APTs: The bad guys have us in their sights

Perpetrators of advanced persistent threats, or APTs, operate under the radar. They may steal information from your computer long before you realize it, so be vigilant. Image: FreeDigitalPhotos.net

You have probably seen recent stories in the news about organized cyberspace attacks on U.S. financial and government institutions. The perpetrators of these attacks are often known as advanced persistent threats, or APTs: advanced, because they make use of sophisticated hacking toolkits; persistent, because they conduct their attacks over extended periods of time, including separate phases for reconnaissance, infiltration and data exfiltration; and threats, because they are up to no good.

DOE laboratories, including Fermilab, are frequent targets of such threats because of DOE’s connection with weapons programs and other classified data. The attackers, often from foreign countries, may not appreciate the differences between an open science lab like Fermilab and other DOE facilities. Or they may think that Fermilab has special trusted connections to labs that have more sensitive information. They could also just want to take advantage of our very high-bandwidth network connections for further attacks. Whatever the reasons, we are a target.

Unlike the more traditional kinds of attackers that we have dealt with in the past, the APTs don’t do flashy things that attract attention. They do not deface websites or start up robot programs on your PC that exhibit extreme and unusual network behavior. Rather, they try to fly under the radar for as long as possible until they have collected massive amounts of data and are ready to ship that data off site.

They may use the same mechanisms—malicious attachments to e-mail, phishing for passwords or other sensitive information, or Trojan payloads downloaded from websites—to obtain initial access to our computing systems. But after their initial penetration, they will lie low as they install backdoors and slowly try to hack their way onto more systems. Meanwhile they will be looking for whatever data files might be of interest. Often they are not detected until they have collected as much as they can and their delivery of data off-site sets off network alarms.
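The "network alarms" mentioned above are typically volume-based: a host that suddenly sends many times its usual amount of data off-site is flagged for a look. The following is an added illustration, not code from Fermilab or from this column, using constructed per-host daily outbound byte counts and a hypothetical `exfil_alerts` function that compares each host against its own baseline.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample flow records, not real lab data: (day, host, bytes sent off-site)
FLOWS = [
    (1, "ws-101", 120_000_000), (2, "ws-101", 110_000_000), (3, "ws-101", 130_000_000),
    (4, "ws-101", 125_000_000), (5, "ws-101", 9_800_000_000),   # day 5: sudden bulk transfer
    (1, "ws-202", 300_000_000), (2, "ws-202", 280_000_000), (3, "ws-202", 310_000_000),
    (4, "ws-202", 295_000_000), (5, "ws-202", 305_000_000),     # steady, normal traffic
]


def daily_outbound(flows):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def exfil_alerts(flows, baseline_days, multiplier=10):
    """Flag (host, day, bytes, ratio) where a non-baseline day exceeds
    `multiplier` times that host's mean outbound volume over baseline_days.
    Each host is compared with its own history, so a naturally busy host
    (ws-202) is not mistaken for an exfiltration."""
    alerts = []
    for host, per_day in daily_outbound(flows).items():
        baseline = [per_day[d] for d in baseline_days if d in per_day]
        if len(baseline) < 2:          # not enough history to judge this host
            continue
        mu = mean(baseline)
        for day, nbytes in sorted(per_day.items()):
            if day in baseline_days:
                continue
            if nbytes > multiplier * mu:
                alerts.append((host, day, nbytes, round(nbytes / mu, 1)))
    return alerts


if __name__ == "__main__":
    for host, day, nbytes, ratio in exfil_alerts(FLOWS, {1, 2, 3, 4}):
        print(f"ALERT {host} day {day}: {nbytes:,} bytes out ({ratio}x baseline)")
```

A real deployment would build the baseline from weeks of flow data and would also watch for slow, steady trickles to unusual destinations, which a simple volume threshold does not catch.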

There are no silver bullets to protect against these threats. We must all continue the same vigilance in all uses of computing systems, lab- or personally owned, that are connected to the laboratory networks. Keep any sensitive data, such as private information, export-controlled information or vendor proprietary data, in appropriately secured systems, and if possible make sure this data is encrypted. Our intrusion detection, Web proxies and virus scans may catch some of these attempts, but protecting ourselves against these threats requires effort from us all.

Irwin Gaines