Advanced Persistent Threat (APT) is a new type of information security threat that uses multiple attack techniques and vectors and is conducted covertly to avoid detection, so that adversaries can retain control over systems unnoticed for long periods of time [18]. In order to prevent APT attacks, organizations must develop a cyber-security capability; however, current industry certifications alone are insufficient to prepare information security professionals to detect and mitigate APT attacks. A new paradigm is required to build a cyber-security workforce capable of detecting and defending against these attacks. This new training model must include software development skills, networking skills, and analytics training.
These attacks cost organizations a tremendous amount of money. According to the Ponemon Institute, the average annualized cost of a cyber-attack at US firms was $8.9 million, ranging from $1.4 million to $46 million [14]. They also note: “Cyber attacks have become common occurrences. The companies in our study experienced 102 successful attacks per week and 1.8 successful attacks per company per week. This represents an increase of 42 percent from last year’s successful attack experience. Last year’s study reported 72 successful attacks on average per week” [14].
While not all of these attacks would necessarily be considered APT-focused, it is estimated that APT attacks can cost an average of $300,000 each [20].
Challenge
Defending information systems from APT is challenging for even the most erudite organizations. Tankard says “Traditional defences [sic] aimed at keeping known threats out of the network are no longer sufficient against the exploits being used to conduct such attacks” [18]. It is made even more challenging because the definition of APT is not settled. Messmer notes two industry luminaries who disagree. Eddie Schwartz, Chief Security Officer of Netwitness, defines APT as an attack that has permanence: the adversary does not simply want to gain entry into a system, but wants to stay in the system and creates multiple vectors to do so. The APT target, he says, is a nation’s significant economic interests. Messmer also notes that Gerry Egan, director of product management at Symantec, focuses not on national targets but rather on any organization with intellectual property to defend [11]. Despite these varied definitions, APT is understood to be a computer system attack that is targeted at specific organizations or people, carried out by organized and technically adept groups of well-funded nation-state attackers, using both sophisticated technological attacks that common defenses do not recognize and unsophisticated attacks.
The term, according to Messmer, came into the popular lexicon after Google disclosed it had been the victim of a long-term sophisticated attack in early 2010 [11]. The attacks affected other large information technology firms as well, Adobe and Microsoft among others [5]. The adversary in this attack sent a tailored attack via email to specific individuals, also known as spear phishing. The attack exploited a previously unknown vulnerability in Microsoft’s Internet Explorer web browser. The individuals selected most likely had access to valuable intellectual property the attackers wanted [9].
The real obstacle to detecting and mitigating APT is a lack, or scarcity, of resources, not a matter of will or desire. Just as in economics, scarcity means that wants exceed what is available [17]. In the case of defending against and mitigating APT, the resource in question is a cadre of qualified cyber security specialists.
According to Locasto et al., the demand for qualified cyber security specialists is increasing dramatically. They argue the demand is far outpacing the pipeline of candidates even for organizations such as the National Security Agency or the US Department of Defense, both known for recruiting highly technical talent [10]. While their main focus is the threat of good-paying jobs being exported overseas due to a lack of available candidates here in the United States, their conclusion about the need for qualified cyber professionals is the same. They argue that the right mix of education is the key to having the cyber security personnel available [10].
Others have reached similar conclusions concerning the dearth of available resources. VanDerwerken and Ubell quote SANS Institute Director Alan Paller as saying “more than 30,000 specialists are needed today”. However, he claims that “only about 1,000 to 2,000 have the necessary skills to combat the numerous real-life scenarios happening in today’s organizations” [19]. In the same article, global systems integrator SAIC’s Vice President for Cyber Programs Robert Giesler noted that finding qualified [cyber security] people is becoming increasingly harder and more expensive [19]. Booz Allen Hamilton noted the danger to our nation’s information systems in their 2009 report on improving cyber readiness in the federal employee pool: “Our federal government will be unable to combat these threats without a more coordinated, sustained effort to increase cybersecurity expertise in the federal workforce” [1]. In the interest of disclosure, I am an employee of Booz Allen Hamilton.
Problem
The critical skills possessed by a general information security specialist and by an information security specialist who can detect and mitigate APT are very different. Over the last decade the International Information System Security Certification Consortium (ISC2) has become the de facto arbiter of what defines an information or cyber security specialist through its Certified Information System Security Professional (CISSP) certification. The Department of Defense included it in their Information Assurance Workforce Improvement Program [3]. Additionally, the CISSP was designated an ISO/IEC Standard 17024 by the International Standards Organization [7].
The CISSP is based on ten domains, or its “Common Body of Knowledge.” Certification holders are expected to possess a solid understanding of each of these subjects. Each CISSP candidate must pass a test that covers material in each of these domains. The domains are [7]:
Access Control
Telecommunications and Network Security
Information Security Governance and Risk Management
Software Development Security
Cryptography
Security Architecture and Design
Operations Security
Business Continuity and Disaster Recovery Planning
Legal, Regulations, Investigations and Compliance
Physical (Environmental) Security
For a cyber-security specialist who focuses on APT, the requirements are considerably different. Referring back to the definition posited earlier, APT is defined as a computer system attack that is targeted at specific organizations or people, carried out by organized and technically adept groups of well-funded nation-state attackers with both sophisticated technological attacks that common defenses do not recognize and unsophisticated attacks. It is this specific definition that makes qualified personnel so hard to locate. APT mitigation requires the ability to see things that are not readily apparent. The CISSP was designed for technical managers, not APT hunters.
For example, a frequent technique in an APT attack is to load a piece of malware into a subdirectory in Microsoft Windows under a common-sounding name such as SYS.DLL. With this name, most administrators and even security personnel will not pay it much attention. To the APT hunter, however, this file needs to be uncovered and reverse engineered as the misbehaving piece of code it is. Maybe it shouldn’t be in that directory to begin with. In this regard, APT hunters look for anomalous behavior. Ordinary malware and other cyber detritus picked up in the course of cruising the Internet’s highways and byways is better left to the generalists of the trade. APT hunters are a mix of software developers, network engineers, intelligence specialists (trolling the “off-the-beaten-paths” of the Internet’s dark recesses), and salesmen extolling the virtues of not having organizational assets walk unimpeded out the door.
With the vast array of security certifications available to the practitioner, is it as easy as sending staff to a “boot camp” for a week or two to learn the material and then take the test? No. Each of the major certification regimens has its own unique limitations. The CISSP has been discussed previously. Another certification in vogue currently is the Certified Ethical Hacker, or C|EH, from the EC-Council. According to the EC-Council’s website, their program
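As an added illustration of the anomaly-based hunting described above (example code written for this page, not part of the original paper), the check below walks a file inventory and flags files whose names mimic Windows components but sit outside the expected system directories, or which sit in the right place but whose digest differs from a known-good baseline. The directory list, name list, baseline digests and sample inventory are all constructed assumptions for the example.

```python
from pathlib import PureWindowsPath

# Directories in which Windows OS components are legitimately expected.
# Assumption made for this example; a real list would come from the organization's build image.
EXPECTED_SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")

# File names that sound like OS components. Constructed short list, not a complete catalogue.
SYSTEM_LOOKING_NAMES = {"sys.dll", "ntdll.dll", "kernel32.dll", "svchost.exe"}

# Known-good SHA-256 digests keyed by lower-cased full path.
# Placeholder values constructed for this example; real digests come from a golden image.
BASELINE_HASHES = {
    r"c:\windows\system32\ntdll.dll": "aaa111",
    r"c:\windows\system32\kernel32.dll": "eee555",
}


def in_expected_dir(path: PureWindowsPath) -> bool:
    """True when the file's directory is an expected system directory or a subfolder of one."""
    parent = str(path.parent).lower()
    return any(parent == d.lower() or parent.startswith(d.lower() + "\\")
               for d in EXPECTED_SYSTEM_DIRS)


def find_suspicious_system_names(inventory):
    """Return findings for (path, sha256) entries that look like OS components but are
    either outside the expected directories or differ from the baseline digest."""
    findings = []
    for raw_path, digest in inventory:
        path = PureWindowsPath(raw_path)
        name = path.name.lower()
        if name not in SYSTEM_LOOKING_NAMES:
            continue  # ordinary application files are out of scope for this check
        if not in_expected_dir(path):
            findings.append({"path": raw_path, "sha256": digest,
                             "reason": "system-looking name outside expected system directory"})
        else:
            expected = BASELINE_HASHES.get(str(path).lower())
            if expected is not None and expected != digest:
                findings.append({"path": raw_path, "sha256": digest,
                                 "reason": "digest differs from known-good baseline"})
    return findings


# Constructed inventory, in the shape a file-system audit tool might produce.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\ntdll.dll", "aaa111"),       # expected location, matches baseline
    (r"C:\Users\Public\Libraries\SYS.DLL", "bbb222"),   # the paper's example: wrong directory
    (r"C:\Program Files\Acme\report.dll", "ccc333"),    # application DLL, not system-looking
    (r"C:\Windows\System32\kernel32.dll", "ddd444"),    # expected location, digest differs
]

if __name__ == "__main__":
    for finding in find_suspicious_system_names(SAMPLE_INVENTORY):
        print(f"{finding['path']}: {finding['reason']}")
```

A finding is a starting point for the reverse engineering the paragraph calls for, not a verdict; a renamed copy in a WinSxS subfolder is deliberately not flagged by the digest check because side-by-side versions legitimately differ.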
…will immerse the students into a hands-on environment where they will be shown how to conduct ethical hacking. They will be exposed to an entirely different way of achieving optimal information security posture in their organization; by hacking it! They will scan, test, hack and secure their own systems [4].
While not disparaging this certification, this is not the methodology of the APT adversary. The attacker in an APT scenario is stealthy. The C|EH is designed around the premise that the certification holder will be testing their own network (or a client’s) using the new skills they’ve acquired, not conducting long-term data exfiltration against a target. Other certifications present issues as well.
For example, the SANS Institute is a well-known organization in the information security market for providing highly technical certifications. According to their website, they have granted over 46,000 certifications in such disciplines as firewall management, wireless penetration testing, legal issues surrounding cyber-security, and security leadership [16]. While the courses are very good, one would have to take a plethora of certification tests to acquire the skills required to be effective at APT detection. For most organizations, this is cost-prohibitive based on current course pricing [16].
The last major certification worth examining is the Defensive Cyberspace Operations Engineer (CSFI-DCOE) from the Cyber Security Forum Initiative. This recent certification program focuses on cyber warfare and does have some tracks on malware analysis; however, its primary focus is on broad overviews of cyberspace operations [2]. APT detection and mitigation is more narrowly focused than this certification’s goal.
I have been a CISSP since June 1999; held the SANS certification for incident handling (the GIAC Certified Incident Handler (GCIH)); and have contributed content to the curriculum of the CSFI-DCOE. All three certifications (along with the other industry certifications available) are excellent sources of knowledge and skills. In no way should anything in this paper be construed to reflect negatively on them. However, they are not sufficient for preparing an information professional for the job of APT detection and mitigation on their own. They were not designed with APT combat in mind.
Proposal
Organizations need a new training regimen to be able to detect and mitigate APT. This regimen needs to be both diverse in its curricula and robust in its maturity. Focusing on the latter first, the National Initiative on Cybersecurity Education (NICE) has developed a Cybersecurity Capability Maturity Model (CMM). While still in draft form, the document offers three maturity levels for a security program: limited, progressing and optimizing. These levels apply to specific segments: process and analytics, integrated governance, and skilled practitioners and enabling technology [12].
With the ability to measure robustness now available, what are the skills to be measured? For the APT hunter, there should be a baseline level of knowledge. Hoffman et al. call it a holistic approach: “developing the cybersecurity workforce considers the many disciplines that produce cybersecurity professionals—technical and nontechnical alike” [6]. These disciplines should include:
Software Development fundamentals
Networking fundamentals
Analytical fundamentals
Operating System fundamentals
Practical experience
Personal skills
While the first four skills can be taught via the certification programs mentioned earlier or at two- or four-year colleges (or even high schools), the last two skills are harder to impart. Practical experience, while seemingly a Catch-22, can be garnered through realistic training. One such program is run by a contractor for the US Air Force. According to O’Harrow, just as the military has used mock cities to conduct urban warfare training drills or Red Team/Blue Team scenarios at the National Combat Training Center in California, this organization runs a town that exists only on computers. Everything is simulated: communications and operations, e-mail, HVAC, transportation systems and even social media [13]. It is just this sort of environment that is necessary for the APT detection and mitigation specialist to succeed.
The Department of Defense has a separate government-run “cyber range” to provide sandboxed scenarios. This collection of resources “[p]rovides an operationally realistic simulation of the Global Information Grid, its network services and information assurance/network defense capabilities in a closed environment. It also serves as a virtual training ground for DOD cyber personnel and a testing and evaluation space for new information assurance and network defense technologies, tactics and policies” [8]. Other organizations, both commercial and government, should have access to similar training capabilities to enhance their own defensive proficiency.
The other necessary skill an APT specialist needs falls under the rubric of “soft skills.” Robles distinguishes these from “hard skills” in stark terms. Hard skills are the technical knowledge required for a position, e.g. the first three items in the bulleted list above. Soft skills, in contrast, are more interpersonal in nature. They are also known as people skills [15]. These are important in any position. For the cyber-security professional in general, and the APT hunter specifically, it may fall on that person to inform senior organizational leadership that there is a potentially large problem with the information system. In these scenarios, the ability to couch the language appropriately is critical. Figure 1 graphically represents this proposed training program.
Conclusion
Today organizations are faced with an increasing threat to their information systems in the form of APT, or advanced persistent threat, attacks. Current cyber-security training for detecting and mitigating against APT is insufficient. Major certifications such as the CISSP, those offered by the SANS Institute, or CSFI are not designed for this new emerging threat. While they are outstanding certifications in that they offer great training, APT is a different breed of threat. A new approach is required in order to have a cyber-security workforce capable of detecting and defending against these attacks. This new training model needs to include software development skills, networking skills, and analytics training. These technical skills are crucial. But the new approach must also include safe places to regularly practice, improve, and teach interpersonal skills. These added functions are increasingly important in a fast-paced globally networked environment. Without such a capability, organizations will continue to lose significant amounts of intellectual property and money.
References
[1] Booz Allen Hamilton, Inc. (2009). Cyber In-security: Strengthening the Federal Cybersecurity Workforce. Washington, DC: Partnership for Public Service.
[2] Cyber Security Forum Initiative. (2012). CSFI - Cyber Security Forum Initiative. Retrieved from Cyber Security Forum Initiative: http://csfi.us/?page=training
[3] Department of Defense. (2005). Information Assurance Workforce Improvement Program (DOD 8570.01-M). Washington, DC: Defense Technical Information Center.
[4] EC-Council. (2012). Certified Ethical Hacker. Retrieved from EC-Council: http://www.eccouncil.org/courses/certified_ethical_hacker.aspx
[5] Higgins, K. J. (2010, February 10). 'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators. Retrieved from Dark Reading: http://www.darkreading.com/security/news/222700786
[6] Hoffman, L. J., Burley, D. L., & Toregas, C. (2012). Holistically Building a Cybersecurity Workforce. IEEE Security and Privacy, 33-39.
[7] ISC2. (2012). CISSP - Certified Information System Security Professional | (ISC)2. Retrieved from (ISC)2 - Security Transcends Technology: https://www.isc2.org/cissp/Default.aspx
[8] Kenyon, H. (2010, December 02). New DOD test range serves as cyber training ground. Defense Systems.
[9] Kurtz, G. (2010, January 14). Operation "Aurora" Hit Google, Others. Retrieved from McAfee Blog Central: http://blogs.mcafee.com/archive/operation-aurora-hit-google-others
[10] Locasto, M. E., Ghosh, A. K., Jajodia, S., & Stavrou, A. (2011). The Ephemeral Legion: Producing an Expert Cyber-Security Workforce from Thin Air. Communications of the ACM, 54(1), 129-131. doi:10.1145/1866739.1866764
[11] Messmer, E. (2011, February 7). What is an 'Advanced Persistent Threat,' anyway? Network World , p. 15.
[12] National Initiative for Cybersecurity Education. (2012). Cybersecurity Capability Maturity Model (Draft). Washington, DC: Government Printing Office.
[13] O'Harrow, R. (2012, November 26). CyberCity allows government hackers to train for attacks. Washington Post. Retrieved from http://www.washingtonpost.com/investigations/cybercity-allows-government-hackers-to-train-for-attacks/2012/11/26/588f4dae-1244-11e2-be82-c3411b7680a9_story.html
[14] Ponemon Institute. (2012). 2012 Cost of Cyber Crime Study: United States. Traverse City: Ponemon Institute.
[15] Robles, M. M. (2012). Executive Perceptions of the Top 10 Soft Skills Needed in Today's Workplace. Business Communication Quarterly, 75(4), pp. 453-465.
[16] SANS Institute. (2012). GIAC Forensics, Management, Information, IT Security Certifications. Retrieved from Global Incident Analysis Center (GIAC): www.giac.org
[17] Schenk, R. (1997). Scarcity and Choice. Retrieved from Ingrimayne: http://ingrimayne.com/econ/Introduction/ScarcityNChoice.html
[18] Tankard, C. (2011, August). Advanced Persistent threats and how to monitor and deter them. Network World, 2011(8), pp. 16-19. Retrieved from http://www.sciencedirect.com/science/article/pii/S1353485811700861
[19] VanDerwerken, J., & Ubell, R. (2011). Training on the Cyber Security Frontlines. T+D, 46-50.
[20] Walder, B. (2012). The Targeted Persistent Attack (TPA). NSS Labs. Austin: NSS Labs.
Acknowledgements
I would like to thank Professor Gwyn Robson of the University of Maryland University College and Steven Ruzila of Booz Allen Hamilton for their invaluable advice on this paper.
Copyright 2010 Respective Author at Infosec Island