On August 2, 2011 (US time), the Security for Business Innovation Council (SBIC), convened by RSA, published its latest report, "When Advanced Persistent Threats Go Mainstream". NetworkWorld also ran an in-depth analysis of the report's release.

The report points out that APT attacks, which used to be regarded as aimed at governments, are becoming widespread and turning into a mainstream attack method, so enterprises of every kind should take APTs seriously, because APTs are "now targeting a broad range of private sector organizations to nab valuable intellectual property, trade secrets, corporate plans, access to operations and other proprietary data." In fact, I think the old narrow definition of APT (nation-state backing, aimed at hostile countries, attacking the US military, and so on) is out of date; APT has become a common attack technique.

The report notes that the security defenses organizations and enterprises have in place today have gaps that make APT attacks hard to identify. Those defenses, which include firewalls, AV, IDS/IPS, SIEM/SOC, as well as CERTs, organizational structures and workflows, all fall short. The report writes:

Adding to the problem is that many security teams are not able to detect sophisticated attack patterns. Their conventional antivirus, firewall, and intrusion detection system (IDS) tools do not form a complete picture of an attack. The tools might identify an unauthorized access, a virus, phishing email, or piece of malware but do not associate these events. Also, signature-based detection methods don't work well against APTs as the exploits are not well-known. Since log analysis was often implemented in response to regulatory demands, it has typically been tuned for compliance rather than threat mitigation.

Another limitation is organizational structure. Often the various groups responsible for security are too siloed and there is limited coordination among them. For example, those who are watching for events, the Computer Incident Response Team (CIRT) or Security Operations Center (SOC), may not have complete information on the organization's most important digital assets. Moreover, advanced persistent threats attack from multiple directions. They are not only IT-based but combine technical tactics with social engineering and/or physical access to a facility. Security teams cannot rely on silos of activity to accurately interpret multi-modal attacks.

The report says that countering APTs requires an information-security strategy different from the old one:

[Figure from the report: the conventional approach compared with the "advanced" approach (image not preserved)]

The report calls this strategy the "advanced approach". Compared with the conventional approach, it puts more weight on protecting core assets (you cannot protect everything anyway), leans technically toward detection (much like the continuous monitoring concept in NIST SP 800-137; the essence of the US government's Einstein program is the same), is data-centric (especially for data leaving the organization), analyzes logs (for example with SIEM/LM) mainly to detect threats, stresses discovering and describing attack patterns, and looks at threats from the vantage point of intelligence analysis. It should be said that, at the technical level, SIEM, network behavior analysis (NBA) and network analysis and visibility (NAV) tools are all very useful.

In the second half, the report gives seven recommendations in the council's name:

  1. Up-level intelligence gathering and analysis – Make intelligence the cornerstone of your strategy.
  2. Activate smart monitoring – Know what to look for and set up your security and network monitoring to look for it.
  3. Reclaim access control – Rein in privileged user access.
  4. Get serious about effective user training – Train your user population to recognize social engineering and compel them to take individual responsibility for organizational security.
  5. Manage expectations of executive leadership – Ensure the C-level realizes the nature of combating APTs is fighting a digital arms race.
  6. Rearchitect IT – Move from flat to segregated networks so it's harder for attackers to roam the network and find the crown jewels.
  7. Participate in intelligence exchange – Leverage knowledge from other organizations by sharing threat intelligence.

These seven recommendations have already been translated into Chinese; see this article. My slightly revised version of that translation, rendered here in English, reads:

  1. Conduct advanced intelligence gathering and analysis – make intelligence the cornerstone of your strategy.

  2. Establish smart monitoring – know what to look for, and set up information-security and network monitoring to look for it.

  3. Reassign access control – control the access of privileged users.

  4. Take user training seriously and make it effective – train users to recognize social-engineering attacks, and compel them to take personal responsibility for the enterprise's information security.

  5. Manage executive expectations – make sure top management understands that fighting advanced persistent attacks is by nature a digital arms race.

  6. Redesign the IT architecture – move from flat networks to segmented networks, so that attackers find it hard to roam the network and therefore hard to find the most valuable information.

  7. Participate in intelligence exchange – share information-security threat intelligence and leverage the knowledge other enterprises have accumulated.

The report also says: "The definition of successful defense has to change from 'keeping attacks out' to 'sometimes attackers are going to get in; detect them as early as possible and minimize the damage.' Assume that your organization might already be compromised and go from there." [Assume your organization has already been compromised.]

Defenders still have a long way to go in countering APTs. As NetworkWorld lists, from Google (Operation Aurora), EMC's RSA (the SecurID breach, whose stolen data was then used in attacks on Lockheed Martin, L-3 and Northrop Grumman), Epsilon, Citigroup (or see here) and The Washington Post to the US Department of Energy and defense contractors: which of them lacked a strong security defense? Yet every one of them was breached.

Summing up the report's recommendations, "intelligence analysis" stands out as very important. How are enterprises and organizations to collect that intelligence? Compiling it yourself is hard; you can buy it from commercial vendors, or, if you are a government agency, share the intelligence that the government itself has produced. What kind of intelligence? The simplest kinds are lists such as malicious-site lists, phishing-site lists and botnet C&C lists. This intelligence helps in defending against intrusions, and is at least more useful than signature databases (which are blind to 0-days).
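How such intelligence gets used in practice is simple to show: match what your own logs say hosts connected to against the indicator lists. The following is an added example, not code from the RSA/SBIC report or from this post; the indicator feed, the proxy-log format and the log lines are all constructed for illustration (documentation IP ranges and .example names, not real indicators). It goes slightly beyond a literal lookup by matching parent domains and CIDR netblocks, which is how real feeds are usually published.

```python
"""Match proxy-log lines against a threat-intelligence indicator feed.

Added example, not code from the RSA/SBIC report or from this post: the
indicator values, the log lines and the log format are all constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed indicator feed of the kinds the post mentions: malicious
# and phishing domains plus a botnet C&C netblock. Values are invented
# (documentation ranges and .example names), not real indicators.
INDICATORS = {
    "domains": {
        "evil-updates.example": "botnet C&C domain",
        "login-secure.example": "phishing site",
    },
    "networks": {
        "198.51.100.0/24": "C&C netblock",
    },
}

# Constructed proxy-log format: "<timestamp> <src_ip> <dst_host> <dst_ip> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def domain_matches(host: str, domains: Dict[str, str]) -> Optional[str]:
    """Return the feed label for host or for any parent domain of it.

    Checking parents catches sub-domains such as cdn.evil-updates.example,
    which a feed of registered domains will not list one by one.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None


def network_matches(ip: str, networks: Dict[str, str]) -> Optional[str]:
    """Return the feed label of the first netblock containing ip, if any."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # not an IP literal; nothing to match
        return None
    for cidr, label in networks.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return label
    return None


def scan_log(lines: List[str], indicators=INDICATORS) -> List[Tuple[str, str, str]]:
    """Return (src_ip, dst_host, reason) for each line that hits the feed.

    The domain check runs first; the netblock check catches connections
    that go straight to an IP or to a host the feed does not know by name.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than abort the review
        _ts, src, host, dst_ip, _nbytes = m.groups()
        reason = (domain_matches(host, indicators["domains"])
                  or network_matches(dst_ip, indicators["networks"]))
        if reason:
            hits.append((src, host, reason))
    return hits


# Constructed sample log lines.
SAMPLE_LOG = [
    "2011-08-02T09:01:12Z 10.0.0.5 www.example.org 203.0.113.10 512",
    "2011-08-02T09:02:40Z 10.0.0.5 cdn.evil-updates.example 203.0.113.77 1024",
    "2011-08-02T09:03:01Z 10.0.0.9 files.example.net 198.51.100.45 8192",
    "2011-08-02T09:04:15Z 10.0.0.12 login-secure.example 203.0.113.99 300",
    "not a log line",
]

if __name__ == "__main__":
    for src, host, reason in scan_log(SAMPLE_LOG):
        print(f"{src} -> {host}: {reason}")
```

Note the third sample line: the hostname is clean, but the resolved address sits in a listed netblock, which is exactly the case a hostname-only blocklist misses. The same lookup can be run against DNS or firewall logs once the parsing regex is adjusted to their format.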

When defending against intrusions, security-awareness training for the employees and executives of an enterprise or organization matters a great deal; their vigilance has to be raised. Today's social engineering is very effective, and in cyberspace most people are at about the level of the elderly who routinely get swindled out of their money in the real world. Show them plenty of real cases.

Internal monitoring is also important. This monitoring is mainly the observation and analysis of "legitimate" behavior, because once attackers get in they wear a legitimate disguise and all attack-detection tools stop working. Besides real-time network monitoring, an important part of internal monitoring is baseline review: baseline review of device configurations, and baseline review plus operational auditing of all privileged accounts.
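The point of a baseline is that the attacker's actions look legitimate one by one; what gives them away is a deviation from a known-good state or from the context in which an account normally works. The following is an added example, not code from the RSA/SBIC report or from this post. The configuration snapshots, the privileged-account baseline (members and their approved jump hosts), the log format and the working-hours policy are all constructed for illustration.

```python
"""Baseline review of device configuration and privileged accounts, plus
an audit of privileged operations against that baseline.

Added example, not code from the RSA/SBIC report or from this post: the
baseline, the snapshots, the log format and the policy values below are
constructed for illustration.
"""
from datetime import datetime
import re
from typing import Dict, List, Set, Tuple

# --- Device configuration baseline ---------------------------------------

def normalize_config(text: str) -> Set[str]:
    """Reduce a config dump to a set of meaningful lines (no comments,
    no blank lines, whitespace collapsed) so cosmetic edits do not alert."""
    lines = set()
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith(("#", "!")):
            lines.add(line)
    return lines


def diff_config(baseline: str, current: str) -> Dict[str, List[str]]:
    """Lines present only in the current config, and lines that vanished."""
    base, cur = normalize_config(baseline), normalize_config(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


# --- Privileged account baseline -----------------------------------------

# Constructed baseline: who is allowed to be privileged, and the approved
# jump hosts each of them is expected to work from.
BASELINE = {
    "members": {"alice", "bob"},
    "allowed_sources": {"alice": {"10.0.0.10"}, "bob": {"10.0.0.10", "10.0.0.11"}},
}


def diff_membership(baseline_members: Set[str], current_members: Set[str]):
    """A privileged account that appeared since the baseline is a finding
    even if everything it has done so far looked legitimate."""
    return {"added": sorted(current_members - baseline_members),
            "removed": sorted(baseline_members - current_members)}


# Constructed privileged-operation log format:
#   "<ISO timestamp> user=<account> src=<ip> op=<command>"
OP_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) op=(.+)$")


def audit_operations(lines: List[str], baseline=BASELINE,
                     work_hours: Tuple[int, int] = (8, 19)):
    """Flag privileged operations that deviate from the baseline.

    The commands themselves may be perfectly ordinary; the signal is the
    context: an account outside the baseline, an unexpected source host,
    or activity outside the hours the account normally works.
    """
    findings = []
    for line in lines:
        m = OP_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, op = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").hour
        reasons = []
        if user not in baseline["members"]:
            reasons.append("account not in privileged baseline")
        elif src not in baseline["allowed_sources"].get(user, set()):
            reasons.append("unexpected source host")
        if not (work_hours[0] <= hour < work_hours[1]):
            reasons.append("outside working hours")
        if reasons:
            findings.append((user, op, reasons))
    return findings


# Constructed snapshots and log lines.
BASELINE_CONFIG = "! router config\nhostname edge1\nlogging host 10.0.0.20\nno ip http server\n"
CURRENT_CONFIG = ("! router config\nhostname edge1\nlogging host 10.0.0.20\n"
                  "ip http server\nsnmp-server community public RW\n")
CURRENT_MEMBERS = {"alice", "bob", "svc_backup"}
SAMPLE_OPS = [
    "2011-08-02T10:05:00 user=alice src=10.0.0.10 op=useradd svc_backup",
    "2011-08-02T23:15:00 user=bob src=10.0.0.11 op=tar czf /tmp/hr.tgz /srv/hr",
    "2011-08-02T11:30:00 user=svc_backup src=203.0.113.5 op=cat /etc/shadow",
    "2011-08-03T09:00:00 user=alice src=10.0.0.99 op=vi /etc/sudoers",
]

if __name__ == "__main__":
    print(diff_config(BASELINE_CONFIG, CURRENT_CONFIG))
    print(diff_membership(BASELINE["members"], CURRENT_MEMBERS))
    for user, op, reasons in audit_operations(SAMPLE_OPS):
        print(f"{user}: {op} [{'; '.join(reasons)}]")
```

In the sample, alice's `useradd svc_backup` passes the operation audit on its own (known account, approved host, office hours); it is the membership diff that surfaces the new privileged account, and the later off-hours archive of an HR share by bob is caught only because the baseline records when that account normally works. Each check is weak alone; together they reconstruct the sequence.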

Further along, data leaving the enterprise needs special monitoring. One characteristic of a persistent attack is that it keeps sending important information out, so every outgoing file or data transfer should be examined carefully: what was sent out, and is the destination address suspicious?
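Two of the questions above, how much went out and to where, can be answered from flow records alone, before anyone opens a single file. The following is an added example, not code from the RSA/SBIC report or from this post; the flow-record format, the volume threshold, the beaconing tolerance and the list of known bulk destinations are constructed for illustration. Besides volume, it also flags the opposite pattern, tiny connections at metronomic intervals, since a persistent implant usually polls its controller long before it moves data.

```python
"""Review outbound flow records for signs of data leaving the enterprise.

Added example, not code from the RSA/SBIC report or from this post: the
flow-record format, the thresholds and the list of known destinations
are constructed for illustration.
"""
from collections import defaultdict
import re
import statistics
from typing import List

# Constructed flow-record format: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes_out>"
FLOW_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+) (\d+)$")

# Constructed baseline of destinations that legitimately receive bulk data
# (backup target, partner, cloud endpoint). Everything else is "unknown".
KNOWN_DESTINATIONS = {"203.0.113.10"}


def summarize_outbound(lines: List[str]):
    """Aggregate bytes sent and flow start times per (src, dst, port)."""
    totals = defaultdict(lambda: {"bytes": 0, "times": []})
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, nbytes = m.groups()
        entry = totals[(src, dst, int(port))]
        entry["bytes"] += int(nbytes)
        entry["times"].append(int(ts))
    return totals


def is_beaconing(times: List[int], min_flows: int = 4, max_jitter: float = 0.1) -> bool:
    """Connections spaced at near-constant intervals are a scheduler's
    doing, not a person's: typical of an implant polling its controller."""
    if len(times) < min_flows:
        return False
    t = sorted(times)
    gaps = [b - a for a, b in zip(t, t[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter


def review_outbound(lines: List[str], known=KNOWN_DESTINATIONS,
                    volume_threshold: int = 50_000_000):
    """Return (src, dst, port, bytes, reasons) for each suspicious channel.

    Large volumes to a destination outside the baseline, and small but
    metronomic connections, both merit a look.
    """
    findings = []
    for (src, dst, port), info in summarize_outbound(lines).items():
        reasons = []
        if dst not in known and info["bytes"] >= volume_threshold:
            reasons.append("large transfer to unknown destination")
        if is_beaconing(info["times"]):
            reasons.append("periodic connections (beaconing)")
        if reasons:
            findings.append((src, dst, port, info["bytes"], reasons))
    return sorted(findings)


# Constructed flow records.
SAMPLE_FLOWS = [
    "1312279200 10.0.0.5 203.0.113.10 443 60000000",   # known endpoint: bulk but expected
    "1312279260 10.0.0.9 198.51.100.45 443 30000000",
    "1312279800 10.0.0.9 198.51.100.45 443 30000000",
    "1312281000 10.0.0.9 198.51.100.45 443 25000000",  # 85 MB to an unknown host
    "1312279200 10.0.0.12 192.0.2.77 8443 300",
    "1312279800 10.0.0.12 192.0.2.77 8443 300",
    "1312280400 10.0.0.12 192.0.2.77 8443 300",
    "1312281000 10.0.0.12 192.0.2.77 8443 300",
    "1312281600 10.0.0.12 192.0.2.77 8443 300",        # every 600 s, tiny payload
    "1312279300 10.0.0.7 203.0.113.50 80 4096",         # one small flow, nothing to flag
]

if __name__ == "__main__":
    for src, dst, port, nbytes, reasons in review_outbound(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port} {nbytes} bytes [{'; '.join(reasons)}]")
```

The 60 MB to the known endpoint is deliberately left alone: without a baseline of where bulk data is supposed to go, a volume rule drowns in backups and cloud sync. Over HTTPS the content itself is not visible here, so the hits are the starting point for the content review the post calls for, not a substitute for it.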

Anyway, there is still a long way to go.