How advanced persistent threats bypass your network security

Quick-hit hackers may grab the money/data and run, but APT rogues hunker down and steadily mine your sensitive data

1 2 Page 2
Page 2 of 2

Even the treasure taken by APTs is different. The traditional attacker seeks immediate financial gain. They will try to steal identities, transfer money to foreign bank accounts, and more. APT attackers, on the other hand, almost always take only information and leave money untouched. Their targets are corporate and product secrets, whether it be F-18 guidance system information, contract pricing, or the specs on the latest green refrigerator.

APT often steals large amounts of information each week, collecting it at a centralized computer within the compromised network, before sending it all home in a single archive file (often a tar ball). Many networks run APT bots that collect every new folder, file, and email, then send it home. The victims have an online backup system that rivals what they could otherwise pay for with a legitimate company.

APT is usually hosted in countries that provide political and legal safety. I've never seen evidence of a country that directly hosted black-hat hackers, but there appears to be a well-known list of countries that tolerates such operations within their boundaries and are uncooperative in assisting victims with justice. China and Russia are often mentioned, but there are dozens more. Former White House security adviser Richard Clark calls them "cyber sanctuaries" and urges our cyber allies to ask for accountability.

Worse yet, APTs are usually so ingrained into an environment that even if you know where they are, they can be difficult or impossible to move. I have several clients who've decided it's easier to live with APT (or portions of it) than it is to tackle and try to eradicate it. They don't like the odds of successfully ridding themselves of the APT and are afraid the APT would dig further undercover if the extermination attempt goes awry. By allowing some of it to remain on their network, they know where it is, and they can more closely monitor it to learn what is being stolen. It sounds crazy, but living with APT is not an uncommon scenario.

APT has many characteristics that make it stand out from regular hacking attacks. Hopefully, your company won't have to learn firsthand why that's the case.

As an aside, I was the guest of the SecuraBit podcast two weeks ago. These guys discuss relevant computer security topics and throw in enough humor to make you forget that it's a computer security discussion. Check it out.

This story, "How advanced persistent threats bypass your network security," was originally published at Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at

Copyright © 2010 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
How to choose a SIEM solution: 11 key features and considerations