Defending against APTs: 'We are behind the curve'

High-profile CISOs and senior IT security managers talked advanced persistent threats (APTs) and how they can be countered at SC Magazine's latest roundtable in central London.


The term ‘Advanced Persistent Threat' (APT) has long been promoted in the information security industry since being coined by the US military to describe attacks by a state entity, China in particular. It has since become an ever-present feature regardless of who the actor is, and certainly includes Western governments too, especially since the Stuxnet worm infected Iranian centrifuges in 2010 in an attack widely believed to be the work of a Western government.

And with the increasing sophistication of organised crime, and the provision of crime-as-a-service, less technically capable players are now able to join nation states and hacktivists/terrorists in delivering an APT. The term is variously defined as a targeted, stealthy and continuous computer attack, where ‘advanced' can refer to specific methods used or to their combination, and ‘persistent' can mean either repeat attacks or the fact that malware often resides on systems for long periods to sustain the attack.

The attack itself typically has multiple phases: breaking into a network, avoiding detection and harvesting valuable information over a long period of time. The threat actor is usually well skilled and exfiltrates data through command and control (C&C) servers, using exploit kits and malware alongside social engineering tactics, such as spear-phishing, to steal employee log-in credentials.

The complex make-up of an APT has, however, resulted in numerous debates on its definition and level of sophistication.

Speaking at the SC Magazine roundtable, sponsored by Akamai Technologies, in central London earlier this month, experts looked at these definitions and appropriate defensive measures, the need for continuous risk assessment and how the threat should be discussed at boardroom level.

James McKinley, head of information security, data protection and PCI DSS at Atos subsidiary Worldline, opened the discussion by questioning whether the ‘P' in ‘APT' stood for persistent hackers coming back repeatedly or simply for advanced malware with backdoors.

He added that the term now probably meant gaining a digital ‘foothold' in an organisation, while others – including Quocirca's Bob Tarzey and WorldPay head of payment security Tim Lansdale – said that it was simply a targeted attack using an assortment of tools.

Jay Colley, senior director at Akamai Technologies, said that the events in Russia, Georgia and Ukraine had shown that cyber-conflict is becoming ‘increasingly militarised', and noted that DDoS attacks, sometimes used as a distraction technique, had grown to as much as 340Gbps in size and were expected to continue to grow in the months ahead.

Meanwhile, one head of information security – who wished to remain unnamed – said that APTs should not fall into the bracket of common cyber-crime, where financial benefit is the primary motive.

“It's about gain and benefit, we need to take away just looking at financial [reasons],” said the delegate, adding that reputational gain for a hacktivist cause or disruption by a state actor were different types of gain from simple financial benefit.

Others at the table noted how SCADA systems are now under threat as engineers become more mobile and as more devices become internet-connected (more commonly referred to as the Internet of Things), although Colley said that most of these systems retain closed infrastructures and are separated from the rest of the network. He added that other industries should push defensive measures into the cloud.

Some delegates questioned whether cyber-terrorism was likely, and asked why we had not seen it yet. However, Tony Morbin, SC Magazine editor in chief and roundtable moderator, noted how a Swedish hydroelectric plant manager attending the 4SICS conference in Stockholm had confirmed, without attribution, that his plant had been put out of operation for a day by a targeted virus attack.

Others argued that risk assessment should be continually monitored as far as APTs are concerned, with Lacey stating that an independent risk assessment should be required. Meanwhile, Save The Children CISO Ray Evans said that there is ‘no common understanding of risk' and urged firms to be careful about which third parties they work with.

“Be very careful when subcontracting, and get them to provide an assurance that they have an understanding of risk in accord with your own,” he said at the roundtable.

This communication extends to the boardroom, said Tarzey, who argued that the nature of a risk and its potential consequences, along with the preventative action and resources required to address it, should be described simply by the CISO to the CEO.

“You're trying to describe it to the CEO, who doesn't understand cyber-security, that this is a targeted attack,” said Tarzey, director and analyst at Quocirca.

Another delegate added: “Don't talk about APTs [to the board] - you will get thrown out of the room.”

Experts summarised that information security teams should benchmark best practice, be open and honest with the C-level about their capabilities, and – where appropriate – outsource risk management and log management.

When looking at potential solutions, white-listing of approved apps, services and connections came highly recommended, with category-level approval overcoming some of the issues that constant updates and patches create for a large organisation. Constant monitoring of all network traffic in real time, establishing what was normal and then reacting quickly to any abnormal activity, was seen as key to closing down attacks.
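The two measures recommended above, a default-deny allow-list with category-level approval and a traffic baseline that flags departures from normal, can be sketched in a few dozen lines. The following is an added example written for this page, not code from the roundtable or any delegate's organisation; the connection log lines, the application categories and the category rules are all constructed for illustration, and a real deployment would feed the same logic from firewall, EDR or NetFlow exports.

```python
"""Added example: category-based allow-listing plus a traffic baseline.
All log data and policy below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed outbound connection records: host process dest_ip dest_port bytes_out
BASELINE_LOG = """\
ws01 outlook.exe 10.0.0.5 443 1200
ws01 chrome.exe 93.184.216.34 443 5400
ws02 outlook.exe 10.0.0.5 443 1100
ws02 chrome.exe 93.184.216.34 443 4800
ws01 chrome.exe 151.101.1.69 443 3000
ws02 updater.exe 10.0.0.9 8080 900
"""
LIVE_LOG = """\
ws01 outlook.exe 10.0.0.5 443 1300
ws01 chrome.exe 93.184.216.34 443 5100
ws02 svchost.exe 198.51.100.23 4444 20000
ws01 chrome.exe 203.0.113.7 443 900000
ws02 powershell.exe 10.0.0.9 8080 800
"""


@dataclass(frozen=True)
class Conn:
    host: str
    process: str
    dest: str
    port: int
    bytes_out: int


def parse_log(text: str) -> List[Conn]:
    """Parse the whitespace-separated constructed log format above."""
    conns = []
    for line in text.splitlines():
        if line.strip():
            host, proc, dest, port, nbytes = line.split()
            conns.append(Conn(host, proc, dest, int(port), int(nbytes)))
    return conns


# Hypothetical policy: binaries are approved by category, not by individual
# hash, so a patched build of an approved browser stays covered.
APP_CATEGORIES: Dict[str, str] = {
    "chrome.exe": "browser",
    "firefox.exe": "browser",
    "outlook.exe": "mail",
    "updater.exe": "patching",
}
# category -> (allowed destinations, "*" meaning any; allowed ports)
CATEGORY_RULES: Dict[str, Tuple[Set[str], Set[int]]] = {
    "browser": ({"*"}, {443}),
    "mail": ({"10.0.0.5"}, {443}),
    "patching": ({"10.0.0.9"}, {8080}),
}


def allowed(conn: Conn) -> bool:
    """Default-deny: pass only if the process has an approved category and the
    destination and port fall inside that category's rule."""
    category = APP_CATEGORIES.get(conn.process)
    if category is None:
        return False
    dests, ports = CATEGORY_RULES[category]
    return ("*" in dests or conn.dest in dests) and conn.port in ports


def build_baseline(conns: List[Conn]):
    """Per (host, process): destinations seen and peak bytes_out, taken as normal."""
    seen: Dict[Tuple[str, str], Set[Tuple[str, int]]] = defaultdict(set)
    peak: Dict[Tuple[str, str], int] = defaultdict(int)
    for c in conns:
        key = (c.host, c.process)
        seen[key].add((c.dest, c.port))
        peak[key] = max(peak[key], c.bytes_out)
    return seen, peak


def triage(live: List[Conn], baseline, volume_factor: int = 10):
    """Block anything off the allow-list; alert on allowed traffic that departs
    from the baseline (unseen process, unseen fixed destination, or a volume
    spike). Returns (verdict, connection, reason) tuples in log order."""
    seen, peak = baseline
    findings = []
    for c in live:
        if not allowed(c):
            findings.append(("BLOCK", c, "process/destination not on allow-list"))
            continue
        key = (c.host, c.process)
        if key not in seen:
            findings.append(("ALERT", c, "approved process never seen on this host"))
            continue
        dests, _ = CATEGORY_RULES[APP_CATEGORIES[c.process]]
        if "*" not in dests and (c.dest, c.port) not in seen[key]:
            findings.append(("ALERT", c, "new destination for this process"))
        elif c.bytes_out > volume_factor * peak[key]:
            findings.append(("ALERT", c, f"bytes_out {c.bytes_out} exceeds "
                                          f"{volume_factor}x baseline peak {peak[key]}"))
    return findings


def run_example():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return triage(parse_log(LIVE_LOG), baseline)


if __name__ == "__main__":
    for verdict, conn, reason in run_example():
        print(f"{verdict:5} {conn.host} {conn.process} -> {conn.dest}:{conn.port}  {reason}")
```

Two of the constructed live records (an uncategorised svchost.exe reaching out on port 4444, and powershell.exe talking to the patch server) fall to the allow-list alone. The third, a 900KB upload from an approved browser to a previously unseen address, passes the allow-list because the browser category is permitted any destination on 443; only the volume baseline catches it, which is the point the delegates made about pairing white-listing with monitoring for abnormal activity.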

Resources to tackle a 24-hour opponent, and the skills gap in getting the right staff at smaller enterprises, were also raised as issues, with one delegate asking: "I just don't have the time or the staff to thoroughly investigate all our log files - what should I do?" Unsurprisingly, Colley suggested that the solution might well be to outsource to an organisation that did have the resources in place, such as a cloud provider, which would also take the focus of any attack away from the target company.

In a straw poll, half of the delegates said that they would use or were already using cloud services, while the other half did not feel confident about outsourcing to a cloud provider because of security concerns or, in the case of smaller businesses, a perception that the cost may be too high.


See also the APT report in the January SC Magazine print edition.