Schneier on Security

Clive Robinson • January 3, 2019 2:59 PM

@ Faustus,

She claims that Advanced Persistent Threats are nation state actors.

As with many other definitions things change with time and perspective. You only have to look at “hacker” to see that.

The current “journalism view” incorrect as it is to “technologists” is APT is the SigInt agencies or their “arms length contractors” who give “plausable deniability”.

Incorrect though this very limited view is historically and practically that’s what the MSM and some “techno journos” think it means.

With regards,

I’ve always understood them to be stealthy rootkit based malware that is designed to compromise a target and remain there for a long time by being hard to find and resistant to cleaning efforts.

That is a technical view point and is a muddle up of different things.

APT is any “long term use malware that is covert in operation”. It does not have to be either hard to find or hard to remove. The key differentiator is “long term use” at the time the phrase was coined it was to do with Chinese malware which was being used to gather information over months and years but not for direct monetary gain which ment it was generally covert. This distinguished it from criminal attacks where the monetary value of the data tended to be inversly related to time, which encorraged “smash and grab” type tactics that tended not to be covert in any way.

They APT Malware does not have to be a rootkit at all, in fact the world has kind of moved on from them in terms of being covert. OS Rootkits are relatively easy to find these days and signed code loaders mean that there are otherways that are easier for most attackers. For instance any hardware that can get at memory after the code is loaded can do it’s stuff in relative safety. There are mechanisms from decades back where driver code can be loaded before the OS Bootloader that enable it to be persistant without it needing to be signed that can then pull in malware that can be loaded without the OS load mechanism seeing it. If you want a tipping point for this happened it was shortly after BadBIOS which made the idea of simple persistant device driver loading from a computers Flash ROM well known, which Lenovo was later caught using to do persistant malware on it’s consumer grade laptops.

Persistence of APT Malware again is not a requirment and is caused by a misunderstanding of how an APT payload is deployed. An attacker in general first gets a toe hold of some kind and then secondly builds in other openings like a RAT. Once the RAT is in place they use it to turn the toe hold into something much more solid that will get them in at a later date should the toe hold get patched or the RAT discovered. Sophisticated attackers will dive in at a very low level such that replacing the hard drive or other I/O cards will not effect it. We know this from the behaviour of “Tweedle dee and Tweedle dum” who came down on a shoping trip to London from GCHQ Cheltenham and then on to the Guardian Newspaper Offices half a decade ago over the Ed Snowden document trove. Have a look at what was done to the motherboards in the laptops concerned you can learn a fair amount from the photos the Guardian published. Only once re-access has been assured will the actual APT Malware be downloaded. Because re-access has been asured the actuall APT Malware can be made without having the requirment to be either hard to remove or hard to find. In fact sufficiently sophisticated attackers will use other peoples APT Malware that has already been found and attributed to some other entity (we know this from US IC “false flag” code that turned up one day 😉

But realy sophisticated APT Operators will be even sneakear and it’s something people realy need to get their heads around. For years now the general security principle most frequently employed has been that of “perimiter defence”. That is FireWalls and AV software checking on inbound data.

There are two basic methods of APT attack, inside the perimeter which is observable by the target and the first point upstream of the target which generally can not be observed. For various reasons the Five-Eyes are “assumed” to do the latter and others the former. What is more likely is a mixture of both.

When you are inside a targets perimiter attacks are generally easier for various reasons. That is organisations tend not to lock down user devices as hard as they should because this tends to get in the way of productivity also patching etc tends to take time on some users devices, if at all…

Thus a sophisticated attacker will make their deep down persistence only on one or two machines which they will not put the APT Malware payload on. They will then sparingly put the APT Malware on the machines of interest. This way they reduce the likely hood not only of the APT Malware being detected they can lay down false tracks as to how it got on those machines. It also reduces the chance that their deep re-access malware will be detected.

The definition of APT is going to change again in the near future because of “Contractors”. Intelligence Organisations are neither omnipresent or omnipotent. As many know the normal operation is “case officers” in the IntOrg handle “spys” in the target nations organisations. Less well known is that “black bag jobs” are often carried out by Contractors who have specialist skills that the IntOrg lacks, this is things like getting around sophisticated alarm systems and accessing secured areas and containers (vaults and safes etc). This has advantages in that the contractor probably neither knows or cares who has actually engaged them, and likewise care not to know why they are engaged to do what they are doing. This gives both sides deniability.

Well in the modern world “every one is suspect of something” is the prevailing Political, IC and LEO view. What makes life easy for those with appropriate skills is much of the world uses mobile communications, especially second and third world countries where it might be the only communications option for ordinary people.

However such countries generally do not have people with the skills required working in their Political, IC or LEO organisations, in part due to “authoritarian follower” issues in guard labour, also in part because they would not trust such people any way.

Russia, China and even the US are known to have originally used “criminals” to do such work for a number of reasons. However larger countries with sufficient excess resources and education systems are now bringing things in house even though the skill levels are known to be lower in most cases.

This option is not generally available to second and third world nations. But such nations can usually find several million dollars to by tools, but not the skills to operate them.

This means there is a buyers market out there, which means there will be suppliers building a market to accept money in return for the skills in some form or another.

Which means we will see “contractors” appearing in greater numbers to forfill the market.

But the one thing about such a market is it will grow out of “government” espionage circles, into corporate espionage circles and down to your high end “gum shoe” operators given a little time.

Thus the usage definition of APT will change again in the minds of journalists thus others outside what will be the “profession”…

Clive Robinson • January 7, 2019 8:43 PM

@ gordo,

I read over the blog thread you link to from back in Nov 2011.

Back then it was clear there was confusion with “actor -v- method” as the meaning for APT.

Thus from my point of view I think I will use “APT attacker(s)” and APT method(s)”… In fact I think hyphenating might be even better to show the coupling.

But also my comment from back then about the ambiguity of “advanced” and “persistent” is still as true today.

Mind you Brandrich Conner, was right about “marketing term” / “excuse” it’s still the same seven years on as is “China APT” for the war-hawks.

I guess some things don’t change, but “APT” sure will as it thrashes back and forth like a grabed hag fish eventually tying it’s self in knots to escape the mess it’s made and left behind.