As employees and IT professionals return from the holidays, many are doing so with 2014 New Year’s resolutions in mind. For IT pros, we hope that one of your resolutions is to bolster your organization’s security and defenses in 2014. One of the rising threats that many IT professionals should be concerned about defending against in the new year is advanced persistent threats (APTs). According to the 2014 State of the Endpoint Report, conducted by the Ponemon Institute and sponsored by Lumension, 40 percent of organizations experienced an APT attack in the last 12 months. Paul Zimski of Lumension provides an overview of many of the key terms and themes associated with APTs to help keep your organization from becoming one of them.
The overview that follows, identified by Paul Zimski, vice president of solution marketing at Lumension, covers many of the key terms and themes associated with APTs to help your organization defend against such attacks.
These threats are known as advanced persistent threats for a reason. While many believe it refers to the quality of the attack, in fact many attacks are successful using common and relatively basic exploitation techniques. Advanced instead refers to the attacker. They have extreme focus, organization and resources at their disposal, making them more dangerous than common cyber criminals.
The types of attackers that execute APTs against companies typically fall into three categories: nation-states, organized crime groups and hacktivists. Nation-states are the most difficult to defend against and are typically interested in intellectual property and private communications. Organized crime groups are often focused on financial gain, through identity theft, credit fraud and exploitation. Hacktivists attack to cause financial harm to companies they see as an impediment to their cause or as something likely to garner them headlines.
Because targeted threats are typically long-lasting, attackers have time to completely and thoroughly compromise the network. They often have the time to completely map the IT resources of their target, gain nearly every logon credential, including those with elevated privileges, and gain access to the most valuable assets.
It is difficult, but not impossible to defend against APTs. In a recent survey conducted by the Ponemon Institute and sponsored by Lumension, 40 percent of organizations reported being a victim of an APT attack. Of those who had experienced an APT, 45 percent reported that a spear-phishing email sent to an employee was the starting point of the attack. Users are often the first access point for attackers, so user education can be a strong defense. It’s also important to rely on more than one system (patching, anti-malware, whitelisting, etc.) in order to give the attackers more layers they will need to get through before gaining access.
The 2014 State of the Endpoint survey revealed that spear-phishing incidents are the origin of 45 percent of APTs. Often the easiest way for attackers to gain access is directly through an organization’s end users. Using social engineering, they will determine the best way to contact a user in a way that appears legitimate, and use that user as a launching pad for the rest of the attack until the whole system is under their control.
Unlike common viruses, APTs are not aimed at multiple companies at once. An APT attack is often being executed by a team focused solely on one organization. Once that organization has been compromised, the group will continue to work against them for a long period of time until all useful information has been gleaned and the damage has been done. Only then will they move onto another target.
Most APT victims are compromised by an attacker outside their country. China is the most common perpetrator, according to many reports, but certainly not the only one. This can significantly complicate taking legal action against the attacker, as some countries do not have laws against the actions of the attacker or will not prosecute crimes crossing global borders.
“Normal” cyber crime activity is often comparable to a hit-and-run or a bank robbery: Get in, get the goods, erase the evidence, and get out. APTs, on the other hand, tend to stay hidden for long periods of time and will linger in the system, looking for and evaluating what is of value. They will monitor communications by the IT department, to be alerted when the company notices unusual activities, and take steps to evade discovery.
Intellectual property can be one of the most valuable possessions of a company. It can also be the most difficult to detect if it’s gone missing, until a rival company shows up with similar products or processes. Because of the complicated nature of global copyright laws, it can also be difficult to prevent companies in other countries from utilizing another company’s intellectual property once it’s been stolen.
Because of the often global nature of APT attacks, taking legal action can often be difficult. In many cases, the legal authorities who receive the report of the attack do not have the jurisdiction to pursue the attackers, even with enough evidence.
Know your enemy
In the defense against APTs, it’s important to think of the attacker as a person, rather than an attack methodology. Security is traditionally thought of in an if-this-then-that format: if virus, apply antivirus. However, the people behind APTs are determined and will continue to attack until they achieve access, which is what makes them difficult to defend against. By thinking of the attack in terms of the person behind it, it can become easier to thwart.
APT attackers don’t want to get in, grab one piece of information and get out. They want to get as much information from their victim as they can and will often remain in the system for long periods of time, sometimes even years, to get as many different pieces of information as possible.
Malicious and sophisticated
While APTs often start with a simple attack vector, such as spear phishing, the attackers are often quite sophisticated in other methodologies. In order to remain undetected in the system for long periods of time, they must understand the company’s IT resources and databases better than the victim itself. Complicated steps may be taken in order to obfuscate the attacker’s presence.
China has been much accused of executing APTs against American companies, but is far from the only nation-state involved. Iran, Russia, and others have also been implicated. Nation-states often represent the toughest threats, backed by almost unlimited resources and talented attackers. They are most often interested in intellectual property and private communications, which give that country’s industries a competitive advantage or an edge in business deals.
Organized by professionals
APT attackers aren’t bored teenagers looking for some entertainment. They are organized professionals, often looking like regular companies, with project teams, leaders, skill-specific employees and even things like HR and R&D departments.
The scary part about APTs is their persistence. Once a company has been targeted, attackers will often keep on coming until they get in. For this reason, it is important to have many different layers of defense against attack. One or two different technologies are no longer enough. A full security suite of protection, with user education and aggressive monitoring, is needed to keep the new brand of attackers out.
Because APTs must avoid detection, they are often not flashy attacks. Instead, they are quiet, designed to slip into the system without notice and go on being unnoticed for as long as possible. For this reason, they often begin with socially engineered spear phishing, which might not ever raise a red flag without a user’s understanding of what’s occurred.
Report suspicious activity
It’s important that users understand what an attack might look like and how to report it. Users will likely be the first to witness any odd occurrences on their machine or will be the first point of contact for an attack via spear-phishing activity. If they understand how to recognize and report this activity, it can help stop an attack before it starts.
Large organizations are not the only ones who should be concerned with APTs. Even small and medium organizations have information that may be of value to an attacker. They may even have access to a larger company, which puts them clearly in the line of fire. SMBs, as well as large organizations, should consider what data or access they might have that’s of value and how they can protect against attackers.
APT attacks are not random. Victim companies are targeted by their attacker and relentlessly pursued. Unfortunately, there is no way to know which companies are targeted, so all companies who have confidential data or access to it should consider implementing protective strategies.
Because users are often the first point of attack for APTs, it’s important to have an ongoing user education program in place. This should start with the on-boarding process and should not end until an employee terminates their employment. It should include all levels of employees, including the C-suite.
Known, unpatched vulnerabilities have been the source of breaches in the past. It’s important to keep up with vulnerabilities and issued patches, not only from large vendors like Microsoft and Adobe but also for the third-party applications that end users frequently use. The 2014 State of the Endpoint report lists third-party applications as one of the top sources of risk, according to 66 percent of IT professionals.
Whitelisting can be a very successful technology to defend against APTs. Unlike antivirus, which relies on blacklisting technology and can only defend against known threats, whitelisting technologies only allow the “known good” to be executed, protecting against many types of unknown threats. While it can be complicated to the unfamiliar, it is also extremely effective and worth the time to set up.
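To make the “known good” versus “known bad” distinction concrete, here is an added example (not code from the article or from Lumension) that evaluates a few constructed sample binaries against a hash-based denylist and a hash-based allowlist. The file contents, names and both policy lists are constructed for illustration; the point it shows is that a never-before-seen binary, and a tampered copy of an approved one, pass the denylist but are stopped by the allowlist.

```python
import hashlib

# Constructed sample "executables": in-memory bytes standing in for files on disk.
SAMPLE_FILES = {
    "payroll.exe": b"legit payroll application v2.1",
    "calc.exe": b"legit calculator",
    "dropper.exe": b"known malware sample",
    "unknown_tool.exe": b"never seen before binary",
    # Approved binary with one byte appended: a tampered copy of payroll.exe.
    "payroll_tampered.exe": b"legit payroll application v2.1" + b"\x90",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a binary in both policies."""
    return hashlib.sha256(data).hexdigest()


# Policy lists, built here from the constructed samples. A real allowlist would be
# populated from a vetted software inventory or trusted publisher signatures, and a
# real denylist from antivirus signature feeds.
ALLOWLIST = {sha256_hex(SAMPLE_FILES["payroll.exe"]), sha256_hex(SAMPLE_FILES["calc.exe"])}
DENYLIST = {sha256_hex(SAMPLE_FILES["dropper.exe"])}


def denylist_decision(data: bytes) -> str:
    """Antivirus-style: block only binaries whose hash is already known to be bad."""
    return "block" if sha256_hex(data) in DENYLIST else "allow"


def allowlist_decision(data: bytes) -> str:
    """Application control: run only binaries whose hash was explicitly approved."""
    return "allow" if sha256_hex(data) in ALLOWLIST else "block"


def evaluate(files: dict) -> dict:
    """Return {name: (denylist decision, allowlist decision)} for every sample file."""
    return {name: (denylist_decision(d), allowlist_decision(d)) for name, d in files.items()}


if __name__ == "__main__":
    for name, (deny, allow) in evaluate(SAMPLE_FILES).items():
        print(f"{name:22} denylist={deny:5}  allowlist={allow}")
```

The unknown tool and the tampered payroll binary are the cases an APT relies on: nothing in a signature database matches them, so only the allowlist stops them.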
eXamine organizational defenses
IT professionals who have a thorough understanding of their own systems’ strengths and weaknesses have an advantage over those who don’t. Not only are they more cognizant of their organization’s own strengths and weaknesses, they may also be able to detect an attack much sooner by constantly examining the system.
Remember, your defenses are the only thing you can control in an APT attack scenario. Utilize multiple different technologies to defend the network, known as defense-in-depth. This makes it more difficult for an attacker, even a persistent one, to gain access. It gives them more layers of technology that they have to defeat and compromise before they can get in.
Zero-day attacks can be particularly damaging and can be the entry point for an APT attack. Reduce exposure to zero-day attacks by patching aggressively and implementing whitelisting technology, which can help prevent a zero-day payload from being executed by only allowing the “known good” to operate.