The growing challenge of Advanced Persistent Threats

by David Higgins, Regional Director – ANZ, WatchGuard Technologies

In the medical world there is a constant battle against bacteria and viruses that evolve and become resistant to existing treatments and drugs. The same thing is happening in the world of technology.

When computing first emerged as a powerful business tool, protection from threats required little more than the installation of anti-virus software. These tools efficiently scanned for malicious code and kept systems safe from attack.

But, while antivirus is still vital, it is no longer enough. The threats facing IT infrastructures today are evolving rapidly and require increasingly sophisticated responses. Just as in medicine, organisations that fail to stay a step ahead of the threats risk falling victim to them.

The rise of Advanced Persistent Threats

The early viruses and worms that targeted IT systems have evolved into something altogether more powerful and problematic. Dubbed Advanced Persistent Threats (APTs), these attacks rely on malware that can evade many antivirus barriers and cause significant damage and disruption to IT infrastructures.

APTs use a range of techniques to avoid network and device defences. These include encrypted command-and-control channels, kernel-level rootkits and exploits for zero-day vulnerabilities.

As their name suggests, APTs are persistent: they are designed to be stealthy and to remain within a target system for an extended period. Some clean up after themselves by deleting logs, and use strong encryption to evade discovery by security tools.

The effect of these new and rapidly evolving threats has already been seen around the world. Organisations from small businesses to large multi-national companies have fallen victim with some suffering significant financial losses as a result.

For example, in 2013, retailer Target fell victim to an APT that stole the payment card details of around 40 million customers. According to business magazine Forbes, Target's profit fell by 46 per cent during the final quarter of that year, and between 5 and 10 per cent of customers indicated they would never shop there again.

Other high-profile examples include the bank JP Morgan Chase, which in 2014 lost account information on 76 million households and 7 million small businesses, and US health insurance firm Anthem, which had the personal information of about 80 million customers compromised in an attack disclosed in 2015.

In the same year, hackers also targeted the US Office of Personnel Management (OPM) and obtained sensitive information about employees who had undergone background checks for security clearances. According to reports, more than 21 million records were compromised.

The bottom line is that antivirus tools, though still important, no longer provide sufficient protection against the rising tide of threats.

The sandbox approach

One approach being adopted by many organisations is the use of a sandbox. This involves running suspect code within an isolated environment (the sandbox) and observing its behaviour to determine whether it represents a threat before allowing it into the IT infrastructure.

However, malware creators are countering this approach by adding capabilities to their code. They can design their malware to 'sleep' for longer than a sandbox is prepared to wait, so that nothing suspicious happens during the analysis window, or to behave differently if it detects that it is running within a virtual machine, something many IT departments use to host their sandboxes.

A smarter approach is therefore required, and this involves the use of an emulator. Emulator software simulates the functionality of another program or piece of hardware. When suspected malware is run within an emulator it can be led to believe it is not in a sandbox but has, in fact, infected a real system. It will then behave as it would on a victim machine, and that behaviour can be observed and flagged by the security tools.

Unfortunately, malware writers continue to evolve their code, and some have been able to evade even this emulation approach. Because operating system emulators cannot replicate every call a real operating system provides, some malware can spot that things are missing or inconsistent, and remain silent and undetected.

The most effective approach is to undertake full system emulation where the emulator used also simulates physical hardware, including a computer's CPU and memory. This makes it particularly difficult for malware to detect the emulator and more likely that it will become active and be spotted.
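The three moves above (a sample that sleeps past the analysis window, a sample that checks for a virtual machine, and a sandbox that skips the sleep but leaves a visible inconsistency behind) can be modelled in a few dozen lines. The following is an added, constructed example written for this page; it is not WatchGuard code and runs no real malware. The "sample" is a toy stand-in that only records what it would have done, the sandbox classes are hypothetical, and the 600-second sleep and 120-second analysis budget are assumed values chosen to make the outcomes clear.

```python
"""Toy model of sandbox evasion and the sandbox counter-measures.

Constructed example: `sample` stands in for an evasive piece of malware.
It touches no network and runs no foreign code; it only reports the
decision it would take in each environment.
"""
from dataclasses import dataclass, field

SLEEP_BEFORE_ACTING = 600.0   # assumed: the sample waits 10 minutes before acting
ANALYSIS_BUDGET = 120.0       # assumed: a naive sandbox gives each sample 2 minutes


class AnalysisTimeout(Exception):
    """Raised when a sandbox's time budget is exhausted."""


@dataclass
class Sandbox:
    """Environment a sample runs in; subclasses decide what the sample sees."""
    clock: float = 0.0                               # the clock the sample reads
    observed: list = field(default_factory=list)     # behaviour log for the analyst

    def now(self) -> float:
        return self.clock

    def sleep(self, seconds: float) -> None:
        raise NotImplementedError

    def hypervisor_present(self) -> bool:
        return True      # a plain VM-hosted sandbox does not hide itself

    def record(self, event: str) -> None:
        self.observed.append(event)


class NaiveSandbox(Sandbox):
    """Really waits; the sample is killed when the analysis budget expires."""
    def sleep(self, seconds: float) -> None:
        if self.clock + seconds > ANALYSIS_BUDGET:
            raise AnalysisTimeout
        self.clock += seconds


class SleepSkippingSandbox(Sandbox):
    """Returns from sleep at once but forgets to advance the clock."""
    def sleep(self, seconds: float) -> None:
        return           # inconsistency: the sample can see no time passed


class ConsistentEmulator(Sandbox):
    """Skips the wait, keeps the sample's clock consistent, hides VM artefacts."""
    def sleep(self, seconds: float) -> None:
        self.clock += seconds     # time appears to pass exactly as requested

    def hypervisor_present(self) -> bool:
        return False


def sample(env: Sandbox) -> str:
    """Toy stand-in for an evasive sample; returns the action it chose."""
    start = env.now()
    env.sleep(SLEEP_BEFORE_ACTING)
    # Evasion 1: did the requested time really elapse? Skipped sleeps give the sandbox away.
    if env.now() - start < SLEEP_BEFORE_ACTING:
        env.record("dormant: clock skipped")
        return "dormant"
    # Evasion 2: is this a virtual machine? Stay quiet rather than expose the payload.
    if env.hypervisor_present():
        env.record("dormant: hypervisor detected")
        return "dormant"
    env.record("beacon: connect to command-and-control")   # the behaviour a detector wants to see
    return "beacon"


def analyse(env: Sandbox) -> dict:
    """Run the sample in `env` and return the verdict an analyst would get."""
    try:
        outcome = sample(env)
    except AnalysisTimeout:
        outcome = "timeout"
    malicious = any(e.startswith("beacon") for e in env.observed)
    return {"outcome": outcome, "malicious": malicious, "events": list(env.observed)}


if __name__ == "__main__":
    for cls in (NaiveSandbox, SleepSkippingSandbox, ConsistentEmulator):
        print(f"{cls.__name__:22} {analyse(cls())}")
```

Only the third environment sees the beacon: the naive sandbox times out before the sample acts, and the sleep-skipping sandbox is betrayed by its own clock. The same pattern applies to every other artefact an emulator exposes, which is why the text argues for emulating the whole system rather than patching individual checks.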

Simple detection is not enough

However, while detection of malware is a vital step in ensuring system security, it is not the end of the process. IT teams need to receive clear, actionable information that alerts them to the problem before any damage occurs.

Teams need to be alerted, for example by email, when harmful files are found, and be given a clear indication of why the file is considered malicious, so that the alert is not dismissed as a false positive.

Such tailored alerts can ensure that remedial action can be undertaken quickly, rather than the threat being lost in a sea of notifications and log files.

Advanced Malware Detection is key

Hacking techniques will continue to evolve and the threats being faced by organisations will become ever more complex. Clearly the security approaches that have been used in the past are no longer sufficient.

The signature-based malware detection that has been widely used in the past is no longer able to cope with the increasingly sophisticated pieces of malware being produced. Antivirus and intrusion prevention systems, while still vital, must be supplemented with new Advanced Persistent Threat detection tools that have four key characteristics:

  • A sandbox capable of full system emulation and with the ability to analyse multiple file types

  • An ability to extend beyond the sandbox and detect different forms of advanced malware

  • Good visibility so IT teams receive clear, actionable alerts of all detected malware and explanations of why it has been identified

  • The capability to proactively take action and block malicious code when it is detected.

Just as is the case for the doctors and medical researchers battling bacteria and viruses, the battle to maintain strong security remains an ongoing challenge for all organisations.

By deploying sophisticated APT detection tools and gaining effective visibility into their networks, organisations can give themselves the best possible chance of detecting malware before it has a chance to carry out its intentions within their IT infrastructure.
