Monday, October 25, 2010
Web-based systems vs. Advanced Persistent Threat
Everyone is giving their $0.02 on the Google v. China situation, and while I normally shy away from blogging about late-breaking news, a term Richard Bejtlich used really resonated with me: "Advanced Persistent Threat" (APT). Doesn’t that just capture the essence of the type of attacker we’re up against perfectly? An attacker utilizing 0-day vulnerabilities, spear phishing tactics, one-off malware, and with few time, money, or legal constraints. Now, not all people or organizations using web-based systems are going to be the targets of APTs, but clearly some will be.
Let's broaden out our thinking beyond Google, as the problem is larger than they are, to include other “free” web-based services such as Facebook, Yahoo, Twitter, Microsoft, etc. I believe there is no way the average user can be considered reasonably safe from an APT on these systems. To be fair, these providers make no such claim, as they are only built to withstand the lowest-common-denominator of attacker -- not APTs. Since all potential victims are equidistant, practically speaking all it really takes is a username/password or a bit of malware for any online account to be compromised. A very low bar, and clearly no amount of SSL, firewalls, Anti-Virus, or CAPTCHA technology is going to raise it.
Secondly, an APT's target is unlikely to have any idea when/if their online accounts are being attacked. The infrastructure is not theirs to monitor. Web-based systems have no real notion of intrusion detection (or even a delete key) unless you include those emails when your account is locked out or password is changed without your knowledge. Even more troubling, victims will not have any idea when/if the threat succeeded in its mission. Next, as if there was any question, these web-based systems are not legally or fiscally accountable for breaches -- whether it was their fault or not. And finally, APTs will not stop no matter who lays down the ultimatum.
When everything is taken into consideration, any user who believes they are going to be a target of an APT should not be using these systems for anything they can’t afford to lose control over. The fact that the U.S. government is moving their system in this direction really concerns me. Perhaps there is a silver lining. These events could be the stimulus required for a new breed of web-based services to rise up and differentiate based upon security and maybe be willing to take on some liability.
Posted by Sumit Shukla at 3:40 AM