Introduction
APT, formerly known as the Advanced Persistent Threat, is the buzz word that everyone is using. Companies are concerned about it, the government is being compromised by it and consultants are using it in every presentation they give. However many people fail to realize that the vulnerabilities that these threat compromises are the insider. It might not be the malicious insider but the accidental insider who clicks on a link they are not suppose to.
One of the main reasons organizations are broken into today is because they are fixing the wrong vulnerabilities. If you fix the threats of 3 years ago, you will lose. APT allows organizations to focus on the real threats that exist today. With the biggest threat being the people problem who already have access and are inside your network.
While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you. Instead of just using it as a buzz word, if we understand the core components of APT, we can use it to improve our security. In APT, threat drives the risk calculation. Only by understanding the offensive threat will an organization be able to fix the appropriate vulnerabilities.
What is APT?
APT is the new way attackers are breaking into systems. APT is a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will. The following are the important things to remember:
- APT focuses on any organization, both government and non-government organizations. Some people make the mistake of thinking that the APT is only focused on Department of Defense (DoD) sites. When it comes to the Internet the lines between government and commercial are blurring and anything that could cause harm to a country will be targeted.
- While the threat is advanced once it gets into a network, the entry point with many attacks is focusing on convincing a user to click on a link. However, once the APT breaks into a system, it is very sophisticated in what it does and how it works. Signature analysis will be ineffective in protecting against it. Advanced attacks are always changing, recompiling on the fly and utilizing encryption to avoid detection.
- Many organizations make the mistake of thinking of attacks like the weather. There will be some stormy days and there will be some sunny days. However, on the Internet you are always in a storm. In the past, attackers would periodically attack an organization. Today attacks are nonstop. The attackers are persistent, and if an organization lets their guard down for any period of time, the chance of a compromise is very high.
- Attackers want to take advantage of economy of scales and break into as many sites as possible as quickly as possible. Therefore the tool of choice of an attacker is automation. Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break into sites very quickly.
- Old school attacks were about giving the victim some visible indication of a compromise. Today it is all about not getting caught. Stealth and being covert are the main goals of today's attacks. APT?s goal is to look as close {if not identical} to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them.
- The driver of APT is to provide some significant benefit to the attacker, the benefit being either economic or financial gain. Therefore the focus will be all about the data. Anything that has value to an organization means it will have value to an attacker. Since data has become so portable, and with cloud computing increasing in popularity, data is now available from the Internet, via many sources.
- Attackers do not just want to get in and leave, they want long term access. If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time. Stealing data once has value, but stealing data for 9 months gives the attacker even more payoff.
Putting all of this together means that you will be constantly attacked and compromised, making it necessary for an organization to always be in battle mode. This is a never ending battle. Since the APT is meant to be extremely stealthy, there is a good chance that an organization might be compromised and not know about it for several months. Before you discount this, if you were compromised and the attacker was not doing any visible damage, how would you know?
How to Defend Against the APT?
Prevention is ideal, but detection is a must. Most organizations focus solely on preventive measures but the problem with the APT is that it enters a network and looks just like legitimate traffic and users. Therefore, there is little to prevent. Only after the packets are in the network do they start doing harm and breaking in.
Based on the new threat vectors of the APT, the following are key things organizations can do to prevent against the threat:
- Control the user and raise awareness — the general rule is you cannot stop stupid, but you can control stupid. Many threats enter a network by tricking the user into clicking a link that they shouldn't. Limiting the actions a user are allowed to do with proper awareness sessions can go a long way to reduce the overall exposure.
- Perform reputation ranking on behavior — traditional security tries to go in and classify something either as good or bad, allow or block. However with advanced attacks, this classification does not scale. Many attackers start off looking like legitimate traffic, which means they would be allowed into the network, and then once they are in they turn bad. Therefore, since the goal of attackers is to blend in, you need to track what the behavior is and rank the confidence level of whether it is looking more like a legitimate user or more like evil.
- Focus on outbound traffic — Inbound traffic is often what is used to prevent and stop attackers from entering a network. While it will catch some attacks and is still important to do, with the APT it is the outbound traffic that is more damaging. If the intent is to stop exfiltration of data and information, looking at the outbound traffic is how you detect anomalous behavior, which is tied to damage to an organization.
- Understand the changing threat — it is hard to defend against something you do not know about. Therefore, the only way to be good at the defense is to understand and know how the offense operates. If organizations do not continue to understand the new techniques and tactics of the attackers, they will not be able to effectively tune their defensive measures to work correctly.
- Manage the endpoint — while attackers might break into a network as the entry point, they ultimately want to steal information that exists on endpoints. If you want to limit the damage, controlling and locking down the endpoint will go a long way to protect an organization.
While the current threat is advanced, persistent, stealthy, and data focused, organizations can implement effective measures to protect their sites.
Summary
APT is only going to increase in intensity over the next year, not go away. Ignoring this problem just means there will be harm caused to your organization. The key theme of dealing with APT is "Know thy system/network." The more an organization can understand about network traffic and services, the better they can spot/identify anomalies through clipping levels, which is the better way to defend against the APT. The ultimate way to make sure an organization is properly protected is to run simulated attacks (i.e. penetration testing, red teaming, ethical hacking) and see how vulnerable an organization is, and most importantly how quickly you detected it. The key to making this successful is to 1) always get explicit approval 2) run benign attacks 3) make sure the people running the test are of equal expertise to the true attacker; and 4) fix any vulnerabilities in a timely manner. The good news is, by focusing in on understanding the threats and an organization's vulnerabilities, you can properly defend against the APT.
Always remember to make sure you focus on the trusted insider. While you cannot stop stupid, you can properly control and limit what they can do.