You don't have to search very hard to find some Chicken Little fluff piece heralding sky-falling doom in the form of an advanced persistent threat (APT). If your experience is like mine, however, fewer than one in ten of the resources you find do more than tell you what an APT is, warn you that you are already a victim or a victim in waiting, or promise you that you'll be better protected if you buy *this* product.
Kudos to the folks at Public Safety Canada for compiling a concise report entitled Mitigation Techniques for Advanced Persistent Threats. They helpfully deconstruct APT by offering a practical, consumable interpretation of each term.
The context for Advanced, for example, is broken down further into sub-contexts. The Report explains that the malicious software involved is not always advanced in the sense of being "sophisticated"; it is often readily available exploit code that is simply leveraged better than in earlier attacks. Advanced applies more to the growing body of evidence that state actors and sponsors "select their targets and refine the attack such that selected individuals in targeted organizations become the conduit to the organization's information assets".
The context for Persistent is also broken into aspects. The reconnaissance aspect is a panoply of P's: the attackers are patient, painstaking, precise, purposeful, and persevering. The execution aspect of an APT is very "spy" oriented: clandestine and credibly socially engineered.
The threat is simple: exfiltration of information of a sensitive or secret nature that provides an APT sponsor with "a strategic, diplomatic, military, competitive, technological or economic advantage."
Most online resources I've found stop here (feel free to recommend any in a comment). This Report goes on to explain the chronology of an APT attack, describing each stage: reconnaissance, social engineering, establishing a backdoor and command and control (C&C), achieving the objective, and maintaining presence. This chronology is a great segue to the remainder of the Report because it gives context for the strategies Public Safety Canada recommends potential target organizations adopt, how to monitor for and detect potential APT activity, and the mitigation measures to apply.
The information Public Safety Canada shares in these sections is not radically new; in fact, there isn't a single monitoring, detection, mitigation or remediation measure that hasn't been recommended before. The value of these sections, however, is twofold. First, Public Safety Canada has taken the initiative to gather this information from reputable sources (the Australian DSD, McAfee, RSA, GAIC...), consider the growing body of work, and condense it into a single reference. More importantly, having a single reference makes plain that defending against APTs is as much a matter of doing better what we do today, with existing instrumentation, as it is of introducing new techniques or technology.
I'm always excited to share when I find a resource that is FUD free and full of useful information. This Report doesn't contain a silver bullet, but it will lend clarity to APT discussions and it may help you define a better strategy for defending against APTs than you have today.