Risk assessment for APTs

The prevalence and continued success of so-called advanced persistent threats (APTs) often represents a failure of risk management calculations

Since 2010, the UK’s National Security Strategy has rated cyber attacks as a 'tier one' threat to national and economic security, and computer emergency response teams (CERTs) in most other industrialised countries have made similar assessments.

Cyber attacks take many forms, from simple denial of service attacks through to sophisticated information theft. However, one class of attack stands out as the most effective and damaging.

These attacks are “advanced” in their ability to evade detection and are “persistent” in their ability to move laterally within networks and remain resident in order to gather information over extended periods of time.

The assertion is not that risk management processes are fundamentally broken, or that the professionals implementing them are deficient. After all, these processes usually work well for us in every other area. It is simply that the inputs to this particular calculation have become distorted through a specific set of factors:

1. Most malware is not targeted

Web and email vectors account for almost all malware, and most of it is pretty indiscriminate. A mid-sized organisation will be exposed to thousands of malware attacks a month. This creates a lot of background noise against which APTs do not stand out.

2. The impact of most malware is trivial

The most visible malware payloads are fake anti-virus suites, SMTP mass mailers and aggressive adware. Even the ubiquitous Zeus Trojan can be perceived to have low business impact when it targets personal bank accounts. When impact calculations are made using the aggregated impact of all (or all observed) malware, the result will be low.

3. The effectiveness of existing controls is over-estimated

Some organisations take comfort in the fact they have deployed anti-malware technology to treat this risk. This comfort often lies in the assumption that a good antivirus suite will stop almost all malware. Unfortunately, antivirus was designed for (and still works best with) threats that change infrequently and have a very wide distribution – the polar opposite of an APT.

Others place faith in desktop controls such as limited account privileges and application whitelisting. However, today even the most basic malware has the capability to escalate privileges and hijack or masquerade as legitimate system processes.

Furthermore, conventional methodologies for measuring the effectiveness of these controls struggle to keep up with the rapid evolution of cyber threats, which can allow inadequate controls to escape scrutiny.

The effect on risk management calculations

The probability of APT occurrence is underestimated because it is lost in the general malware noise. The impact of occurrence is also underestimated, this time because the aggregated impact of all observed malware is trivial. As a result, the standard, if simplified, method of calculating risk (threat × probability × impact) becomes distorted. Moreover, the false sense of security offered by under-performing controls reduces the perceived residual risk.

This problem occurs when we conflate all malware as a single threat for risk assessment purposes. A better approach is to split malware out into different classes of threat and assess them separately. When we do this for APTs in isolation, the calculation is no longer distorted and the elevated risk is clear.
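To make the distortion concrete, here is an added worked example (not from the article) that applies the simplified calculation above first to all malware as a single class and then per class; the threat classes, event counts, impact scores and control effectiveness figures are constructed assumptions, not measured data.

```python
"""Added worked example (not the article's own): the simplified risk calculation
(threat x probability x impact) applied once to 'all malware' versus per class.
Threat and probability are folded into an observed event rate; all numbers are
constructed for illustration."""
from dataclasses import dataclass

@dataclass
class ThreatClass:
    name: str
    events_per_month: float       # observed occurrences (threat x probability proxy)
    impact: float                 # business impact of one successful event, 0-100
    control_effectiveness: float  # assumed share of events the control stops, 0-1

# Constructed sample: commodity noise dominates the counts; APT is rare but severe,
# and the existing signature-based control is assumed to stop very little of it.
SAMPLE = [
    ThreatClass("fake_av", 1200, 2.0, 0.95),
    ThreatClass("spam_bot", 800, 1.0, 0.95),
    ThreatClass("adware", 600, 0.5, 0.90),
    ThreatClass("banking_trojan", 50, 5.0, 0.80),
    ThreatClass("apt", 2, 95.0, 0.10),
]

def residual_risk(events, impact, control_effectiveness):
    """Simplified risk = events x impact, less the share the control stops."""
    return events * impact * (1 - control_effectiveness)

def aggregated_view(classes):
    """Conflate all malware into one threat: event-weighted average impact and
    control effectiveness applied to the total event rate (APT impact diluted)."""
    total = sum(t.events_per_month for t in classes)
    avg_impact = sum(t.events_per_month * t.impact for t in classes) / total
    avg_ctrl = sum(t.events_per_month * t.control_effectiveness for t in classes) / total
    return {"events": total, "avg_impact": round(avg_impact, 3),
            "avg_control": round(avg_ctrl, 3),
            "residual": round(residual_risk(total, avg_impact, avg_ctrl), 2)}

def per_class_view(classes):
    """Assess each class separately, as the article recommends."""
    return {t.name: round(residual_risk(t.events_per_month, t.impact,
                                        t.control_effectiveness), 2) for t in classes}

def dominant_class(classes):
    """Class carrying the most residual risk once classes are assessed separately."""
    risks = per_class_view(classes)
    return max(risks, key=risks.get)
```

With this sample the aggregated view reports an average impact of about 1.5 and a residual of roughly 255, while the per-class view puts the APT class at 171 of a 411 total, the largest single contributor despite only two events a month. Assuming commodity-level control effectiveness (0.95) for the APT class would shrink its residual to 9.5, which is the over-estimation of controls the article describes.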

The search for better malware controls

So, we have established that the impact of APTs is much higher than we previously calculated, and that our current controls are less effective than we thought. We should now consider if better or additional controls are available to help us.

1. Signature-less controls

Reliance on signatures, databases, lists or any other form of prior knowledge cannot help us counter the APT threat. New controls must be signature-less.

2. Exploit detection

Detecting and understanding the exploit is critical. All subsequent phases of an attack can be obfuscated or encrypted, rendering existing controls against executables and callbacks useless. If you miss the exploit, you miss the attack. Controls must detect APT exploits even when they are zero-day or heavily obfuscated, and at a minimum they must cover the two main exploit vectors (browsed web pages and emailed documents).

3. Actionable intelligence without noise

New controls must add actionable intelligence without increasing the overhead on already overstretched security teams. They must also assist with root cause analysis so that the frequency of malware infections can be reduced over time.

Jan Coulson is a systems engineer at security firm FireEye