Advanced persistent threats (APTs) are among the most insidious cyberattacks faced by businesses today. We’ve all heard of the Stuxnet worm, and other high-profile attacks, including the 2014 Sony Pictures Entertainment hack, described by one observer as "the perfect APT." And last year, the Carbanak attack, which specifically targets financial institutions, made headlines.
Will an APT affect your business? Well, ISACA’s 2015 Advanced Persistent Threat Awareness Study found that 74% of respondents believe that they will be targeted by an APT, and 28% had already been attacked. The trouble is, APTs are, by nature, extremely sophisticated. They’re designed to be stealthy and evade detection, enabling them to spread undetected across networks over weeks or even months.
It might seem that mitigating the risk of an APT means deploying highly sophisticated cybersecurity measures, out of reach of most ordinary organizations. Not so. In fact, you can go a long way towards reducing APT risks by going back to basics: Understanding the fundamentals of how such an attack is planned and deployed, and how your organization’s network structure can help or hinder such an attack. In short, understanding how to reduce the attack surface you have available to malicious hackers.
APT structures
However sophisticated they are, all APT attacks typically follow a similar path.
Reconnaissance: Attackers will typically will use a variety of techniques to gain an intelligent picture of what a business’s network actually looks like in order to figure out what security policies and applications are in place, or identify remote-access capabilities that could provide them with access points. Common techniques include:
Exploit delivery: Once an appropriate access point for targeting your network has been identified, the attackers deliver a malicious tool or application that enables them to penetrate your network. Chosen attack vectors can include email attachments, so-called "water-hole" attacks, where the attackers compromise an existing website they know a target is likely to visit, or even physical delivery of the exploit on an infected USB stick.
Exploration and lateral expansion: Having succeeded in getting inside your network, the attackers’ tries to move laterally within your network to ultimately get to your valuable business data. But this data is usually on another computer system, so the attacker needs to find a path to it. This lateral movement is where an APT’s persistency comes in. Exploration takes time -- during which individual users may reboot their systems, change their security signatures and otherwise make it difficult for the attacker to re-access their machines.
Therefore, attackers ideally aim to deploy software directly onto individual machines that will allow them to come back whenever they need to, even if the user has rebooted or patched it. The most common way to do this is via remote administrator tools (RATs) -- the same type of tools that are used for remote troubleshooting or helpdesk functions.
Finally, attackers extract the valuable information they’ve been seeking, perhaps by blending it into benign traffic over HTTP or encrypting it in ways that make it difficult to spot, such as over HTTPS.
Reducing your network attack surface
While it's difficult to prevent attackers from carrying out the first stage in their APT journey -- after all, there’s nothing particularly secretive about many OSINT scanning techniques -- it is possible to prevent them from laterally moving across your network in search of your valuable data, with some back-to-basics network security principles:
When you design your network’s segmentation, consider two zone types that all networks should be split into. First, identify and define sensitive data zones for systems handling and storing payment and credit card details, employee records, company financials, intellectual property, and regulated data. Second, identify and define human user zones that contain human-accessible desktops, laptops, tablets and smartphones. You are probably already segmenting wireless-access zones, but wired-access desktops should also be segregated. Since an APT’s first point of attack is normally such a desktop, this segmentation then prevents the APT’s lateral movement.
If this sounds remarkably simple, that’s because it is. The important point to bear in mind is that no matter how sophisticated an APT is, it’s operating on your turf. Discovering the signs of an APT inside your network can be challenging, but with intelligent use of security basics, you will go a long way to preventing lateral exploration, and in turn stop the APT in its tracks.
Prior to co-founding AlgoSec, Avishai Wool co-founded Lumeta Corporation in 2000 as a spin out of Bell Labs, and was its chief scientist until 2002. At Lumeta, Wool was responsible for transforming the firewall analyzer technology he helped develop at Bell Labs into a commercial product. Prior to Lumeta, Wool was a technical staff member at Bell Labs’ Secure Systems Research Department, where he led a team of researchers who created the first research prototypes for the firewall analyzer. He has published more than 90 research papers and holds 13 US patents, and has served on the program committee of the leading IEEE and ACM conferences on computer and network security. Wool has a B.Sc. (Cum Laude) in mathematics and computer science, and a M.Sc. and Ph.D. in computer science.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
In today’s data-driven world, higher educational institution networks and their management must be modernized to address the needs of everyone across campus. Enterprises face similar challenges and also need to modernize their networks.
Fortinet announced updates to FortiOS and its security fabric. Interestingly, the company bucked the trend and did not lead with GenAI in this announcement.
