One of the DoD's biggest cybersecurity concerns is advanced persistent threats (APTs), attacks in which an unauthorized entity gains access to a network and remains there undetected for a long period of time. An APT attack's goal is to steal data rather than to cause outright damage to the network or organization.

Like most cyberthreats, APT attacks tend to arrive at different levels of magnitude.

"At the very least, APTs can be used by adversaries to gather tremendous amounts of information," said retired Col. Cedric Leighton, a former deputy director of training for the National Security Agency (NSA). "Much of that information can be operationally sensitive, and once it's properly analyzed and correlated it can be used to mount a network attack on a critical network or it can just sit there undetected and provide the military's playbook directly to an adversary," he explained. "APTs can do the work of a thousand spies and they can do it far more efficiently than human agents can."

In a fresh effort to prevent and detect APT attacks, DARPA this fall awarded a $1.8 million contract to mathematical research specialist Galois and security firm Guardtime Federal. The initiative aims to advance the state of formal verification tools and blockchain-based integrity monitoring systems for the purposes of detecting APT attacks and ensuring a system's ongoing security.

"The DoD, along with the Department of Homeland Security and the intelligence community, are working hard to protect all U.S. government networks from APTs," Leighton said. "Keyless integrity monitoring systems and sanitization technologies are among the solutions being looked at."

A growing threat

APT attacks are occurring more frequently. "There have been more than a dozen major attacks that have been publicly dubbed APTs by experts and the media," Leighton said.

The DoD is concerned that the growing number of attacks has the potential to become highly disruptive to a wide range of critical operations.

"Simply put, APTs can undermine and potentially disrupt the ability of war fighters to successfully execute their mission," said Army Col. Daniel J.W. King, a spokesman for U.S. Cyber Command. 

Giorgio Bertoli, chief scientist of the Intelligence and Information Warfare Directorate at the Army's Communications-Electronics Research, Development and Engineering Center (CERDEC), noted that nation-state actors launch the bulk of APT attacks.

"Nation-states most often use such capabilities for espionage — industrial and state — purposes," he said. "They are interested in any type of information that can provide them a national strategic or political advantage."

Since they're designed to maintain access by appearing to be authorized network entities, APT attacks tend to be difficult to detect and counter. Once an APT obtains access to a network, its behavior becomes an important key to identifying the attack's source. Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN) is the operational headquarters under United States Cyber Command assigned the responsibility to secure, operate and defend the DODIN.

"The department has an extensive defense in depth architecture made up of security appliances and sensors that support its ability to detect and deter threats," King said. "Additionally, the Department’s cybersecurity service providers and cyber protection forces monitor the networks, hunt for, and respond to threats."

Looking for clues

According to King, APT protection requires around-the-clock awareness of network activities. Defensive Cyberspace Operations (DCO) works continuously to protect the DODIN, he noted.

"There are passive and active cyberspace defense operations to preserve capabilities and protect data, networks, net-centric capabilities and other designated systems," King said.

According to King, DCO responds to unauthorized activity or alerts/threat information against the DODIN, leveraging intelligence, counterintelligence and other military capabilities as required.

"There are two primary actions taken to defend the network: internal defensive measures and response actions," King said. Internal defensive measures are cyberspace operations that are conducted within the DODIN. "They include actively hunting for advanced internal threats as well as the internal responses to these threats," King said. "Response actions are deliberate, authorized defensive actions which are taken external to the DODIN to defeat ongoing or imminent threats to defend DOD cyberspace capabilities or other designated systems."

Despite the DoD's strong commitment to security technologies and practices, APT attacks often go undetected.

"Most breaches are not discovered for months," said David Hamilton, Guardtime Federal's president. "We believe we can cut that time by enhancing the integrity of data storage, logging and other aspects of network operations."

David Archer, Galois' research lead for cryptography and multiparty computation, is also skeptical about the DoD's current ability to detect and root out APTs.

"Today, I would say the detection of APTs is largely sort of accidental," he said.

Hamilton said that his company's products are aimed at enhancing a digital architecture's integrity.

"We can mark files in a way that immutable authenticity can be assured," he said. "That means once a file is signed with Keyless Signature Infrastructure (KSI), one can forever verify that a file is in its original form and has not been altered." Guardtime's KSI capabilities also allow the continuous monitoring of loaded instructions and data. If unusual changes occur, the system's operators are immediately alerted.

Archer said that his firm is focusing on performing fundamental research in APT detection.

"We're not actively involved in defending the military network from APTs, but rather we’re working in coordination with the Department of Defense, typically DARPA, on finding ways to effectively detect APTs and essentially amplify the attention of the defenders so that they can root them out and squash them."

Archer observed that many APTs attempt to hide themselves by erasing log file entries, a tactic that can actually be used to detect an attack. "If an APT does something, let's say to a database, or to something else in the system, it will try to cover its tracks in whatever the appropriate log files are by erasing pieces of them," he said. "If there was a way that you could notice that, notice that a log file changed and it shouldn’t have, then that would be promising."

Hamilton noted that the DoD, like other APT-vulnerable organizations, uses firewalls and other network security technologies to present a hardened wall to adversaries.

"We are not competing with those other techniques," he said. "We are assuming an adversary has already breached those [safeguards] and we provide a way to detect the presence of an intruder by, for example, looking for altered, non-authentic states, verifying proper unaltered configuration files and verifying the authenticity of stored data."
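The two detection ideas described above, noticing that a log file changed when it should not have (Archer) and verifying that configuration files and stored data are still in their original form (Hamilton), can both be reduced to integrity checks against a trusted baseline. The following is an added example, not code from Galois, Guardtime or the DARPA program; it substitutes a plain SHA-256 hash chain with an externally held anchor for Guardtime's KSI, whose internals the article does not describe, and the log records, the `sshd_config` file and the `demo` function are constructed for illustration.

```python
"""Tamper-evident logging and configuration-file integrity checks.

Added example, not code from Galois or Guardtime. A SHA-256 hash chain
stands in for Keyless Signature Infrastructure (an assumption: KSI's
real construction is not described in the article).
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # hash "before" the first entry


def _entry_hash(prev_hash: str, record: str) -> str:
    """Each entry commits to the previous entry's hash and its own record."""
    return hashlib.sha256(f"{prev_hash}\n{record}".encode()).hexdigest()


def append_entry(log: list, record: str) -> str:
    """Append a record to the chain and return the new head hash.
    A defender ships this head hash off-host (a remote collector, a
    witness service) so that the host itself cannot rewrite history."""
    prev = log[-1]["hash"] if log else GENESIS
    head = _entry_hash(prev, record)
    log.append({"prev": prev, "record": record, "hash": head})
    return head


def verify_chain(log: list, anchor: str) -> tuple:
    """Return (ok, index) where index is the first inconsistent entry,
    or len(log) when the chain is internally consistent but its head no
    longer matches the externally held anchor (entries erased from the tail)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if not hmac.compare_digest(prev, anchor):
        return False, len(log)
    return True, None


def file_digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(paths) -> dict:
    """Baseline: path -> digest, taken while the files are known good."""
    return {str(p): file_digest(Path(p)) for p in paths}


def check_manifest(manifest: dict) -> list:
    """Return (path, status) for every file that no longer matches baseline."""
    findings = []
    for p, expected in manifest.items():
        path = Path(p)
        if not path.exists():
            findings.append((p, "missing"))
        elif not hmac.compare_digest(file_digest(path), expected):
            findings.append((p, "modified"))
    return findings


def demo() -> dict:
    """Run the checks over constructed data and return every verdict."""
    log, anchor = [], GENESIS
    for rec in ["login alice", "login mallory", "read db.secrets", "logout mallory"]:
        anchor = append_entry(log, rec)  # constructed records
    intact = verify_chain(log, anchor)
    # Intruder scrubs only the entries that name them: the next entry's
    # "prev" pointer no longer matches, so the break is located at index 1.
    scrubbed = [e for e in log if "mallory" not in e["record"]]
    scrubbed_verdict = verify_chain(scrubbed, anchor)
    # Intruder truncates the tail instead: internally consistent, but the
    # head differs from the anchor held off-host.
    truncated_verdict = verify_chain(log[:2], anchor)
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "sshd_config"  # constructed config file
        cfg.write_text("PermitRootLogin no\n")
        manifest = build_manifest([cfg])
        clean = check_manifest(manifest)
        cfg.write_text("PermitRootLogin yes\n")
        altered = [status for _, status in check_manifest(manifest)]
    return {"intact": intact, "scrubbed": scrubbed_verdict,
            "truncated": truncated_verdict, "config_clean": clean,
            "config_altered": altered}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The anchor is what turns a hash chain into something an intruder on the host cannot quietly repair: without a copy of the head hash held elsewhere, whoever can edit the log can recompute the chain after erasing entries. The same logic applies to the configuration manifest, which is only as trustworthy as the place the baseline digests are stored.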

Multiple mechanisms

Bharat Doshi, a senior research scientist in CERDEC's Space and Terrestrial Communications Directorate, said that the growing sophistication of APT attacks leads him to believe that no detection approach will ever solve the problem by itself.

"A number of well-coordinated sensors and detection mechanisms are needed for rapid detection, with low false positives and false negatives," he said. "These mechanisms should be based on deep knowledge of our own networks and their vulnerabilities, information stored, value to various adversaries and the consequences of successful exfiltration, denial of service or data corruption."

According to Doshi, a successful APT detection mechanism could involve the fusion of information from firewalls, host-based intrusion detection mechanisms, network traffic analysis systems, sandboxing, file integrity monitoring, kernel integrity monitoring and other tools.

"The fusion mechanism and detection parameters could be governed by the knowledge of vulnerabilities and consequences of exploitation — what’s the adversary’s motivation?" Finally, he noted, intelligence from external sources could add to the accuracy and speed of APT detection.

A pessimistic Leighton believes that the DoD and the rest of the federal government still have a lot of catching up to do, since they are "about a dozen steps behind the world’s most sophisticated hackers." The problem, Leighton said, is that agencies are still operating under an Industrial Age mindset.

"It will require the adoption of new technologies — and that process is definitely beginning — plus a drastic change in our leaders’ and bureaucrats’ mindsets to get the federal government into the Cyber Age."
