Defenses for advanced persistent threats are limited, but tools and strategies – old and new – can help, reports David Cotriss.
What distinguishes advanced persistent threats (APTs) from other cyber attacks? Most conventional security solutions are practically useless against them.
“APTs are immune to all defenses developed over the past eight years,” says Rick Doten, CISO at DMI, a Bethesda, Md.-based cyber security consulting and managed services firm that does work for the federal government. “All the compliance regulations and safeguards are irrelevant.”
Intrusion and anomaly detection, and malware and deep packet inspection technologies have been helpful, but do not protect against intrusions, Doten says. Perpetrators know what security is in place and can get around it.
“You can’t rely on your security technology to identify advanced threats as they escalate,” he says. “Ninety percent of the attacks start with a spear phishing email.” However, a problem is that security programs look for abnormal behavior, and APTs appear normal. A perpetrator often is able to infiltrate the VPN and subsequently steal credentials, Doten says.
Phil Ferraro (right), CISO for DSR Defense Solutions, a Bethesda, Md.-based firm that provides communications and intelligence solutions, explains how an APT attack might work. He says adversaries set up multiple backdoors and probe for vulnerabilities in browsers and applications and when they find one, they develop a specific exploit to take advantage of the vulnerability. They target certain employees – particularly, C-level leaders, security executives, engineers and PR staff. Perpetrators go to social media sites and build a list of people who work for the organization. They create a valid Yahoo or Hotmail email account with that person’s name. They then send out an email to a company employee with a subject line that is relevant to the organization and a URL in the body, hoping that the recipient will go to the compromised web page and download a file that dials back to the malicious website. The perpetrator can then connect to the computer through an encrypted file and send more malware.
What are the attackers after? They want to steal intellectual property (IP), trade secrets, manufacturing techniques and legal documents. These saboteurs – often because they are nation-states that have resources, sophisticated software and skilled personnel at their disposal – can conduct multiyear intrusions by defeating traditional network defense tools. The intent of APTs, say experts, is to obtain very specific information.
APTs target government agencies and large and small companies and small companies, especially those in the supply chain. Subcontractors to defense contractors are popular targets.
“The goal is to take hold of an organization’s core assets, says Ian Amit (left), director of services at Seattle-based computer security services firm IOActive. “It’s not a snatch-and-grab effort.”
Most companies are not even on the lookout for APTs, says Joel Yonts, chief scientist at research firm Malicious Streams. He often finds such a wide range of network infections on his clients’ systems that he sometimes finds it is difficult to determine the source of the anomalous behavior.
Every company should have an incident response plan, no matter what its size, experts agree. Small companies can rely on consultants to conduct a risk assessment and design a plan to protect the company from APTs. The consultant should be kept on retainer for incident response. APTs are a business risk, not just an IT problem, and C-level executives have to be involved.
While IOActive’s Amit says a written incident response plan is important, companies must keep in mind that some of it will always be obsolete. Every asset and every attack is different.
Everyone on the team must be clear about their responsibilities. The main objective of the incident response plan is to protect the network. Companies should maintain a current list of contacts at remote sites to be able to pull a remote machine off the network quickly, says Malicious Streams’ Yonts.
It’s important to train employees so they know what to look for. “Keep your users paranoid,” says Doten. “Ask why a box is communicating when others aren’t. Why is it configured differently than other boxes?”
Also, companies should use penetration testing to simulate an attack on the network. “Done correctly, it can [ensure] that the risk management practice addresses the right assets and puts the right controls in place,” says Amit. Furthermore, it provides an opportunity to put these procedures and policies to the test. He recommends that most stakeholders should not know that the test is an exercise.
DSR’s Ferraro recommends using sandbox techniques to examine emails on the fly and to search for anomalous behaviors. A technology that is still developing is browser virtualization, which Ferraro says is quite promising. It puts browser sessions in a protective bubble, and as soon as a session closes — any malware is gone.
Too, employee education is important, but Ferraro says that simply providing annual training for all employees is inadequate. Vigilance has to be constant, especially regarding clicking on links in email. Executive leadership needs to be mindful of potential reputation damage to a company. This is especially important for defense contractors and subcontractors that might lose business as a result of intrusions.
Amit adds that companies should understand the trends in their industries regarding IP because attacks are usually coordinated across industries. He says companies should ask, from a business perspective, “Who are my adversaries? Who would benefit from stealing information from me?”
Consultants agree it’s important to allow a threat to exist in order to discover how far it has penetrated and to discover who is behind it. “The first impulse is to shut down the exposure, but that’s the worst thing you can do,” says Amit. “You lose so much information that way. You need to research where the threat came from.”
One company’s approach
Being a defense contractor exposes Lockheed Martin to a slew of APTs. Internal cyber analysts examine every persistent threat launched against the network using the company’s intelligence-driven cyber kill chain technique. The kill chain describes the structure of the intrusion and guides analysis to inform actionable security intelligence. It is set up to model the seven steps every attack has to go through to be successful. “If we stop them at any of the stages of the attack, we are successful,” says Chandra McMahon, Lockheed’s chief information security officer. “Our goal is to stop the attack as early in the cycle as possible. With the cyber kill chain methodology, as we analyze the attack we look at how far along they were able to progress. We model what would have happened if the delivery occurred.”
Lockheed groups the fingerprints of an attack because they have similar identifying information. The groups are then made into campaigns that represent APTs and are added to an intelligence repository. Lockheed also performs simulated penetration testing and plays out various threat scenarios.
While not every company can afford in-house forensic resources, a managed services approach based on best practices provides an affordable alternative, say experts.
APT: Best practices
While the danger from advanced persistent threats is only growing, experts say there are a number of strategies enterprises could, and should, put in place.