Mitigating and protecting against APTs

Opinion by Brian Laing

Advanced persistent threats (APTs) are serious perils.

They are campaigns: long-term, deliberate attacks on your network to extract data, to sabotage, or to establish and keep a foothold. If the first attempt is unsuccessful, attackers try other combinations of exploits or target other doors and windows.

The threats themselves also morph to evade detection. To protect your organisation from APTs, you first need to understand the doors into your network.

APTs can enter your network in many ways, but a good place to begin your search for vulnerable openings is with the computer you sit in front of every day.

Clients - The client endpoint is the part of your network with the most exposure to the internet: it browses, reads email and opens documents from outside. APT malware is modular, and each module gives it a further capability (credential theft, lateral movement, exfiltration), so different combinations of modules multiply the damage one intrusion can do.

The APT also collects information such as trust relationships and passwords, which can be used to connect to other targeted clients and servers. On clients, make sure endpoint protection is installed and current, that signature/pattern files are current, that patches (on the operating system and on other devices) are current, and that browsers and their plug-ins are current.

Servers - Servers can also be attacked directly, but it is less common for an APT to start there. Servers are usually reached through application-level vulnerabilities, such as an unpatched Apache server, or with credentials harvested from an already compromised client.

Portable media - USB drives are often today's favourite intrusion point. The first thing you can do to protect your network is never install anything from portable media unless it comes from a trusted source, and scan the media first in any case. Bear in mind that scanning only catches malware the scanner already recognises, so also disable autorun and restrict which removable devices may be mounted.

Social networks and social engineering - Many people use the same username and password combination on multiple systems, for both personal and business use. A single leaked credential then gives an attacker access to several systems, which is why such credentials can be worth more on the black market than a credit card number.

Network administrators should require that passwords be changed at some interval they define, use programs that measure how strong a new password is, require a minimum length, and require combinations of different characters in addition to uppercase and lowercase letters and numbers. Two caveats a practitioner should add: forced routine rotation tends to push users toward predictable variations (NIST SP 800-63B now advises against it unless compromise is suspected), and length and character classes say nothing about whether a password is already in circulation, so new passwords should also be screened against lists of known-compromised passwords.
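The policy above, as an added example that is not the author's code: a checker that enforces the length and character-class rules and also rejects any candidate found on a compromised-password list. The minimum length of 12 and the four-entry breach list are assumptions constructed for the example; a real deployment would load a large leaked-password corpus.

```python
"""Added example, not from the article: a password policy check that enforces
minimum length and character classes and, more importantly, rejects any
password already known to be compromised. The breach list is constructed for
the example; a deployment would load a large leaked-password corpus."""
import hashlib
import string

MIN_LENGTH = 12  # assumed policy value; pick your own

# Constructed stand-in for a breached-password corpus. Only SHA-1 digests are
# kept, which is how such corpora are commonly distributed, so the cleartext
# never needs to live on the authentication server.
_CONSTRUCTED_BREACHED = ["password", "Password1!", "Summer2023!", "letmein12345"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _CONSTRUCTED_BREACHED}


def check_password(candidate, breached=BREACHED_SHA1, min_length=MIN_LENGTH):
    """Return the list of policy rules the candidate fails (empty means accepted).

    Rule names, in the order they are checked:
      length, uppercase, lowercase, digit, symbol, breached
    """
    failures = []
    if len(candidate) < min_length:
        failures.append("length")
    if not any(c.isupper() for c in candidate):
        failures.append("uppercase")
    if not any(c.islower() for c in candidate):
        failures.append("lowercase")
    if not any(c.isdigit() for c in candidate):
        failures.append("digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("symbol")
    # Compare digests rather than cleartext, matching how breach lists ship.
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    if digest in breached:
        failures.append("breached")
    return failures


if __name__ == "__main__":
    for pw in ["password", "Summer2023!", "Correct-Horse-7-Battery"]:
        print(f"{pw!r:28} -> {check_password(pw) or 'accepted'}")
```

Note that "Summer2023!" satisfies every character-class rule and fails only on length and on the breach list: the breach check is what catches the passwords users actually pick.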

Wireless networks - Many people don't realise that an attacker sitting in the company parking lot may be able to reach the wireless network, and a simple directional antenna extends that reach to quite a distance.

Add on top of this the many known issues with common wireless security measures (WEP is thoroughly broken, and WPS PINs can be brute-forced), and you have an easy remote way for attackers to gain their initial foothold. The first thing you can do to protect your wireless network is limit access to it. A wireless network should be protected at least as carefully as a wired one. Authentication should be required to join it: WPA2 or WPA3 with a strong passphrase, or better, per-user credentials, with guest traffic kept on its own segment. Hiding the SSID from individuals lurking in the parking lot raises the bar only slightly, since clients still reveal it in their probe requests and a sniffer sees it the moment anyone connects.

Now that we understand all the entry points to the network, it is worthwhile looking at what security technology has proven to be ineffective when faced with APTs.

Traditional security solutions such as firewalls, anti-virus, intrusion prevention systems and web filters are extremely useful and valuable for their intended purposes, but none of them was designed to catch a targeted, previously unseen threat. Identifying targeted attacks inside an organisation takes a different approach.

Next-generation firewalls - The problem with NGFWs is that the list of signatures is relatively static, and even frequent updates can't keep pace with the dynamic nature of advanced malware. Over 300 million new variants of malware were found last year alone.

The same inability to keep up with changing malware threats also applies to both anti-virus and intrusion prevention systems that rely heavily on signature-based lists as their primary detection methods.

Reputation-based solutions - Reputation and category databases can only rate content that someone has already analysed; anything new simply ends up uncategorised, and manual analysis cannot keep pace with the rate at which new content appears.

In 2011, over 150,000 new URLs were created daily. Most of these URLs were tagged as uncategorised content. Not surprisingly, most of the malware exists in uncategorised content.

Heuristic security methods - The weakness of heuristic (behaviour-based) detection is that you must first define what counts as normal behaviour, and that definition varies substantially from organisation to organisation, even between parts of the same network. To avoid detection, all an attacker needs to do is imitate normal behaviour and avoid any activity that draws attention.
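The two failure modes described in the next-generation firewall, anti-virus and heuristic paragraphs above, as an added example that is not from the article or from AhnLab: a byte-signature scanner that stops matching after one byte of a trivially rebuilt variant changes, and a baseline-of-normal detector that flags a noisy implant but not one that confines itself to actions the baseline already allows. The signature database, the "samples" (plain byte strings, not malware) and the event log are all constructed for the example.

```python
"""Added example, not from the article: why a byte signature and a fixed
baseline of 'normal' behaviour each miss a targeted sample. All data here is
constructed: the samples are plain byte strings, not real malware, and the
event log is invented."""

# ---- Signature-based detection (NGFW / AV / IPS style) ---------------------
# Constructed signature database: detection name -> byte pattern.
SIGNATURES = {
    "Constructed.Dropper.A": b"\xde\xad\xbe\xef CONNECT 203.0.113.10:443",
}

# Constructed 'file' that a signature engine would flag.
SAMPLE = (b"MZ\x90\x00constructed-header"
          + SIGNATURES["Constructed.Dropper.A"]
          + b"\x00trailing-data")


def signature_scan(sample, signatures=SIGNATURES):
    """Return the names of every signature whose byte pattern occurs in sample."""
    return [name for name, pattern in signatures.items() if pattern in sample]


def repack(sample, pattern):
    """Simulate a trivially rebuilt variant: XOR one byte inside the region the
    signature covers. The program's behaviour is unchanged; the byte pattern is
    not, so the existing signature no longer matches."""
    idx = sample.index(pattern)
    out = bytearray(sample)
    out[idx + len(pattern) // 2] ^= 0xFF
    return bytes(out)


# ---- Baseline ('heuristic') detection --------------------------------------
# Constructed (process, action) events recorded during a normal week.
NORMAL_WEEK = [
    ("outlook.exe", "net:tcp/443"),
    ("chrome.exe", "net:tcp/443"),
    ("chrome.exe", "file:write:Downloads"),
    ("winword.exe", "file:write:Documents"),
    ("winword.exe", "proc:spawn:splwow64.exe"),
]

# Constructed implant that makes no effort to blend in.
NOISY_IMPLANT = [
    ("winword.exe", "proc:spawn:powershell.exe"),
    ("powershell.exe", "file:write:Startup"),
    ("powershell.exe", "net:tcp/4444"),
]

# Constructed implant that does only what the baseline already allows: it runs
# inside the browser process and beacons over the port the browser uses daily.
BLENDED_IMPLANT = [
    ("chrome.exe", "net:tcp/443"),
    ("chrome.exe", "file:write:Downloads"),
]


def build_baseline(events):
    """'Normal' is simply every (process, action) pair seen in the learning period."""
    return set(events)


def anomalies(events, baseline):
    """Flag every event the baseline has never seen."""
    return [event for event in events if event not in baseline]


if __name__ == "__main__":
    variant = repack(SAMPLE, SIGNATURES["Constructed.Dropper.A"])
    print("original :", signature_scan(SAMPLE))    # ['Constructed.Dropper.A']
    print("repacked :", signature_scan(variant))   # []
    baseline = build_baseline(NORMAL_WEEK)
    print("noisy    :", anomalies(NOISY_IMPLANT, baseline))    # all three events flagged
    print("blended  :", anomalies(BLENDED_IMPLANT, baseline))  # []
```

The baseline here is deliberately naive (a set of exact pairs) to make the point visible: the attacker who stays inside the set of behaviours your baseline already tolerates is, by construction, invisible to it, which is why the baseline has to be narrowed per segment and combined with other evidence rather than used alone.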

Challenges at the network perimeter - The only way to ensure that targeted malware can't enter across the network perimeter is to ensure that every potential connection point to the network is policed 100 per cent of the time.

However, that complete and constant level of coverage is impossible to achieve. Laptops, smartphones and tablets routinely connect to external networks and return to the corporate network. USB flash drives attach to everything, contractors and partners are only as secure as their own networks, and cloud services represent yet another difficult-to-secure point of access. These tools are a fundamental part of modern business, yet their communications are open to eavesdropping and exploitation.

Large enterprise organisations also have overlapping technologies and competing areas of responsibility. Most organisations will not accept a security solution that interrupts services or degrades system performance, whatever the risk of compromise.

While the seriousness of the threat is understood, organisations need a solution that actually solves the problem and is transparent to users.

APTs are an imposing threat, which can have a severe impact on an organisation's network. It is therefore imperative that IT managers understand the most vulnerable areas of the network and the best way to protect against them.

Brian Laing is a vice president at AhnLab

