Advanced Persistent Threats (APTs) are a reality and cannot be dismissed as a myth or media hype, according to...
a panel of experts debating the top threats at Infosecurity Europe 2011 in London.
APTs are typically associated with state actors, but organisations should know that some cyber criminals have equally high levels of skills and expertise and are able to target organisations in this way, warns Mario Kempton, head of information security at the UK Serious Organised Crime Agency (SOCA).
All organisations need to be aware of this type of threat, and be cognisant of their IT environment and what they are protecting, to decide if they need to be investing to mitigate against APTs, says Ionut Ionescu, head of threat management at Betfair.
Since Titan Rain in 2005, there have been several examples of such attacks against commercial and government information assets in various countries, which prove that APTs cannot be classified as hype aimed at creating fear, uncertainty and doubt, says John Walker, member of the security advisory group of the London chapter of ISACA.
Although organisations need to be aware of APTs, it need not necessarily keep information security professionals awake at night if they understand the threat and have taken steps to mitigate against it, says SOCA's Kempton.
But this can be a costly exercise in an organisation where there is a huge diversity of systems and users, says Stephen Kerslake, group information security governance manager at Virgin Media.
"It is also a challenge to ensure you have covered all vulnerabilities well enough without disrupting business processes. It is about finding that balance," he said.
Understanding the IT environment
Not all organisations are paying enough attention to APTs, says Walker, because they rely too heavily on security dashboards, which do not necessarily reflect what is really going on within the IT infrastructure.
Another problem, says Betfair's Ionescu, is that many information security professionals are aiming more at compliance with various frameworks rather than ensuring that the information assets of their organisations are secure.
"It is important for information security professionals to have a deep and intimate understanding of their environment rather than relying on tools, because people, not tools, protect assets," he said.
Kempton adds that people are the main initial targets of APTs, which typically use spear-phishing e-mails to introduce malware to targeted networks to gain an initial foothold.
"User awareness is important. They need to understand that they may be targeted in this way, as was the case in the recent APT-style attack on EMC's security division RSA," he says.
Tackling APTs, says Walker, should always involve covering all the basics, including user awareness training. Many persistent attacks will try all common vulnerabilities as part of a series of attacks to find a way into a targeted network or system.
Ionescu points out that even though Stuxnet has been hailed as one of the most sophisticated pieces of malware known, several of its components were designed to exploit well-known vulnerabilities that could be easily patched.
Any budget remaining once the basics have been covered can be invested to mitigate against more sophisticated attacks, says Walker. But again he warns against over-reliance on tools, reiterating that understanding the environment is the best defence.