Advanced Persistent Threats (APTs) are sophisticated cyber attacks that have moved from the realm of the military to the mainstream.

Since we are now potentially all under attack, it’s imperative that we understand this phenomenon.

The book The Cuckoo’s Egg helps us understand APTs a bit better. It describes one of the first documented persistent attacks, in 1986/1987.

Although the techniques used by the attacker are not what we would now consider advanced, this book does give us valuable insight into the persistent part of the equation.

The Cuckoo’s Egg

The hero in The Cuckoo’s Egg is astronomer Clifford Stoll, then at the University of Berkeley. His project looses funding, but instead of being laid off, he’s moved to the computer department. As a newcomer, he’s given the interesting assignment to track down a $0.75 accounting error.

He checks the accounting software and discovers that one account’s computer time is not paid for.

It turns out that the owner of this account has moved away from Berkeley and isn’t using it anymore. The account is hijacked!

Instead of closing down the account, our hero decides to follow the intruder. He sets up an ever more elaborate system to track the attacker without giving away that he’s doing so.

When following every move of the intruder, our hero finds out that he abuses other systems as well. The attacker seems especially interested in military systems. Our hero contacts a bunch of organizations like the CIA, FBI, and NSA, but none of those seem able or willing to help him, so he keeps following the attacker himself.

As an astronomer, our hero has learned the value of documentation. He carefully logs everything in his log book, and over time that helps him see patterns as data accumulates.

In the end, we find out that the attacker is from Germany and gives information to the KGB. Our hero’s efforts help put this spy in prison.

Attacks

The title of the book refers to one of the two main techniques the attacker uses.

The first is simply guessing passwords. In the eighties, people were a lot less careful with their passwords than they are today. (Although even now there are still many problems with passwords.)

The other technique is an exploit for a simple vulnerability in GNU Emacs: this program could save mail files, but forgot to check permissions at the destination. Since it ran as root, you could copy files anywhere.

The attacker used this to install his own copy of the atrun utility. The Unix system executes this program every five minutes, and does so with full system privileges. So the Unix system was the nest that hatched the cuckoo’s egg, the attacker’s phony atrun program.

Once the attacker acquired system privileges, he copied the password file. He used that file to launch an dictionary attack to hijack yet more accounts.

Persistence

The attacks described are very simple compared to today’s landscape.

The value of the book is in showing us in detail the kind of persistence attackers display. It really drives home how much time and energy attackers are willing to spend to break into our systems.

To have any chance of withstanding these attacks, we’re going to need the same kind of persistence in our defenses.