We often hear news about emerging cyber security threats and attacks impacting every industry. With advanced malwares, zero day exploits and persistent threats, cyber-attacks are now becoming very sophisticated in nature.
Targeted attacks are seen from highly motivated attackers, well organized and resourced groups and even from state sponsored actors. Among these, the biggest security challenge that global security leaders are facing is Advanced Persistent Threats (APT).
APT, with its sophisticated and mercurial way of achieving its focused objectives, represents a fundamental shift in the traditional cyber-attack models. The first step in the APT attack lifecycle is breaking into systems by exploiting an enterprise end point system vulnerability, establishing a foothold. In the next step they escalate their privileges to laterally move and locate the servers of their interest to exfiltrate data. The final step is to tactfully cover the tracks after achieving the desired objectives, which in this case is data breach.
The most crucial element in APT attacks is the ‘Persistence’ factor .The attacker can manage to stay in the network undetected for a longer period of time until they succeed in achieving the end goals. Well organized and highly focused APT attacks usually target the weakest links of an organization's defense chain in a stealthier manner. The target could be top-secret military or government documents, trade secrets, blueprints, intellectual properties, source codes or other highly confidential information.
No organization, irrespective of size or type, is immune to these attacks. As we read this, a vast majority of organizations are unaware of APT and its impacts. Some do not even realize they are already compromised. A few who have realized by now prefer to not reveal or admit it fearing reputational damage.
Organizations realize that there is no ‘silver bullet’ solution to stop APT. It is quite challenging to address the stealthy and persistent methods used by APT attackers that can easily evade traditional security measures like firewalls, anti-virus, spyware and intrusion detection systems. Only a ‘defense in depth’ approach with right blend of skilled resources, new age advanced and intelligent tools and an efficient security framework can address the APT and reduce its impact before it wreak the havoc in an organization.
An organization’s ability to react and defend an APT attack can largely limit the financial, reputational and operational impacts. Organizations are investing in advanced game changing technologies and processes that can protect them from APTs at every stage of its attack life cycle. Let’s have a look on some of the key steps that organizations can consider while creating a defense strategy against APT.
Key Steps to Combat an APT
Social Engineering Awareness
People are usually the most vulnerable link and hence social engineering is the most widely used method for initial compromise by attackers. In this age of social media revolution, it has become comparatively easier for an attacker to use social engineering and social networks to lure an unsuspected user to click on a link, and open a malicious attachment. APT attackers mostly use techniques like spear phishing over email using zero-day exploits and may also host malwares on websites which the victims are enticed for accessing. As normal users are now at the primary risk, organizations are giving more security awareness sessions and are at times making the employees part of awareness phishing exercises where they are given bogus phishing emails to make them aware of its implications.
Shared Threat Intelligence
Threat intelligence collectively includes the indicators of an attack, its implications, and actionable insights derived from analysis of a past or potential attack. Consolidating and sharing such threat intelligence will enable organizations to take proactive measures against known or unknown APT.
Global organizations have realized the importance of having a more collaborative and seamless threat intelligence sharing in order to counter the advanced threats. This shared intelligence will act as a sounding alarm which prompts the potentially vulnerable organizations to quickly get prepared and adopt a defensive strategy against APT.
Skilled Resources
People, processes and tools are the three critical pillars of any cyber security protection strategy including APT defense. Industry demands security professionals with core technical skills and awareness about the existing and next generation threats. The skillset of these resources needs to be maintained and kept up-to-date using internal and external trainings around security incident handling, forensic analysis, malware analysis, risk assessments and security controls.
Equally important is the awareness around existing infrastructure environment, network segmentations, critical assets, applications, network devices, servers etc. An organization must ensure its readiness to handle APT by preparing these skilled resources with mock and simulated attacks. In order to get prepared to face the worst, they must always be ready to expect the unexpected.
Malware Analysis
Over a period of time, malware evolved and has become more and more sophisticated. Attackers are now using advanced polymorphic malware capable of leveraging multiple zero- day flaws and other unpatched vulnerabilities. This advanced malware is capable of initiating multi-vector and multi-stage attacks, which create challenges to the traditional anti-virus tools in terms of detection and removal.
Only an advanced malware analysis tool which can perform static and dynamic forensic analysis can defend the organizations from emerging threats by promptly detecting malicious code and preventing it from spreading. Organizations are now investing in building a knowledge base on malware techniques, by reverse engineering on suspected malicious files to make themselves better prepared for the unknown threats. Actionable insights from malware analysis help in effectively identifying and mitigating the threats and initiating a targeted and effective initial response while combating an APT attack.
Next Generation Detection and Prevention Tools
It is very important to understand the security posture of an organization and to constantly evaluate whether the attack detection and prevention tools are capable of handling the current and future threats. For having a better defensive strategy against an APT attack, an organization must need to analyze its perimeter security and endpoint security. mplementing next generation firewalls, advanced malware detection tools and advanced email and web gateways will assist in maintaining a better perimeter defense strategy.
Equally important is the host based advanced threat protection. When flexible device policies like BYOD become prevalent and the normal convention of perimeter vanishes, it is critical to safeguard the end point devices like laptops, mobile, tablets etc. Anti-virus tools and host integrity checking tools must possess advanced features to identify, and alert on suspected malwares. These tools also must have the feature to contain the threat to the host and work in tandem with the malware analytic tools.
Implementation of SIEM (Security Information and Event Management) solutions can provide a holistic view of organization’s IT security. Such a tool can collect logs from multiple network security devices, servers, applications etc. and perform complex correlation and automated incident generation.
Behavioral Analytics
Most of the APT attacks use exploit packages that are unique and specifically crafted for some focused objectives. Hence the existing legacy tools in most organizations which rely on signature based detection, fail to detect and prevent such threats. Here is the relevance and benefit of behavioral analytics. This approach will help in simulating the behavior of a suspected file to identify whether it is malicious or not, as it can distinguish such behavior from a baseline normal behavior.
It also helps in analyzing network traffic to find anomalies like huge traffic generation from unused ports, storage size filling up, multiple login failures etc. Such tools enable to timely identify APT and derive useful threat intelligence and security insights.
A good security framework will look into all the aspects mentioned above and more and also it will be adaptable to the changing circumstances. It will also look into information security strategy in a comprehensive way and help in enforcing a sound process to better handle advanced threats (prepare, detect, contain, eradicate and lessons learnt).It should also focus on continuously measuring the risk appetite of the organization
Advanced Persistent Threats, as a cyber-security phenomenon, will thrive in the coming years also. As new, disruptive technologies like cloud, mobility, Big Data and IoT take the center stage, and yesterday’s signature based detections are not competent enough to deal with the hurricanes of current age's sophistical and targeted APT attacks, we have to get better prepared to face the worst.
It is not possible to completely stop an APT. However, with the right blend of the security framework, intelligent tools and skilled resource we can break the kill chain of APT attack. At least if we can ensure that the detection and reaction time is less than the actual attack time, we are on the right track in defending APT.