Leonardo da Vinci and the ‘Real APTs’

by Geoff Webb of Credant Technologies

Leonardo da Vinci once said, “Even the richest soil, if left uncultivated, will produce the rankest weeds.”

It’s a sentiment with which gardeners everywhere can empathize. If there’s one thing you can be certain of, when it comes to weeds, it is that they thrive on a lack of attention. Much like computer crime.

Although many of the details are still not known, it looks as though the recent disclosures of a (very) long lasting breach at Nortel could be a prime example of the risks of not dealing swiftly with a breach.

Back in 2004, it seems administrators noticed some very odd activity associated with certain senior employees’ accounts, specifically downloading sensitive documents. When they investigated, it became apparent that a breach had occurred, and they took steps to shut it down. However, those steps didn’t go far enough.
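The kind of check that surfaces activity like the one described above, written here as an added example rather than anything from the original column or from Nortel's actual systems: it builds each account's own daily baseline of sensitive-document downloads from a constructed audit log, flags an account whose latest day deviates sharply from that baseline, and records how much of the flagged activity fell outside business hours. The log format, the sensitivity labels, the business-hours window and the thresholds are all assumptions.

```python
"""Per-account baseline for sensitive-document downloads, with a spike detector.

Constructed sample data only (assumption): whitespace-separated audit lines of
ISO timestamp, account, action, document sensitivity label.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit log: exec.brian downloads one or two confidential documents a day,
# then pulls six in the small hours; eng.alice is steady at two per day.
SAMPLE_LOG = """\
2004-03-01T09:12:00 exec.brian download CONFIDENTIAL
2004-03-01T11:40:00 exec.brian download PUBLIC
2004-03-01T15:02:00 exec.brian download CONFIDENTIAL
2004-03-02T10:05:00 exec.brian download CONFIDENTIAL
2004-03-03T14:30:00 exec.brian download CONFIDENTIAL
2004-03-04T09:00:00 exec.brian download CONFIDENTIAL
2004-03-05T02:13:00 exec.brian download CONFIDENTIAL
2004-03-05T02:14:00 exec.brian download CONFIDENTIAL
2004-03-05T02:16:00 exec.brian download CONFIDENTIAL
2004-03-05T02:19:00 exec.brian download CONFIDENTIAL
2004-03-05T02:22:00 exec.brian download CONFIDENTIAL
2004-03-05T02:25:00 exec.brian download CONFIDENTIAL
2004-03-01T10:00:00 eng.alice download CONFIDENTIAL
2004-03-01T16:00:00 eng.alice download CONFIDENTIAL
2004-03-02T10:00:00 eng.alice download CONFIDENTIAL
2004-03-02T16:00:00 eng.alice download CONFIDENTIAL
2004-03-03T10:00:00 eng.alice download CONFIDENTIAL
2004-03-03T16:00:00 eng.alice download CONFIDENTIAL
2004-03-04T10:00:00 eng.alice download CONFIDENTIAL
2004-03-04T16:00:00 eng.alice download CONFIDENTIAL
2004-03-05T10:00:00 eng.alice download CONFIDENTIAL
2004-03-05T16:00:00 eng.alice download CONFIDENTIAL
"""

SENSITIVE = {"CONFIDENTIAL", "SECRET"}   # labels that count as sensitive (assumption)
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 local time (assumption)
STDEV_FLOOR = 1.0                        # stops a zero-variance baseline flagging +1 events
Z_THRESHOLD = 3.0                        # standard deviations above baseline to alert
MIN_HISTORY_DAYS = 2                     # days of history needed before judging a new day


def parse_log(text):
    """Turn the raw audit text into (datetime, account, action, label) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, label = line.split()
        events.append((datetime.fromisoformat(ts), account, action, label))
    return events


def daily_sensitive_downloads(events):
    """Count sensitive downloads per account per day, and how many were off-hours."""
    per_day = defaultdict(lambda: defaultdict(int))
    off_hours = defaultdict(lambda: defaultdict(int))
    for ts, account, action, label in events:
        if action != "download" or label not in SENSITIVE:
            continue
        per_day[account][ts.date()] += 1
        if ts.hour not in BUSINESS_HOURS:
            off_hours[account][ts.date()] += 1
    return per_day, off_hours


def find_anomalies(text):
    """Return {account: finding} for accounts whose latest day spikes above their own history."""
    per_day, off_hours = daily_sensitive_downloads(parse_log(text))
    findings = {}
    for account, days in per_day.items():
        ordered = sorted(days)
        if len(ordered) <= MIN_HISTORY_DAYS:
            continue  # not enough history to form a baseline
        latest = ordered[-1]
        history = [days[d] for d in ordered[:-1]]
        baseline_mean = mean(history)
        spread = max(pstdev(history), STDEV_FLOOR)
        z = (days[latest] - baseline_mean) / spread
        if z >= Z_THRESHOLD:
            findings[account] = {
                "day": latest.isoformat(),
                "latest_count": days[latest],
                "baseline_mean": baseline_mean,
                "z_score": z,
                "off_hours_share": off_hours[account][latest] / days[latest],
            }
    return findings


if __name__ == "__main__":
    for account, finding in find_anomalies(SAMPLE_LOG).items():
        print(account, finding)
```

A baseline built from the account's own history is what lets a senior employee's normal volume of confidential reads pass while a sudden burst stands out; the off-hours share is kept as supporting context rather than a trigger, since a single low-and-slow download a night would not move the z-score at all.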

Nortel’s downfall aided by APTs?

Anyone who’s ever dealt with weeds will tell you that you can’t just pull up the stems; you need to get to the roots. And in the case of the Nortel attackers, the roots were still very much intact. During the initial breach the hackers placed spyware on Nortel’s systems that allowed them to continue stealing information for a long, long time. Years, in fact.

The extent to which Nortel management knew they still had a problem is not clear. What is clear is that once a breach has been discovered the investigation has to be sufficiently thorough to eradicate all traces of the attack.

Much like a weed infestation, the problem doesn’t go away if the response isn’t complete enough; it simply goes underground until the time is ripe for it to resurface. Indeed, all that happens is that while some steps get taken to clear up the symptoms of the breach, the attackers in many ways gain time to consolidate their foothold and look for new opportunities. Worse, they may now know their initial attack has been detected and will purposefully “lay low” for a while to throw off investigators.

And here is the real difference between the average run-of-the-mill cyber criminal, bent on stealing credit cards or whatever other valuables can be snatched off a poorly protected server, and the highly professional and possibly state-backed actor targeting valuable intellectual property. For while most organizations rightly spend time defending against the drive-by attackers looking for a quick buck, there are obviously certain industries, especially R&D heavy ones, that must also face the very real threat of focused, technically capable, and above all patient attackers — attackers who don’t think in terms of weeks or months, but years, if necessary. The real, advanced persistent threats (APTs), in fact.

Such attackers require a different level of diligence and real investment to fight off. Organizations must also recognize that building defenses in layers is the only hope of catching them. Such defenses must start not from the perimeter and work in, but from the sensitive data itself and work outward, especially in a world of highly mobile information on increasingly distributed networks of devices.

Defending against attackers such as these is never going to be easy or cheap, but unless we are comfortable with the prospect of widespread IP leakage, and the long-term competitive disadvantage that goes with it, a commitment must be made both on the commercial and federal level to build those defenses. The type of attackers who so thoroughly breached Nortel aren’t going away. Indeed, they have improved significantly since 2004. It’s a long-term fight, and it’s one that we really can’t afford to simply draw a line under and claim, as Nortel did back in 2004, that the problem has been addressed.

Otherwise, as Robert M. Pyle said, “Make no mistake: the weeds will win; nature bats last.”

Geoff Webb has over 20 years of experience in the tech industry and is a senior member of the product marketing team at Credant Technologies. Geoff provides commentary on security and compliance trends for such journals and websites as: eSecurityPlanet, CIO Update, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, and many others. Prior to Credant, Geoff held management positions at NetIQ, FutureSoft, SurfControl and JSB. Geoff holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.