But how many CISOs are actually taking concrete steps to mitigate the risk of attack, and what should an effective anti-APT strategy include?
Well, first some clarity around definitions. APT is actually a term borrowed from the military, where it had been used for several years before its appropriation into the IT lexicon. In the CISO's sphere, however, it can be viewed more generically as signifying a type of targeted attack, one which is ‘persistent' by virtue of its covert nature – aiming to stay buried, hidden inside a victim network for as long as possible while exfiltrating data – and a ‘threat' for obvious reasons, because those well-resourced and highly motivated cyber actors behind it are intent on getting that data at whatever cost.
What is often misunderstood, however, is the ‘advanced' part. More often than not, the cyber attack itself doesn't feature particularly sophisticated malware – instead relying on DIY toolkits that expose known vulnerabilities. However, it is the mixture of tools and techniques it employs, to first gain network access and then lay hidden for so long, and the difficulty of attribution, which could be said to make this type of attack advanced and dangerous.
Scale and source
Some info-security vendors have certainly done themselves and the industry no favours in the past in misappropriating the APT term – after all, there is only so much product marketing-related FUD a CISO can take. However, even just a cursory glance at the threat landscape over the past 12-18 months will reveal expanding threat activity that is surely just the tip of the iceberg.
A report released back in April by security vendor FireEye casts an illuminating light on APT activity globally. During 2012, the firm monitored more than 12 million ‘callbacks' – a classic feature of APTs when the malware tries to communicate back with its command and control server – across infected enterprise hosts running into the hundreds of thousands. It found command and control servers in 184 countries, a 42 per cent increase since 2010, highlighting the increasingly international nature of advanced attacks. It also claimed that to avoid detection these servers were often located in the same country as their attack target. Thus, the fact that the 66 per cent of command and control servers were hosted in the US is a good indication that this country is still a prime target, FireEye argued.
By the same rationale, it's somewhat of a relief to find out the UK accounted for just two per cent of these servers, although it would be unwise for British organisations to let their guard down. Security vendor Trend Micro's ‘Q2 Report on Targeted Attack Campaigns' referenced five global campaigns spotted in the second quarter of 2013 alone. The belief is that due to the covert, stealthy nature of such campaigns, many more are currently under way which have evaded detection.
“Around 95 per cent of our customers already have some form of breach, which typically is a surprise to them,” says FireEye product manager Jason Steer. “Whether it is Zeus, Citadel, ransomware or a RAT like Poison Ivy, it's an exfiltration and connection channel they don't know about.”
Also difficult to pinpoint with any accuracy is attribution. As mentioned, the location of a command and control server is no indication of the attacker's location, and FireEye points out that on top of this, the cyber gangs are increasingly innovating to disguise callback comms. Social networks are now being used by the bad guys to receive updates on exploits, and they are also embedding commands or stolen info in normal-looking files such as .JPGs to evade deep-packet inspection tools. Even with this obfuscation, however, FireEye's report claims that an overwhelming 89 per cent of callback activities in 2012 were associated with APT tools made in China or originating from Chinese hacking groups.
The bad guys and their targets
It's not just state-sponsored actors from China that represent a major threat, according to Raimund Genes, chief technology officer of internet security vendor Trend Micro. “The US is now the biggest buyer of zero-day exploits out there, and they don't buy to inform the software vendors so they can fix their systems,” he says. “They're buying to launch attacks.”
More worrying still for CISOs, cyber crime gangs also have the means and the motivation today to launch sophisticated targeted attacks – a trend that means mid-sized companies must also be alert to the threat. They need not be contractors for high-profile firms or sub-divisions of larger organisations to attract unwanted attention, Genes says.
“The know-how of some mid-sized European companies is worth a fortune in certain industries,” he says. “I'm not talking about the baker round the corner here, but think for example about a law firm that conducts M&A deals – many of them are quite small companies. People always think it can't happen to them, but if they ask themselves ‘do I have competitors?' and ‘would they like access to our customer database?' and the answer is ‘yes', then it could certainly happen.”
With ready-made exploit kits and the expertise to launch them at selected targets available pretty readily in underground forums, then that customer database, a piece of valuable IP or sensitive M&A information could be within the grasp of an interested party for as little as £3,000-£6,000, according to Genes.
However, too many technical and non-technical employees are still in a ‘state of denial' when it comes to APTs, and where these threats are understood it is usually in association with state-sponsored attacks, according to
ISACA security advisory group chair Amar Singh.
