Schwartz On Security: Advanced Threats Persist And Annoy

Published: 22/11/2024   Category: security




APTs are today's normal threat, and companies such as RSA must do better, even as the odds against them keep increasing.



It was the advanced persistent threat that done it. So said RSA's executive chairman, Art Coviello, describing the security breach that stole some yet-to-be-disclosed aspect of his company's SecurID two-factor authentication system.
Helpfully, in his breach notification letter to RSA's customers, Coviello offers to promulgate lessons learned once RSA figures out how it got nailed by an APT. "As appropriate, we will share our experiences from these attacks with our customers, partners, and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat," he said.
How's that for spin, especially from a company that has so far refused to detail which aspects of its SecurID system were breached, leaving customers to prepare for the worst-case scenario. Will RSA use itself as a case study for selling future anti-APT products to its own customers?
As Gartner Group analyst John Pescatore titled a recent blog post: "Sorry, The Computer Is Down and The Advanced Persistent Threat Stole Your Data -- But Your Business Is Important to Us!"
Pescatore, among others, questions the usefulness of the APT term altogether. For reference, the Ponemon Institute has defined the advanced persistent threat as "a methodology employed to evade an organization's present technical and process countermeasures, which relies on a variety of attack techniques, as opposed to one specific type."
If the definition of APT doesn't sound ultra-precise, you're correct: it's a catch-all term for attacks designed to defeat existing security controls, oftentimes using long and slow techniques to help evade detection. But haven't attacks designed to defeat existing defenses through unconventional means been around for years?
Companies, RSA included, need to do better if they want to stay in business. Of course, they're facing difficult odds, given that botnets and spam networks -- for infecting targeted PCs -- are within reach of even the most common criminal.
That fact was highlighted by federal authorities announcing on Monday that they'd busted a penny stock pump-and-dump scheme backed by botnets. That's to say, rather than running a telephone boiler room, the two men arrested allegedly contracted with hackers who rented or ran their own botnets and spamming operations. How difficult is it for criminals to send lots of spam, for example, to illegally manipulate stock prices? In an e-mail, Kaspersky researcher Dmitry Bestuzhev said that the price depends on the spam provider and the quality of the penetration but averages about $100 per 130,000 e-mails sent. Compare that to just one pump-and-dump scheme, operating for a month, which allegedly netted one promoter at least $150,000.
How's that for affordable? In fact, that's the problem where APTs are concerned. According to remarks made by Bestuzhev at a recent press event, building a good botnet requires an initial investment of only about $5,000, at least for a do-it-yourself approach.
Here's how to build a botnet: First, spend $750 on average to buy a top-notch malware toolkit, such as SpyEye. Or upgrade to the Phoenix exploit kit 2.4 ($2,200) or BlackHole Exploit Pack ($1,550) for even more automated attacks. Next, spend $480 per year to subscribe to a site such as Virtest.com, which tests whether the malware you've built can be detected by current scanners. Also contract with a bullet-proof hosting service -- a really good one will set you back $3,600 per year -- for storing malicious code as well as purloined data. Finally, pick a good phishing pack -- these are free -- to ferry your malware via e-mail to unsuspecting victims.
What if you don't have time for DIY? Good news: There's another service available called pay per install, said Bestuzhev. In this scenario, you contract with other criminals to install malware on PCs for you. Rates for 1,000 installations (zombies) vary by country, from an average of $20 in the Netherlands to $150 in the United States (thanks to its residents using more credit cards per capita). So, building a 30,000-bot, high-quality botnet can cost you $27,000, he said.
For hackers with coding chops, there's an even cheaper and more direct option: Knock off an existing botnet by taking control and locking out the current owners. Bestuzhev says this tactic isn't uncommon.
But the bigger issue is that criminals without computer savvy -- even penny stock price manipulators who previously relied on phone and fax boiler rooms -- have easy access to botnets, either directly or through intermediaries with affordable rates. As a result, anyone can launch millions of spam e-mails, mass infection campaigns, and spear-phishing attacks, using the latest malware plus APTs to bypass many defenses.
Accordingly, let's dub APT the new normal in security attacks. Because as Bestuzhev describes the problem, using a popular Russian phrase: "You have money? You don't need brain."
