Imagine a situation where you are the wearer of a pacemaker. A scary thought in itself. Now imagine a situation where someone can remotely control a pace maker without your knowledge. This is the situation that many companies face with advanced persistent threats (also known as APT). As a security professional on the ground, it is your job to protect the company against these attacks.
Advanced persistent threats are a class of attack that involves attackers using a focused approach, as distinguished from random attackers or script kiddies. These attackers are skilled programmers who want to break into a specific firm. The break-ins usually don’t show up on logs, which makes it difficult to put suitable APT security measures.
Defense against APTs
It may seem impossible to defend against APTs, especially since some users will insist on running administrator accounts. However, there is much you can do to mitigate the threat of APTs, as we shall see shortly.
1. Build a growing security team
You need to build a strong security team that is able to keep pace with the evolving threat landscape. If you outsource this function to a third party, ensure that suitable agreements are in place to obtain all relevant data about your network and attacks. It’s crucial not to get mired in processes if you want to improve security levels on the APT front.
Keep the keys of the network with you. For example, you don’t want to delegate the domain controller password to the third party. If you inherit a situation where a third party is managing the network, ensure that you get access to the logs and the servers whenever you want.
2. Cross functional integration
Security is not an isolated function; it spans both line and support functions. The security team needs to interface with the entire organization. The team should report to the CEO or the board of directors, as opposed to a function or line manager.
Many companies may not have formal mechanisms to facilitate this structure. You will need to establish informal networks. Make good use of the lunch break for such causes. People enjoy talking about what they do, and are willing to share — as long as you don’t spread fear, doubt and uncertainty.
3. Network knowledge
You should always have updated network diagrams. This will allow you to track the devices present on the network and help incident response. If the network is undocumented, then your first task is to create a network diagram to track network connection points.
4. Centralized logs
At a minimum, all logs should be aggregated at a central secure location. This helps you detect and trace attacks. There are a number of options you can use if you experience significant budget constraints. Look at open source logging agents such as Snare. Products such as Splunk can analyze logs, but their non-commercial offerings have limitations.
5. Develop comprehensive incident response plans
You need to develop and implement incident response plans, and codify them as procedures. These need to be rehearsed via live simulations.
Table top simulations are insufficient. They may meet compliance requirements since you will maintain similar documentation. In an emergency, people will not know what to do and leave the burden of command on you.
6. Information asset handling
Maintain a log of the company’s information assets. Conduct a risk assessment for these assets, and ensure that the asset life cycle is accounted for while implementing controls. Automate as much of the asset management process as possible. Try and capitalize on existing document management systems, if any. For instance, you can deploy standardized document templates that enforce the application of data classification labels.
To wrap up
APTs are evolving rapidly, and it’s becoming easier for attackers to construct them. Building an APT is like assembling a complex Lego structure. There are inexpensive commercial tools that allow programmers to automate some of the construction.
The days when you could get away with a two or three member security team are over. Skilled individuals who handle information security are critical in the fight against APTs. The second crucial component is integration. You need to get out of your box and develop a company-wide view.
Everyone has a role to play; it can be the security guard at the door who detects an unauthorized USB drive. Or it may be the CEO who does not respond to a spear phishing message.
About the author: Pranav Lal is a consultant - information security at Mahindra SSG.