Profiling Advanced Persistent Threat (APT)
Advanced Persistent Threat, or APT, is a buzzword for a class of targeted attacks usually aimed at stealing sensitive data. The attacks might be described as advanced because of their multi-step phases and as persistent because of their specific targets. A conventional attacker looks for passwords, identity information, credit card numbers and so on wherever they are easiest to find, while an APT focuses on particular information from a specific target.

A few examples of notable APTs:
- "Operation Aurora" resulted in IP theft from Adobe Systems, Juniper Networks, Rackspace, Yahoo, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical and Google, which discovered the attack
- A leak of sensitive information related to the SecurID two-factor authentication products of RSA, The Security Division of EMC. The leaked information was used by attackers to penetrate L-3 Communications, Lockheed Martin, Northrop Grumman and a number of other companies
- Verisign has admitted being attacked and losing sensitive data
- "Operation Shady RAT" victimized over 70 organizations.
Some experts say that nearly all Fortune 2000 firms have been compromised.
So why do million-dollar budgets spent on equipment, experts, policies and compliance not work? Why can access control, encryption, firewalls, IPS, anti-malware and so on not detect and contain APT threats?
The answer is complexity. IT infrastructure grows and slips out of the control of regular policies. Besides, the conventional approach to APT relies largely on securing the network rather than on protecting the sensitive data itself. The reason is that traditional DLP (Data Loss Prevention) solutions fail to address such threats. A notable example is RSA, a leading DLP vendor, which suffered IP theft. Even DLP vendors cannot maintain a comprehensive DLP configuration capable of recognizing and stopping an APT.
An APT always produces some detectable outlier activities. This is confirmed by the fact that most APTs have been successfully discovered after the fact. Thus APT steps might be spotted via anomaly detection. Let's consider the IP theft from RSA mentioned above. According to the disclosed attack anatomy, the intrusion might have been recognized through the following anomalies:
- An unusual amount of data sent via an FTP channel,
- An unseen application (the attackers' backdoor) transferring an archive file to an external location,
- An FTP destination to which users had never sent any data.
Not all anomalies indicate an attack, but most APTs cause anomalies.
This anomaly detection approach is leveraged by Active Profiler, which is an integral part of PowerBroker DLP. The Active Profiler monitors the behavior of end users and applications, creating baselines of normal activity for each of them. It automatically identifies and alerts on irregular patterns indicative of data leaks.
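As an added illustration of the per-user baselining described above (example code written for this page, not Active Profiler's or PowerBroker DLP's own implementation), the script below builds a profile from constructed FTP transfer records and flags the three RSA-style anomalies: unusual volume, an unseen application shipping an archive, and a never-seen destination. The record layout, user names, hosts and sizes are all assumed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev
ARCHIVE_EXT = (".rar", ".zip", ".7z", ".tar", ".gz")

# Constructed history: (user, application, destination, bytes, filename)
BASELINE = [
    ("alice", "filezilla.exe", "ftp.partner.example", 120_000, "report_q1.pdf"),
    ("alice", "filezilla.exe", "ftp.partner.example", 150_000, "report_q2.pdf"),
    ("alice", "filezilla.exe", "ftp.partner.example", 130_000, "report_q3.pdf"),
    ("bob",   "winscp.exe",    "ftp.vendor.example",  900_000, "build.tar"),
]
# Constructed new transfers to evaluate against the baseline
NEW_EVENTS = [
    ("alice", "filezilla.exe", "ftp.partner.example", 135_000, "report_q4.pdf"),
    ("alice", "svchost_.exe",  "203.0.113.45", 42_000_000, "all.rar"),
]

def build_baselines(records):
    """Per-user profile: applications seen, destinations seen, transfer sizes."""
    base = defaultdict(lambda: {"apps": set(), "dests": set(), "bytes": []})
    for user, app, dest, nbytes, _fname in records:
        base[user]["apps"].add(app)
        base[user]["dests"].add(dest)
        base[user]["bytes"].append(nbytes)
    return base

def detect(event, base, sigma=3.0):
    """Label the anomalies one transfer shows relative to its user's profile."""
    user, app, dest, nbytes, fname = event
    b = base.get(user)
    if b is None:
        return ["unknown_user"]
    findings = []
    mu, sd = mean(b["bytes"]), pstdev(b["bytes"])
    # 1. Unusual amount of data: far above this user's normal transfer size
    #    (floor on the spread so a flat history still yields a usable threshold)
    if nbytes > mu + sigma * max(sd, 0.1 * mu):
        findings.append("unusual_volume")
    # 2. Application never seen for this user, sending an archive out
    if app not in b["apps"] and fname.lower().endswith(ARCHIVE_EXT):
        findings.append("unseen_app_archive")
    # 3. Destination this user has never sent data to
    if dest not in b["dests"]:
        findings.append("new_destination")
    return findings

def run(baseline=BASELINE, events=NEW_EVENTS):
    """Map each new transfer's filename to its list of anomaly labels."""
    base = build_baselines(baseline)
    return {e[4]: detect(e, base) for e in events}
```

Only the second event trips all three checks; the routine quarterly report stays silent, which is the point of baselining per user rather than applying one global threshold.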
