One of the biggest threats today is the stealthy online infiltration of organizations by attackers who steal valuable proprietary information. Ghostnet (a botnet deployed in various offices and embassies to monitor the Dalai Lama's agenda), Shady RAT (much like Ghostnet, but with government and global corporate targets), Operation Aurora (the 2009 monitoring of Chinese dissidents' Gmail accounts) and Stuxnet (the 2010 attempt to disrupt Iran's uranium enrichment program) are just a few high-profile examples.
In recent months, these so-called "Advanced Persistent Threats" (APTs) have become so rampant and unrelenting that they are forcing enterprises to question the current security paradigm.
An APT is a highly targeted attack that takes a muted, often slow and prolonged approach to penetrating an organization, with the aim of gathering intelligence rather than making an immediate financial gain. Precise definitions of APT vary, but one can get a good idea of its characteristics through its component terms:
Infrastructure Weaknesses Aggravate APT Breaches
APTs breach enterprise networks through a wide variety of vectors, including Internet-based malware infection, physical malware infection and external exploitation. APT perpetrators don't necessarily need to breach the external network perimeter; they can, and often do, leverage insiders and "trusted connection" vectors to access targeted systems. Once the APT attackers get in, certain infrastructure deficiencies in the organization may facilitate their ability to obtain the desired information:
Protecting Organizations from APTs
The so-called holy trinity of security will help enterprises thwart APTs:
Users are generally considered by attackers to be the weakest link in the chain and are often the target of the initial infection. Enterprises need to educate them on APT infection vectors and social engineering techniques. As that won't guarantee that employees will never open an infected document (Ghostnet, for instance, was seeded by sending well-crafted, legitimate-looking but infected PDF documents to staff of the Dalai Lama's office), IT managers should make sure each user has only the access rights that he or she needs and no more. For instance, the office accountant shouldn't have access to the source code repositories.
The latest security patches must be applied. IT-wide signature maintenance, typically obtained through a security services provider, includes keeping the zero-day window (the time between a vulnerability becoming known and a signature or patch being in place) as short as possible, to reduce vulnerability and operational risk.
Enterprises need to take a multi-disciplinary and consolidated approach to secure all IT assets. Antivirus and intrusion prevention capabilities are essential but firms should consider data loss prevention (DLP) technologies, too, and look at the big picture when it comes to the threat landscape. True mitigation results in a blend of policies and protection against the full threat spectrum. Antispam, Web filtering and application control all do their part to block APTs during different stages of attack. The rule of thumb is that no single security layer is foolproof, and integrating them intelligently helps ward off multi-vector threats.
Here are the layers that enterprises must have:
When mitigating APT attacks, enterprises must be prepared to deal with highly skilled hackers who have extensive testing facilities and high buying power on the zero-day market. Because an APT hacker can use zero-days and test his binaries against all known vendor engines before sending them to his target, traditional antivirus and intrusion prevention engines likely won't spot the initial attack.
This, however, doesn't mean that firms shouldn't bother installing the relevant security solutions; instead, they need to take the additional step of making it hard for hackers to figure out and replicate their environment. It also highlights the fact that human judgment, applied to things like logs and correlated data, is a prized asset. This judgment, for the time being, is not easily replicated in an attacker's testing environment.
The good news about APTs is that an enterprise can combat them through its regular risk management process (these protection measures go beyond APTs and also help mitigate traditional threats). APTs simply raise the bar with respect to external risk and impact. How much budget an organization wishes to allocate to tackling APTs will depend, as always, on its appetite for risk. One thing, however, is for sure: top management, CIOs and risk boards around the globe must urgently assess their exposure to APTs and start taking preventive and remediation measures.