The term Advanced Persistent Threat (APT) is today used to describe everything from single spear phishing attempts to major, coordinated, state-sponsored cyberattacks. But what exactly is an APT and how should enterprises protect themselves from it? We talked to Alex Lei, Director of Security Solutions, Asia South Region and Korea, Symantec, to find out more.
Q: How different are APTs from other forms of cyberattacks?
Alex Lei: APTs are far more sophisticated and insidious than traditional cyberattacks. They zero-in on a particular individual or organisation.
Most threateningly, APTs stay below the radar and can evade detection for long periods, which make them especially effective and dangerous. Unlike the get-quick-money schemes typical of common attacks, APTs have loftier goals such as economic espionage or political sabotage.
Key differences of APTs from the usual cyberattacks are:
- Customised attacks:APTs often use highly customised tools and intrusion techniques such as zero-day vulnerability exploits, viruses, worms, and rootkits.
- Low and slow approach:APT attacks occur over long periods of time with continuous monitoring and interaction by attackers until they achieve their goals.
- Specific targets: While any large organisation with intellectual property can be a target, each APT is aimed at a much smaller range of targets (often just one in the entire world) to accomplish a specific purpose. In addition, APTs may attack vendor or partner organisations that do business with their primary targets.
- Highly damaging:The attackers generally know what the most valuable assets are. They will repeatedly try different techniques to reach all the assets to ultimately steal or destroy them, depending on their motive. These types of attacks will severely damage the competitive advantage and the financial well-being of the victim firms.
How prevalent are APTs in Asia?
While an APT is a type of targeted attack, not every targeted attack is an APT. However, targeted attacks are now an established part of the threat landscape-according to
Symantec's Internet Security Threat Report Volume 19, the number of targeted attacks rose by 91 percent from 2012 to 2013. Attackers have shifted from the common "spray and pray" approach to more stealthy attack campaigns. These average attack campaigns also lasted three times longer, contributing to the overall efficiency of the attacks.
If you consider the threat pattern of having specific targets and a slow approach, the outlook for cyberattacks points towards more sophisticated attacks or APTs. With the attraction of Asia as an engine of growth, the prevalence of APTs in this region's threat landscape will definitely be par for the course.
Should APTs be a top security priority for all organisations in Asia?
Although APT attacks are highly focused on specific targets, partner companies which act as a conduit to the main organisation also run the risk of being attacked. Thus, APTs should remain high on the security horizon as organisations with a better understanding of APTs can take effective steps to defend against APTs as well as targeted attacks of any type.
How should organisations in this region prevent themselves from falling prey to APTs?
The advent of APTs means that companies need to review their security framework with a fresh set of eyes and potentially overhaul the framework. Thus, the best way forward for any organisation to defend against APTs is to ensure that they are well defended against all targeted attacks.
To that end, they should undertake risk assessment in four key areas that can help uncover potential risks from targeted attacks:
- Malicious Activity: Uncover and analyse malicious activities in an environment.
- Targeted Attacks: Look for evidence of infection specific to your organisation.
- Data Loss: Find data spills that could be targets for hackers.
- Vulnerability: Analyse web applications, databases, servers, and network devices for vulnerabilities.
Once they have completed risk assessments, they can proceed to address key security areas to strengthen. This can be done through a combination of holistic solutions such as Endpoint Security, Data Centre Security, Managed Security Services and a Security Awareness Program for Employees.
What skills should security professionals today possess to enable them to better prevent and deal with APTs?
With the increasing complexity of the threat landscape, security professionals need to adopt a holistic approach for security, supported by both technical means, and critical analysis skills.
The sophistication of APTs signals the need for security professionals to change their mindset-they need to evolve from planning a strategy purely around attack prevention to additionally adopting a detection and mitigation strategy that will limit the volume and severity of the breaches, and help alleviate and mend the damages. This shift in mindset is critical to get professionals to consider a holistic approach that involves not just endpoint and data centre protection, but also on the intangible elements such as employee education on security best practices.
Critical analysis skills will also come in handy when dealing with APTs, particularly in the detection of APTs when they are in the "low and slow" phase of the attack. They will be required to spot nuanced signs in the company's networks that may reveal the existence of a Trojan Horse lying low within, or detect subtle changes in activity on their networks to uncover malware.