How advanced persistent threats bypass your network security

Quick-hit hackers may grab the money/data and run, but APT rogues hunker down and steadily mine your sensitive data

Hundreds of companies around the world have been thoroughly compromised by APTs (advanced persistent threats) -- sophisticated forms of cyber attacks through which hackers mine for sensitive corporate data over the long term. APTs aren't easily purged; rather, victimized companies often spend day after day trying to make a dent in them. Meanwhile, some security practitioners consider "APT" an overblown marketing term. It isn't.

One of the struggles faced by companies (and security consultants) is determining whether a breach is, indeed, an APT. They will call every found singular bot and Trojan an APT and dream up long-term, radical threats from invisible attackers. I've had to disagree more than once with other consultants on whether APT was part of a security threat. The evidence was not there. The first step in fighting ATP is understanding what separates it from a traditional, targeted human-hacker attack. The follow-up step, which I will discuss next week, is detecting and eliminating these kinds of attacks.

[ Also on New malware technique targets intrusion-prevention systems | Learn how to secure your systems with InfoWorld's Malware Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]

Most people will immediately point to the "persistent" part of the definition as the key differentiator. The normal targeted attackers break in, look around, and immediately target the most valuable found assets. They figure that the faster they get in and out with the treasure, the more money and the less risk they face.

By contrast, APT attackers are there to stay as long as they can. The attackers aren't trying to steal everything at once. Instead, they exploit dozens to hundreds of computers, logon accounts, and email users, searching for new data and ideas over an extended period of months and years. Their interests (and keyword searches) change from one day to the next, as if their "customers" have given them a shopping list.

APTs are professionally run attacks, managed just like legitimate corporations instead of in the manner you'd expect of a black-attired, greasy-haired hacker kids hopped up on Mountain Dew. Many APT companies work in skyscrapers; have CEOs, recruiters, and payrolls; and pay taxes. APT hackers work in eight-hour shifts and take off holidays (at least those of the originating country).

Individual APT hackers appear to boast different specialties, whether it's compromising particular types of servers and workstations, dumping passwords, placing back doors, collecting data, or loading remote-access Trojans. Their malware creations have evidence of development team breakouts with development forks, beta testing, and updates. Victims often tell me they know when a particular hacker is at work simply by the methods and tools used.

1 2 Page 1
Page 1 of 2
Microsoft's very bad year for security: A timeline