Wednesday, August 20th, 2014
7 Recommendations to Help Defend your Business against Advanced Persistent Threats
Advanced Persistent Threats (APTs) are sophisticated, covert attacks designed to steal data from specifically targeted organisations. While recent headlines have focused on high profile and well organised attacks (Loyalty Build, Paddy Power, Adobe, Target, Google, RSA, Lockheed Martin and Neiman Marcus), thousands of undisclosed attacks have quietly plagued government agencies and companies of all sizes around the globe.
The security threat landscape has become much more serious due to the increase in Advanced Persistent Threats over the last 12 months. These persistent threats typically target key users within an organisation to gain access to valuable information on the network. No one, from large enterprises to government agencies to start-ups, is immune from this threat.
Gartner uses a simple definition of APTs:
"'Advanced' means it gets through your existing defences. 'Persistent' means it succeeds in hiding from your existing level of detection. 'Threat' means it causes you harm."
While I believe there is no silver bullet for protection against Advanced Persistent Threats, I do believe there are some very prudent steps that an organisation can take to significantly improve its security posture. From my experience working with people and organisations to protect against Advanced Persistent Threats, I have compiled a list of recommendations to help improve your security and defend your business against these stealthier, more complex threats.
1. Understand what an APT is:
An APT requires more attention than a standard opportunistic attack. Opportunistic attacks are generally easier to prevent than targeted attacks. The frequency of targeted attacks has rapidly increased in the past 12 months, and in most cases the attack commences with a malware infection. Remember that an APT will typically go through a discovery phase in which the malware spreads across the network, identifying assets and determining what data to exfiltrate. APTs operate covertly and are difficult to detect; months can pass with no visible sign of compromise at the organisation quietly under attack. If an organisation can identify an APT during this discovery phase, the damage will be significantly reduced.
2. More expertise is needed to handle the risk posed by Java and Adobe Reader:
Major commercial applications have been the source of zero-day exploits over the past year. Java and Adobe Reader are widely regarded as the most difficult applications to keep fully patched in a timely fashion. Companies are slow to patch vulnerabilities, mainly because they cannot afford the downtime while a patch is implemented or do not have the staff available to implement it. Once a zero-day exploit has hit the headlines, the vulnerability will be exploited en masse. Managing these patches and categorising the risk is crucial.
3. Make the business case for investing in technologies that address APTs:
Despite the threat, the majority of companies do not currently have the necessary security technologies to effectively address the threat of APTs. Adequate resources are generally not available to prevent, detect and contain APTs, and most non-IT executives in organisations don’t fully understand the risk posed by APTs, a major hurdle to overcome in order to secure the necessary resources to defend the organisation.
4. Cyber Awareness Training:
Advanced Persistent Threats target specific system vulnerabilities and, more importantly, specific people. For entry, APTs generally use spear-phishing techniques: the attackers try to persuade the user to click on seemingly harmless links. Clicking such a link silently downloads the malware that is the initial stage of the APT breach. These attacks against users are not static; they are very dynamic, and your security awareness training should evolve as the threat changes. Users can act as a line of defence against spear-phishing attacks if they are properly armed with the information needed to recognise an attack. Helping your users to understand just how important they are to the security of your company could be the single most important step to better protecting your network. The cost of education is likely the best money spent in effectively arming your users with the information they require to stop these types of attacks from succeeding. Remember, it only takes one.
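The checks that awareness training asks users to perform on a link (does the visible text name one site while the real target is another, is the target a bare IP address, does the domain merely look like ours) can also be automated on inbound mail. The script below is an added example and is not code from the original post; the e-mail body, the trusted domain example.com and the homoglyph substitutions it knows about are constructed assumptions for the demonstration.

```python
"""Flag suspicious links in an HTML e-mail body.

Added example, not part of the original post. SAMPLE_EMAIL and
TRUSTED_DOMAINS are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample: three links, two of which a trained user should refuse.
SAMPLE_EMAIL = """
<p>Dear colleague, please review the attached invoice:</p>
<a href="http://198.51.100.23/inv/view.php?id=4411">https://portal.example.com/invoices</a>
<p>Or log in at <a href="https://exarnple.com/login">exarnple.com</a></p>
<p>Internal wiki: <a href="https://wiki.example.com/onboarding">wiki.example.com</a></p>
"""

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own domain


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last-two-labels heuristic; a real tool would use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_alike(domain, trusted):
    """Detect simple homoglyph substitutions (rn->m, 1->l, 0->o) of a trusted domain."""
    normalised = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    return normalised != domain and normalised in trusted


def analyse_links(html):
    """Return a list of (href, reason) for links a user should not click."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        domain = registrable_domain(host)
        if is_ip(host):
            findings.append((href, "link target is a raw IP address"))
            continue
        # Visible text that names a different site than the real target.
        text_host = urlparse(text if "://" in text else "http://" + text).hostname
        if text_host and registrable_domain(text_host) != domain:
            findings.append((href, f"text says {text_host} but target is {host}"))
            continue
        if looks_alike(domain, TRUSTED_DOMAINS):
            findings.append((href, f"{domain} looks like a trusted domain"))
    return findings


if __name__ == "__main__":
    for link, reason in analyse_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {link}: {reason}")
```

Run against the sample body it reports the raw-IP invoice link and the look-alike login domain, and passes the genuine wiki link. The same three questions are what a user should ask before clicking; the script simply asks them first.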
5. Fixing Vulnerabilities on your network:
The reality is that the most important issues are the vulnerabilities themselves and the techniques used to exploit them. The major advance in new threats has been the level of tailoring and targeting: these are not noisy, mass attacks that are easily handled by simple, signature-dependent security approaches.
6. Audit Network Log for Abnormal Connections:
For an Advanced Persistent Threat to work effectively it will generally need to establish a connection with a command-and-control (C&C) server. Consistently auditing network monitoring logs is critical, as it can help identify anomalies in connections within the network. Only with an understanding of the network's normal activity can anomalies be identified. For example, network activity during what should be idle hours can be a sign of an attack. Be warned that sophisticated APT malware may have the ability to circumvent traditional logging solutions.
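Two of the anomalies described above, outbound connections during idle hours and the near-constant check-in interval of a C&C beacon, are simple to test for once connection logs are in hand. The script below is an added example, not code from the original post; the log format, the 10.0.0.0/8 internal range and the 07:00 to 19:59 business-hours window are constructed assumptions, and a real firewall or proxy log would need its own parser.

```python
"""Find connections that break the network's normal pattern.

Added example, not from the original post. SAMPLE_LOG, INTERNAL_NETS and
BUSINESS_HOURS are constructed assumptions for the demonstration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import ipaddress

BUSINESS_HOURS = range(7, 20)                          # assumption: 07:00-19:59
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: our own range

# Constructed sample log: "<ISO timestamp> <src> -> <dst>:<port>".
# 10.0.0.15 calls out to the same host once an hour through the night.
SAMPLE_LOG = """\
2014-08-18T09:12:04 10.0.0.21 -> 93.184.216.34:443
2014-08-18T09:40:31 10.0.0.35 -> 93.184.216.34:443
2014-08-18T11:05:12 10.0.0.21 -> 10.0.0.5:445
2014-08-18T14:22:48 10.0.0.35 -> 198.51.100.77:80
2014-08-18T02:00:05 10.0.0.15 -> 203.0.113.9:443
2014-08-18T03:00:07 10.0.0.15 -> 203.0.113.9:443
2014-08-18T04:00:04 10.0.0.15 -> 203.0.113.9:443
2014-08-18T05:00:06 10.0.0.15 -> 203.0.113.9:443
2014-08-18T06:00:05 10.0.0.15 -> 203.0.113.9:443
2014-08-18T16:31:09 10.0.0.21 -> 10.0.0.5:445
2014-08-18T17:00:00 10.0.0.40 -> 10.0.0.3:53
"""


def parse_log(text):
    """Return (timestamp, src, dst, port) tuples from the sample format."""
    events = []
    for line in text.strip().splitlines():
        ts, src, _, dst = line.split()
        dst_ip, port = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst_ip, int(port)))
    return events


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def off_hours(events):
    """Outbound connections outside the window in which activity is expected."""
    return [e for e in events if e[0].hour not in BUSINESS_HOURS and is_external(e[2])]


def beacons(events, min_count=4, max_jitter=0.1):
    """src->dst:port pairs that talk at near-constant intervals.

    Returns {pair: mean_interval_seconds}. Jitter is the coefficient of
    variation of the inter-arrival gaps; scheduled check-ins sit near zero.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        if is_external(dst):
            by_pair[(src, dst, port)].append(ts)
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found[pair] = round(avg)
    return found


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ts, src, dst, port in off_hours(evts):
        print(f"OFF-HOURS {ts} {src} -> {dst}:{port}")
    for (src, dst, port), interval in beacons(evts).items():
        print(f"BEACON {src} -> {dst}:{port} every ~{interval}s")
```

The business-hours window stands in for the baseline the text calls for; in practice derive it from several weeks of the organisation's own logs rather than a constant. The beacon check is deliberately tolerant of small jitter, since real implants add a little randomness to their sleep interval.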
7. Forensics:
APTs are like cancers. Recognising the problem is only the first step and remediating only a subset of the infected systems will likely lead to recurring exposure.
It is critical to gather as much data as possible and construct a strategic response and remediation plan. The key is to ensure that all evidence is preserved and the process is documented. Post-mortem analysis of the incident's root cause, with recommendations for changes in process, is crucial. Without it, the same mistakes are likely to be repeated the next time an incident occurs.
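Preserving evidence means being able to prove later that what you analysed is what you collected. The script below, an added example and not the post's own material, records a SHA-256 hash, size and collector for each evidence file in a manifest and re-verifies the files against it; the evidence files and the collector name are constructed in a temporary directory for the demonstration, where a real case would hash the disk images, memory dumps and logs taken from each host.

```python
"""Preserve evidence integrity with a hashed manifest.

Added example, not from the original post. The evidence files written by
demo() and the collector identity are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record who collected what, when, and its hash: the start of a chain of custody."""
    return {
        "collector": collector,
        "created": datetime.now(timezone.utc).isoformat(),
        "items": {p: {"sha256": sha256_file(p), "size": os.path.getsize(p)} for p in paths},
    }


def verify_manifest(manifest):
    """Return paths whose current hash differs from the recorded one, or that are missing."""
    bad = []
    for path, rec in manifest["items"].items():
        if not os.path.exists(path) or sha256_file(path) != rec["sha256"]:
            bad.append(path)
    return bad


def demo():
    """Constructed walk-through: hash two evidence files, alter one, detect it.

    Returns (mismatches before tampering, basenames of mismatches after).
    """
    with tempfile.TemporaryDirectory() as d:
        evidence = [os.path.join(d, "memdump.raw"), os.path.join(d, "auth.log")]
        with open(evidence[0], "wb") as f:
            f.write(b"\x00" * 4096)
        with open(evidence[1], "w") as f:
            f.write("Aug 18 02:00:05 host sshd: Accepted password for svc from 203.0.113.9\n")
        manifest = build_manifest(evidence, collector="analyst@example.com")  # assumed identity
        manifest_path = os.path.join(d, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)
        clean = verify_manifest(manifest)
        # Someone "tidies up" the log after collection.
        with open(evidence[1], "w") as f:
            f.write("")
        with open(manifest_path) as f:
            tampered = verify_manifest(json.load(f))
        return clean, [os.path.basename(p) for p in tampered]


if __name__ == "__main__":
    print(demo())
```

Store the manifest separately from the evidence (and ideally sign it), so that a change to either is visible; the manifest is also the natural place to append the documentation of each handling step the text asks for.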