The threat landscape has changed irrevocably. The primary foe of security professionals is no longer an asocial teenager basking in the glow of a monitor looking for an easy target, but rather the highly skilled technologists who are deliberately seeking treasure troves of sensitive information.
Infosec pros must now assume attackers will successfully penetrate enterprise perimeters through dogged determination and the use of sophisticated tools.
The change in landscape didn’t happen suddenly. In 2006, we saw a highly targeted attack against the TJX Companies Inc. that resulted in the theft of personal information belonging to millions of individuals. In 2009, the Operation Aurora attacks saw Chinese sources infiltrating major American companies including Google Inc., Juniper Networks Inc. and Adobe Systems Inc. The following year, the Iranian government claimed that U.S. and Israeli interests were responsible for the Stuxnet worm attack on the Iranian nuclear program. And just last spring, RSA admitted it had been the victim of what it called “an extremely sophisticated cyberattack.”
Defining and understanding targeted APT attacks
These attacks are representative of what security professionals face today. They are aptly named advanced persistent threats; APT is a “fuzzy” and even controversial term that refers to a style of attack rather than any specific technique. Targeted APT attacks are waged in a one-to-one fashion by professional hackers using advanced skills. While the “script kiddies” of yesteryear first selected a vulnerability and then scanned the Internet looking for systems susceptible to their chosen exploit, APT attackers first select their target, often a government agency, financial institution, corporate competitor or other high-value asset, and then probe for a method of entry. Even though many information security industry observers bristle at the use of the term advanced persistent threat for a variety of reasons, it has become the most common phrase used to define this type of attack.
Coping with APTs requires security professionals to develop a new mindset. Infosec pros must now assume attackers will successfully penetrate enterprise perimeters through dogged determination and the use of sophisticated tools. They will leverage zero-day attacks, social engineering, phishing and other techniques until they find a chink in our armor and gain a foothold on our network. Once they’ve established a virtual base of operations, they can escalate the privileges available to them and expand their scope of control until they achieve their objectives, even if it takes weeks or months for them to do so.
Hardening the network against targeted APT attacks
Fortunately, there is a proven strategy for defending an enterprise network against APTs, and the good news is that it emphasizes many common network security best practices. The tried-and-true approach of implementing a layered series of controls to achieve defense-in-depth network security is the best way to protect an enterprise network against APTs.
First and foremost, take stock of the controls that already exist on the network and ensure they are both effective and well-managed. Most enterprises already have a mixture of firewalls, intrusion detection and prevention systems (IDS/IPS), antimalware packages and other controls. Are they audited regularly? Do they have current signatures? Are they consistently deployed? Check the basics before even considering adding additional layers of defense.
Second, examine existing user education programs. Many APTs depend upon social engineering or exploit the poor security habits of users in other ways. For example, experts theorize that the Stuxnet worm penetrated the perimeter controls of an Iranian nuclear facility when it was carried into the secure facility by an authorized user on a flash drive. Make sure end users understand their role in protecting the security of the organization and that the organization has set clear expectations for user behavior.
Using the threat of APT as a catalyst, this is a good time to evaluate existing network security controls and add additional safeguards, as necessary. After taking these remedial actions, consider the possibility of adding additional layers of defense to the network. There are three specific areas of control that are worthy of consideration:
- If a Security Incident and Event Management (SIEM) system isn't already in place, contemplate this as an opportunity to deploy one. SIEMs are a valuable tool in combating APTs because they consolidate and correlate security data from disparate sources. They can help identify the "needle in the haystack" that indicates a successful APT-style penetration of a network.
- Data loss prevention systems are an excellent last line of defense and may detect and block intentional or accidental attempts to remove sensitive information from a network.
- Finally, content filtering provides the ability to further protect against phishing attacks and other Web- and email-borne threats. While user education is clearly the most comprehensive way to prevent successful social engineering, content filtering may catch users who have fallen victim to a solicitation before they compromise their accounts.
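To make the SIEM point concrete, here is an added example (not from the original article) of the kind of cross-source correlation a SIEM performs: it takes constructed log records from a proxy, an endpoint agent, an authentication log and a DLP system, maps them onto the stages the article describes (foothold, privilege escalation, exfiltration), and flags only hosts where all three stages occur in order within a window. The event names, hosts and timestamps are made up for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records, already normalised to one shape:
# (ISO timestamp, log source, host, event name). Each source alone
# yields only low-severity noise; the chain across sources is the signal.
SAMPLE_EVENTS = [
    ("2012-05-01T09:02:00", "proxy",    "ws-17", "phish_link_click"),
    ("2012-05-01T09:03:10", "endpoint", "ws-17", "unsigned_process_started"),
    ("2012-05-03T22:15:00", "auth",     "ws-17", "local_admin_added"),
    ("2012-05-05T01:40:00", "dlp",      "ws-17", "outbound_transfer_large"),
    ("2012-05-02T10:00:00", "proxy",    "ws-22", "phish_link_click"),
    ("2012-05-02T10:05:00", "endpoint", "ws-22", "av_quarantine"),
    ("2012-05-06T14:00:00", "dlp",      "ws-31", "outbound_transfer_large"),
]

# Hypothetical mapping of individual events onto intrusion stages.
STAGE_OF = {
    "phish_link_click": "foothold",
    "unsigned_process_started": "foothold",
    "local_admin_added": "escalation",
    "outbound_transfer_large": "exfiltration",
}
STAGE_ORDER = ["foothold", "escalation", "exfiltration"]


def correlate(events, window_days=60):
    """Return {host: [(timestamp, stage), ...]} for every host whose events
    cover all stages in order within window_days. A lone phishing click that
    was quarantined (ws-22) or a lone large transfer (ws-31) is not reported;
    the ordered chain on ws-17 is."""
    by_host = {}
    for ts, _source, host, event in events:
        stage = STAGE_OF.get(event)
        if stage:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    hits = {}
    for host, recs in by_host.items():
        recs.sort()
        chain = []
        for ts, stage in recs:
            if len(chain) < len(STAGE_ORDER) and stage == STAGE_ORDER[len(chain)]:
                chain.append((ts, stage))
        complete = len(chain) == len(STAGE_ORDER)
        if complete and chain[-1][0] - chain[0][0] <= timedelta(days=window_days):
            hits[host] = chain
    return hits


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(host, " -> ".join(f"{s}@{t.isoformat()}" for t, s in chain))
```

The window is deliberately long because, as the article notes, an APT intrusion can take weeks or months to progress; a per-source alert threshold would miss a chain spread over that span.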
While it’s true that APTs present a new type of threat to information security, they don’t change the range of actions we must employ to protect ourselves. We simply need to return to the basics of defense-in-depth and layered controls that security professionals have been preaching for years.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on network security for its Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in May 2012