NIST on APT Protection

I noticed in a NIST FAQ on Special Publication 800-37 (continuous monitoring) that guidance has been given to address Advanced Persistent Threats:

Finally, to enable cyber preparedness against the advanced persistent cyber threat, organizations must enhance risk management and information security governance in several areas. These include, but are not limited to: (i) development of an organizational risk management and information security strategy; (ii) integration of information security requirements into the organization’s core missions and business processes, enterprise architecture, and system development life cycle processes; (iii) allocation of management, operational, and technical security controls to organizational information systems and environments of operation based on an enterprise security architecture; (iv) implementation of a robust continuous monitoring program to understand the ongoing security state of organizational information systems; and (v) development of a strategy and capability for the organization to operate while under attack, conducting critical missions and operations, if necessary, in a degraded or limited mode.

There is nothing unusual in the text. I see no mention of protection against advanced attacks or persistent attacks. It would read the same whether or not APT was the attack vector.

What NIST really could have said was that continuous monitoring gives the upper hand against APT.

The fourth (iv) area is the most important. Persistent threats evolve over time so data sets must be maintained for longer periods and reviewed with a wider scope against a baseline (activity trends over three months, six months, etc.). Therefore continuous monitoring of controls plays directly into defending against APT by generating a larger and longer information feed, reducing the effectiveness of the attack vector. The tough part is making use of the data.

I spoke a about this in my recent presentation at RSA Europe. The Pope and the Magna Carta both tried to outlaw the crossbow. Why? It was thought to be unfair in battle. Anyone could pick one up and be quickly trained to kill, unlike a sword that took a lifetime of training. This meant the economics of battle shifted and defenders looked for ways to respond to the new attack. An expensive trained soldier was no longer effective against inexpensive mercenaries (peasants hired to kill).

Why did the Pope or King John’s detractors care about this? I suspect it had to do with who had access to what resources at the time. More money meant favor to the crossbow. King John, for example, could bring loads of troops from France carrying crossbows and fight the barons. Less money, more training, meant favor to the law against crossbows. The balance was shifted again when defenders found ways to exploit time required to reload the crossbow. Defenders only needed to make the attacker miss once while exposed and then a counter-attack by any means was highly effective. Then the crossbow men devised special shields to hide behind while reloading…and so on.

One weakness in the APT attack is found within its long intelligence gathering phase. Information collected over time may show changes from a baseline. This could not only be a way to detect incoming attacks but also potentially show awareness to the attacker and thus prevent them — attackers often move to a target with lower risk.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.