
Hypothesis: the APT is not that advanced


I went to bed last night right after reading the New York Times article spotlighting Mandiant’s exposé of APT1. My last thought before drifting off to sleep was, “how much money could one make tomorrow if they could collect a nickel for every time the acronym ‘APT’ was used?” Based on my Twitter feed this morning, the answer is somewhere in that triangulated area of wealth between Bill Gates, Warren Buffett and Carlos Slim (admission: I had to rely on Google for the last name; surprisingly, he is the wealthiest of the three by a 50+% margin!).

The point of this post is that I’m going to throw out an idea, a hypothesis: the APT is not that advanced.  Well-resourced? Yes.  Given clear targets and ample time to operate? Yes. But advanced? Not necessarily.

If you watched the Mandiant video, you’ll see an operator performing spearphishing from a Gmail account, leveraging the access gained to perform Command & Control (C2) functions using several Remote Access Trojans (RATs), and then RAR-ing up files and exfiltrating them via FTP. Each of these steps could be performed by someone with minimal training. In fact, I’ve seen new hires at my company perform essentially these procedures (minus the malicious use of RATs) on their first project out of school.

I’m sure Mandiant had extensive video to choose from and wanted to use clips that would have the broadest appeal. That said, I’ve been involved in a number of projects with direct attribution to the APT and the video is very consistent with my experiences.  They are not stringing together zero-day exploits and identifying creative new ways to break systems.  They find the path of least resistance, have a toolset at their disposal to remain persistent and then work away.

I do want to make a distinction here: this threat actor’s *capabilities* may in fact be advanced, but their *techniques* are not. Their techniques are not advanced because they don’t need to be. Our nation’s security culture is firmly established around SOX, HIPAA, PCI, etc., which afford companies a floor of controls but don’t provide real protection against a motivated attacker, regardless of the attacker’s skill level.

The reason I’m writing this post is not to call out the skill level of the APT; rather, it’s to illustrate that companies can be successful against this threat actor and others through a sound defense-in-depth strategy and good security discipline and hygiene. I’ve written about the controls I believe to be most effective against social engineering, as well as the importance of application whitelisting, controls over privileged accounts, etc. In addition, there are a number of other techniques I’ll discuss in the days/weeks/months ahead (e.g., egress point consolidation, effective use of SIEM, netflow analysis) that can further increase your confidence in the protection in place within your company. Coupling a number of these complicating controls with a (relative) over-investment in an appropriately staffed and skilled detection and response capability will provide reasonable protection against an attacker demonstrating the tactics, techniques and procedures (TTPs) shown by this threat actor.
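To make the "egress consolidation plus netflow analysis" point concrete against the RAR-and-FTP exfiltration shown in the video, here is an added example (not code from the original post or from Mandiant) of the detection logic a SOC might run over flow records. The flow records, the internal address ranges, the set of approved egress hosts and the 50 MiB bulk-transfer threshold are all constructed assumptions for the example.

```python
"""Added example, not part of the original post: flag outbound FTP flows that
either bypass a consolidated egress tier or move enough data to look like bulk
exfiltration of archived files.

The flow records, address ranges, approved-egress set and threshold below are
constructed for illustration; none of them come from the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Assumed internal address space and the only hosts permitted to reach the
# Internet directly (the consolidated egress / proxy tier).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
APPROVED_EGRESS = {"10.0.50.5", "10.0.50.6"}
FTP_PORTS = {20, 21}                 # FTP data and control ports
BULK_BYTES = 50 * 1024 * 1024        # assumed threshold for one FTP session

# Constructed netflow-style records: timestamp src sport dst dport proto bytes
SAMPLE_FLOWS = """\
2013-02-19T02:14:05Z 10.1.23.44 49152 203.0.113.10 21 tcp 1843
2013-02-19T02:14:06Z 10.1.23.44 49153 203.0.113.10 20 tcp 734003200
2013-02-19T02:20:11Z 10.0.50.5 51000 198.51.100.7 21 tcp 2200
2013-02-19T02:20:12Z 10.0.50.5 51001 198.51.100.7 20 tcp 4100000
2013-02-19T02:31:40Z 10.1.23.44 49160 10.2.0.9 21 tcp 990
2013-02-19T03:05:02Z 10.1.77.12 40020 203.0.113.10 443 tcp 52000
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(ts, src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def flag_ftp_exfil(flows: List[Flow]) -> List[str]:
    """Return one alert string per suspicious outbound FTP flow.

    Rule 1 (egress bypass): an internal host other than the approved egress
    tier talking FTP to an external address. With egress consolidated, any
    such flow is policy-violating regardless of size.
    Rule 2 (bulk transfer): an outbound FTP flow carrying >= BULK_BYTES, the
    shape a RAR-then-FTP exfiltration leaves in netflow.
    """
    alerts = []
    for f in flows:
        if f.proto != "tcp" or f.dport not in FTP_PORTS:
            continue
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # inbound or host-to-host internal FTP: out of scope here
        if f.src not in APPROVED_EGRESS:
            alerts.append(f"{f.ts} egress-bypass ftp {f.src} -> {f.dst}:{f.dport}")
        if f.nbytes >= BULK_BYTES:
            alerts.append(f"{f.ts} bulk-ftp {f.src} -> {f.dst}:{f.dport} {f.nbytes} bytes")
    return alerts


if __name__ == "__main__":
    for alert in flag_ftp_exfil(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

Run against the constructed records, the workstation 10.1.23.44 trips both rules (a direct FTP control connection and a 700 MB data channel to an external host), while the approved egress host's small FTP session and the purely internal FTP flow produce nothing. The rules are deliberately simple; the point is that once egress is consolidated, the first rule needs no volume heuristic at all.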

