smart card issuance. Smart card credential management system appliances include preconfigured best-practice policies and make military-strength smart card credentials accessible to organizations of almost all sizes.

Whether APTs are a distant worry or a very immediate concern, IT departments would do well to begin taking steps to reduce vulnerability. Trends suggest APTs will get worse in 2012 because of the paradigm shift they create for IT security practices and the many publicized (and likely secret) successes to date.

Chris Harget is the senior solutions marketing manager at ActivIdentity, a business of HID Global. Harget has been a senior software and hardware marketing executive at leading Silicon Valley security companies for more than 15 years. He has trained thousands of technology professionals while working at McAfee, Remedy, WebEx, Blue Coat Systems, Citrix, Aruba Networks, and ActivIdentity. He has written extensively on network, PC and mobile security trends, while investigating best practices and emerging threats. He holds a masters degree and is a native of Cupertino, Calif. You can contact the author at charget@actividentity.com

Must Read Articles