A lot has been written in the media recently about APTs, but there seems to be a level of confusion out there about what this phenomenon is and how this could affect us. Within this brief article, I shall try and shed some light on the phenomenon that is APTs!
So let’s start off with a definition – APTs are posed by entities that have a vested interest in breaking into your cyber defences usually not for financial gain, but to get access to other assets such as Intellectual Property, trade secrets, national secrets or other items of immense, ongoing value.
APTs are made up of three key components as described below:
The entities engaged in these attacks have access to a vast array of resources to ply their trade. They are at the other end of the spectrum compared to script kiddies and will usually have access to a vast array of computer intrusion technologies and techniques.
They are regarded as persistent because they usually will have a specific target in mind and go for it with everything. This is distinct from the traditional notion of hacking where intruders usually ‘smash and grab’, generally for financial gain. In the case of APTs the idea is to gain access to a part of the network (usually using social engineering techniques such as a spear phishing attack – with the increase in social networking, getting information about potential targets is almost trivial these days) and then elevate privileges until they have access to the desired part of the infrastructure.
Once access has been gained, the intruders will look for, and gather, what they want. Two critical differences with this type of attack are going ‘low and slow’ to avoid detection by traditional means of security such as IPSs, and maintaining remote access to the network via backdoors so that further attacks can be mounted later if desired. Some very large companies of late have fallen victim to APTs. Names that pop up include Sony and RSA overseas, and the likes of Rio Tinto and BHP locally.
Simply put, these guys are real and out to get you if they really want to. Vulnerabilities exist in every system and zero day vulnerabilities are particularly hard to defend against. However, on their own vulnerabilities are benign unless there is a threat agent out there willing and able to exploit the vulnerability. That is the threat posed by perpetrators of APTs.
So what does this all mean? To sum it up, the game has not changed, but the rules are a bit different. Using a rugby analogy, it’s almost like we had been playing against Georgia to date and all of a sudden we have come up against the All Blacks. The vulnerabilities and risks are relatively the same, but we now have to change the game plan and bolster our defences in order to counter the increased threat.
Having spoken about the threat and the risk it poses to us, let’s now turn our attention to what can be done about this. At a high level, the following things are particularly applicable in this case:
- Layers of defence
Yes, nothing different or extraordinary here. Most networks tend to be ‘hard on the outside and soft and gooey on the inside’. Once the external layer of defence is broken it’s all open slather. The traditional model of perimeter-based security is no longer applicable. With increased dealings with third parties, the perimeter is blurring fast. This is further complicated by Bring Your Own Technology (BYOT), whereby even your employees’ endpoints can no longer be trusted. Social engineering based attacks such as spear phishing exploit access already granted to a trusted insider. Both of these will occur within your network, and perimeter-based defences will largely be useless against them.
The idea is to collapse the perimeter to house just your core systems and critical assets inside it, and treat everything outside this as untrusted. The easiest way to visualise this is to see every system as composed of a number of layers, like an onion, with each layer requiring protection. This is depicted below with an illustration of the possible protection that could be applied at each layer. I have defined each security measure in Appendix 1, and what defence is applied to a system will depend on its criticality. This is a good segue into my next point.
- Know your assets
Know what your IT assets are and what they mean to your organisation, i.e. their criticality. We all have limited budgets, so we need to apply just enough controls to protect the information within the system, but not spend so much on it that it becomes not cost effective. Know what your information assets are, classify them according to criticality and protect them appropriately.
- Know that attacks will happen
Have the ability to detect these AND respond to these. I cannot overstress the ability to be able to respond. It is pointless knowing that something has gone astray and having no ability to respond to it. Plus this response capability needs to be 24x7. If you cannot, or do not want to, run a 24x7 security shop then you might want to consider getting hired help and outsourcing this. After all, no one turns their network off when they go home at night. Please note that traditional forms of security are not completely useless. Learn to detect even the slightest change in network traffic patterns, e.g. data going out of your network that you wouldn’t typically expect to see going out, or going out at odd times. Remember, APTs employ a ‘low and slow’ approach and would typically harvest and extract data remotely over an elapsed period of time.
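As an added illustration of the detection idea above (this is example code written for this article, not a tool or ruleset the author describes), the script below summarises constructed outbound flow records per internal host and flags two of the patterns just mentioned: egress outside business hours, and a host whose outbound volume is well above the median of its peers. The log format, the internal address ranges, the 08:00 to 18:59 business window and the 3x median threshold are all assumptions for the demo.

```python
"""Flag 'low and slow' style egress in a small set of constructed flow records.

Assumptions (not from the original article): a whitespace-separated flow log
of 'timestamp src dst dst_port bytes_out', RFC 1918 ranges as 'internal',
08:00-18:59 as business hours, and >3x the median per-host egress as unusual.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59 local time (assumed)
VOLUME_FACTOR = 3.0             # flag a host sending > 3x the median (assumed)

# Constructed sample flows: one internal host (10.0.1.20) trickles data out
# at night and then sends a large burst; the last line is internal-only traffic
# that must be ignored by the egress check.
SAMPLE_FLOWS = """\
2024-03-04T09:15:00 10.0.1.10 203.0.113.5 443 52000
2024-03-04T10:40:00 10.0.1.11 203.0.113.5 443 48000
2024-03-04T11:05:00 10.0.1.12 198.51.100.9 443 51000
2024-03-04T14:30:00 10.0.1.10 203.0.113.5 443 55000
2024-03-04T02:10:00 10.0.1.20 198.51.100.77 443 30000
2024-03-04T03:12:00 10.0.1.20 198.51.100.77 443 31000
2024-03-04T15:00:00 10.0.1.20 198.51.100.77 443 400000
2024-03-04T12:00:00 10.0.1.13 10.0.2.5 445 900000
"""


def parse_flows(text):
    """Parse the constructed log format into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def egress_flows(flows):
    """Keep only flows that leave the internal address space."""
    return [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]


def analyse(flows, hours=BUSINESS_HOURS, factor=VOLUME_FACTOR):
    """Per-host egress summary: total bytes, off-hours timestamps, volume flag."""
    per_host = {}
    for f in egress_flows(flows):
        host = per_host.setdefault(str(f["src"]), {"bytes_out": 0, "off_hours": []})
        host["bytes_out"] += f["bytes"]
        if f["ts"].hour not in hours:
            host["off_hours"].append(f["ts"].isoformat())
    if not per_host:
        return {}
    # Baseline is the median of all hosts' totals, so one noisy host does not
    # drag the threshold up the way a mean would.
    baseline = median(h["bytes_out"] for h in per_host.values())
    for host in per_host.values():
        host["volume_flag"] = host["bytes_out"] > factor * baseline
    return per_host


def suspicious_hosts(flows):
    """Hosts with either off-hours egress or an unusual outbound volume."""
    report = analyse(flows)
    return sorted(h for h, d in report.items() if d["off_hours"] or d["volume_flag"])


if __name__ == "__main__":
    for host, details in analyse(parse_flows(SAMPLE_FLOWS)).items():
        print(host, details)
    print("suspicious:", suspicious_hosts(parse_flows(SAMPLE_FLOWS)))
```

In a real deployment the baseline would be built from weeks of history per host rather than from a single day's peers, and the window would be tuned to each business unit, but the shape of the check is the same: summarise egress per host, compare to what that host and its peers normally do, and alert on the outliers rather than on any single packet.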
- Realise that breaches will happen
Have effective and tested incident response procedures so that you can detect, stop, quarantine and recover from an attack.
Within this short article I have tried to explain what APTs are, their impact to businesses and how to protect against them. APTs represent a much tougher opposition, but the game is still the same. And just as the All Blacks aren’t invincible, neither are these bad guys, so long as we know what we are protecting and are prepared to protect it from multiple avenues.