Advanced Persistent Threat Perception and Reaction (Part 1)

by Ricky M. & Monique L. Magalhaes [Published on 9 July 2014 / Last Updated on 9 July 2014]

In part one of the series we concentrate on identifying APTs and on the first steps to safeguarding against APT attacks, with insight into asset classification and security posture assessment.

If you would like to be notified of when Ricky & Monique Magalhaes release the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.

In this series of articles we will delve into the Advanced Persistent Threat (APT), looking at ways to identify and safeguard against an APT attack. We will also consider the incident response strategy that should be in place if you ever need to react. Although the computing landscape continues to evolve rapidly, many of the techniques used in APTs have been around for many years and exploit long-standing gaps in our networks. However, social networking, mobile and cloud computing, and the valuable information we now process and hold, are introducing additional avenues and motives for attack.

Introduction

Advanced Persistent Threat (APT) is a category of cybercrime technique encompassing continuous attacks on a network to obtain information of high value. The individual components and intrusion techniques of the attack may each be well known, unsophisticated and easily defended against, but the combination of technologies, tools, social engineering and the human component renders this form of attack advanced. The attack is dedicated, remains concealed and is coordinated towards precise goals.

The threat landscape is greatly varied with APTs designed for financial gain, theft, extortion, espionage, to gain competitive advantage, sabotage and even revenge.

APTs are more than a security concern. For businesses, threats of this nature can be catastrophic, impacting finances as well as performance and reputation.

Businesses are more susceptible to APT attacks due to the changing business and IT environments. IT environments are now presenting more potential points for exploitation. The diverse IT environments of today expand the threat surface for attack and are more complex to monitor across the entirety. Extension of IT environments into the cloud as well as the requirement for mobile business flexibility through social media and mobile devices are introducing new areas for intrusion and attack.

The cloud is also being utilised by attackers for malicious purposes: APT attacks benefit from the same reduced cost, increased performance and scalability, making this an even more rewarding attack practice.

APTs have proven successful and rewarding to attackers, so businesses should operate under the assumption that attacks of this nature are foreseeable and be prepared for early detection and for safeguarding against them. APT attacks cannot be easily prevented, but procedures and defences should be put in place to reduce the risk of large-scale damage.

Identifying APTs

Why are APTs challenging to detect?

  • APTs do not take direct control of the network components or applications
  • It is difficult to correlate activity by time stamp, as the attack is slow and stretched out over an extended period of time
  • Attacks appear to come from a wide variety of sources (distributed botnets are often used)
  • Behaviour patterns and attack signatures are unique to each campaign, so they rarely match existing signatures
  • Attack-generated data traffic is obscured (compressed, hidden, encrypted), making it difficult to track the information

All APTs are different, however they share a number of similar characteristics. Most APTs share the following qualities:

  • They are developed with a purpose and target in mind (goal-oriented)
  • They maintain a low profile (remaining hidden and even dormant for months) and are slow to act (waiting for the optimal conditions to strike)
  • They involve a coordinated, organised and persistent attack
  • They comprise a human element (which makes this form of attack unpredictable, random, adaptive, effective and challenging to identify)
  • They have a means of communication with a command and control host
  • They are well-funded
  • They utilise multiple attack vectors, technologies and methods

Safeguarding against APTs

The first step to defending against this form of attack is to know what it is that you are trying to protect so that emphasis on security can be boosted where it matters most. This is achieved through risk and impact analysis and comprehensive documentation.

An effective APT defence approach should include categories for distinguishing asset value, assessing your security posture, detection proficiency, an incident response plan, a recovery plan and security awareness and training.

Step One: Evaluate and distinguish assets of value

It’s important that you know what it is you need to protect and remain focused on securing the valuable assets. In consultation with the Fortune 500 in London I often find my clients scrambling to protect the entire network, and in most cases that’s too broad. Organisations need clarity on where the valuable information assets are located (remember to include all locations: cloud services, backup systems and mobile devices), when they are being accessed and by whom.

An in-depth evaluation will give you insight into the regular activity, will highlight areas of the infrastructure that may need attention and with this clarity it will be easier to detect any behaviour that may be out of the ordinary.

It’s essential to separate data according to value so that it can be secured accordingly. This is called classification, and it does not have to be difficult: just start with the ten most important systems in your company and work from there. When it comes to mitigating risk from APTs, it’s important to apply proper security to the assets that have the most value.

Step Two: Assess your security posture

An assessment of your business’ security posture is vital at this stage. Any vulnerabilities open to exploitation can be addressed through continual assessment of the security posture. The assessment should cover the following criteria:

  • Staff, vendors and partners should be properly vetted.
  • Roles should be monitored and access to valued assets by employees and outside entities properly controlled.
  • Access control and management should always ensure that only trusted, authorised individuals are capable of gaining access, so that the threat is minimised.
  • Map people, processes and machines with access to valuable data so that you know where to focus when it matters.
  • Detect and evaluate vulnerabilities present by undertaking a vulnerability assessment and ordering the results according to how critical they are to your business.
  • Identify the security practices and procedures already employed and tools and technologies utilised and evaluate how effective they are likely to be against APTs.
  • Determine whether your practices and technologies are current or if an upgrade is necessary to achieve a better security infrastructure.
  • Determine whether any gaps are present in your security infrastructure or where improvements can be made.
  • Ensure that you have the basic security best practices in place. Just by getting the basics right you can significantly reduce opportunistic attacks or accidental compromise.
  • Evaluate your password and authentication policies, patch management procedures, firewalls and logs. These basic practices should be routine and undertaken correctly.

Step Three: Detection Proficiency

Organisations need to be vigilant and have the tools, technologies and procedures in place to detect abnormal behaviours on the networks and be aware when attacks are taking place. Use a multilayer approach to defend against APTs.

You need to consider your business in its entirety (internal/external/cloud) to be able to effectively monitor, evaluate and detect events that are out of the ordinary and be able to detect any APT damage or attempted damage.

To detect an APT you need to be flexible in your approach and be able to adapt. APTs are not known threats and thus security practices focused on detecting known threats through rules and signatures will not suffice.

A centralised analysis approach with collaboration between IT and security operations will help achieve an entire picture of the situation and align efforts across all platforms. Automation is essential in achieving a simplified security operation. An automated centralised approach will assist in quicker detection, remediation and reduce risk.

It’s important to be able to recognise an attack; even if the attack is unavoidable, the evidence collected is essential in establishing its purpose and source. If the attack is successful, the evidence collected by the technologies you have in place will be instrumental in understanding what data was compromised and how the attack occurred, will assist in remediation, and will be useful in continuing to improve your security posture.

The multiple layer security method could utilise a combination of security technologies and procedures across conventional IT environments and cloud, but should include:

  • The basics (firewalls, antivirus, SIEM, gateways)
  • An antivirus with HIPS detection, which can spot exploits before they trigger and block any malware implants related to those exploits
  • IPS and IDS
  • Advanced Threat Protection features turned on in your gateway solution
  • Security monitoring and management software (event logging, patch management)
  • Automation, which is essential for quick detection and remediation
  • Sandboxing tools for traffic analysis (analysis of suspicious files without compromising the network or its performance)
  • Application whitelisting (software monitoring)
  • Network forensics analysis tools (to monitor and record network activity)

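Two of the points above come together in practice: an APT keeps a line open to its command and control host, and its traffic is spread thinly over a long period so that no single event looks alarming. One thing your centralised log analysis can do with the event logging and network forensics data listed here is look for exactly that regularity. The following script is an added example written for this article, not code from the original piece or from any product it mentions. It constructs a small, fictional proxy log (timestamp, internal host, external destination, bytes), groups connections per host/destination pair, and flags pairs whose inter-arrival times stay almost constant over a window of several hours. The host names, addresses and thresholds are all invented for the example; a real deployment would feed it lines from its own gateway or SIEM.

```python
"""Low-and-slow beacon detection over proxy log lines (added example)."""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def build_sample_log(seed=7):
    """Construct sample log lines: hypothetical data, not from any real network.

    ws-042 contacts one external address every ~15 minutes for 12 hours with
    small jitter (beacon-like). ws-017 browses three sites at irregular
    intervals and should not be flagged.
    """
    rng = random.Random(seed)
    start = datetime(2014, 7, 1, 0, 0, 0)
    lines = []
    t = start
    for _ in range(48):
        t += timedelta(minutes=15, seconds=rng.randint(-20, 20))
        lines.append(f"{t.strftime(LOG_FORMAT)} ws-042 203.0.113.10 {rng.randint(400, 600)}")
    t = start
    sites = ["198.51.100.5", "198.51.100.9", "198.51.100.21"]
    for _ in range(60):
        t += timedelta(seconds=rng.randint(10, 3600))
        lines.append(f"{t.strftime(LOG_FORMAT)} ws-017 {rng.choice(sites)} {rng.randint(200, 90000)}")
    # ISO timestamps are fixed width, so sorting the lines orders them by time.
    return "\n".join(sorted(lines))


def parse_line(line):
    """Split one 'timestamp src dst bytes' line into typed fields."""
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, LOG_FORMAT), src, dst, int(nbytes)


def find_beacons(log_text, min_events=12, min_span_hours=4, max_cv=0.15):
    """Return (src, dst, events, mean_interval_s, cv) for regular long-running pairs.

    cv is the coefficient of variation of the gaps between connections
    (standard deviation / mean); values near zero mean clock-like timing.
    The span check keeps a short burst from being mistaken for a beacon.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _ = parse_line(line)
        times[(src, dst)].append(ts)

    findings = []
    for (src, dst), ts_list in times.items():
        ts_list.sort()
        if len(ts_list) < min_events:
            continue
        if ts_list[-1] - ts_list[0] < timedelta(hours=min_span_hours):
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append((src, dst, len(ts_list), round(avg), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, n, avg, cv in find_beacons(build_sample_log()):
        print(f"possible beacon: {src} -> {dst}, {n} connections, ~{avg}s apart, cv={cv}")
```

The thresholds are the tuning knobs: a longer minimum span and a lower maximum coefficient of variation trade missed beacons with heavy jitter for fewer false positives from legitimate polling software (update checks, mail clients), which is why any hit still needs to be checked against the asset and software inventory from Steps One and Two before it is treated as an incident.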
Conclusion

APTs are unpreventable and extremely challenging to detect. Organisations need to be attentive and work from the assumption that APTs are present. In the first part of this article series we have started to look at the APT defence approach, covering distinguishing asset value, assessing your security posture and detection proficiency. In the next article in the series we will focus on the remaining areas: an incident response plan, a recovery plan, and security awareness and training.


The Authors: Ricky M. & Monique L. Magalhaes


Ricky M. Magalhaes is an international information security architect, working with a myriad of high-profile organisations. Monique is an international security researcher who holds a BSc degree (Cum Laude). Previously she focused on research and development at leading enterprises in the Southern hemisphere.
