APTs: Changing the security mind-set

Advanced persistent threats (APTs) are the state of the art in terms of cyberattacks, able to penetrate the stiffest of defenses and then lie in wait for weeks or months, working away quietly to probe for an organization’s juiciest data or for the best way to damage its infrastructure, before finally striking.

Even if you’ve never heard of APTs, you likely know about them. The now infamous Stuxnet worm, which was discovered in June 2010, was launched against Iran’s nuclear power infrastructure and reportedly ruined almost 20 percent of the centrifuges it used to refine uranium. Flame, Nitro, Night Dragon and Duqu, APTs with equally dramatic names, are other examples.

APTs represent the pinnacle of the current technology of attacks that target specific areas of a company or government agency, or specific people within it. They are very hard to detect and defend against, and their use is growing.

Between 2005 and 2013, according to NIST, cybercrimes increased nearly 800 percent, but the type shifted markedly from the brute-force attacks registered at the beginning to more sophisticated, and often state-sponsored, attacks.

In 2013, NIST said, 89 percent of the callback activities detected — where malware made calls to infected servers for information, for example — was linked to APT tools made in China or by Chinese hacker groups.

An APT uses multiple phases to break into a network, avoid detection and gather valuable information over the long term, according to security firm Symantec:

  • Reconnaissance: An attacker collects information from a variety of sources to understand the target.
  • Incursion: Attackers break into a network using social engineering to deliver targeted malware to vulnerable systems and people.
  • Discovery: Attackers “stay low and slow” to avoid detection, while mapping an organization’s defenses from the inside and working out how to deploy multiple, parallel “kill chains” to ensure success.
  • Capture: They access unprotected systems and capture information over an extended period and may also install malware to acquire data or disrupt operations.
  • Exfiltration: Captured information is sent back to the attack team’s home base for analysis and further exploitation of an organization’s systems.
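The callback activity mentioned earlier and the “low and slow” Discovery and Exfiltration phases above share one observable trait on the defender’s side: a compromised host contacting the same destination at clock-like intervals. The following is an added example, not code from the article or from Symantec or NIST, showing how a defender can surface such beaconing from proxy logs. The log format (timestamp, source IP, destination host, bytes out), the sample lines, the thresholds and the function names are all constructed for illustration.

```python
"""Flag periodic callbacks (beaconing) in constructed web-proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_HITS = 5            # fewer contacts than this is too little to judge periodicity
MAX_INTERVAL_CV = 0.10  # coefficient of variation of the gaps; lower is more clock-like

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# One host calls back hourly with near-identical small requests; the rest is
# ordinary, irregular browsing.
SAMPLE_LOG = """\
2013-03-01T08:00:00 10.0.0.5 cdn.example-update.test 512
2013-03-01T08:01:10 10.0.0.5 news.example.test 2048
2013-03-01T09:00:03 10.0.0.5 cdn.example-update.test 508
2013-03-01T09:47:12 10.0.0.5 mail.example.test 9931
2013-03-01T10:00:01 10.0.0.5 cdn.example-update.test 515
2013-03-01T11:00:02 10.0.0.5 cdn.example-update.test 510
2013-03-01T11:23:40 10.0.0.5 news.example.test 3120
2013-03-01T12:00:00 10.0.0.5 cdn.example-update.test 511
2013-03-01T13:00:04 10.0.0.5 cdn.example-update.test 509
2013-03-01T13:15:00 10.0.0.5 news.example.test 1700
2013-03-01T14:00:01 10.0.0.5 cdn.example-update.test 512
"""


def parse_log(text):
    """Parse lines into records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, size = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "bytes_out": int(size),
        })
    return records


def interval_stats(timestamps):
    """Mean gap in seconds and its coefficient of variation for sorted timestamps."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return avg, cv


def detect_beacons(text, min_hits=MIN_HITS, max_cv=MAX_INTERVAL_CV):
    """Return one finding per (src, dst) pair whose contact gaps are nearly constant."""
    by_pair = defaultdict(list)
    for rec in parse_log(text):
        by_pair[(rec["src"], rec["dst"])].append(rec)

    findings = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        avg_gap, cv = interval_stats([r["ts"] for r in recs])
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(recs),
                "mean_interval_s": round(avg_gap, 1),
                "interval_cv": round(cv, 4),
                "mean_bytes_out": round(mean(r["bytes_out"] for r in recs), 1),
            })
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} hits, "
              f"every ~{f['mean_interval_s']}s (cv={f['interval_cv']}), "
              f"~{f['mean_bytes_out']} bytes out")
```

On the sample above only the hourly `cdn.example-update.test` contact is flagged; the news and mail hosts either have too few hits or irregular gaps. In production the same logic runs per source host over a day or more of proxy or DNS logs, and the thresholds are tuned against known-good periodic traffic (update checks, monitoring agents) so that those are allow-listed rather than reported.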

How do you defend against APTs? The first step is to acknowledge that the threat exists at all. NIST, in its 2013 revision of SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations,” pointed out that security control baselines for government agencies do not assume that adversaries may already have achieved a significant foothold and presence in their IT environment. That leaves such adversaries free to continue their attack on systems and infrastructure.

To more fully address APTs, it said, concepts such as insider threat protection, heterogeneity, deception, non-persistence and segmentation — all included in SP 800-53 — should be considered.

It also means changing the approach to security from building defenses that keep attackers out — the “castle and moat” approach — to adopting a more nuanced strategy. Albert Lewis, information security policy and compliance lead at Mitre, said APTs have certain characteristics: people won’t always see the initial attack, organizations can’t keep the adversary out, and the APT is “not a hacker.”

He advocates a threat-based approach to tackling APTs: understanding the threat building blocks that attackers use in APTs, sharing knowledge about threats with other organizations, and taking up an agile defensive posture that can be more closely aligned with the threat.

There are no silver bullets, said Aaron Colwell, an inside solution architect specializing in network and security at CDW, and nothing will completely defend against APTs.

But organizations can take some action to try to mitigate the risks, he said, starting by securing network endpoints with DLP tools and deploying next-generation firewalls to control user access to certain websites and to analyze files and applications at the network gateway to determine if they contain malware.