Advanced persistent threat. The term started sneaking into infosec nomenclature about ten years ago and reached its peak during 2010-2013, instigated by Stuxnet and trending steadily upward through the release of Mandiant’s APT1 report. Since then, security SMEs have debated the concept of advanced persistent threats (APTs), noting that often the skill required to perpetrate such an attack, nation state or otherwise, is far from advanced. Yet “APT” has held on, popping up in the FUD-based media headlines over the years. Just this month APTs have appeared in big, bold font on ForbesSophos, and ZDNet, to name a few.

The media aren’t the only ones touting the dangers of APTs. ISACA’s 2015 Advanced Persistent Threat Awareness study surveyed 661 individuals involved in their company’s internal controls, internal incidents, policy adherence, and management and support of information security. What ISACA learned was that 94% of these globally dispersed professionals are at least “somewhat familiar” with APTs, and nearly three quarters of respondents think they’re likely to be a target of an APT attack. Only 1% of the surveyed population responded that they are “not at all likely” to be a target of an APT.

Put, put, put it up

IT and security practitioners are concerned with APTs, and one can read about APTs (though somewhat less than in previous years) from myriad online sources, but the important question is: Are advanced persistent threats a real or imminent threat to enterprises?   

The cause of reported and disclosed incidents and breaches from the last several years points to “no.” Right now phishing and stolen credentials are the biggest culprits in facilitating attacks. Phishing, while it takes creativity to write realistic-looking emails, and even persistence to fool enough users into opening an email and clicking a link or opening an attachment, there’s little “advanced” about the method.

Credential stealing or brute force password attacks are in the same simplistic boat. As long as “123456” and “password” remain the most popular passwords, there’s no reason for adversaries to employ advanced techniques in their quests for others’ information or secrets.

Rounding out the top not-so-sneaky methods of infiltration are CVEs, Common Vulnerabilities and Exposures. In a session entitled “Amateur Hour – Why APTs are the least of your worries,” presented by Ed Bellis at InfoSec World 2016, Bellis shared data provided by his firm, Kenna Security, which shows that old CVEs provide ample opportunity for exploit. While new vulnerabilities appear and are exploited almost every day, old vulnerabilities known to security professionals and researchers for years still haven’t been patched. Kenna found entirely too many CVEs exploited in 2015 that have been viable since the 1990s!

2016 Verizon Data Breach Investigations Report

“Hackers use what works, and what works doesn’t seem to change all that often,” said Bellis during his talk (also written in the 2016 DBIR). Because these CVEs aren’t patched readily, if ever, adversaries can automate attacks against them, sending the attacks out rapid-fire to see when they have an ace in the hole. On average, Bellis continued, “It takes companies 100-120 days to remediate vulnerabilities” (when they’re aware of them), but the criminals move much more quickly. The sweet spot for exploitation is 30 days after a vulnerability is published. About half of all exploits occur between 10 and 100 days. This latency in patching makes CVEs a very easy target for exploit. It’s not uncommon to find exploit instructions on the deep or dark web; how difficult can it be to perpetrate an attack when step-by-step instructions are spelled out online?

 

 

 

2016 Verizon Data Breach Investigations Report

 

I said, it goes like this

CVEs, phishing, and stolen or cracked credentials are the low hanging fruit sought by attackers. Rather than giving into the FUD, security practitioners can look at their policies and processes to make sure basic blocking and tackling is in place. We won’t stop the headlines, but perhaps a few incidents can be mitigated with good, old content filtering, anti-virus, patching, IDS/IPS, firewall management, and tightening up admin accounts.