Defenses for advanced persistent threats are limited, but tools and strategies – old and new – can help, reports David Cotriss.

What distinguishes advanced persistent threats (APTs) from other cyber attacks? Most conventional security solutions are practically useless against them.
“APTs are immune to all defenses developed over the past eight years,” says Rick Doten, CISO at DMI, a Bethesda, Md.-based cyber security consulting and managed services firm that does work for the federal government. “All the compliance regulations and safeguards are irrelevant.”
Intrusion and anomaly detection, malware detection and deep-packet inspection technologies have been helpful, but they do not protect against intrusions, Doten says. Perpetrators know what security is in place and can get around it.
“You can't rely on your security technology to identify advanced threats as they escalate,” he says. “Ninety percent of the attacks start with a spear phishing email.” However, a problem is that security programs look for abnormal behavior, and APTs appear normal. A perpetrator often is able to infiltrate the VPN and subsequently steal credentials, Doten says.
Phil Ferraro, CISO for DSR Defense Solutions, a Bethesda, Md.-based firm that provides communications and intelligence solutions, explains how an APT attack might work. He says adversaries set up multiple backdoors and probe for vulnerabilities in browsers and applications, and when they find one, they develop a specific exploit to take advantage of the vulnerability. They target certain employees – particularly C-level leaders, security executives, engineers and PR staff. Perpetrators go to social media sites and build a list of people who work for the organization. They create a valid Yahoo or Hotmail email account with that person's name. They then send an email to a company employee with a subject line that is relevant to the organization and a URL in the body, hoping that the recipient will go to the compromised web page and download a file that dials back to the malicious website. The perpetrator can then connect to the computer through an encrypted file and send more malware.
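The delivery step described above (a free webmail account carrying an employee's name, a subject line tuned to the organization, and a link to an outside site) is the part of the chain a mail gateway or SOC can screen for before anything is downloaded. The following is an added example written for this page, not code from the article or from either firm's tooling. It scores inbound messages on those three signals; the organization domain, the free-webmail list, the employee directory, the scoring weights and the sample messages are all assumptions constructed for the illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation domain and free webmail providers (assumption; extend to taste).
ORG_DOMAIN = "example.com"
FREE_WEBMAIL = {"yahoo.com", "hotmail.com", "gmail.com", "outlook.com", "aol.com"}

# Constructed employee directory: normalised display name -> corporate address.
EMPLOYEES = {
    "jane doe": "jane.doe@example.com",   # a C-level target in the scenario above
    "bob smith": "bob.smith@example.com",
}

# Constructed inbound messages (From header, Subject, plain-text body); not real mail.
SAMPLE_MESSAGES = [
    {"from": '"Jane Doe" <jane.doe@example.com>',
     "subject": "Q3 roadmap",
     "body": "Slides are on https://intranet.example.com/q3-roadmap"},
    {"from": '"Jane Doe" <jane.doe2011@yahoo.com>',
     "subject": "Updated subcontractor terms - please review today",
     "body": "The revised contract is at https://docs-share.example-update.net/terms.pdf"},
    {"from": '"Vendor News" <news@vendor.example.org>',
     "subject": "Monthly newsletter",
     "body": "Read it at https://vendor.example.org/news"},
]

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def normalize_name(name):
    """Lower-case, drop punctuation and collapse whitespace so 'J. Doe' and 'j doe' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def is_org_domain(host):
    """True for the organisation's own domain or any subdomain of it."""
    host = host.lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def external_link_domains(body):
    """Host names of every http(s) URL in the body that is not under the organisation's domain."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host and not is_org_domain(host):
            hosts.append(host.lower())
    return hosts


def score_message(msg):
    """Return {'score': int, 'findings': [...]} for one message.

    Assumed weights (tune to your environment):
      +2 display name matches an employee but the address is not on ORG_DOMAIN
      +1 ... and that sender domain is a free webmail provider
      +1 body links to a domain outside the organisation
    """
    display_name, address = parseaddr(msg["from"])
    sender_domain = address.rpartition("@")[2].lower()
    findings, score = [], 0

    key = normalize_name(display_name)
    if key in EMPLOYEES and not is_org_domain(sender_domain):
        score += 2
        findings.append(f"display name '{display_name}' matches employee "
                        f"{EMPLOYEES[key]} but sender is {address}")
        if sender_domain in FREE_WEBMAIL:
            score += 1
            findings.append(f"sender domain {sender_domain} is free webmail")

    external = external_link_domains(msg["body"])
    if external:
        score += 1
        findings.append("external link(s): " + ", ".join(external))

    return {"score": score, "findings": findings}


def triage(messages, threshold=3):
    """(index, score, findings) for every message at or above threshold, highest score first."""
    flagged = []
    for idx, msg in enumerate(messages):
        result = score_message(msg)
        if result["score"] >= threshold:
            flagged.append((idx, result["score"], result["findings"]))
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for idx, score, findings in triage(SAMPLE_MESSAGES):
        print(f"[{score}] {SAMPLE_MESSAGES[idx]['subject']!r}")
        for finding in findings:
            print("   -", finding)
```

Run against the constructed sample, only the second message (the "Jane Doe" account at yahoo.com pointing at an outside document host) crosses the threshold; the genuine internal message scores 0 and the vendor newsletter scores 1 for its external link alone. The display-name check is a heuristic that complements, rather than replaces, SPF/DKIM/DMARC: a message really sent from a yahoo.com mailbox passes Yahoo's own authentication, so domain authentication by itself says nothing about whether a personal account is impersonating a colleague.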
What are the attackers after? They want to steal intellectual property (IP), trade secrets, manufacturing techniques and legal documents. These saboteurs – often because they are nation-states that have resources, sophisticated software and skilled personnel at their disposal – can conduct multiyear intrusions by defeating traditional network defense tools. The intent of APTs, say experts, is to obtain very specific information.
APTs target government agencies and companies large and small, especially those in the supply chain. Subcontractors to defense contractors are popular targets.