Advanced persistent threats (APTs) are among the most insidious cyberattacks faced by businesses today. We’ve all heard of the Stuxnet worm, and other high-profile attacks, including the 2014 Sony Pictures Entertainment hack, described by one observer as "the perfect APT." And last year, the Carbanak attack, which specifically targets financial institutions, made headlines.
Will an APT affect your business? Well, ISACA’s 2015 Advanced Persistent Threat Awareness Study found that 74% of respondents believe that they will be targeted by an APT, and 28% had already been attacked. The trouble is, APTs are, by nature, extremely sophisticated. They’re designed to be stealthy and evade detection, enabling them to spread undetected across networks over weeks or even months.
It might seem that mitigating the risk of an APT means deploying highly sophisticated cybersecurity measures, out of reach of most ordinary organizations. Not so. In fact, you can go a long way towards reducing APT risks by going back to basics: Understanding the fundamentals of how such an attack is planned and deployed, and how your organization’s network structure can help or hinder such an attack. In short, understanding how to reduce the attack surface you have available to malicious hackers.
However sophisticated they are, all APT attacks typically follow a similar path.
Reconnaissance: Attackers will typically will use a variety of techniques to gain an intelligent picture of what a business’s network actually looks like in order to figure out what security policies and applications are in place, or identify remote-access capabilities that could provide them with access points. Common techniques include:
- Open-source intelligence involves scanning externally open services for vulnerabilities
- Human-source intelligence targets key employees for access information
- Foot printing identifies which versions of software or resources an organization is using to create a profile of its network infrastructure t
Exploit delivery: Once an appropriate access point for targeting your network has been identified, the attackers deliver a malicious tool or application that enables them to penetrate your network. Chosen attack vectors can include email attachments, so-called "water-hole" attacks, where the attackers compromise an existing website they know a target is likely to visit, or even physical delivery of the exploit on an infected USB stick.
Exploration and lateral expansion: Having succeeded in getting inside your network, the attackers’ tries to move laterally within your network to ultimately get to your valuable business data. But this data is usually on another computer system, so the attacker needs to find a path to it. This lateral movement is where an APT’s persistency comes in. Exploration takes time -- during which individual users may reboot their systems, change their security signatures and otherwise make it difficult for the attacker to re-access their machines.
Therefore, attackers ideally aim to deploy software directly onto individual machines that will allow them to come back whenever they need to, even if the user has rebooted or patched it. The most common way to do this is via remote administrator tools (RATs) -- the same type of tools that are used for remote troubleshooting or helpdesk functions.
Finally, attackers extract the valuable information they’ve been seeking, perhaps by blending it into benign traffic over HTTP or encrypting it in ways that make it difficult to spot, such as over HTTPS.
Reducing your network attack surface
While it's difficult to prevent attackers from carrying out the first stage in their APT journey -- after all, there’s nothing particularly secretive about many OSINT scanning techniques -- it is possible to prevent them from laterally moving across your network in search of your valuable data, with some back-to-basics network security principles:
- Segment your network. Break up your flat internal network into multiple zones, based on the use pattern and category of data processed within each zone. This segmentation then prevents the APT from jumping from one "stepping stone" machine to another.
- Place firewalls to filter traffic between those zones. "Choke points" such as firewalls must be placed between the zones to filter the traffic entering and exiting. In other words, firewalls must be placed on internal, lateral traffic paths, not just your network perimeter.
- Write restrictive security policies for those firewalls to enforce. Gartner Research has suggested that 99% of firewall breaches are caused by firewall misconfigurations, not firewall flaws. The message is clear: Your firewalls absolutely must be configured accurately and intelligently, to analyze and block the kind of internal communications that signal APTs.
When you design your network’s segmentation, consider two zone types that all networks should be split into. First, identify and define sensitive data zones for systems handling and storing payment and credit card details, employee records, company financials, intellectual property, and regulated data. Second, identify and define human user zones that contain human-accessible desktops, laptops, tablets and smartphones. You are probably already segmenting wireless-access zones, but wired-access desktops should also be segregated. Since an APT’s first point of attack is normally such a desktop, this segmentation then prevents the APT’s lateral movement.
If this sounds remarkably simple, that’s because it is. The important point to bear in mind is that no matter how sophisticated an APT is, it’s operating on your turf. Discovering the signs of an APT inside your network can be challenging, but with intelligent use of security basics, you will go a long way to preventing lateral exploration, and in turn stop the APT in its tracks.
Prior to co-founding AlgoSec, Avishai Wool co-founded Lumeta Corporation in 2000 as a spin out of Bell Labs, and was its chief scientist until 2002. At Lumeta, Wool was responsible for transforming the firewall analyzer technology he helped develop at Bell Labs into a commercial product. Prior to Lumeta, Wool was a technical staff member at Bell Labs’ Secure Systems Research Department, where he led a team of researchers who created the first research prototypes for the firewall analyzer. He has published more than 90 research papers and holds 13 US patents, and has served on the program committee of the leading IEEE and ACM conferences on computer and network security. Wool has a B.Sc. (Cum Laude) in mathematics and computer science, and a M.Sc. and Ph.D. in computer science.