How APTs are like Insider Threats – or not!

by Norman Johnson

There is so much hype lately about Advanced Persistent Threats or APTs that many experienced professionals refuse to use the label of APT to describe any cyber threat, in order not to get caught up in the marketing hype that preys on our worst fears. Many question if the characterization is even useful as a threat description. In the last blog on the Shamoon Wiper attack, we concluded that “we are back to the pre-Stuxnet assessment that critical infrastructures...are deeply vulnerable to skilled amateurs. And we do not have to invoke the sophistication of the super-malware like Stuxnet to motivate the urgency of addressing the asymmetric cyber threat.”  In this and the next blog, we’ll dig deeper into advanced threats and how they resemble–or not–current or emerging threats.  Let’s first set the stage by summarizing what we know about advanced threats.

The common characteristics, and possibly clichés, of APTs are listed below, with the first items being more widely accepted and the later ones more controversial:

  1. APTs go anywhere and are impossible to stop. Operation Shady Rat is the best example, where the McAfee analyst stated: “In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
  2. APTs target specific organizations or classes of organizations (Mandiant 2010 APT report), rather than knocking on doors randomly until they get in. They often target specific resources within these organizations (Report on targeted attacks - comparing Aurora and Stuxnet).
  3. APTs are “advanced”: they use one or more zero-day exploits, are semi-autonomous (including avoiding or disabling defenses), have advanced command-and-control functions, use peer-to-peer (P2P) networks for advanced operations (including coordinated actions and sharing updates to minimize outside network communications), and/or have unique capabilities to circumvent high-security barriers: they “leap air-gaps in a single bound” (Stuxnet features).
  4. APTs are “persistent”: they are in it for the long haul, with no drive-by attacks (Mandiant 2010 APT report). The Operation Shady Rat report documented one intrusion that lasted 28 months.
  5. APTs are perpetrated by nation states and organized crime syndicates (Mandiant 2010 APT report). Because attribution is difficult, at least publicly, the source of an attack is inferred, often based on the next item.
  6. APTs require large resources and long durations to develop, test, and deploy (Stuxnet required years and tens of millions of dollars).
  7. APTs are not an asymmetric threat. Most cyber threats are labeled as asymmetric to describe how a few individuals with minimal resources and skill can cause significant damage without attribution. For a counter-view, check out Dave Aitel’s must-see talk, which argues that advanced threats are symmetric, can cause kinetic damage, and are attributable, contrary to the street wisdom.
  8. APTs require significant remote/outside support. The activity of the APT malware within an organization is just the tip of the iceberg of total effort required: significant resources support the function and persistence of the malware (Stuxnet required reach-back operational support for years).

The main problem with the label of APT is that there is no community consensus as to which of the above characteristics should be included in the definition of an APT. Indeed, exceptions can be found for each of the above characteristics in recent “advanced” threats; for example, Shady Rat used unsophisticated spear-phishing to inject common malware into internal networks (see Kaspersky's “Shoddy” Rat blog and Symantec’s analysis). Maybe we are guilty of labeling any highly successful threat as “advanced,” independent of the actual capabilities of the threat. In the case of Shady Rat, weak defenses made the success possible, not the capability of the threat!

The time spent arguing about what is or is not an advanced threat suggests that we should be thinking about threats differently. A discussion of threats in isolation from the state of the organization being attacked misses an opportunity. We need a more defense-focused view of threats, possibly focusing on the common threat capabilities and how these exploit defensive vulnerabilities. Maybe the threats actually are more similar than different, and if so, then this viewpoint will improve our preparedness and response.

For example, the previously hyped mega-threat was insider threats, with the often-cited urban myth that 80% of all attacks come from internal threats. How do insider threats compare to advanced external threats? Most studies conclude that the greatest risk to companies is still insider threats, although the frequency (but not the impact) of the threat is shifting to outside threats. For example, a recent report by Symantec, The Global Cost of Data Breach Study (March 2012), concluded that “insiders—employees, contractors and other people who have legitimately been given access to corporate information—were actually the leading cause of data breaches, accounting for more than 36 percent of incidents globally. Malicious (outside) attacks were responsible for 34 percent of data breaches globally, trailed by system glitches at 29 percent.” While the frequency of outside attacks is slightly larger than that of insider attacks, the cost per incident is as much as 50 times higher for inside attacks. A thoughtful study, Inside the Mind of the Insider by Shaw, summarized: “A 1998 survey conducted jointly by the Computer Security Institute and the FBI found that the average cost of successful computer attacks by outside hackers was $56,000. By contrast, the average cost of malicious acts by insiders was an astounding $2.7 million.” When the expected risk of insider threats is evaluated (equal to the frequency of an incident times the impact of the incident), the risk from insider threats easily dominates that from outsider threats.

What makes insider cyber threats so effective?  Simply, we have met the enemy and he is us: The insider has legitimate electronic access, has physical access that can circumvent perimeter defenses, knows our vulnerabilities, and knows the value of our assets.  

So how do the characteristics attributed to APTs above apply to insider threats? Here is a blow-by-blow comparison:

  1. Go anywhere and are impossible to stop. Because of their inside knowledge and access, insider threats are relatively unencumbered, even exploiting personal relationships with unknowing colleagues to get access and resources. And because they are often security professionals, they often have capabilities comparable to those of skilled outside threats.
  2. Target specific resources. Insider threats are often disgruntled employees who choose specific targets that are the most valuable, make a specific statement, or cause the most damage. The insider Shamoon attack that wiped 30,000 hard disks achieved all three.
  3. Are advanced. This is the most interesting item in the list. Where a successful outside threat needs to be “advanced” to get past barriers in defenses, the insider replaces advanced skills with insider access and knowledge. Some of the most famous insider cyber attacks weren’t sophisticated, only persistent with the necessary access.
  4. Are “persistent.” Not all advanced threats are persistent; it depends on their objectives. The same holds for insider threats. But if either threat chooses to be persistent, it can do so without difficulty, again with the insider using inside knowledge and access instead of advanced skills. Interestingly, persistent threats, whether inside or out, are risk averse, because being caught will end their activity. This is very different from hit-and-run threats that are indifferent to being caught, or even want to be discovered once the damage is done.
  5. Are perpetrated by nation states and organized crime syndicates. Just as for advanced threats, insider threats have many possible motivations, possibly coordinating with an outside threat for payment or to increase effectiveness. Advanced threats require high-end offensive resources that are available from nation states (next item), whereas insiders don’t need advanced exploits but will coordinate with larger players to access monetary or dissemination resources.
  6. Require large resources and long durations. Similar to the last point, insiders require less time, skill and resources because they have unique knowledge and access.  Therefore, this item appears less true historically for insider threats than any other characteristic.
  7. Are not an asymmetric threat. Similar to the last two points, insiders don’t require much in time, skill, or resources to accomplish their objectives, only personal risk. Significantly, most defenders say in retrospect that an insider threat was identifiable before the attack, but indicators of trouble were ignored: a trusted agent remains trusted. From this viewpoint, while the potential impact of the insider threat is extreme, the effort by the insider and the effort by the defender to prevent the insider may well be symmetric, if the insider threat is realistically addressed. This says that while the effort for the advanced threat is much greater for both the defender and the adversary, the symmetry of adversary and defender is comparable for both types of threats.
  8. Require significant remote support. Similar to #6 above, insiders as a rule do not require outside support. That said, insiders could benefit from coordination with outside resources to increase their impact and penetration.

Summarizing, insider threats can have the impact of external advanced threats, but do not require advanced resources or support, because insiders have inside knowledge and access from the start. If the insider is persistent, their effectiveness may be limited by their skills, whereas an advanced threat currently seems unstoppable, but at the expense of requiring significant support resources. In both cases, the sustained activity of a persistent threat leaves the threat vulnerable to detection, although the insider has the advantage of physical access that can limit the observable signatures.

Overall, the big aha of the above is that there are remarkable similarities between the two major threats facing organizations currently: their targeted nature, their high impact, their deep penetration, and the opportunity to be persistent. And if they are persistent, they will hide their activity from existing security measures and detection. This aha suggests that a unified defense approach could be used to address both threats, such as a capability that detects anomalous activity that doesn’t violate any security measures. We will develop this idea more in a future blog.
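As an added illustration of the unified-defense idea above (example code written for this edit, not from the post or any product): a small per-user baseline built from constructed access logs in which every access is authorized, which then flags resources, hours, and daily volumes that fall outside that user's own history. The user names, resource names, and thresholds are assumptions.

```python
"""Added example (not from the post): flag anomalous but fully authorized access.
Every event is permitted by policy; each user is scored against their own baseline."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logs: timestamp,user,resource (every access was allowed)
BASELINE_LOG = """2012-09-03T09:12:00,alice,hr-share
2012-09-03T14:05:00,alice,payroll-db
2012-09-04T09:30:00,alice,hr-share
2012-09-04T11:15:00,alice,payroll-db
2012-09-05T08:55:00,alice,hr-share
2012-09-05T13:20:00,alice,payroll-db"""
NEW_LOG = """2012-09-06T02:14:00,alice,hr-share
2012-09-06T02:16:00,alice,eng-designs
2012-09-06T02:19:00,alice,eng-designs
2012-09-06T02:21:00,alice,eng-designs
2012-09-06T02:25:00,alice,payroll-db
2012-09-06T09:40:00,alice,hr-share"""

def parse(log):  # -> [(datetime, user, resource)]
    rows = [line.split(",") for line in log.splitlines()]
    return [(datetime.fromisoformat(ts), user, res) for ts, user, res in rows]

def build_baseline(events):
    """Per user: resources normally touched, hours normally active, daily volume stats."""
    res, hours, daily = defaultdict(set), defaultdict(set), defaultdict(Counter)
    for ts, user, r in events:
        res[user].add(r); hours[user].add(ts.hour); daily[user][ts.date()] += 1
    return {u: {"resources": res[u], "hours": hours[u],
                "mean": mean(list(daily[u].values())),
                "std": pstdev(list(daily[u].values()))} for u in res}

def score(events, base, k=2.0):
    """Return (user, reason) alerts for activity outside the user's own baseline."""
    alerts, volume = [], defaultdict(Counter)
    for ts, user, r in events:
        b = base.get(user)
        if b is None:
            alerts.append((user, "no baseline for user")); continue
        volume[user][ts.date()] += 1
        if r not in b["resources"]:
            alerts.append((user, f"new resource {r}"))
        if ts.hour not in b["hours"]:
            alerts.append((user, f"off-hours access at {ts.hour:02d}:00"))
    for user, days in volume.items():  # daily volume vs mean + k*std (+1 for tiny baselines)
        for day, n in days.items():
            if n > base[user]["mean"] + k * base[user]["std"] + 1:
                alerts.append((user, f"volume {n} on {day} exceeds baseline"))
    return alerts
```

None of the flagged events would trip an access-control check; the signal is the drift from the user's own pattern, which is what a persistent insider or implant has to hide.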

To lead into our next blog on mobile threats, what capabilities or resources do external advanced threats not have? Because external threats do not have a physical presence, many intelligence, access, or attack options are not available to them. For example, physical access enables insiders to circumvent perimeter or point defenses, exploit conversations with other employees for information or social engineering, observe when facilities are unwatched, or simply map the physical layout of the facility and its resources. These are significant restrictions and are the reason that advanced threats require unique assets, which in turn require time to develop, test, and operate the cyber threat.