Advanced Persistent Threats (APTs) — a Synopsis

  • Ashwin Pal (CSO Online (Australia)), 29 February 2012 14:37

A lot has been written in the media recently about APTs, but there seems to be a level of confusion out there about what this phenomenon is and how this could affect us. Within this brief article, I shall try and shed some light on the phenomenon that is APTs!

So let’s start off with a definition – APTs are posed by entities that have a vested interest in breaking into your cyber defences usually not for financial gain, but to get access to other assets such as Intellectual Property, trade secrets, national secrets or other items of immense, ongoing value.

APTs are made up of three key components as described below:

  • Advanced

    The entities engaged in these attacks have access to a vast array of resources to ply their trade. They are at the other end of the spectrum compared to script kiddies and will usually have access to a vast array of computer intrusion technologies and techniques.

  • Persistent

    They are regarded as persistent because they usually will have a specific target in mind and go for it with everything. This is distinct from the traditional notion of hacking, where intruders usually ‘smash and grab’, generally for financial gain. In the case of APTs the idea is to gain access to a part of the network (usually using social engineering techniques such as a spear phishing attack – with the increase in social networking, getting information about potential targets is almost trivial these days) and then elevate privileges until you have access to the desired part of the infrastructure.

    Once access has been gained, the intruders will look for, and gather, what they want. Two critical differences with this type of attack are going ‘low and slow’ to avoid detection by traditional means of security such as IPSs, and maintaining remote access to the network via backdoors so that further attacks can be mounted later if desired. Some very large companies of late have fallen victim to APTs. Names that pop up include Sony and RSA overseas, and the likes of Rio Tinto and BHP locally.

  • Threats

    Simply put, these guys are real and out to get you if they really want to. Vulnerabilities exist in every system, and zero-day vulnerabilities are particularly hard to defend against. However, on their own vulnerabilities are benign unless there is a threat agent out there willing and able to exploit them. That is the threat posed by perpetrators of APTs.

So what does this all mean? To sum it up, the game has not changed, but the rules are a bit different. Using a rugby analogy, it’s almost like we had been playing against Georgia to date and all of a sudden we have come up against the All Blacks. The vulnerabilities and risks are relatively the same, but we now have to change the game plan and bolster our defences in order to counter the increased threat.

Having spoken about the threat and the risk it poses to us, let’s now turn our attention to what can be done about this. At a high level, the following things are particularly applicable in this case:

  • Layers of defence

    Yes, nothing different or extraordinary here. Most networks tend to be ‘hard on the outside and soft and gooey on the inside’. Once the external layer of defence is broken it’s all open slather. The traditional model of perimeter based security is no longer applicable. With increased dealings with third parties, the perimeter is blurring fast. This is further complicated by Bring Your Own Technology (BYOT), whereby even your employees’ endpoints can no longer be trusted. Social engineering based attacks such as spear phishing exploit access already granted to a trusted insider. Both of these will occur within your network, and perimeter based defences will largely be useless against them.

    The idea is to collapse the perimeter so that it houses only your core systems and critical assets, and to treat everything outside it as untrusted. The easiest way to visualise this is to see every system as composed of a number of layers, like an onion, with each layer requiring protection. This is depicted below with an illustration of the possible protection that could be applied at each layer. I have defined each security measure in Appendix 1; what defence is applied to a system will depend on its criticality. This is a good segue into my next point.

  • Know your assets

    Know what your IT assets are and what they mean to your organisation, i.e., what their criticality is. We all have limited budgets, so we need to apply just enough controls to protect the information within the system, but not spend so much on it that it becomes not cost-effective. Know what your information assets are, classify them according to criticality and protect them appropriately.

  • Know that attacks will happen

    Have the ability to detect these AND respond to these. I cannot overstress the need to be able to respond. It is pointless knowing that something has gone astray and having no ability to respond to it. Plus, this response capability needs to be 24x7. If you cannot, or do not want to, run a 24x7 security shop then you might want to consider getting hired help and outsourcing this. After all, no one turns their network off when they go home at night. Please note that traditional forms of security are not completely useless. Learn to detect even the slightest change in network traffic patterns, e.g. data going out of your network that you wouldn’t typically expect to see going out, or going out at odd times. Remember, APTs employ a ‘low and slow’ approach and would typically harvest and extract data remotely over an elapsed period of time.

  • Realise that breaches will happen

    Have effective and tested incident response procedures so that you can detect, stop, quarantine and recover from an attack.
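The ‘low and slow’ detection point above is worth making concrete. The following is an added example, not code from the article or CSO: it aggregates constructed outbound flow records per internal host and external destination and flags pairs whose individual transfers each stay below a per-transfer alarm threshold, yet add up to a large volume across several days with transfers outside assumed business hours. The thresholds, working hours and sample addresses are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed outbound flow records (timestamp, internal src, external dst,
# bytes out). Illustrative values only, not data from the article.
SAMPLE_FLOWS = """\
2012-02-20T09:15:00 10.1.1.20 203.0.113.9 20480
2012-02-20T10:02:00 10.1.1.20 203.0.113.9 18000
2012-02-21T02:30:00 10.1.1.31 198.51.100.7 450000
2012-02-21T03:05:00 10.1.1.31 198.51.100.7 470000
2012-02-22T02:40:00 10.1.1.31 198.51.100.7 460000
2012-02-22T14:10:00 10.1.1.20 203.0.113.9 25000
2012-02-23T02:55:00 10.1.1.31 198.51.100.7 480000
"""

BUSINESS_HOURS = range(7, 20)   # assumed working hours, 07:00 to 19:59 local

def parse_flows(text):
    """Turn whitespace-separated flow lines into (datetime, src, dst, bytes)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows

def find_low_and_slow(flows, per_flow_limit=500_000, total_limit=1_000_000, min_days=3):
    """Flag (src, dst) pairs whose transfers each stay below per_flow_limit
    (so a per-event IPS rule would not fire) but whose total over at least
    min_days distinct days exceeds total_limit, with at least one transfer
    outside business hours. This is the aggregate view a per-event rule lacks."""
    pairs = defaultdict(lambda: {"bytes": 0, "max_flow": 0, "days": set(), "off_hours": 0})
    for ts, src, dst, nbytes in flows:
        rec = pairs[(src, dst)]
        rec["bytes"] += nbytes
        rec["max_flow"] = max(rec["max_flow"], nbytes)
        rec["days"].add(ts.date())
        if ts.hour not in BUSINESS_HOURS:
            rec["off_hours"] += 1
    alerts = []
    for (src, dst), rec in pairs.items():
        if (rec["max_flow"] < per_flow_limit and rec["bytes"] >= total_limit
                and len(rec["days"]) >= min_days and rec["off_hours"] > 0):
            alerts.append({"src": src, "dst": dst, "total_bytes": rec["bytes"],
                           "days": len(rec["days"]), "off_hours_flows": rec["off_hours"]})
    return alerts

if __name__ == "__main__":
    for alert in find_low_and_slow(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

In the sample, the daytime host never trips the rule, while the host sending under half a megabyte each night for three nights does, because the detector keys on the multi-day aggregate rather than any single transfer.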

Within this short article I have tried to explain what APTs are, their impact on businesses and how to protect against them. APTs represent a much tougher opposition, but the game is still the same. And just as the All Blacks aren’t invincible, neither are these bad guys, so long as we know what we are protecting and are prepared to protect it from multiple avenues.
