I was recently at the CU Information Security Conference and heard many a fine presentation concerning APTs. For those of you not familiar with the term, an APT (or Advanced Persistent Threat) is defined by the Wikipedia community thusly: “Advanced persistent threat (APT) usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity.

“The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information, but applies equally to other threats such as that of traditional espionage or attack. Other recognized attack vectors include infected media, supply chain compromise and social engineering.

“Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.”

Many of the speakers at the Las Vegas conference talked about combatting APTs with a layered security approach: network security, host security, endpoint security, NIDS, HIDS, IPS, and even baseball bats (maybe that was for the raccoons; see the henhouse analogy later).

What I did not hear people mentioning was PPM (Privileged Password Management). They should have. Why PPM? The reason is simple: APTs are primarily after one thing, privileged passwords.

PPM is the management of privileged account passwords. It involves securely storing, releasing, checking and changing the passwords for your privileged accounts. What are privileged accounts? A privileged account is the root account for your core system, your AD Enterprise Admin account, the local administrator account for your HR server: any account that either has elevated access, is shared, or requires individual accountability.

PPM can be done in a variety of ways, manually or using technology-based solutions (whether a product or a service). The main issue is to ensure that the passwords for these privileged accounts are being changed on a regular basis.

So how does PPM relate to APTs? Bruce Smalley had a nice analogy that he presented during his presentation. It related to his efforts to protect chickens from predators using a henhouse. I'll leave out some of the more graphic details, and sum it up to say that the defense of chickens is like the defense of your network: if an adversary is determined to breach your environment, it all comes down to a question of time and money.

I personally like the analogy of a safe: no safe manufacturer claims its safe is impregnable; it rates the safe based on the tools and time required to breach it. If you take the same perspective on your network, then you can assume that at some point your network will be breached.

With this in mind, what are APTs trying to gather? APTs are actively trying to install keyloggers and other malware in order to capture privileged passwords. The reason a spear-phishing attack targets a network admin isn't to get their personal account; it is to get the keylogger onto that person's machine to wait for them to log in as Enterprise Admin and capture the valuable password.

The question then becomes the following: how long will that password that has just been captured remain valid on the DC?

This is the relationship between APTs and PPM. PPM will not stop APTs, but it can have a huge impact on the value of the information captured by an APT. If the Enterprise Admin account mentioned above is changed every 45 days, then the APT has a nice, long window in which to communicate that password back to its owner. If, however, the password is automatically changed after use (let's say two hours later, as an example), the window in which the captured password has value is significantly different.
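The PPM definition above (storing, releasing, checking and changing privileged passwords) and the 45-day versus two-hour comparison can be made concrete with a small simulation. The following is an added example written for this page, not code from the article or from any PPM product: the vault, the account names, the rotation policies, the start time and the "keylogger copy" of a checked-out password are all constructed assumptions. A real vault would also push each new password to the directory or host that owns the account; here rotation only replaces the stored secret.

```python
"""Toy PPM vault showing how a rotation policy bounds the useful lifetime
of a captured privileged password. Added example; all names, policies and
times are constructed assumptions, not values from the article."""
import hmac
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


def generate_password(length: int = 24) -> str:
    """Fresh password from the OS CSPRNG; every rotation gets a new one."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class RotationPolicy:
    """Change on a fixed schedule (e.g. every 45 days) and/or a fixed time
    after each use (e.g. two hours later); either field may be left unset."""
    interval: Optional[timedelta] = None
    after_use: Optional[timedelta] = None


@dataclass
class PrivilegedAccount:
    name: str
    policy: RotationPolicy
    password: str
    last_rotated: datetime
    first_use_since_rotation: Optional[datetime] = None
    versions: List[Tuple[datetime, str]] = field(default_factory=list)


class PrivilegedVault:
    """Stores, releases (checkout), checks and changes privileged passwords
    against a simulated clock so the exposure window can be measured."""

    def __init__(self, start: datetime) -> None:
        self.now = start
        self.accounts: Dict[str, PrivilegedAccount] = {}
        self.audit: List[str] = []

    def add_account(self, name: str, policy: RotationPolicy) -> None:
        pw = generate_password()
        self.accounts[name] = PrivilegedAccount(name, policy, pw, self.now, versions=[(self.now, pw)])

    def _next_rotation(self, acct: PrivilegedAccount) -> Optional[datetime]:
        """Earliest time the policy requires a new password (None if never)."""
        due = []
        if acct.policy.interval is not None:
            due.append(acct.last_rotated + acct.policy.interval)
        if acct.policy.after_use is not None and acct.first_use_since_rotation is not None:
            due.append(acct.first_use_since_rotation + acct.policy.after_use)
        return min(due) if due else None

    def _rotate(self, acct: PrivilegedAccount, when: datetime) -> None:
        acct.password = generate_password()
        acct.last_rotated = when
        acct.first_use_since_rotation = None
        acct.versions.append((when, acct.password))
        self.audit.append(f"{when.isoformat()} rotated {acct.name}")

    def advance(self, to: datetime) -> None:
        """Move the clock forward, applying every rotation that falls due."""
        for acct in self.accounts.values():
            due = self._next_rotation(acct)
            while due is not None and due <= to:
                self._rotate(acct, due)
                due = self._next_rotation(acct)
        self.now = to

    def checkout(self, name: str, user: str) -> str:
        """Release the current password and start the after-use clock."""
        acct = self.accounts[name]
        if acct.policy.after_use is not None and acct.first_use_since_rotation is None:
            acct.first_use_since_rotation = self.now
        self.audit.append(f"{self.now.isoformat()} {user} checked out {name}")
        return acct.password

    def is_valid(self, name: str, password: str) -> bool:
        """Would this password still authenticate right now?"""
        return hmac.compare_digest(self.accounts[name].password, password)

    def exposure_window(self, name: str) -> Optional[timedelta]:
        """How long a password released now stays valid under the policy."""
        due = self._next_rotation(self.accounts[name])
        return None if due is None else due - self.now


def demo():
    """The article's scenario: an admin checks out Enterprise Admin under each
    policy, a keylogger copy is kept, and three hours later we ask whether
    that copy still works. Returns (windows, still_valid, audit_log)."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed start time
    vault = PrivilegedVault(t0)
    vault.add_account("EntAdmin-45day", RotationPolicy(interval=timedelta(days=45)))
    vault.add_account("EntAdmin-ppm", RotationPolicy(after_use=timedelta(hours=2)))
    captured = {n: vault.checkout(n, "netadmin") for n in vault.accounts}  # keylogger copy
    windows = {n: vault.exposure_window(n) for n in vault.accounts}
    vault.advance(t0 + timedelta(hours=3))
    still_valid = {n: vault.is_valid(n, pw) for n, pw in captured.items()}
    return windows, still_valid, vault.audit


if __name__ == "__main__":
    windows, still_valid, audit = demo()
    for name in windows:
        print(f"{name}: valid for {windows[name]}, still usable after 3h: {still_valid[name]}")
    print("\n".join(audit))
```

Running `demo()` gives the 45-day account a 45-day exposure window with the captured copy still usable three hours later, while the after-use account reports a two-hour window and the copy no longer authenticates; the audit list records the checkout and the automatic rotation, which is the trail a SOC would correlate against a later logon using stale credentials.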

To relate this to the henhouse analogy, PPM would be the equivalent of mounting the henhouse on a flatbed truck and driving it to a new location every two hours, without changing any of the security constructs around the henhouse (and making sure no added passengers are on board). Now predators need to find, breach, and exploit within two hours instead of weeks or months. I think you'll end up with a lot more eggs.

This correlation is the reason that the Fortune 1000 has significantly stepped up PPM adoption in areas outside of the traditional financial services vertical. Other large companies that have very valuable intellectual property (whether trade secrets, information contacts, or other crown jewels) are looking to minimize the effects of APTs by using PPM. Many of the most notable breaches in the past two years have related to privileged accounts, and most have been directly related to APTs capturing these passwords.

If your credit union is not changing your privileged passwords, then the best henhouse in the world is not going to protect you forever. It is also interesting to note that PPM will typically cost less than NIDS, HIDS or almost any other control. So before investing in more chicken wire, maybe you should look into some wheels.

Kris Zupan, CISSP, is CTO at Rallypoint Solutions LLC in Wilmington, Del.
