APTs from FUD to Fact Part 2: Why Should I Care?

Alan commented on the initial APT post: I hope you don't spew marketing hyperbole else this will turn dull rapidly. Don’t worry. We are going to stick to the facts. In this piece, I want to separate from the buzz around these attacks and talk about why you should care.

We’ve heard from a lot of executives, “What should we do about APTs?” There is a high level of concern from large organizations with serious IP (like source code) that they know others will try to get. But there’s also a large group that thinks, “I’m a $10M manufacturing company, in Ohio. I don’t think Chinese or North Korean hackers are going to be knocking on my door anytime soon.”

And, they are right. For many companies, APTs by definition aren’t a primary concern. We’ll talk about definitions of APTs a little more later on, but the base starting point we all need to know is very simply that APTs are a type of targeted attack. This is where we start to get into the why you should care part. Because, while APTs may not be a concern for many companies, targeted attacks are on everyone’s radar. Here’s a simple fact. APT techniques used in state-sponsored attacks seeking IP are also used by organized criminal gangs looking to score your cash. No, not everything is a classic APT, but the same technology used by China to hack Google is used by cybercriminals to steal your customer data.

It’s a bit like a bullet proof vest. Foreign governments and state-sponsored agents spend huge resources coming up with ammunition that will pierce that vest. Once the ammo becomes known you start to see it adopted and utilized outside of those that developed the ammunition,

The same thing happens with attack methodologies. Let’s look at a classic APT and how quickly the techniques got into the hands of others.

The Aurora attacks of 2009 were among the first widely publicized APTs. Companies like Google, Adobe and Rackspace were targeted by a state-sponsored APT in November and December of that year. On January 12, Google publicly announced they were attacked. Only two days later, the zero-day exploit was revealed publicly. Nine days passed until Microsoft patched the primary vulnerability. At that time, the exploit was only detected by 26 percent of AV vendors. And, within a single month, Websense® ThreatSeeker® Network found more than 200 new websites using the exploit to deliver other malware.

Those sites weren’t all put up by the country that attacked Google. That exploit was put up by organized criminal gangs who knew they had a new round of ammunition to go after their primary targets –companies with customer information or credit card numbers they could quickly turn into cash.

So how’s this for some straight talk, and leaving the marketing at the door. APTs aren’t relevant to everyone. But targeted attacks are.

In the next post, we’ll look at defining an APT. There’s too much fluff out there describing what they are. What’s the simplest way you’ve heard of someone defining an APT to you?