Bryan Owen

25Jan2010 - “Advanced Persistent Threat” hits the tabloids

Blog Post created by Bryan Owen on Jan 25, 2010

Blogs, newsrooms, and even congress are sizzling over the Google breach and Operation Aurora. Remarkably, Microsoft's out of band IE patch has already been pushed but I doubt this will be the end of the story.


In a nutshell, Advanced Persistent Threat (APT) is real. Like the process industries, APT operates 24x7. Highly skilled teams develop and execute targeted attacks; "persistent" is a characteristic of the mission, not just of presence on the target. Cited examples are most often military and defense-contractor targets. Of course, industrial espionage and theft of private information are also very real concerns (but before now there wasn't much evidence of APT in these arenas).


Kris Harms of Mandiant delivered a timely keynote address on APT at last week's S4 conference (full disclosure: OSIsoft is a Digital Bond S4 sponsor; the DoE "Portaledge" project by Digital Bond uses PI as a security event monitor for SCADA systems). Kris's message about APT focused on incident response and forensic details. This was a big hit with the many CERT organizations in attendance. It was also interesting that Google's response team used Mandiant.


Unfortunately, there have been far more APT incidents than I was aware of. Kris provided many examples showing why you don't want to challenge APT on technical competency. If you had any lingering hope for security by obscurity, forget it! Perhaps even more interesting is how APT often uses crypto technology to keep security-savvy operators in the dark. In fact, most targets are unaware of successful breaches involving APT until reported by a third party (e.g. perhaps a disgruntled low bidder for black-market intellectual property).


I don't plan to re-ignite the "to encrypt or not to encrypt" dilemma here, but simply offer that for many industrial use cases data confidentiality is not the most important security objective. This may be CIP 101, but it is still relevant to APT: communication across the electronic security perimeter must be tightly monitored and controlled.


A relevant use of crypto in defense against APT is digitally signing all executables. Mandiant highly recommends this approach, as signed executables dramatically reduce the surface area for persistence. Kris cited examples where APT actors exploited a lone exception, an unsigned Windows SENS service. (The approach was advanced... SENS functions were optimized to create space for the APT code.)


Many of you are probably aware of Microsoft's Windows Logo Certification program and that the PI Server is certified. In light of APT, signing all executables is indeed a well-founded requirement. Operationally for administrators, signing also eases configuration of Windows Software Restriction Policies (now called AppLocker).


The rigors of certification help prevent digital signature errata but may not be for everyone. Regardless, signing is a good security practice and should be included in your security development lifecycle. Please be sure your ISV applications deliver only signed executables and verify any bundled software in your supply chain is also signed.
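The two administrative points above (signing eases AppLocker configuration, and bundled supply-chain software should be checked for signatures) can be turned into a routine audit. The following PowerShell is an added example written for this post; it is not OSIsoft, Mandiant or Microsoft code. It assumes a Windows host with `Get-AuthenticodeSignature` (built into Windows PowerShell) and the AppLocker module (`Get-AppLockerFileInformation`, `New-AppLockerPolicy`, available on supported Windows editions); the install path is a placeholder, and the function names are mine.

```powershell
# Added example, not from the original post. Audits a software install tree for
# executables that are unsigned or whose Authenticode signature does not
# validate, then shows how signing status decides which AppLocker rule type a
# file can get. $Root is an assumed placeholder path.

function Get-UnsignedBinaries {
    param(
        [Parameter(Mandatory)]
        [string]$Root,
        # File types that AppLocker / Software Restriction Policies typically govern.
        [string[]]$Include = @('*.exe', '*.dll', '*.sys', '*.ocx', '*.msi', '*.ps1')
    )

    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                # SignatureStatus: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                # HashMismatch on a vendor binary is worth an incident ticket, not a shrug.
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # Many Windows components are catalog-signed (SignatureType Catalog)
                # rather than carrying an embedded Authenticode signature.
                Type   = $sig.SignatureType
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

function New-SignedVendorPolicy {
    param(
        [Parameter(Mandatory)]
        [string]$Root,
        [string]$OutFile = 'vendor-policy.xml'
    )

    # With -RuleType Publisher, Hash, AppLocker emits a Publisher rule for every
    # signed file and falls back to a Hash rule only for unsigned ones. Publisher
    # rules survive vendor updates; Hash rules break on every new build, which is
    # the operational cost of shipping unsigned executables.
    Get-AppLockerFileInformation -Directory $Root -Recurse -FileType Exe, Dll |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml |
        Set-Content -Path $OutFile -Encoding UTF8
}

# Usage (placeholder path): list what an AppLocker publisher rule cannot cover,
# then draft a policy from the same tree for review before enforcement.
$vendorRoot = 'C:\Program Files\ExampleVendor'   # assumed placeholder
Get-UnsignedBinaries -Root $vendorRoot |
    Sort-Object Status, Path |
    Format-Table -AutoSize

New-SignedVendorPolicy -Root $vendorRoot -OutFile 'example-vendor-policy.xml'
```

Run the audit against a staging copy of each vendor package before it reaches a production host; any file listed with `NotSigned` should go back to the ISV as a supply-chain finding, and any `HashMismatch` or `NotTrusted` result means the binary has been altered or the signing chain cannot be validated and should be treated as an incident until proven otherwise. The generated policy XML is a draft for review; import it in audit-only mode first so an unsigned file you missed shows up in the AppLocker event log rather than as an outage.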


While signing is a simple step in the right direction for a software developer, it's likely that few in our industry are ready for APT. Headlines from Operation Aurora may trigger increased attention on critical infrastructure protection. In closing, Kris offered the following strategic advice:

1. Raise the cost of compromise: be patched, make APT use a zero-day vulnerability
2. Evolve incident response capability: target 1 hour
3. Inject intelligence into custom applications
4. Embrace out-of-the-box thinking: turn remediation into opportunity