Thinking about APTs and the RSA Hack

The recent RSA hack has once again (after Google and Aurora made a big splash a little over a year ago) brought to the surface this notion of an “advanced persistent threat.” There is great emotion on all sides of the debate about what it is and whether it matters. As I listened to Uri Rivner of RSA describe the nature of the attack on Friday, for some reason I couldn’t stop thinking about The Cuckoo’s Egg, which was a fascinating account by Clifford Stoll of how he tracked down an industrial espionage ring. Back in the early-mid 80′s. Over 25 years ago.

Of course, the attackers didn’t use spear-phishing then, but the idea of the “APT”  as an adversary was alive and well (and I am sure there are others that could reasonably trace the adversarial aspect back before computers). Through the years, we’ve heard about (and seen evidence of) things like “blended threats” and the “low and slow attacks” that occur over time. TJ Maxx, Heartland, and many of the other most public attacks can be considered APT in a general sense (though presumably the threat actor doesn’t quite match up). And certainly Google/Aurora was the most prominently identified APT incident that matches up pretty consistently with the RSA attack.

Even the advocates of the APT idea agree that the individual elements of the APT are not particularly new. That begs the question of why do we need a new label to discuss things that are not so new? And the answer is obvious – because those folks that are advocating APT do not believe enough is being done to prevent these types attacks. That is, they think the risk is greater than the effort to mitigate them.

It is not uncommon in the security space for people to latch onto a term and make it mean everything, and therefore nothing. It isn’t necessarily malicious; sometimes it is a result of a weakly defined term or poor choice of words. Sometimes it is a way to shake out some economic doldrums in a time of flat spending even while the market remains competitive.

But the question remains: are we spending less than we should? There is ample evidence in the broader risk management community for two pieces of this puzzle that go hand-in-hand. First, humans are likely to pay less attention to the low frequency, high consequences events. And second, that fear of the unwanted outcome causes people to overestimate the likelihood of an event. So when people use the term “APT” in a manner that some would call FUD, it may actually offset the lower attention and work out in the end.

Ultimately, I think advocates of APT are going to have a hard time convincing others that the risk is higher than we think. Truthfully, it is not clear to me that they are even performing some sort of risk analysis because they themselves are caught up in the “dread” cycle that causes them to overestimate the risk. It would be great for proponents to put together some numbers that assist in measuring frequency and consequences for all those involved so we can better determine our infosec strategy.

Two other observations from the RSA hack that I thought were noteworthy: 1) RSA highlighted that their recommendations were “Security 101″ which I agree with, but that doesn’t fare well when also trying to promote the notion of the APT. We should at least be in Security 102 (second semester ;-) ) for APTs, right? Also, 2) I am concerned that we are going to lose sight of what it means to stop an attack “in progress.” AFAIK, RSA has not publicly stated what the duration of the attack was, from the time of initial attack (the spear-phish) to the time of identification and response. The whole notion of catching something “in progress” AFTER data is lost seems somewhat specious to me without a better explanation.