When a Fortune 500 company received an alert that its intellectual property was being siphoned from its network, IT security personnel were able to stop the theft of the important data within 21 minutes. Because the exfiltration was discovered in-process, they were also able to turn the tables on the perpetrator of the cyber crime and retrieve the stolen information from the hacker's FTP site. Fortunately for this organization, its network security solution provided the ability to discover and stop advanced persistent threats (APTs) throughout the threat lifecycle – in this case during the exfiltration phase. Without this ability, the company would have experienced an actual loss of data.
So, why is understanding the threat lifecycle so important? There is a perception that most threats are malware-based, and that having an anti-malware protection device in place at the “main” entry point to the network will adequately protect against APTs. In fact, only 28 percent of threats lodged against large companies are malware attacks, according to the 2012 Verizon Data Breach Investigations Report. If this were a baseball game and a fielder allowed 70 percent of all balls hit his way to get by him, he wouldn't be a Gold Glove candidate – he'd probably be on the bench.
In order to match wits with – and stop – sophisticated and stealthy APTs, you need to look beyond the entry points and monitor the entire threat lifecycle. There are many ways in which an APT can enter a network, and even more ways it might act once inside. The key is identifying the APT before it has exfiltrated valuable information.
It's also useful to think of an APT not as a “what” but as a “who” – a person or group of people, often from a nation-state or a criminal organization, trying to steal something for financial gain. To better understand how to protect against these APTs throughout the entire threat lifecycle, we need look no further than our national pastime. As you're probably aware, a baseball game is comprised of two teams, each getting three outs an inning over the course of nine innings to outscore their opponent. Each team sends a batter to the plate, one at a time, who then attempts to safely reach base with the goal of rounding the base paths to score a run at home plate. Like an APT, the batter has one main purpose: to get on the base paths and wreak havoc, with the end game of securing something of value.
An APT is similar in that it is initially focused on infiltrating the network; it then propagates throughout the network, and ultimately moves to exfiltrate the valuable target information – scoring the run.
Infiltration is the first phase of the advanced threat lifecycle and the initial penetration point of the enterprise network. This is the way that the APT gets into the network. There are many ways this can happen – it can be a server-side attack or a client-side attack; it can be as sophisticated as a zero-day exploit or as simple as guessing somebody's password; it may be malware-based or non-malware-based; in rare cases (think Stuxnet), it may not even be network-based. In each of these scenarios, the attacker gains access to and control of (“compromises”) an enterprise computing device (an “asset”) such as a desktop or laptop computer, a server, a tablet, or a smartphone.
In baseball, the batter assumes the role of infiltrator. It is his job to safely reach base. Just like threats can access the network in many ways, the batter can also access the base paths via a number of methods. He can reach base safely via a base hit, can receive a free pass via base on balls, can be hit by a pitch, or can reach base on a dropped third strike. Once on base, the batter has gained access to the other team's “network.”