RSA recommendations about APT attacks
Date : March 01, 2012
1) Introduction
Attacks by infiltration, often referred to by the acronym APT (Advanced Persistent Threat), now constitute a major threat to companies. As discussed in our annual review of flaws and attacks, in 2011 we observed a soaring number of such attacks (e.g. the attacks against RSA, Areva and the French Ministry of Economy and Finance); the question for companies is no longer whether they will experience this type of attack, but when it will occur, and how the company will detect it and respond afterwards.
RSA itself was a victim of such an attack: in March 2011, attackers managed to compromise the company's internal network and steal critical data related to the SecurID tokens it sells. On the other hand, the company also published four reports on APT attacks last year, in which it analyses how to counter this threat. We present these four reports below.
2) RSA Security Briefing, February 2011: Mobilizing Intelligent Security Operations for Advanced Persistent Threats
This 13-page report (available here) was published before RSA suffered its own APT attack. It was co-written by RSA and VMware and focuses mainly on the tools (typically virtual environments and "cloud" oriented solutions) that can help detect and limit the impact of an APT attack. The main ideas of the report are as follows:
- The company's security must be driven by risk analysis and should protect the company's most important assets first.
- The SOC (Security Operations Center) is the key component responsible for monitoring security. It must have a global view of the company's IT systems. It must analyse the security risks, monitor the key infrastructure components (identified by the risk analysis) and define the reactive measures that will be applied when an attack is detected.
- Virtualization of IT systems makes the technical environment easier to monitor and offers specific defensive features (including the "sandbox" mechanism, which limits the impact of an infection, and easy reconfiguration of IT systems to adapt the environment in case of attack).
Overall, the report is mainly oriented towards demonstrating that a virtualized environment, supervised by a SOC team, is the most promising architecture to counter the APT threat. The fact that the report was co-written with VMware probably explains the emphasis placed on virtualization. Because of its strong technical orientation, this report seems to us less interesting than the other reports described below.
3) RSA APT Summit, July 2011: Advanced Threats - The New World Order - RSA APT Summit Findings
In July 2011, RSA and TechAmerica organized a one-day meeting in Washington entitled "The APT Summit". This private meeting was dedicated to sharing knowledge between participants on the subject of APT and on how to counter this threat. A preliminary three-page report (available here) was made public in early September. A more detailed document (available here) was released in October 2011.
The preliminary document gives a clear summary of the summit findings:
- Attack vectors are shifting from technology to people (through social engineering attacks).
- Organizations must assume that some attacks will actually succeed and compromise internal IT systems.
- Being aware of the attacks seen by other companies gives a better understanding of the threats.
- Supply chain poisoning is on the rise.
- Incident response is not just a security function, and response plans should be prepared in advance.
- Signature-based defences (e.g. antivirus) are ineffective at stopping APT attacks.
- Establishing better information sharing among companies is a top priority.
- Organizations must get creative to detect attacks earlier and to disrupt attackers more often.
- APT headlines are the tip of the iceberg.
- Existing infrastructures are often too complex and should be simplified to be more secure.
4) RSA SBIC report - August 2011: When Advanced Persistent Threats Go Mainstream
This 20-page report was written by the RSA SBIC (Security for Business Innovation Council), a study group led by RSA that brings together top security leaders from large companies.
This report (available in English and in French) first gives a very good introduction to the APT phenomenon. The rest of the document proposes seven recommendations to fight this threat.
- Recommendation 1. Up-level intelligence gathering and analysis.
To fight APT, the report recommends that the company develop a specific security expertise, dubbed "cyber risk intelligence". This intelligence is oriented towards gaining deep knowledge in two distinct areas: first, the company's own IT systems (what are the critical systems? what defences are in place?); second, the threat to be fought. This topic is further described in the fourth RSA report, which we present in the next chapter.
- Recommendation 2. Activate smart monitoring.
This second recommendation emphasizes the need to monitor the security of the company's IT systems via a dedicated structure such as a SOC (Security Operations Center). This idea was already described in the first RSA report presented above.
- Recommendation 3. Reclaim access control (limit the privileges granted to each user and prevent users with elevated privileges from using those privileges on multiple systems across the company).
- Recommendation 4. Get serious about effective user training. It may be noted that the recommendations on this topic are quite coercive and probably not appropriate for European cultures.
- Recommendation 5. Deal with the expectations of executive leadership (convince them that APT is different in nature from the security issues already dealt with, and far more difficult to counter).
- Recommendation 6. Rearchitect IT (ban flat network architecture and isolate critical systems).
- Recommendation 7. Participate in information exchange (with other companies or governmental authorities).
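As an added illustration of what recommendations 2 and 3 can look like in practice, the check below is a minimal SOC-style detection that flags a privileged account logging on successfully to an unusual number of distinct hosts within a short window, which is exactly the "elevated privileges used on multiple systems" pattern recommendation 3 wants to prevent. This is example code written for this article, not code from RSA or the SBIC report; the log format, the account names, the list of privileged accounts and the thresholds are all assumptions.

```python
"""Flag privileged accounts whose credentials are used across many hosts.

Added example, not from the RSA reports. The log line format
(`<iso-timestamp> host=<h> user=<u> outcome=<success|failure>`), the
account names and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon events. One privileged account (adm-backup)
# authenticates to four different hosts within a few minutes; the others
# behave normally.
SAMPLE_LOG = """\
2012-03-01T08:02:11 host=ws-042 user=jdoe outcome=success
2012-03-01T08:05:40 host=ws-042 user=adm-backup outcome=success
2012-03-01T08:06:02 host=srv-db01 user=adm-backup outcome=success
2012-03-01T08:06:30 host=srv-fs02 user=adm-backup outcome=success
2012-03-01T08:07:15 host=srv-hr03 user=adm-backup outcome=success
2012-03-01T08:09:00 host=srv-ad01 user=adm-backup outcome=failure
2012-03-01T09:15:00 host=ws-017 user=msmith outcome=success
2012-03-01T09:20:00 host=srv-db01 user=dba-ops outcome=success
"""

# Accounts known to hold elevated privileges (assumed; a real SOC would
# take this from the directory or a privileged-account inventory).
PRIVILEGED = {"adm-backup", "dba-ops"}


def parse_line(line):
    """Split one log line into (timestamp, host, user, outcome)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return (datetime.fromisoformat(ts), fields["host"],
            fields["user"], fields["outcome"])


def find_privilege_spread(log_text, privileged, max_hosts=2,
                          window=timedelta(hours=1)):
    """Return {account: sorted list of hosts} for every privileged account
    that logged on successfully to more than `max_hosts` distinct hosts
    inside any `window`-long period. Failed logons are ignored here: they
    never granted access, and are better handled by a separate rule."""
    events = defaultdict(list)  # account -> [(timestamp, host), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, outcome = parse_line(line)
        if user in privileged and outcome == "success":
            events[user].append((ts, host))

    findings = {}
    for user, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; the first window that
        # holds too many distinct hosts is enough to raise the finding.
        for t0, _ in evs:
            hosts = {h for t, h in evs if t0 <= t <= t0 + window}
            if len(hosts) > max_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for account, hosts in find_privilege_spread(SAMPLE_LOG, PRIVILEGED).items():
        print(f"ALERT privileged account {account} used on {len(hosts)} hosts: "
              f"{', '.join(hosts)}")
```

The threshold and window are the tuning knobs: a backup or deployment account may legitimately touch many hosts, so in practice each privileged account gets its own baseline, and the alert is most useful when it is joined with the asset inventory from the risk analysis (recommendation 1) so that a spread onto a critical system ranks higher than a spread across workstations.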
Apart from the need for support from top management (see recommendation 5), the other recommendations fall into three categories:
- conventional security hardening measures such as defence in depth and user awareness (see recommendations 3, 4 and 6),
- the establishment of a permanent security supervision capability via a SOC-like structure (recommendation 2),
- the development of a specific capability (called "cyber risk intelligence") and information sharing with the community (recommendations 1 and 7).
This last point is further developed in the next RSA report that we present below.
5) RSA SBIC report, January 2012: Getting Ahead of Advanced Threats
This report first states that "most organizations do not know enough about the threats or their own security posture to defend themselves adequately against the rising tide of cyber attacks".
To overcome this weakness, RSA recommends developing a "cyber risk intelligence" capability and proposes a six-step roadmap to acquire it. Our understanding is that this "cyber risk intelligence" is implemented through a dedicated security team responsible for identifying new threats, analysing how the company is exposed to them, and defining the measures to put in place to counter them. From our point of view, this "continuous watch on new risks" activity already exists in most companies. But we assume that the differences RSA draws on this topic lie in the following aspects (these are assumptions and were not explicitly mentioned in the RSA document):
- Greater resources must be given to these teams. In the case of APT attacks, attackers have substantial resources (several months of work are probably spent on each attack). Defenders must have resources proportional to those of the attackers.
- The case of APT attacks must be explicitly addressed by these teams. But rather than a "task force" action to tackle the APT issue, a permanent structure should be set up to continuously adapt defences to new attacks.
- The company must look beyond its perimeter and share with the community on the topic of security incidents. Information sharing allows participants to accumulate experience rather than each having to build its own expertise alone.
6) Conclusions
APT is a threat that cannot be ignored. These attacks are smart: they are not viruses spreading automatically and blindly across the network, but cyber-tools remotely controlled by human beings. Such human beings can easily adapt to the defences and exploit every weakness they find.
The answer to the APT threat is not trivial. There are few in-depth publications on this subject, and the RSA reports presented in this article are:
- an excellent view on the issue and its causes (see especially the results of the "APT summit" in chapter 3),
- a valuable basis to review when studying the possible solutions.