A recent string of cyberattacks against large companies, government contractors, financial institutions, and even security providers themselves has highlighted a new type of heist: the advanced persistent threat, or APT.
This spring, these ambitious attacks have hit organizations that have valuable data and the resources to defend it well, including Google, Citigroup, and the International Monetary Fund. A recent APT-style attack on RSA, which provides security technology to some of the biggest banks, alarmed RSA’s high-profile clients and appears to have led to an intrusion at Lockheed Martin, an RSA customer.
Unlike recent website takeovers by brazen “hacktivists” or massive thefts of credit card data, APTs are elaborate and sustained con jobs that are difficult to detect. The term was coined by government organizations accustomed to fighting online espionage, says Tom Cross, manager of the IBM X-Force Advanced Research security team, but these kinds of attacks are now becoming common enough to be discussed in corporate boardrooms. In a March survey of 563 IT security specialists by nCircle, a security technology company, 16 percent of the respondents listed APTs as their biggest security concern in 2011. That made it the second-most-worried-about security issue; 26 percent of respondents said their top priority was complying with security-related regulations.
RSA did not respond to Technology Review’s requests for interviews, but Uri Rivner, the company’s head of consumer identity protection, described some details of the attack in a company blog. First, one employee, who had limited administrative access to internal files, fell for a phishing scam and opened a spreadsheet labeled “2011 Recruitment plan.xls.” Rivner said the file exploited a zero-day (previously unknown) security hole in Adobe Flash software. The hackers then installed a remote administration tool and breached multiple employees’ accounts before extracting information over FTP, or file transfer protocol. According to Rivner and Cross, the breach had many of the hallmarks of advanced persistent threats: repeated attempts to find a weak human link, a zero-day opening, sophisticated malware, and strategic methods to avoid detection while extracting data. APTs may lie dormant for months before finding a strategic moment to extract information.
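The last stage of the chain described above, data leaving the network over FTP, is the one a network monitor has the best chance of catching. The script below is an added illustration written for this page, not code from the article, from RSA or from NetWitness: it reads a constructed, simplified flow log (one line per connection: timestamp, source, destination, destination port, bytes sent), keeps only FTP connections from inside addresses to outside ones, and raises an alert when a source/destination pair has pushed out more than an assumed volume threshold, also counting how many of those connections fell outside assumed working hours. The address ranges, threshold, hours and sample lines are all assumptions made for the example.

```python
"""Flag possible FTP data exfiltration in a simple flow log.

Added example, not the article's or any vendor's code. The log format,
address plan, thresholds and sample records below are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

FTP_PORTS = {20, 21}  # FTP command and active-mode data ports
# Assumption: RFC 1918 space is "inside"; everything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BYTES_THRESHOLD = 50 * 1024 * 1024   # assumed: alert above 50 MiB per src/dst pair
BUSINESS_HOURS = range(7, 19)        # assumed: 07:00-18:59 UTC is working time

# Constructed sample log: "timestamp src dst dst_port bytes_out" per line.
# 10.1.4.22 talks FTP to an outside host at 02:xx and sends ~100 MB.
# 10.1.7.5 uses FTP to an internal server (normal); 10.1.9.14 uses HTTPS.
SAMPLE_FLOWS = """\
2011-03-01T02:13:07Z 10.1.4.22 203.0.113.9 21 1843
2011-03-01T02:13:09Z 10.1.4.22 203.0.113.9 20 61235744
2011-03-01T09:30:15Z 10.1.7.5 10.1.200.3 21 2210
2011-03-01T09:30:16Z 10.1.7.5 10.1.200.3 20 7340032
2011-03-01T10:02:41Z 10.1.9.14 198.51.100.77 443 50123
2011-03-01T02:40:50Z 10.1.4.22 203.0.113.9 20 44040192
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dst_port: int
    bytes_out: int


@dataclass
class Alert:
    src: str
    dst: str
    bytes_out: int      # total bytes the inside host sent to the outside host over FTP
    connections: int    # number of FTP connections between the pair
    off_hours: int      # how many of those started outside BUSINESS_HOURS


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed whitespace-separated flow format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                          src, dst, int(port), int(nbytes)))
    return flows


def find_ftp_exfil(flows: list[Flow], threshold: int = BYTES_THRESHOLD) -> list[Alert]:
    """Return alerts for inside->outside FTP pairs whose sent volume exceeds threshold."""
    totals = defaultdict(lambda: [0, 0, 0])  # (src, dst) -> [bytes, conns, off_hours]
    for f in flows:
        if f.dst_port not in FTP_PORTS:
            continue
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only traffic leaving the organization is interesting here
        t = totals[(f.src, f.dst)]
        t[0] += f.bytes_out
        t[1] += 1
        t[2] += int(f.ts.hour not in BUSINESS_HOURS)
    alerts = [Alert(src, dst, b, c, o)
              for (src, dst), (b, c, o) in totals.items() if b >= threshold]
    return sorted(alerts, key=lambda a: -a.bytes_out)


if __name__ == "__main__":
    for a in find_ftp_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {a.src} -> {a.dst}: {a.bytes_out} bytes over "
              f"{a.connections} FTP connections, {a.off_hours} off-hours")
```

Run against the sample, only the 10.1.4.22 to 203.0.113.9 pair is reported; the internal FTP transfer and the HTTPS session are ignored. The caveat a practitioner would add: FTP happened to be the channel in this case, and an attacker who tunnels the same data over HTTPS or DNS defeats a port-based rule, so volume and time-of-day per host are the signals worth keeping even when the protocol changes.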
“The first thing that these people do is collect info about their target,” Cross says. “We put a lot of information about ourselves— both our personal and work life—on the Internet, so it’s easy to do research and develop a profile of an organization.”
That’s one reason why many security experts urge companies to assume they are going to be targeted. “That’s the reality,” says Catherine Lotrionte, executive director at the Institute for Law, Science and Global Security at Georgetown University. As a result, she advises companies: “Make sure you have the best intrusion detection in place.”
When RSA was attacked, it was using the services of a company called NetWitness to detect unusual activity across its networks. NetWitness was in fact “instrumental” in detecting the intrusion, says Eddie Schwartz, who was that company’s chief security officer and has held the same title at RSA since it recently acquired NetWitness. Schwartz declined to reveal details of how the company detected the intrusion. However, he says that overall, the idea of securing networks by trying to “build a gigantic wall that nobody can climb over” is outdated. Training all employees to better detect phishing won’t significantly help, he says, essentially because there will always be someone who will fall for a scam.
IBM’s Cross disagrees; he thinks more companies should try training employees to be more alert for phishing or other signs of cyberattacks. “The goal is not to stop everything; the goal is to detect something,” he says. “If you educate these people and show them that there is a real threat, they become your front line.”