RSA, Google, Iran's nuclear facilities and more recently Sony and possibly even Lockheed Martin have all been hit by security breaches using advanced persistent threats (APTs). While there is reason to believe that most businesses will be targeted by APTs, simple defence strategies will go a long way to preparing businesses...
for APTs and reducing the risk, according to IT security professionals.
Although some APTs, like Stuxnet, target zero-day vulnerabilities and most are highly targeted, what usually makes these threats "advanced" is that they combine a raft of infiltration techniques. But taken individually, these techniques are typically well-known and easy to defend against.
Doing the basics properly will provide a level of security that will reduce the likelihood of opportunistic hacking or accidental compromise.
Ionut Ionescu, head of threat management at Betfair, recommends following good practice techniques such as having a vulnerability management system in place, keeping security patches up to date, and continually testing the security posture of the IT infrastructure. Such best practice techniques should enable businesses to detect a fair number of APTs.
Knowing what you need to protect is the most important task. Vladimir Jirasek, director of communications at the Cloud Security Alliance UK & Ireland, said: "Without that, the security controls will concentrate on the easy picks, rather than where it actually matters. Good documentation, impact assessments and risk assessments are rather important here."
Security experts say any effective approach to defending against APTs must include defence in depth, a detection capability, an APT incident response plan, a recovery plan, and security awareness and training.
As part of the re-assessment process, an organisation must ensure it understands why it may be attacked. "Every organisation should draw up a risk register that will allow the allocation of funds and resources to protect the assets that are most valuable to the organisation, which may include business processes as well as information," says Mike Westmacott, security consultant at Information Risk Management.
Security experts believe defence in depth can help organisations protect themselves effectively against APTs. Defence in depth covers aspects such as staff and contractor vetting, effective access management, defined compartmentalisation of key information assets and monitoring controls,
Gerry O'Neill, vice-president of the Cloud Security Alliance, UK & Ireland, recommends security heads should involve other relevant functions across the organisation, such as physical security, HR, fraud and operational response teams. Gerry O'Neill says defence in depth should also involve sector-led intelligence reports and alerts, where available.
However, no single layer of fraud prevention or authentication is enough to stop determined fraudsters. Multiple layers must be employed to defend against today's attacks and those that have yet to appear.
Avivah Litan vice-president and distinguished analyst at Gartner, advocates deploying defences at the endpoint, such as secure browsing applications or hardware and transaction signing devices; at the navigation layer, to monitor session navigation behaviour and compare it with normal patterns; and at the linking layer, to analyse the relationships between internal and external entities to detect collusive criminal activities or misuse.
As APTs may exploit known or unknown vulnerabilities and may propagate using a number of different methods, Ionut Ionescu urges businesses to improve and enhance their ability to correlate various signals that may combine into an APT.
"For example, we need to link intelligence reports about a new flaw in a common business application with attempts by unidentified callers to obtain the e-mail addresses of key personnel, with a mistake in a firewall, with a device seeing increased traffic, and piece these together to find the next APT that may be targeting the organisation," Ionescu said.
As part of their defence-in-depth, Ionescu advises businesses to move from a perimeter-based mentality to one where "every component is taught karate", with security controls asset-specific and live with that asset, rather than relying on another device upstream or downstream to protect that particular asset.
For the Cloud Security Alliance's O'Neill, detection needs to be of a higher order capability than traditional log reviews. For instance, he says it should involve logging and monitoring capabilities to detect out-of-profile activity or anomalous data traffic - such as those used for fraud detection - with follow-up investigation processes.
It is essential to regularly test areas of the organisation identified as having the highest risk ratings. "It is important to know when an attack is underway, and how to gather evidence to be able to understand the purpose and origin of the attack," says Information Risk Management's Mike Westmacott.
So network forensics systems and tools should be installed onto a network to continuously monitor and record all network activity. If an attacker has been able to compromise a network, and has been cleaning his or her tracks by removing evidence from servers, a standalone network traffic recorder can provide information on how the breach occurred and what information may have been compromised.
"By bringing together in-house capabilities with third-party expertise in the form of a network forensics capture and analysis service, an organisation can reach an acceptable level of risk with regards to APTs and blended threats. Such an approach will also prove invaluable if an attack takes place, as it will help the company to continuously improve its security posture," Westmacott said.
If an organisation has experienced an APT incident, it should define an approach to determine how to close down an attack or eavesdropping activity while preserving forensic evidence. "Senior executives and the corporate communications function should be engaged to ensure that PR messages are crafted and released so as to minimise brand damage," says O'Neill.
Post-event analysis is essential to confirm lessons learnt from the events, including how the attack was introduced and carried out, as well as strengthening the in-depth controls, both technological and procedural, which should prevent recurrence.
The final line of defence is the people in the organisation, the most valuable asset a business has.
John Walker, member of the security advisory group of the London chapter of ISACA, advocates a thorough security awareness training and education programme.
"Whatever an individual's role is within the business, from chief executives to secretaries, businesses must ensure that everyone is provided with an adequate level of security awareness training so they will be able to identify anything suspicious," John Walker said.
With the right level of training, employees of an organisation can function as human intrusion detection systems in every part of the business, says Walker.
This is particularly relevant as APTs typically combine a number of vectors, including social engineering - for which there are few, if any, viable technical countermeasures
Staff should, in fact, act as a human firewall, says Paul Wood, chief executive of First Base Technologies. "It is no longer viable or appropriate to treat employees as something to be controlled, blocked or locked down," he says.
"Our network perimeters have been eroded and undermined by advances in technology and changes in working practices. Unless we consider our employees and colleagues as intelligent people who will understand the threat to their employer - and hence their salaries and livelihood - these types of attack will continue to prevail," Paul Wood said.
"Let's stop talking down to people, let's treat them as adults and explain the real risks and the potential consequences of a successful attack. Let's provide guidance on protecting their personal information as well as the organisation's data and everyone will win - except the criminals," Wood said.
Attackers have advanced techniques, lending them multiple targeting and intelligence gathering capabilities. Hackers use these capabilities to compromise and eavesdrop on target systems. Once the hacker is on the system, the persistence strategy is one of "low and slow" to allow continued monitoring and data extraction, while avoiding detection.
What makes APTs persistent is that hackers will cycle through an arsenal of techniques until they find a way in.
Some industry pundits dismiss the reference to APTs as a marketing gimmick. Organisations stand accused of seizing on the APT concept to excuse their unwillingness or inability to deal with threats too difficult or complex to deal with adequately, or difficult to shake off or close down without great expense, says Gerry O'Neill, vice-president of the Cloud Security Alliance, UK & Ireland. "But the truth is that there is a different profile of threat operating here - and one which organisations cannot afford to ignore."
APTs are a real and continuing threat to businesses and governments, O'Neill says, and require a heightened threat awareness and defence capability. This must include a re-assessment of the organisation's data at risk and a re-evaluation of the layers of control needed to prevent "low-profile" compromise.
If all the common entry points are blocked, and additional security takes care of the zero-day threats, most organisations should be able to put up a reasonable defence.