The aptly named advanced persistent threat (APT) is a type of network attack in which an attacker selects a specific target, uses social engineering and advanced technologies to break into a network and then focuses on that target for weeks, months or years until the attack has successfully played out (or been thwarted). Once inside a network, the attacker's goal is to remain undetected while using some type of malware to capture confidential information, which is ultimately sent to a different location for analysis and then sold on the black market.
APTs are highly organized, sometimes with a complete staff, and have plenty of monetary and technological resources. Although APTs may use common hacker tools, they more often employ sophisticated, customized software that's less likely to be picked up by a security protection system. Types of APTs or delivery mechanisms include zero-day attacks, phishing, advanced malware and a variety of Web compromises.
This article looks at five ways to protect an organization's assets from APTs. All are important.
1. Implement defense in depth
Security experts emphasize the need for layered security (aka, defense in depth) as part of a regular network security strategy, and defense in depth is also one of the best approaches to stopping an APT before it infiltrates a network. This means controlling network entry and exit points, using next-generation firewalls, deploying intrusion detection/prevention systems and security information and event management (SIEM) systems, implementing a vulnerability management system, using strong authentication and identity management, keeping security patches up to date and implementing endpoint protection.
Because malware is often the source of APTs, you also need highly reliable solutions that address the risk of malware. Because APTs may rely on cutting-edge technologies, your security equipment needs to step up, too, which means selecting advanced behavior-based detection solutions whenever possible.
[Related: You’ve been hit with ransomware. Now what?]
Your goal is to make initial penetration of the network difficult, but should that layer be compromised, each additional layer of security must then pose a significant further hurdle, either stopping the attack from spreading or slowing it down long enough to be detected and handled. Because attackers continually update their tools and look for new vulnerabilities -- chinks in the armor -- your tools must be current as well.
Note: Over $1.9 billion was spent on APT prevention solutions in 2015, and such outlays are expected to surpass $6.7 billion by 2019 (The Radicati Group, 2015).
Not every security solution has to be a budget buster, either. For example, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is a free Windows-based security tool that supplements existing security defenses to help detect and block vulnerability exploit techniques. InfoSec Institute's SecurityIQ is a service that lets you send mock phishing emails to staff to test their security awareness. And strong internal security policies and regular security and risk assessments are also vital to ensure that security controls are focused where they matter most.
2. Employ detection and monitoring techniques
Close monitoring of security controls helps you identify early warning signs of an APT, which often appear as log file and data traffic anomalies, and other out-of-profile activities. It's critically important to monitor all inbound and outbound network traffic, internal traffic, and all devices that access your network. Continuous monitoring not only helps you detect suspicious activity as early as possible, it also reduces the potential for privilege escalation or long-term intrusions. And the output from monitoring may serve as forensic evidence if an attack gets to that point.
3. Use a threat intelligence service
Several security vendors offer threat intelligence services in which raw data about emerging threats is gathered from several sources, and then analyzed and filtered to create usable, actionable information. That information is often in the form of data feeds for security control systems, as well as management reports aimed at IT managers and C-level executives to help them understand the threat landscape for their industry. The key to threat intelligence is the correlation of global intelligence with threats to an organization's own network, giving security personnel the ability to quickly identify and address high-risk threats in real time.
APTs may spread using different methods, and may focus on vulnerabilities not yet known to security companies, so it's essential to recognize indications of an APT as early as possible. Threat intelligence often provides the missing link that ties anomalies in network log data with a zero-day vulnerability, for example. Connecting the dots is what counts, however it plays out.
4. Perform security awareness training
Nearly every discussion of IT security mentions the necessity of security awareness training, for good reason. Getting employees to truly understand the dangers in clicking iffy links in emails and recognizing social engineering techniques -- and gaining the employees as partners in the fight against security threats -- helps protect networks and the data they hold.
[Related: Are IT executives blind to cybersecurity threats?]
Training of this sort needs to include a quick review of the organization's security policy, as well as the consequences to each employee should a security incident occur as a result of their actions. This may mean additional training, an HR write-up or immediate dismissal, depending on the circumstances. But keep in mind that a typical employee wants to do well in his or her job and does not want to be the reason for company losses stemming from an attack. Accentuating the positive during awareness training -- and offering incentives for being security-minded -- is the best approach.
5. Plan for incident response
Even with the best of efforts and high-dollar technologies in place, an organization's security will be breached at some point: most experts agree that it's not a matter of "if" but "when." Implementing a solid incident response plan can shut down an attack, minimize damage and stop further data leakage, all of which minimize the reputation or brand damage that can follow.
In addition to spelling out which job role is responsible for which actions, from identification through resolution, your incident response plan should include steps for preserving forensic evidence of the breach. Your organization may need that evidence to prosecute an attacker, if apprehended (which, unfortunately, is not likely).
Forensics also serve to help your security team identify security gaps to strengthen controls and prevent recurrences. It's also a good idea to review the Lockheed Martin Cyber Kill Chain, which is an attack model that addresses each sequence of a security event. Knowing how an attacker identifies a target and moves through the stages of an attack may help security personnel recognize an attack early in the process.
Every organization, regardless of size, is susceptible to APTs. Understanding how an APT operates, building the best defense within your reach and educating your staff to recognize something fishy can limit damage and, in some cases, prevent an attack from occurring in the first place.
This story, "5 tips for defending against advanced persistent threats" was originally published by CIO.