Persistent
Within the information security community, and mainly among experts in hacking techniques, there is a belief that no matter how many protective measures you implement, targets will always be potentially vulnerable if there is enough time and motivation. Unfortunately, this has proven to be true in most cases.

In fact, when we say that these attacks are persistent, we mean that they focus on a given target, using different techniques until they reach their goal.

Usually, when computer attacks are addressed from a business standpoint, it is very common to say that it has to do with a large-scale business; in other words, that the ultimate goal is to launch a massive threat that will only hit a restricted number of victims, though this is more than enough to obtain a return on investment and a profit.
Threat
The use of different techniques and the coordination of multiple resources to achieve a goal tell us about a very strong motivation: APT attacks share one feature in common; all individuals involved in the attack are determined to accomplish their objective.

A threat is the possibility of materializing a risk; if we think about a group of organized people, with resources at hand, the necessary skills to use those resources and the determination to insist on the attack, it is clear that the hacking maxim mentioned before gains a renewed meaning!
What Is Hidden In The Name: If All The Aforesaid Had Not Worried You …
It’s important to bear in mind that this kind of attack is also based on unknown techniques, i.e. vulnerabilities or exploits that have not been widely disseminated or announced, since the perpetrators of these attacks have the necessary time and skills to develop them.

This is a key reason why these kinds of attacks are different from the rest. While traditional attacks pursue simple targets (based on a cost-effectiveness ratio between the effort needed to compromise them and the financial gain), APT attackers are willing to do everything to accomplish their goal, even if it implies the development of some new kind of threat.

The use of unknown threats and new kinds of attacks adds value for APTs, something attackers are really looking for; this makes their early detection more difficult! As we said, these attacks are characterized by their stealthiness; the purpose here is to keep the threat inactive or acting undetectably, stealing information. For example, by extending the time they remain effective; the longer these techniques (used to permeate information and make use of the threat) remain anonymous, the better for attackers.

starterkit 02/2011(2)
SOCIAL FRAUD
Digital Identity And Brand… Weren’t They “Intangible”?
If there is something Advanced Persistent Threats have made possible, it is that they have turned some kinds of assets usually referred to as intangibles into something concrete. Of course, the Marketing and Finance areas have always known quite well the (monetary) value of a brand (both for a company and for a specific product line). Nonetheless, many IT departments have not used the same business parameters to value and protect these assets.

However, from the attack that breached the security of a renowned consumer goods brand and modified the contents of a recipe in which those products were used, up to more complex issues where very expensive intellectual property infringements took place, the threats referred to in this whitepaper show the high degree of exposure of a company’s most significant assets (in fact, many authors agree that the brand is the most valuable asset).

Managers of technology and security areas should pay close attention to this issue. If their objective is to add value to the business and become strategic business areas for the organization, then having the company invest lots of money in advertising and social action campaigns to raise the value of a brand, only to have this value affected by computer attacks, would not only jeopardize the organization’s confidence in these areas; it might also be seen as a weakness.
Conclusion
Next we shall review some key items for evaluating our protection against APT attacks; once again, do not consider this a thorough list, since we may find many other information sources with different and highly useful recommendations. I do, however, strongly recommend considering all these aspects and analyzing how each one applies to the organization.
Risk Analysis: Imminent Realization!
In general, the best way to understand what proactive measures are required to reduce the degree of exposure, and therefore the risks threatening organizations, is to perform a risk analysis.

However, please note that I am referring to quantitative risk analyses, made in an alert and thorough manner, including all of the organization’s information assets, i.e. the kind of interdisciplinary
Page 32 http://pentestmag.com