
February 21, 2011

Give me A, give me P, give me T

Following my earlier entry about HBGary, several people asked if I did not believe in the fashionable concept of Advanced Persistent Threats.

My view is a bit different. Any organization that focuses solely on the prevention of non-targeted attacks is making a grave mistake. This hasn't changed at all in the past two decades: attackers interested in a particular target, and willing to spend several weeks on such a pursuit, have always been a huge problem. In the vast majority of documented cases, they did not need to be unusually sophisticated to succeed, either; and in proportion to the size of the online economy, I don't think they are more numerous than, say, ten years ago.

Fending off these attackers in large and complex environments is very difficult, and requires in-depth in-house expertise, lots of ingenuity - and even then, it may occasionally fail. Alas, at the behest of vendors and infosec pundits, many organizations made exactly the wrong choice, and spent the bulk of their efforts on ISO 27002, PCI, SOX, and off-the-shelf AV and IDS tools - building a more measurable and familiar, but ultimately vulnerable, world.

It is increasingly evident that the value of these solutions in containing determined attackers is fairly small. The parties involved would rather say that they had done the right thing, and that the threat landscape changed in the meantime. But the claim that they are facing a brand new, incredibly sophisticated adversary is a very self-serving one.

So, I am simply saddened by the emphasis on the "advanced" part of the term, and by the Cold War rhetoric employed to push even more expensive and ultimately meaningless products and approaches. Whether you are a government agency or a Fortune 500 corporation, chances are, buying services such as 0-day vulnerability notifications or botnet monitoring is not an efficient use of your money.


  1. How to build "a world" which is hard to penetrate by determined attackers? Re-think. On which basis?

    I guess that maybe advanced should not refer to the skill level. But what is your name for organized crime and government effort shifting more and more into the cyber world?

    Yup, I agree it is used up just like any other marketing buzzword: cloud computing, APT, web 2.0, reasonable disclosure and so on.
    But what can be done about it?

  2. I am not arguing about the name. I just think that any such shift is largely irrelevant, because a more fundamental problem remains unsolved.

    Jumping from defending yourself against non-targeted threats (off-the-shelf AV, IDS) to trying to tackle extremely well-funded (and relatively rare) attackers still leaves out a giant, far more realistic middle ground. That middle ground hasn't changed much in recent years, and we probably should be focusing on this problem instead.

  3. People like HBGary are overconfident. One shouldn't pick a fight if he is not ready to take a punch. They live by their past achievements and forget that security is a constant process/method of staying secure rather than implementing a set of tools that you can buy.
    You either live by it or die by it.

    This might not be the place to discuss this, but please correct me if my view is wrong (I live in the lower middle ground of the attack surface). For example:
    1. Keep everything as simple as possible. Remove all unnecessary software/services. Everything whose maintenance outweighs its benefits should be removed. If you can't handle maintaining something, don't implement it.
    2. Do everything as well as reasonably possible, no compromises. Well hardened/jailed/sandboxed applications make for better security than a frivolously configured 20k UTM.
    3. Don't buy a way out of problems; learn it first.
    4. Follow basic principles without exception. Consider each as a layer of security.
    5. Good practices do not exist. They are just practices to be implemented.
    6. Protect the data. You can't avoid being breached. Be ready. Onion layers of security.
    7. Don't follow the fashion. Stay with reality. Don't chase your tail. Implement solutions that will help improve general security instead of buying specialized solutions against the latest, narrow, hyped threat.
    8. Educate users.
    9. Try being unpredictable. War is about deception. Deception influences attackers' efficiency. It's another layer of security.
    10. Do not generalize skills. Being good at perl -e '{print "A"x1000}' doesn't make one an expert at or 1==1, or at general security. Even though some of it is considerably more l33t, it is all equally necessary.

    Anything important I have missed? What else could make the life of a determined middle-ground attacker harder?

  4. "Whether you are a government agency or a Fortune 500 corporation, chances are, buying services such as 0-day vulnerability notifications or botnet monitoring is not an efficient use of your money" // I agree, but then what do you think is the best way to spend money to try to prevent APTs or targeted attacks? Thanks.

  5. I don't think there are easy solutions. Getting even close to "doing it right" probably involves developing in-house expertise that goes beyond compliance checklists and firewall / AV logs management; winning exec support; and finding the right balance between business goals and security requirements, which should then translate to development practices, testing regimes, and so on.

    In most cases, the more emphasis there is on compliance, turnkey security products, and delegating auditing tasks; and the less rigor is placed on in-house and contract system engineering; the more dysfunction tends to be present, and the more exposure to determined attackers there is.

  6. Michal, I 100% agree with you that the only defence against a determined attacker is an educated security and response team with a solid understanding of their environment.

    Compliance, while it has helped to raise the bar at some firms, has also created a "that's good enough" mentality in which attackers essentially rub their hands together in glee when they see SAS70 or PCI compliance. They know exactly where to focus their efforts, because the soft chewy parts have been pointed out to them by the fact that the company has expended its focus on compliance efforts.

    Question: do you know of any good studies or papers (especially ones with economic analysis) that have analysed the two approaches?

  7. Not really, and I would be surprised if there are any. Reliable, large-scale data about this is extremely hard to get :-(

  8. So it seems then that the only people who can really defend against attacks are security professionals that are very knowledgeable about the particular target that is to be defended. Yet the attacker does not need to be as well informed about that system.

    In fact it seems that the attacker does not need to be well funded, well informed or 'advanced'.

    But again - the only people who can truly defend a computerized system are those who have intimate knowledge of that particular system - and a good understanding of security procedures and pitfalls.

    I guess it is simply a digital version of the fact that it is hard to create good and beautiful things and easy to destroy them.

    But buildings and other structures usually stand up to the standards and 'codes' that they are built to.
    ( With a couple of notable exceptions. )
    We have fire drills, fire codes and fire stairwells in buildings. They seem to work as expected, and fail only when their tolerance is exceeded. Or if they are not actually built to that specification. Each company does not need its own firefighters or its own construction team on the payroll 24/7.

    But network firewalls don't work.
    Compliance standards don't work.
    So why can't standards and 'codes' be developed for ... code, networks, and behavior in a networked environment?

    It is far easier to a
    It is easy to automate attacks, but not easy to come up with an automated way to prevent them.