Advanced Persistent Threat (APT), What's Malware Got To Do With It?

Ugh, here we go again. As awareness continues to rise about the likelihood of a targeted attack succeeding in an enterprise (a good thing - the awareness, not the likelihood of an attack), security vendor marketing machines mull over the facts in search of a "message" - something to frame their product or service to make it relevant to their customers' most pressing needs.

We lived through the APT Marketocalypse of 2010,where you couldn't swing a dead cat without hitting a vendor telling you how they could stop "APTs." The voice in my head still rages every time I see "APTs" - it's The APT. And it's a WHO, not a WHAT. Sigh.

Now I see it happening again. The latest marketing distortion field is telling you to beware of The Malware Problem (insert dramatic music score here). "If you just buy more stuff that finds malware, you'll be fine, trust me.Really. No, really. REALLY. Really."

Really? If that were true wouldn't antivirus vendors be making a bigger dent in The Malware Problem that is allegedly driving the rampant wave of compromise that continues to sweep through corporations and organizations worldwide? Couldn't existing protections be utilized effectively to prevent these attacks? If malware is the core of the problem you would think something that you have already bought and deployed would be able to keep your company out of the headlines.

Malware's only been around for, oh, TWENTY YEARS (for over thirty if you count academic tomfoolery on ARPANET in the early 70's). It's not new. The malware techniques in use today are not all that different from what we saw a decade ago. Oh, sure, occasionally someone astounds me with their particular style of kung-fu (Stuxnet is one example...though it's probably not fair to compare that to your garden variety porn spam botnet), but malware isn't what's owning companies left and right.

The hard reality is malware is just a tool. At the end of the day a human adversary is using the tool, exploiting your vulnerabilities (human and otherwise), smacking you in the face and running rings around your defensive measures. And malware is not the only tool in the arsenal. Legitimate software, including capabilities baked into operating systems, contain everything an adversary needs to access your infrastructure and steal data, dollars, or both. All they need is a set of legitimate user credentials - and we all know how hard it is to get those, right?

If the malware landscape really hasn't changed that much, what has? The fact of the matter is we're facing an Adversary Problem. If I get out my dead cat again and start swinging, it won't take me long to hit one or two of them. Where money goes, crime follows. Where information goes, spies follow. It's cheaper, faster, and less risky to conduct intelligence operations and criminal endeavors over a network than it is to conduct them over a physical border. Adversaries think. They adapt. They're agile. They are not malware.

So what does all this mean? It means the challenges we face in the security industry today do not boil down nicely to trite marketing messages about The Malware Problem. It means that defenders have to pit their human intelligence against that of the adversary. Do you need technologies that find more malware or prevent more infections? Yes, you probably do. Do you also need to arm yourself with information about your adversaries and a means to match their offensive agility with defensive agility? You should, but meh - keeping your information secret is so 90's. Maybe it all just wants to be free.

If you have a few minutes, check-out Mandiant's M-unition podcast where I rant discuss this topic in-depth.

M-Unition Podcast: Dave Merkel, CTO at Mandiant Talks APT

[ca_audio url="" width="500" height="27" css_class="codeart-google-mp3-player"]