Security Think Tank: What should businesses do to ensure their IT defences resist APTs?

Security threat reports are increasing, identifying targeted and advanced, persistent threats (APTs) as top priorities for all organisations of all sizes and sectors. The reality of APTs has recently been demonstrated by the successful theft of information from security firm, RSA. In the light of these advisories and the RSA data breach, what should businesses be doing to ensure their IT defences can resist targeted, advanced, persistent (APT) attacks?

Mike Westmacott

Chair, BCS Young Professional's Information Security Group

Security Consultant, Information Risk Management plc

The presence of APTs in the Infosec landscape is neither surprising nor particularly new. What is changing now is the number of well-organised threat agents and the type of target that is being attacked. The acronym should also be used with care when categorising threats, as 'persistent' clearly indicates the ongoing nature of the attack. By categorising an attack as an APT, it is usually because there have been a series of similar attacks, with one or more attributes staying constant, such as the origin or the attack method. It is rarer to have a single attack that lasts for an extended period of time, but not unknown. Various companies involved in mining have been suffering DDoS attacks since 2009. Here, the common APT attributes are that the attack type is DDoS, the targets are involved in mining and the origin is primarily Chinese ISPs. Here the exact reasons for the attack are unknown, unlike the attacks against TJX and a string of other retail chains between 2005 and 2008 by a single group, which netted over 90 million credit card numbers.

The primary defence against attacks is to ensure the organisation understands why it may be attacked. In the case of TJX this is simple, clearly less so with the mining company attack. It may help an organisation to bring in an external consultancy to work through this process as they won't be blinkered by the day-to-day activities of the organisation, and will bring with them a wealth of experience in understanding threat agents and attacks. The aim is to be able to draw up a risk register that will allow the allocation of funds and resources to protect the assets which are most valuable to the organisation - which may include business processes as well as information such as financial and banking information.

Applying a defence-in-depth strategy to implementing a security programme is essential, together with regular testing of the areas of the organisation that have been deemed to have the highest risk ratings. Of increasing importance is the ability to know when an attack is underway, and how to gather evidence to be able to understand the purpose and origin of the attack. Network forensics systems and tools can be installed onto a network to continuously monitor and record all network activity. In the event that an attacker has been able to compromise a network, and has been cleaning his or her tracks by removing evidence from servers, then a standalone network traffic recorder can provide information on how the breach occurred and what information may have been compromised. By bringing together in-house capabilities with third-party expertise in the form of a network forensics capture and analysis service, an organisation can reach an acceptable level of risk with regards to APTs and blended threats. Such an approach will also prove invaluable in the event that an attack (successful or not) does take place, as it will help the company to continuously improve its security posture.

Avivah Litan

vice-president and distinguished analyst, Gartner

No single layer of fraud prevention or authentication is enough to stop determined fraudsters. Multiple layers must be employed to defend against today's attacks and those that have yet to appear:

1. Endpoint-centric layer. This involves technologies deployed in the context of the user and the endpoint they use, such as secure browsing applications or hardware, and transaction signing devices. Transaction signing devices can be dedicated tokens, telephones, PCs and more. Out-of-band or dedicated hardware-based transaction verification affords stronger security and a higher level of assurance than in-band processes do. The technologies in this layer can typically be deployed faster than those in subsequent layers, and go a long way towards stopping malware-based attacks.

2. Navigation-centric layer. This monitors and analyses session navigation behaviour and compares it to patterns that are expected on that site, or to rules that identify abnormal and suspect navigation patterns. It's useful for spotting individual suspect transactions as well as fraud rings.

3. User- and account-centric layer for a specific channel (e.g. online sales). This monitors and analyses user or account behaviour and associated transactions and identifies anomalous behaviour using rules or statistical models. It may also use continuously updated profiles of users and accounts, as well as peer groups for comparing transactions and identifying the suspect ones.

4. Layer that is user- and account-centric across multiple channels and products (e.g. online and in-store sales). As with layer 3, it looks for suspect user or account behaviour but also correlates alerts and activities for each user, account or entity across channels and products.

5. Entity link analysis layer. This enables the analysis of relationships among internal and/or external entities and their attributes (e.g. users, accounts, account attributes, machines, machine attributes), to detect organised or collusive criminal activities or misuse.

A layered fraud prevention approach provides defence in depth and is the best policy for preventing and containing losses. Organisations should define a framework that they can build to, and that provides the rationalisation needed to implement different moving parts. Start by deploying lower levels of the layered stack to help stave off immediate threats, with the assurance that these layers are part of an overall strategy that relies on basic fraud prevention principles, such as user and account profiling that have generally stood the test of time.

Adrian Davis

Information Security Forum (ISF)

principal research analyst

Wikipedia states that APT usually refers to a group, such as a foreign nation state government, with both the capability and the intent to persistently and effectively target a specific entity to gain information. It's currently the vogue to label all information security attacks or incidents an APT, but that would be misleading. An APT is not just malware, and not all organisations will be the victims of APT.

An APT will probably use a "low and slow" profile, and a number of methods to breach defences, including malware, social engineering and infected devices such as USB sticks. Typically, any malware used in the attack will have been tested for its ability to remain undetected by commercial AV products - or will be downloaded via an infected URL. Social engineering or placing someone 'on the inside' may form part of the attack to gain access and bypass perimeter or similar defences. The combination of threats multiplies the target's defensive difficulties.

To defend against APT, organisations should do the basics - patch management, awareness, access control and regular review and audit of logs, systems and networks, for example - as these provide a level of security that will reduce the likelihood of opportunistic hacking or accidental compromise. Additionally, there are three key activities that should be adopted. First is adopting an incident management process specifically to deal with APT and rehearsing it. The second is good network management and security, as this will assist in identifying unusual traffic patterns associated with APT and may allow the organisation to disrupt the APT. Last is awareness: getting staff to report unusual happenings on their PC, odd or strange phone calls, or the loss or theft of IT equipment can help to alert an organisation to APT.

Ionut Ionescu

(ISC)2 European Advisory Board

APTs are not a misnomer or a 'rebadging' of older threats. They are a class of new, composite and multiple malignant threats that are akin to a multi-headed nuclear cruise missile. APTs cannot be defended against with the old approach, which has been to throw more tools at the problem. What we need is more patience in understanding our technology domain and more skilled security professionals applying judgement to detecting and responding to these.

If one looks at well-publicised APTs, like Stuxnet, it is very quickly apparent that they used not only attack vectors specific to sometimes obscure equipment, but also attack vectors against well-known, publicised and patchable vulnerabilities. This means that, by doing a lot of the bread-and-butter good practice security things - such as having a vulnerability management programme in place, patching, continuously testing the security posture of our infrastructure - we should be able to detect some of these APTs.

Another factor in dealing with APTs is to challenge our existing assumptions about what is secure and what is not. Relying on outdated conceptions - such as the ones that assumed that programmable logic controllers (PLCs) are not really exposed to attack, or that SCADA networks are air-gap isolated from the internet - is not enough.

We also need to move from a perimeter-based mentality to one where every component is "taught karate", meaning that security controls need to be asset-specific and live with the asset, akin to, say, host-based IDS (HIDS), rather than relying on another device upstream or downstream protecting that particular asset.

Thirdly, we need correlation and a new breed of disaster recovery planning. As APTs may exploit known or unknown vulnerabilities, and they may propagate using a number of different ways, we need to increase our ability to correlate signalling from our domain, for example, getting intelligence reports about a new flaw in a typical office application, linked with attempts by unidentified callers to obtain the email addresses of certain personnel, coupled with a mistake in a firewall configuration, coupled with another device not responding to polling, or seeing increased traffic. We need to be able to piece these together and look for the next APT targeting us.

In summary, defending against APTs is like solving a puzzle, a game of thinking, lateral thinking, patience and imagination.

John Walker

London Chapter ISACA Security Advisory Group and

Director of Communications Common Assurance Maturity Model

Cyber threats targeting today's organisations impose significant operational pressures, on both financial and human resources, supporting the mission of securing the enterprise. However, with the now-recognised advent of advanced persistent threats (APT), and advanced evasion techniques (AET), all rolled up into zero-day exploits, the incumbent task of provisioning real-time, robust security has raised the game to another level.

The security industry and its solutions can be very much on the back-foot, with the challenge of new exploits, and vulnerabilities, being closely followed (hopefully) with some form of technological mitigation, or workaround. However such a Modus Operandi by inference can, and does, manifest in a window of opportunity which hosts a surface of attack for exploitation!

Another noteworthy challenge faced by the security technologists is the imposition of advanced persistent technology (APT). APT is the necessary evil of circumstance in which the provisioning of business solutions, applications and developments exists, feeding the business objectives for satisfying leading, and at times bleeding edge, solutions - presenting yet another security challenge.

When it comes to defending against the opportunities of unwanted incursions, or compromise of malicious proportions, unfortunately there is no one-stop-shop solution close at hand. Thus a little imagination needs to kick in to assure a level of ground-up, pragmatic security is accommodated.

Of course the first port of call is to assure that perimeter defences are deployed in the form of anti-malware, firewalls, IDS and IPS, but don't, for one moment, consider these to be the providers of maximised security. The problem here is that this external set of applications and configurations has a lot to contend with: complex rules, connections and, of course, anticipation of that new zero-day exploit. So as strange as it may seem, even after they have been fully patched and are up to date, consider them susceptible to failure!

They say knowledge is power, and so the second line of defence is that of situational awareness (SA). Derived from interfacing with both vendor and third party alerting systems, SA can be successfully leveraged in support of proactive notification of newly discovered exploits and vectors of attack, to provision the ability to see a little further beyond the cyber horizon.

Line of defence number three arrives aligned to the most valuable asset any business has - its personnel. Notwithstanding they may be providing secretarial support, are developers, or are the chief executives, ensure that they are provided with an adequate level of security awareness and education training to enable an appreciation of any encountered suspicious conditions. In such circumstances, the personnel of the organisation can represent the human IDS, who just may generate the early warning of attack.

The final frontier is after all else has failed, and is focused on the resilience of secure builds and patch levels of the internal systems. Granted, they may still be open to the impact of a zero-day, but research has demonstrated that even after high-profile security notifications were issued regarding old exploits, such as the Sasser virus, systems are still encountered even today deep inside organisations' infrastructures. And of course, don't forget those in-house developed applications - consider using a security approach such as OWASP.

At the end of the day, good security management is about understanding, and staying on top of, risk, with the accommodation of the processes and procedures which may be invoked if all else fails - no one-stop-shop is available as yet, so it must come down to pragmatism and imagination.

Peter Wood

London Chapter ISACA Security Advisory Group and

CEO of First Base Technologies

Recent advanced persistent attacks on enterprises have shown that the attackers' first foothold into the organisation often involved a spear phishing attack utilising a zero-day exploit. Conventional security software cannot detect a zero-day attack, nor can it prevent someone opening an email attachment if they are determined to do so. Yet we persist in looking for "silver bullet" solutions to protect our businesses. There must be a clever combination of hardware and software that will defend against these attacks, right?

Defending against targeted attacks is not a simple matter. APT attacks typically combine a number of vectors, including social engineering, for which there are few, if any, viable technical countermeasures.

This leads to a clear conclusion: we must explain the threats - and the consequences - to everyone in the organisation, so that they can become part of a human firewall. It is no longer viable or appropriate to treat employees as something to be controlled, blocked or locked down. Consumerisation and social networking have changed the security landscape irrevocably and the attackers know how to exploit this. Our network perimeters have been eroded and undermined by advances in technology and changes in working practices. Unless we consider our employees and colleagues as intelligent people who will understand the threat to their employer - and hence their salaries and livelihood - these types of attack will continue to prevail.

If we treat our staff as children, or even potential criminals, then that is how some of them will respond. Let's stop talking down to people, let's treat them as adults and explain the real risks and the potential consequences of a successful attack. Let's provide guidance on protecting their personal information as well as the organisation's data and everyone will win - except the criminals.

Vladimir Jirasek

Director of Communications, CSA UK & Ireland and Project lead CAMM

APT stands for advanced persistent threats, an old military term which referred to activities sponsored by certain countries or actors. Today, the term is used when advanced hacking activities occur that require multiple steps and knowledge of the target. That knowledge makes it very difficult to defend completely against APT, as actors in the APT attack will use whatever technique works in that specific case.

However, not all hope is lost. There exist good old techniques that help slow down, detect or even deter APT attacks.

Let's start with assets. Knowing what you need to protect is the most important task. Without that, the security controls will concentrate on the easy picks, rather than where it actually matters. Good documentation, impact assessments and risk assessments are rather important here.

Next, limit the access to the crown jewels from as few places as possible. And this does not just apply to direct connections but rather to indirect ones, as hopping between intermediate servers can lead to the target one. If a connection between 'crown jewel' servers and users is needed, use an intelligent proxy that can understand the access requests and enforce the access policy.

The concept of 'least privilege' will help as well. For example: domain administrators not running their Windows PC under their admin accounts. Or everyone's favourite, "grant all to app_user on customers.*;", which should definitely be avoided.

Let's continue with users' security awareness, which is repeatedly neglected. That means your users do not know how to act when something goes wrong. Also, policy consistency is the key. If the policy says 'Do not click on links in e-mails!' then do not send company e-mails that have links in them!

Lastly, detection is king. Many APTs will be successful, but if the detection is in place the window of opportunity for attackers will be very small. Behavioural analysis of activities on the network, in your applications and in data stores is needed. Is your application account, used for the web ordering service, just running a 'select * from customers;' query against the database? Would you like to know why?
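As an added example of the behavioural detection described above (not code from the article or any of its contributors), the following Python script baselines a service account's expected query profile and flags out-of-profile queries in a constructed database audit log. The log format, the account names, the table names and the row-count threshold are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Expected query profile per database account (assumed values for this example):
# the tables the account may touch, tables it must never read unfiltered, and a
# per-query row-count ceiling derived from its normal traffic.
PROFILES = {
    "app_user": {                       # account used by the web ordering service
        "tables": {"orders", "products", "customers"},
        "require_filter_on": {"customers"},
        "max_rows": 500,
    },
}

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) rows=(?P<rows>\d+) q=(?P<q>.*)$")
TABLE_RE = re.compile(r"\b(?:from|join|into|update)\s+([a-z_.]+)", re.I)

@dataclass
class Finding:
    line_no: int
    account: str
    reason: str
    query: str

def tables_in(query: str) -> set[str]:
    """Tables referenced after FROM/JOIN/INTO/UPDATE (sufficient for audit-log triage)."""
    return {t.lower() for t in TABLE_RE.findall(query)}

def has_where(query: str) -> bool:
    return re.search(r"\bwhere\b", query, re.I) is not None

def analyse(log_lines):
    """Return a Finding for every query that falls outside its account's profile."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a query record; ignore it
        user, rows, q = m["user"], int(m["rows"]), m["q"].strip()
        profile = PROFILES.get(user)
        if profile is None:
            findings.append(Finding(n, user, "no behavioural profile for account", q))
            continue
        touched = tables_in(q)
        unknown = touched - profile["tables"]
        if unknown:
            findings.append(Finding(n, user, f"table outside profile: {sorted(unknown)}", q))
        if touched & profile["require_filter_on"] and not has_where(q):
            findings.append(Finding(n, user, "unfiltered read of sensitive table", q))
        if rows > profile["max_rows"]:
            findings.append(Finding(n, user, f"row count {rows} exceeds baseline", q))
    return findings

# Constructed audit-log excerpt: two normal lookups, then the bulk
# 'select * from customers;' read the article asks about, a read of a table the
# account never uses, and a query from an account nobody has profiled.
SAMPLE_LOG = [
    "2011-05-10T09:12:01Z user=app_user rows=1 q=select id,name from customers where id=4412",
    "2011-05-10T09:12:05Z user=app_user rows=3 q=select * from orders where customer_id=4412",
    "2011-05-10T03:41:17Z user=app_user rows=92331 q=select * from customers;",
    "2011-05-10T03:42:02Z user=app_user rows=14 q=select * from employees",
    "2011-05-10T03:43:09Z user=svc_backup rows=500 q=select * from orders",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.account}: {f.reason}: {f.query}")
```

The two normal lookups produce no findings; the bulk read is flagged twice (no filter on the sensitive table, and a row count far above the baseline), which is exactly the "why is the ordering account doing this?" question the text raises.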

Gerry O'Neill

Director, Inforisca Services, and

vice-president, Cloud Security Alliance, UK & Ireland

Firstly, let's deal with the definitional challenge. Advanced persistent threat is a recently coined term which has been variously applied to some high-profile hacks and data compromises, including the Stuxnet attack on Iran, the RSA SecurID compromise and, most recently, the Sony PlayStation Network breach. But what is it that characterises the advanced and persistent nature of these attacks, in a way which sets them apart from 'regular security breaches', and more importantly what do organisations need to do differently in order to defend against them?

The term APT has been applied in circumstances where an organised activist group or a nation-state sponsored team are suspected of having undertaken a process of targeted infiltration and data capture or manipulation, usually over a long term, and with a very low detection profile. The objective of most such attacks appears to have been one of national or commercial espionage, more so than damage-based attacks such as denial-of-service, although the degree of infiltration also makes DoS a real possibility.

Some industry pundits and detractors dismiss the reference to APTs as a marketing gimmick and accuse organisations of seizing the concept in order to excuse their unwillingness or inability to deal with threats which are both advanced (too difficult or complex to deal with adequately) and persistent (difficult to shake off or close down without great expense).

The truth is that there is a different profile of threat operating here - and one which organisations cannot afford to ignore. The attackers have advanced techniques, usually in the form of blended attacks across a number of approach channels, giving them multiple targeting and intelligence gathering capabilities through which to compromise and eavesdrop on target systems. Once there, the persistence strategy is one of 'low and slow' to allow continued monitoring and data extraction, while avoiding detection. And if access is closed down, they can usually successfully reconnect.

The approach to defending against such attacks needs to take four phases:

1. In-depth defence: This will engage aspects such as staff and contractor vetting, effective access management, defined 'compartmentalisation' of key information assets, and monitoring controls. This approach should also involve liaison with other relevant functions across the organisation, such as Physical Security, HR, Fraud and Operational Response teams, and should also involve sector-led intelligence reports and alerts, where available.

2. Detection: This needs to be of a higher order capability than traditional log reviews, and should involve logging and monitoring capabilities to detect out-of-profile activity or anomalous data traffic (such as those used for fraud detection), with follow-up investigation processes.

3. APT Incident Response: When you have a confirmed APT-type incident, this will need a defined approach to determine how to close down attack or eavesdropping activity while preserving forensic evidence. Senior Executives and the Corporate Communications function should be engaged to ensure that PR messages are crafted and released so as to minimise brand damage.

4. Recovery: Post-event analysis is essential to confirm lessons learnt from the events, including how the attack was introduced and carried out, as well as strengthening the in-depth controls, both technological and procedural, which should prevent recurrence.

In conclusion, APTs are a real and continuing threat to businesses and governments, and require a heightened threat awareness and defence capability. This includes a reassessment of the organisation's data-at-risk and a re-evaluation of the layers of control needed to prevent 'low-profile' compromise.