Hiding in Plain Sight
If today’s advanced persistent threats (APTs) have not yet penetrated your systems and data, you can be certain they will.
Criminals design these modern, sophisticated hacking processes to gain unauthorized, undetected access to public and private networks. Sponsored by nation-states, organized crime, terror organizations and hacktivists, APT developers are well funded and patient, continuously evolving their hacking tactics, tools and techniques until they successfully penetrate their targeted systems and data.
by Nicholas Handy
To counter such threats, organizations need a multidisciplinary defense that delivers continuous intelligence and awareness, responds rapidly to disrupt APTs that already have penetrated their systems, and proactively anticipates and responds to these threats as they rapidly evolve.
An APT’s goal is to hide within normal network traffic to gain access to high-value information over an extended period. Once it gains a foothold, it can expand across an organization’s infrastructure and introduce further malware attacks. Successful attacks can cause embarrassing public breaches that tarnish an organization’s image, alienate customers because their personal information has been compromised, result in the theft of valuable data and intellectual property, or shut down global networks and supply chains.
Notable APT-caused breaches in 2015 include those announced by health insurance provider Anthem and the U.S. Office of Personnel Management. The costs resulting from successful APT breaches continue to grow. According to the Ponemon Institute’s 2015 Cost of Data Breach Study, which surveyed 350 companies in 11 countries, the average total cost of a data breach today is $3.79 million — up 23 percent in the past 2 years.
With highly sophisticated APTs entering systems and networks, the focus on cybersecurity has changed from solely protecting equipment, people and data. Today, organizations must broaden their approach to security and must counter APTs on a global scale to protect both traditional and cloud-based environments.
From perimeter defense to actionable intelligence
The cloud, social media, smart devices and other technology innovations give new opportunities to collaborate with customers and partners, expand into new markets and reduce costs. They also give today’s determined, well-funded adversaries new avenues for success.
In the past, it was possible to protect against these adversaries by locking down networks with perimeter defenses and signature-based tools, such as antivirus, firewall and intrusion prevention systems.
These still remain necessary to protect data from a variety of threats, but they are no match for today’s APTs — because APTs constantly morph to identify and exploit vulnerabilities. Skilled adversaries diligently work to develop techniques specifically designed to penetrate an individual organization.
For instance, an APT might identify a “zero-day” vulnerability — an unaddressed and previously unknown vulnerability. The APT would attempt to trick an employee into clicking on an infected Web link in a spear-phishing email that would introduce malware onto that employee’s computer. Since the malware is designed to exploit a specific zero-day flaw of the application, it could successfully evade antivirus detection and other traditional perimeter defenses. The APT adversary would then gain remote access to the network via the employee’s computer and spread across the enterprise to access servers containing highly sensitive data.
Organizations need 24x7 monitoring and analysis platforms that combine analytical techniques, such as heuristic and behavioral analysis, with internal and external sensors to detect the most nuanced anomalies. Successfully defending against APTs also requires that organizations develop a comprehensive detect-analyze-adapt-respond life cycle based on their unique risk profiles.
This type of monitoring and analysis extends dynamic protection across an environment where traditional antivirus software typically does not inspect for advanced threats. By attaining real-time visibility into all adversarial activity across every endpoint, organizations can dramatically shorten the time between an APT compromise and its detection.
Proactive defense
To respond rapidly and aggressively also requires preparation. Having and executing a plan can make the difference between weathering an APT and watching it destroy consumer confidence, brand and share price, or negatively affect compliance with contracts, laws and regulations.
Organizations should perform internal and external vulnerability assessments, along with analyses ranging from nonintrusive compliance scans to full-scale penetration tests. These assessments should also identify areas where organizations fall short of emerging regulatory compliance requirements.
Once all the vulnerabilities are understood, organizations can develop comprehensive incident response plans, implement and test those plans, and prepare to respond to APTs with well-trained responders, investigators and forensic-data collectors.
As organizations produce actionable intelligence and respond to incidents, they also need to collect this information so they can understand the nature, motives and patterns of their adversaries. Who are they and what do they want? What organizational assets are they after?
APTs can be tracked by their behavior, methods and tactics. Some leave signatures. Some have well-established profiles that can be mined for information. As organizations gain knowledge about each APT’s operating style, they will improve their ability to predict, anticipate and disrupt future attacks.
Besides monitoring for APTs, organizations also need access to global threat intelligence. Security specialists create actionable intelligence by collecting, correlating, categorizing and attributing information from various sources. This type of intelligence helps organizations more easily spot and correlate anomalies, and gain visibility into breaking events that may have an impact on their industry, brand, infrastructure, users and customers.
By understanding the motives of evolving adversaries, organizations also can better anticipate their actions and prevent them from causing damage.
Conducting business with confidence
Cybersecurity has changed from being a mere compliance matter or the “cost of doing business.” It has become a primary business challenge that industries and governments must address.
To properly counter APTs, organizations need a next-generation approach that continually integrates threat intelligence-based security services to track threat actors and threat groups, and determines their tactics, techniques and procedures so the business can properly secure its infrastructure and sensitive data. When organizations incorporate an effective counter-APT approach into their cybersecurity program, they’ll be able to conduct business with confidence and assurance that their brand, shareholders and business are resistant to today’s rapidly evolving APTs.
NICHOLAS HANDY is global product manager for cybersecurity at CSC.