Executive Level Overview of APTs to Demystify the Hype
One hot topic in IT and information security today is the Advanced Persistent Threat, usually abbreviated to APT. However, the P in APT might as well stand for People. And therein lies a clue as to how APTs differ from other targeted attacks, something about which there has been some confusion.
A standard targeted attack, while often requiring a significant investment of time, does not have dedicated personnel assigned to it over a long period. If the assets being targeted are harder to reach than expected, or a compromised asset is removed or patched, that will often end the attack, and another victim will be selected. Some targeted attacks are even highly automated. In an APT, however, there is someone continually guiding the attack, making adjustments to counter the victim's attempts to stop it. It’s very much a person-to-person, or people-to-people, battle. The attackers will vary their methods to circumvent countermeasures taken by the victim, bringing in specialists when required. Their aim, of course, is to go undetected, and in many cases they do so for long periods of time. However, to remain undetected you must move slowly and be prepared to back out of blind alleys and try new ones. At any time infrastructure may be changed, new policies implemented or compromised software automatically patched. While APTs might employ any of the same techniques as a standard targeted attack, such as social engineering, SQL injection or phishing, they are far more persistent – hence the name. A prime example of an APT is Stuxnet, which carefully worked its way through the network until it found its target, industrial gas centrifuges, and executed an attack that slowly disabled them.
We are already seeing more evidence of APTs making the headlines, such as Nitro. In order to effectively guard against these threats, organizations are struggling to find the balance between the current drive to reduce costs, including personnel, and the need for increased security. There are, however, some basic security measures any company can take to raise its awareness and improve its security profile. We recommend the following five steps to improve the security of your sensitive information.
- Formalize and implement security policies that will make it easy to identify and remediate threats. This includes standard practices such as patching, password policies and controlling administrator accounts. These are usually monitored by point-in-time controls such as audits, but those audits need to become more frequent. Organizations also need to implement more event-based, real-time controls, such as detecting repeated login attempts on a server, that alert IT to the issue before an attacker can gain access. Once policies are in place, it’s equally important to enforce them, and that means maintaining them and ensuring your users understand them.
- The second step is to protect the data. In order to do this, you first need to know where the data is, and understand what data is sensitive and what is not. We often find that data that should be secure has managed to leak to a secondary location where it has little or no protection. This data spillage is one of the most common enablers of data theft. Once you have decided what data is worth protecting, you can leverage techniques like encryption.
- Next, you must take care of identities on your network. The security of your information is based on who can access it. You need to implement an effective authentication system that sufficiently restricts access, and you also need to regularly update user access. Even the best authentication is useless if a disgruntled ex-employee still has access to sensitive information.
- You also need to take care of systems. This of course includes desktops and servers, which for years have been the focus of security measures. Now, however, endpoints are quickly proliferating and include tablets, smartphones and even virtual machines. Too many businesses leave corporate information intact on discarded smartphones, left in desk drawers rather than being completely wiped and recycled. Virtual assets need the same lifecycle management as physical ones, including patching and decommissioning; every asset should be managed throughout its entire lifecycle, from provisioning through to eventual disposal.
- Finally, the infrastructure as a whole needs constant protection. This includes well-established measures such as antivirus software, firewalls, and other tools. Good infrastructure protection will make it harder for an attacker to gain an initial foothold and slow their progress as they traverse your network, but these tools also act as sensors, collecting the real-time information that gives you the visibility you need.
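The first step above calls for event-based, real-time controls such as detecting repeated login attempts on a server. The following is an added example of that kind of control, not code from the original article: a small Python detector that parses OpenSSH-style authentication log lines (the sample lines, hostnames and addresses are constructed for the example) and raises one alert per source address that accumulates a threshold of failed logins inside a sliding time window. The threshold and window values are assumptions chosen for illustration; successful logins are ignored, and a single burst produces a single alert rather than one per line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in an OpenSSH-like format (not real traffic).
# The first source produces five failures in ten seconds; the second produces
# two failures 30 seconds apart followed by a success.
SAMPLE_LOG = """\
2011-11-02 08:00:01 host1 sshd[2011]: Failed password for invalid user admin from 198.51.100.23 port 40001 ssh2
2011-11-02 08:00:03 host1 sshd[2012]: Failed password for root from 198.51.100.23 port 40002 ssh2
2011-11-02 08:00:04 host1 sshd[2013]: Accepted password for alice from 192.0.2.10 port 50123 ssh2
2011-11-02 08:00:06 host1 sshd[2014]: Failed password for root from 198.51.100.23 port 40003 ssh2
2011-11-02 08:00:09 host1 sshd[2015]: Failed password for invalid user test from 198.51.100.23 port 40004 ssh2
2011-11-02 08:00:11 host1 sshd[2016]: Failed password for root from 198.51.100.23 port 40005 ssh2
2011-11-02 08:15:00 host1 sshd[2020]: Failed password for bob from 192.0.2.10 port 50124 ssh2
2011-11-02 08:15:30 host1 sshd[2021]: Failed password for bob from 192.0.2.10 port 50125 ssh2
2011-11-02 08:16:00 host1 sshd[2022]: Accepted password for bob from 192.0.2.10 port 50126 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_repeated_failures(lines, threshold=5, window_seconds=60):
    """Return one alert per source that reaches `threshold` failed logins
    within `window_seconds`.

    A sliding window of failure timestamps is kept per source address. The
    alert is emitted at the moment the threshold is crossed and the window is
    then cleared, so a single burst yields a single alert instead of one per
    additional failed attempt.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that are older than the window relative to this event.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": ev["src"],
                "count": len(q),
                "first": q[0],
                "last": ev["ts"],
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_repeated_failures(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {alert['count']} failed logins from {alert['src']} "
              f"between {alert['first']} and {alert['last']}")
```

Run against the sample, the detector alerts once on 198.51.100.23 (five failures within ten seconds) and stays quiet on 192.0.2.10, whose two failures never reach the threshold. In practice the same function would be fed from a log shipper or SIEM rather than an inline string, and the alert would go to a ticket or pager rather than to standard output; the threshold and window are the knobs to tune against the normal rate of mistyped passwords on each server.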
As a specific kind of targeted attack, APTs are a legitimate and real threat, but they are not as common as non-persistent targeted attacks, which are growing rapidly. Good security is about preparation: having the policies, technologies, processes and people in place that enable you to make informed decisions about your risk posture, reduce the chances of a successful attack, and respond more quickly to the threats your organization faces.
For more information on targeted attacks and APTs, visit http://bit.ly/rDM89u.