“As one SME owner put it to me, APTs are ‘beings of an imaginary world',” says the former News International CISO. “This attitude may have manifested itself partly because of the ‘cry wolf' syndrome and partly, and importantly, because of the lack of detection – monitoring control – mechanisms in most organisations.”
So, faced with a growing volume of threats and shrinking budgets, what can CISOs do?
Getting the right balance between threat protection and cost is tricky to achieve, but risk management should be a guiding principle, according to Vijay Samtani, senior manager at Deloitte's Security and Resilience Practice: “Worst-case scenarios are worth looking at, but clear-eyed and in a rational way. Mature organisations understand the worst-case scenario and apply a slide rule to say ‘how much do we want to invest in dealing with it if we think it'll only happen once every 100 years?'. Try to get an accurate picture of real risk and base your strategy for dealing with APTs on that.”
Samtani's fellow senior manager at Deloitte, Nick O'Kelly, adds that IT chiefs should take a step back and assess what technology they already have in place, as some of it may help in the fight against targeted attacks, although some is just not optimised to do so at present. “My advice is, before you go out and spend more money, look inwards and understand what the risks are and what controls are in place to defend against them, and ensure what you have is configured properly because you might already have a solution there,” he says.
ISACA's Singh recommends beginning with identifying human- and business-critical IT assets to work out “who has access to what”.
“Use SIEM-based technologies to build up a picture of what is normal behaviour (think access) for these critical employees – obviously in consultation with the employees, HR and legal team,” he says. “Understand what time they login to check emails, what time they tend to work on business data and then build that logic into your SIEM product and configure alerts to start identifying abnormal behaviour.”
For Trend Micro's Genes, getting the basics right, like keeping operating systems and apps patched and up to date, can also improve resilience to targeted attacks. “It's a shock we still have so many infections based on old vulnerabilities,” he says. “Conficker is still making malware top 10 lists even though it uses vulnerabilities that could have been patched years ago.” And while traditional antivirus tools are important, firms should assume that a determined attacker will be able to breach their perimeter. In this case, automated detection and network analysis tools are important to close down the all-important window between infection and detection – which Trend Micro research puts at 180 days on average, according to Genes.
Training and awareness: a key defence or waste of money?
Despite the sophistication of some spearphishing attacks today, which can even fool some of the most experienced experts, user-training and awareness programmes are still a valuable investment of time and resources, according to Deloitte's Samtani.
“I'd challenge the notion that users can't be educated into becoming an effective defence against APTs. We've found effective awareness and training can mitigate threat to a serious extent,” he argues. “Vendors with something to sell want to promote the thing they're selling, and not many people bang the drum about how effective and cost-effective training programmes can be. Of course, it can't be 100 per cent, any more than enterprise technology can be, but it would be foolish to ignore the power of good awareness training.”
It's not only about raising awareness in terms of how to spot an attack, but also tailoring role-playing exercises according to the employee's role, and giving them a way to contact an external or internal resource if they do suspect a breach.
For KPMG director of information protection and business resilience Paul Hanley, awareness campaigns must be “sustained and updated”, based on evolving threat campaigns. “We also recommend running table-top scenarios for APT events, and identifying how well the team would respond – quite often a clear RACI [responsible, accountable, consulted and informed] response hasn't been defined,” he explains. “Once an APT has been found, then proactively having a plan to deal with it is a must, using any lessons learnt during the scenario testing.”
Of course, no IT security response is perfect, and with targeted attacks appearing with ominous frequency on the threat landscape, the chances are that at some point in time the bad guys will be successful.
When this happens, the CISO's response is critical, according to Deloitte's O'Kelly. “As much as you can be drawn into an ‘oh my God we've been hit, what do we do now?' mentality, there's no reason to be rash. It's about getting as much info about the full extent of the compromise as possible because you could be putting out one small fire when there are several more going on elsewhere in the organisation,” he advises.
“Whether you get your own tools or get the experts in, certainly make sure you understand what you're dealing with beforehand, or it could be the worst decision you make.”
Whatever happens, the targeted attack threat is a “big deal” that no CISO can afford to ignore, according to KPMG's Hanley. “One client found out from external sources that they had been compromised, but decided not to take any action on it, despite allowing access to highly confidential information. This view was taken by the security team, without having completed a risk assessment, and without consultation with the business and risk teams about the impact of the breach,” he explains.
“While in my experience it is rare for an organisation to take this position, my view is that it's the same argument some organisations used a number of years ago for not implementing antivirus systems or firewalls: ‘Why would anyone attack us and is it really that big a risk?' Yes, it is."