Advanced persistent threats - are businesses prepared?
Businesses usually attain adequate levels of IT defences at the point that it becomes more cost effective for cyber criminals to target someone else.
Businesses usually attain adequate levels of IT defences at the point that it becomes more cost effective for cyber criminals to target someone else.
But a problem arises when organisations fail to recognise that they are being targeted by advanced persistent threats (APTs) which are designed to get around most defences.
While a set of defences may be adequate to protect data against general cyber criminal attacks, that is not the case with APTs.
By their very definition, they are persistent, which means they are usually highly targeted, not bound by the budget constraints of general attacks, and above all, that attackers do not give up until they succeed in finding a way into a targeted network.
Although organisations that control or operate parts of a country's critical national infrastructure and contractors who work for government or military organisations are common targets, these are not the only organisations that need to be wary of APTs.
Who is at risk?
Almost any large organisation could be targeted by APTs, says Amichai Shulman, chief technology officer at security firm Imperva, especially if they are the focus of cyber espionage operations backed by nation states that want to gain commercial advantage for local businesses.
"Such campaigns need not necessarily be backed by enemy states, but may include friendly nations that compete in the global market, and want to promote home-grown enterprises," he says.
All these organisations are typically targeted by APTs, and although the goal and effort of the attacks may differ, they are never opportunistic and attackers will attempt multiple attack methods until they succeed.
Traditional defences will not deter such attacks because the potential gains for the attackers are so high that they will invest a lot of resources in crafting sophisticated, multi-stage technical attacks, says Shulman.
While industrial hackers typically choose one attack method to go after several targets, APTs use one type of attack after another against a single target until they find a weakness in its defences.
"The reality is that most organisations balance security requirements with the need to keep the business running, and often the balance is in favour of business continuity," says Shulman.
Consequently, he says, there is almost always a way to craft attacks that will bypass standard security settings, which is what usually happens with APTs.
How can you spot attacks?
If almost any large organisation is liable to be targeted by APTs, what are the tell-tale signs?
A series of attacks that touch on different places in a system or infrastructure is the first thing to look for, says Shulman.
Industrialised cyber attacks tend to focus on a single location, but APTs usually move from application to application sequentially trying to find a way in.
Organisations cannot rely on Security Information and Event Management (SIEM) systems to pick up these kinds of attacks, says Shulman, because they look at events taking place across the network at the same time, but do not tie up sequential events.
Most APTs start at the application level, he says, and try to poke a hole in web applications, which is the most obvious attack surface in modern organisations.
Another common method is to infect PCs on a targeted network with malware that will create a back door to give attackers access.
Using insiders is also an increasingly popular approach, says Shulman. "It is often easier and cheaper to pay off someone in an organisation to steal information than to spend money on developers to craft customised malware."
How can you defend against such attaks?
What should organisations be doing to defend against APTs?
First, says Shulman, carry out an analysis to see whether an organisation is at risk of such threats.
A risk analysis will not only tell an organisation if it needs to spend time and resources on mitigating APTs, he says, but will enable it to spend security budgets more cost effectively, by matching security investments to level of risk.
Where organisations believe they are at risk of APTs because of the kind of information they hold on their networks, they should immediately establish a process for reviewing all security alerts and attacks, even those that have been blocked.
"Most organisations discard this information. They are happy that their firewalls and anti-malware solutions are blocking threats, and do not look at what their systems are picking up to identify any surges or trends that might be part of an APT campaign," says Shulman.
Where there is a threat of APTs, he says organisations cannot simply mitigate attacks, but need to keep track of what is happening and monitor and analyse what is being blocked to help refine controls around what they think will be targeted next.
"If organisations can identify ongoing efforts to break into their network, then they should alert law enforcement agencies and allocate extra resources to protect the information being targeted by attackers," says Shulman.
An important element of defending against APTs, he says, is maintaining a balance between all areas of security rather than investing most resources in the latest threats.
"IT security professionals must ensure that while they are adding mitigations for new threats, they do not neglect old attack methods, because attackers never do," says Shulman.
Finally, organisations at risk of APTs, as well as all other organisations, should try to pinpoint areas of their IT system and data that are at risk, then isolate them as much as possible and put effort around those, rather than try to create the same high level of protection across the network, which is usually not practical, as demonstrated by the recent publication of thousands of "sensitive" US government documents, says Shulman.
"Organisations need to define what is core information and enable true control over it, because if they attempt to watch thousands of documents that have been incorrectly classified as 'sensitive,' they are bound to fail" he says.