APTs: Are they really a concern for all businesses?

Many businesses make themselves vulnerable by failing to consider advanced persistent threats (APTs) in their information security strategy

Stuxnet, Duqu, Flame, and Gauss have nothing to do with businesses that are not involved in finance and critical national infrastructure or government and military contracts – right?

In line with this belief, many businesses are not taking these and other so-called advanced persistent threats (APTs) into consideration as part of their information security strategy, but is this wise?

No, is the answer, according to cyber threat specialists at the Online Threats Managed Services (OTMS) group of RSA, EMC’s security division.

“This attitude of ‘it won’t happen to me’ has got to be broken; all businesses and organisations must understand that it can and probably will happen to them,” said Daniel Cohen, head of business development and knowledge delivery at RSA’s OTMS.

RSA is seeing APT-style attacks on Fortune 500 companies and small to medium-sized businesses alike.

The value of data to cyber criminals

APTs are the latest wave of industrial espionage tools, often carried out by state organisations on behalf of domestic industries, Cohen told Computer Weekly.

In addition, cyber criminals will find a market for just about any data that an organisation holds, so anyone and everyone is a target, said Etay Maor, head of the malware research lab at RSA’s OTMS.

“I can’t think of any data that would not have value. If an organisation is creating and storing data, it must have a value,” Maor told Computer Weekly.

Holders of electronic data need to understand that the barriers to entry are falling all the time, said Maor. Sophisticated malware is now within the reach of just about any would-be cyber criminal.

Maor demonstrated that it does not require any real technical skill or knowledge to download and configure powerful data-stealing tools such as the SpyEye Trojan.

Attacks are also not necessarily tactical: “We are seeing many that have longer term goals and are aimed at stealing intellectual property such as manufacturing processes,” said Maor.

So prevalent are these kinds of attacks, Maor said he would be surprised to find any organisation that does not have some form of data-stealing Trojan lurking on its network.

Plan for cyber attacks

For this reason, said Cohen, all organisations should have a plan to follow in the event of a cyber attack and all employees should know the drill.

Security teams should also have a firm mitigation plan in place and be able to execute it with military precision, Cohen said, once a breach has been detected and the extent of the breach has been determined.

Large corporates are waking up to the threat, but one of the biggest problems is that smaller companies struggle to understand the return on investment in security until they get hit, he said.

Lack of security budget is a common challenge, but smaller companies have got to learn to start getting more out of their existing investments, said Cohen, such as activity logging systems.

“Smaller companies should be looking at their logs to see what is going on in their networks and be on the lookout for anomalous activity,” he said.

Cohen believes cloud-based systems could be of help in this regard as they have made log analysis capability more easily affordable for smaller organisations.  

Wherever possible, he said, organisations should look at implementing systems that can analyse behaviour on the network in real-time to identify anomalous activity and enable security teams to track back from points of infection to determine the exact extent of the breach.
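As an added illustration of the log review Cohen describes (this is example code written for this page, not code from the article or from RSA), the following Python does two things with a constructed connection log: it flags hosts whose outbound connections follow a regular check-in rhythm, the kind of anomalous activity a data-stealing Trojan produces, and it walks internal connections outward from a host already known to be infected to estimate how far the breach has reached. The log format, host names and addresses are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the article): "<time> <src> -> <dst> <proto>"
SAMPLE_LOG = """\
2012-09-03T09:00:00 ws-12 -> 203.0.113.7 http
2012-09-03T09:05:00 ws-12 -> 203.0.113.7 http
2012-09-03T09:10:00 ws-12 -> 203.0.113.7 http
2012-09-03T09:15:00 ws-12 -> 203.0.113.7 http
2012-09-03T09:16:30 ws-12 -> fileserver-1 smb
2012-09-03T09:40:12 fileserver-1 -> db-1 sql
2012-09-03T11:31:09 ws-07 -> fileserver-2 smb
2012-09-03T12:00:00 ws-12 -> 203.0.113.7 http
"""
def parse_log(text):
    """Turn log lines into (time, src, dst, proto) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 5 and p[2] == "->":
            events.append((datetime.fromisoformat(p[0]), p[1], p[3], p[4]))
    return events

def find_beacons(events, min_hits=4, max_jitter=60):
    """Flag (src, dst) pairs that connect at a near-constant interval; one off-beat hit is tolerated."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if sum(abs(g - median) <= max_jitter for g in gaps) >= 0.75 * len(gaps):
            beacons.append(pair)
    return beacons

def trace_from(events, infected, since):
    """Walk internal connections outward from an infected host, in time order, to estimate spread."""
    reached, queue = {infected}, deque([(infected, datetime.fromisoformat(since))])
    while queue:
        host, t0 = queue.popleft()
        for ts, src, dst, _ in sorted(events):
            # dotted-quad destinations are treated as external and are not followed
            if src == host and ts >= t0 and dst not in reached and not dst.replace(".", "").isdigit():
                reached.add(dst)
                queue.append((dst, ts))
    return sorted(reached - {infected})
```

On the sample log, `find_beacons` reports ws-12 checking in with 203.0.113.7 every five minutes, and `trace_from` on ws-12 shows the breach reaching fileserver-1 and then db-1, while ws-07's activity is left out because it was never touched from the infected host.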

Defence in depth against cyber attack

Another growing problem is the trend towards bring-your-own-device schemes, which have the potential to introduce huge security risks, according to Maor.

“The basic assumption of any organisation should be that some parts of their network will be infected, which is why they need to take a defence-in-depth approach,” he said.

Maor said there is no silver bullet, but the best way of tackling the problem is to implement multiple layers of defence and to back that up with comprehensive end-user education around security.

“The weakest link is usually the users. No matter how good the defence technologies are, if a cyber criminal can trick a user into clicking on a malicious link, the damage can be huge,” Maor said.

And the company knows what it is talking about. After RSA was hit in March 2011 by an advanced persistent threat attack that used social engineering and breached data, the company has stepped up internal security awareness training.

Spear phishing, a highly targeted form of social engineering, is at the start of 99% of successful data breaches, said Cohen.

RSA advises other multinationals to follow its example of setting up a global security group that spans all regions and is dedicated solely to ensuring information security.

Maor highlights company websites as another area that requires attention with regard to information security both for organisations and their customers.

Organisations can add another layer of security by ensuring their website is free from phishing activity and has a secure logon process with good authentication technology.

External users can be protected by guarding against malicious websites with similar names, while internal users can be protected by implementing web filtering technologies.

Never before has it been as important for organisations of all sizes to get the security basics right, which includes things like patch management and user access control, said Cohen.

Main defence layers

  • Perimeter: This includes things like anti-virus, firewalls and web filtering. While insufficient on their own, perimeter defences are still important and cannot be discarded;
  • Internal: These are system-based defences found on individual workstations as well as network-based defences such as traffic analysis systems;
  • Intelligence: This is about creating a capability to make security information actionable by correlating defence systems and learning what threats exist and how they work.

Comprehensive approach to APTs

All organisations have to put some work into focusing on advanced threats and make protecting against them part of their basic security strategy, he said.

Cohen emphasises the need for information security teams to have a plan of action to follow in the event of a breach. 

“It is important to understand what is happening and avoid knee-jerk responses that may create opportunities for cyber criminals to step up the attack and gain tactical advantage,” he said.

In summary, RSA’s OTMS group has seen evidence that no organisation can consider itself immune from advanced cyber attacks. All organisations should assume their networks are infected and have a well-tested plan in place to follow when systems are breached.
