The ABCs of APTs: How To Fight Advanced Persistent Threats
Advanced persistent threats aren't new, but they're hard to discover. Learn why it's essential to extensively monitor and log network traffic--in particular, outbound traffic.
May 3, 2012
Security vendors are raising a hue and cry about the perils of advanced persistent threats (APTs), which only they can protect you from. In fact, some of these companies, such as RSA, an EMC acquisition, have gone so far as to say that APT attacks have reached pandemic levels.
While these companies--including Fidelis Security Systems, NetWitness (another EMC addition), Naurus, RedSeal Networks and Hewlett-Packard--promise that their products will help protect against APTs, many users are not aware of just what an APT is. The term itself has come under some criticism in the industry for being vague.
"APTs are highly sophisticated, custom exploits created solely to gain continuous access to a targeted system and remain there undetected, to collect and steal data over an extended period of time," says Mike Cobb, founder and managing director of Cobweb Applications, who recently wrote the InformationWeek report How Did They Get In? A Guide to Tracking Down The Source of APTs. "They are not new, but we are only just discovering their existence."
Examples of APTs include the Stuxnet attack and last summer's revelation of Operation Shady Rat, in what was known as a spearphishing attack because it targeted specific government individuals due to their access to particular types of confidential information.
Several studies during the past year have gone into the issue of APTs. An April 2011 Ponemon Institute survey of the utilities industry, the State of IT Security: Study of Utilities & Energy Companies, sponsored by Q1 Labs, found that preventing or minimizing APTs was last on the list of security objectives, at just 5%. Preventing cyberattacks was given short shrift compared with basic security goals, such as minimizing risks and vulnerabilities and improving the organization's security posture. RSA Security held an APT summit last fall in Washington, D.C., that drew more than 100 of the world's top cybersecurity leaders from government and business.
Last November, Enterprise Strategies Group released a study that indicated 59% of enterprises with at least 1,000 employees had been hit by an APT, and 72% believed they'll be hit again. The survey also showed that even the 46% of enterprises that believe they are "most prepared for APTs," based on the security they have in place, still consider themselves vulnerable to future, more sophisticated attacks.
But once APTs are identified as such, the question then turns to what tools, resources and processes are available to defeat them. "Most APTs begin with a phishing campaign, so security awareness training is vital to ensure that employees are aware of the threats from unsolicited or suspicious email messages," Cobb says. "Data loss prevention technologies can make the data extraction process a lot harder for the attacker, but if an APT or APT-like activity is suspected, then most organizations will need to call in specialist help to begin the forensic hunt for the malicious code."
Because an APT typically has to send the data collected back to a command and control server to successfully complete its mission, this network activity, as well as the APT's attempts to explore the network in search of data, is likely to provide one of the few chances you will have to identify and halt the threat, Cobb says. It is therefore essential that you extensively monitor and log network traffic--in particular, outbound traffic, he suggests.
Learn more about Strategy: Tracking the Source of APTs by subscribing to Network Computing Pro Reports (free, registration required).
You May Also Like