Sunday, January 31, 2010

Who are the APT targets?

I've been publicly quiet on the whole APT discussions as of late, with good reason. There are lots of blogs out there which share (and do not share) my opinion, so there is no need for me to chime into the myriad of voices out there.

However, an anonymous comment on one of the recent taosecurity posts brought up a point that I have not seen anyone else talk about. The comment stated:

Reading the Mandiant Report, we see:

1.) Government
2.) Defense Contractors
3.) Fortune XXX acquiring a Chinese company
4.) A Law Firm involved in a Chinese civil litigation case
5.) A non-profit trying to spread "democracy and free enterprise in China" (maybe they could also do that in the USA).

Look, it doesn't take Arthur Conan Doyle to piece together the storyline here. This clearly isn't "everyone's problem". It's a problem for those that are seen as an enemy of certain nation-states.

The part I'd like to focus on is the last statement. The APT problem is not only the problem of those seen as the enemy of certain nation-states. It is the problem of everyone.

If you read Mandiant's excellent report, you will see specific examples (mentioned in the comment above) which are documented APT targets. Yes, these are what you think of as nation-state attack targets.

However, I have personally seen the APT attack and compromise systems in networks which have no ties to that nation-state and which you would not consider enemies of that nation-state (or of any other, for that matter). In these cases, the organizations were small- to medium-sized companies whose systems were compromised in order to be used as command and control systems for the APT's backdoors.

Of course, there are those that will say that this is the same technique that all attackers use - compromise less secure systems and use them as a go-between to attack other systems. And I will 100% agree with them on that! But that reinforces my point as well! No one is safe from attack by the APT, and therefore there is no reason why organizations should not take every reasonable precaution against these (or any) attackers and learn as much as they can.

Yes, there will be those companies that use the term APT as a marketing tool. Yes, there will be those who say this is a limited threat to some organizations (and to some extent I agree with that). But in the end, it is a real threat that exists and any organization that does not perform the due diligence to at least learn about the potential threat will be at a disadvantage when they do get attacked; maybe not by the APT but by the next threat.

3 comments:

freedomfiles said...

"Look, it doesn't take Arthur Conan Doyle to piece together the storyline here. This clearly isn't "everyone's problem". It's a problem for those that are seen as an enemy of certain nation-states."

Very much true. Don't forget economic interests are also seen as national security interests, and those who threaten national security are considered enemies.

Reasoning this way, you can see oil companies as "enemies" of nation states, to offer an example.

However, Mandiant shouldn't overlook the fact that APTs are not by definition state-sponsored attacks, and that APTs can also be purely criminal in nature, without politics being involved.

freedomfiles said...

"In these cases, the organizations were small-medium sized companies whose systems were compromised in order to be used as command and control systems for the APT's backdoors."

Those companies are not targets from an APT point of view, although the systems were used in the attacks.

After all, APT targets will remain the focus of the attack, regardless whether they mitigate against the threat, because the attacks are persistent.

When finding a target for C&C however, they will just take a (SMB) system which is poorly secured. If they don't manage to get into a system, they move to another target, making the threat, for the SMB, non-persistent?

Security Shoggoth said...

freedomfiles:

"Those companies are not targets from an APT point of view, although the systems were used in the attacks."

You are absolutely correct. I should have said victims, not targets.