Wednesday, January 13, 2010

Web-based systems vs. Advanced Persistent Threat

Everyone is giving their $0.02 on the Google v. China situation, and while I normally shy away from blogging about late-breaking news, a term Richard Bejtlich used really resonated with me: "Advanced Persistent Threat" (APT). Doesn’t that just capture the essence of the type of attacker we’re up against perfectly? An attacker utilizing 0-day vulnerabilities, spear phishing tactics, one-off malware, and with little time, money, or legal constraints. Now, not all people or organizations using web-based systems are going to be the targets of APTs, but clearly some will be.

Let’s broaden out our thinking beyond Google, as the problem is larger than they are, to include other “free” web-based services such as Facebook, Yahoo, Twitter, Microsoft, etc. I believe there is no way the average user can be considered reasonably safe from an APT on these systems. To be fair, these providers make no such claim as they are only built to withstand the lowest-common-denominator of attacker -- not APTs. Since all potential victims are equidistant, practically speaking all it really takes is a username/password or a bit of malware for any online account to be compromised. A very low bar and clearly no amount of SSL, firewalls, Anti-Virus, or CAPTCHA technology is going to raise it.

Secondly, an APT’s target is unlikely to have any idea when/if their online accounts are being attacked. The infrastructure is not theirs to monitor. Web-based systems have no real notion of intrusion detection (or even a delete key) unless you include those emails when your account is locked out or password is changed without your knowledge. Even more troubling, victims will not have any idea when/if the threat succeeded in their mission. Next, as if there was any question, these web-based systems are not legally or fiscally accountable for breaches -- whether it was their fault or not. And finally, APTs will not stop no matter who lays down the ultimatum.

When everything is taken into consideration, any user who believes they are going to be a target of an APT should not be using these systems for anything they can’t afford to lose control over. The fact that the U.S. government is moving their system in this direction really concerns me. Perhaps there is a silver lining. These events could be the stimulus required for a new breed of web-based services to rise up and differentiate based upon security and maybe be willing to take on some liability.


Jack Mannino said...

Good post, the ideas you presented as well as Richard's echo a lot of the things I've tried to drive home to various groups. The timing couldn't be better actually, as I'm giving a talk next month raising a lot of the same issues.

The scariest part that I think many fail to realize is that the "sophisticated" and cool stuff isn't always required. If one application in an SSO environment allows for you to reset a user's password through a poorly implemented "Forgot Password" function, it's pretty much game over if your sole motivation is harvesting sensitive data.

Jeremiah Grossman said...

@Thanks Jack. To me, the "sophisticated" and cool stuff is what will be used against us in the future when all the easy stuff today is exhausted. A primary reason why I track it via the top ten web hacking list effort. I like to be a little ahead of the curve. :)

Russell Thomas said...

Great post, J. I'm also reminded of Brian Snow's 2005 paper: "We Need Assurance". He gave a very compelling explanation of the difference between an opportunistic attacker who trolls for the weakest link and the targeted, determined attacker.

As I usually do, I'm thinking about this problem from the perspective of risk management. Shifting to "web-based systems" (web service provider) only makes risk management more important, but also harder. If all your IT services are in-house, then you can focus on the possible threat agents who might go after your business. But if you are using web-based services, then you have to think through all the threat agents who might have something to gain by attacking each of your web service providers. Thus, a small business that uses Google Docs, Gmail, etc. now has to *actively* consider the nation-state threat agents that might attack Google, as in this case. (Or, more precisely, both state and non-state APTs)

Spinning this around, what responsibility should Google and the other web service businesses have in disclosing their threat models, to allow their customers to do rational risk analysis? It may be that the only way this will happen is either via regulatory mandate or some sort of risk pooling or shared liability for both web service provider and also their customers.

Jim Manico said...


Good post. Now, keep in mind - this isn't just any ol' APT, this is most likely the Chinese government (CAPT). We are talking nearly unlimited resources and offense-based talent. When facing this kind of adversary, there does not seem to be any way to win (defend) with today's current state of defensive technologies.

Jeremiah Grossman said...

@Russell thank you. Re: "what responsibility should Google and the other web service business have in disclosing their threat models"

For myself, this appears to be a market opportunity that providers may capitalize on. This opens the door to differentiate based upon security. If threat models are important to a customer, they can ask for it, and might even get it.

@Jim, if properly motivated to do so, I believe we have the ability to reasonably fend off APTs. Is the security investment worth it for free web-based services? Eh... not so much.

Jim Manico said...

Fair enough Jeremiah. But I do think one of the main reasons that Google is considering pulling out of China is because they cannot cost-effectively defend against this adversary.

Unknown said...

"The fact that the U.S. government is moving their system in this direction really concerns me."

Sure, if the government is moving towards using standard consumer "gmail" it's concerning. On the other hand, if they are using an air-gapped Google-hosted Gmail instance that is only available via encrypted VPN sessions originating from approved government networks with appropriate encryption for "data at rest" - I'd tend to be less concerned.

@Jim - There are any number of simple ways to attack Google or any other company from anywhere in the world and appear to come from wherever you would like (even if you went to the extreme of blocking all of the China net-blocks as some have suggested on the mailing lists).

Requiring the use of proxies or tunnels doesn't protect you from what we are calling "APTs" (although it might provide some small risk reduction (spammers, malware, script kiddies and the like) at the cost of annoying 1/6 of the world's population).

I suspect that this attack merely provides Google with a convenient excuse to do what they wanted to do anyway.