Advanced persistent threats (APTs) are real and all companies should be taking them seriously, says telecommunications company AT&T.
In the past year, the company has set up an IT security team dedicated to researching APTs and making recommendations on how to defend against them.
The research has shown that typically, these attacks are stealthy and target core data.The team has concluded that defending against ATPs requires focused, ongoing action, said Joe Bentfield, executive director of security technology at AT&T.
“Information security professionals need to up their game as these attacks can bring companies to their knees,” he told attendees of the 2012 (ISC)2 Security Congress taking place in Philadelphia.
Business leaders need to understand that the effect of an APT can be game changing, he said, such as losing all competitive advantage when intellectual property is targeted.
“APTs are mission specific; they are targeted at your company, they use your weaknesses, they are persistent and deep-penetrating, and they evolve as you evolve your defences,” said Bentfield.
“This may sound as if APTs are something only big companies need to worry about, but this applies to all organisations,” he said.
Read more about APTs
- APTs: Are they really a concern for all businesses?
- Half of UK networks vulnerable to APTs
- Surviving cyberwar: Preparing for APTs, Stuxnet malware-style attacks
- Hardening the network against targeted APT attacks
AT&T’s research has shown that APTs typically target security controls to bypass then to access financial information, intellectual property, business strategy, and employee and customer information.
In building a defence strategy, Bentfield says his team has drawn up several scenarios that look what attacks may target, how they might attack, how those attacks could be prevented or mitigated, how those attacks could be detected, and how the company could respond to and recover from those attacks.
These attacks scenarios have enabled AT&T’s information security team to draw up a list of things that can be done to improve the security posture of the company. These include:
• Maintaining a list of systems and people at risk
• Creating an APT checklist for assets at risk
• Investing in APT detection and analysis tools
• Refining incident response for APTs
• Creating ready to use APT response tactics
• Preparing an APT forensic response plan
• Deploying good automated backup systems
• Encrypting all sensitive data
• Increasing use of external threat intelligence
• Focusing on APTs in security awareness training
Significantly, AT&T has implemented a policy of requiring least privilege and authentication for all intranet services because the security team believes trust-based access is a weakness that must be eliminated.
The company is also seeking to address APT risks in its supply chain by requiring all suppliers to report any security breaches that may affect its own business.
Bentfield said APTs typically exploit human vulnerabilities to penetrate organisations, and for that reason AT&T has deployed sandboxed web browsing and file viewing in an effort to remove any malware before it reaches any users.
The research team is also looking at the value of implementing hardware-based security measures using trusted platform modules (TPMs) found on the motherboards of most modern computing devices.
“Using TPMs could be helpful to prevent malware from getting into computer memory and preventing RAM scraping – used by attackers to find login credentials,” said Bentfield.
Other APT defence tactics deployed or under consideration by AT&T include:
• Virtualising remote access to avoid transfer of data
• Putting ATP recognition systems in the network
• Implementing last login review
Network traffic flow analysis is an important element of APT defence, according to Bentfield. Command and Control (C&C) is the one weakness of APTs, he said.
“At some point there has to be communication with C&C, especially when data is being exfiltrated, so it is important to monitor for any spikes in network traffic,” he said.
Similarly, organisations should be analysing DNS metadata to look for any unusual names, analysing email logs to see if there are any mismatches between the originating IP address and the sender the message appears to be from, and analysing HTTPS/SSL logs and data packets for any anomalies.
Bentfield also recommends community collaboration around APTs so that organisations can learn from each other about the attacks and detection methods in use.
“The very definition of APT implies success against you and your organisation; never before has detection and response been so important. Preparation is paramount,” he said.