Advanced Persistent Threat (APT) refers not to a single class of malicious software (“malware”) but to a class of targeted, long-running intrusion campaigns, together with the custom malware and tooling used in them, mounted by highly skilled and well-funded perpetrators (often foreign governments) to breach secure networks for political or economic purposes. Increasingly, the target is intellectual property, including that found in the manufacturing, high tech, oil and gas, finance, and pharmaceutical industries.
APT missions are multi-phased and designed to conduct operations silently, blending in with everyday business activity. What makes APT so effective, and why it must be taken so seriously, is the adversary’s ability to continuously apply a repertoire of evolving tactics that exploit the trust placed in humans, computer systems, and networks.
However, the broad steps of every APT mission that aims to steal sensitive data from a network are largely consistent, and each is a point at which counter-measures can be applied. The intruder must first gain a foothold in the network, typically by compromising a user or an exposed system. Then the intruder likely needs to move laterally to find and access the systems containing the targeted data. Finally, the implanted malware must communicate with an external ‘command and control’ infrastructure to receive updated instructions and to exfiltrate stolen data off the network. As such, it is possible to detect and stop an APT attack at one or more of these stages.
Although a number of technologies claim to defeat APT, none is sufficiently potent alone. Successfully repelling an attack requires a layered ‘defense-in-depth-and-breadth’ security model that uses multiple integrated approaches designed to identify and neutralize APT activities at the data, system, and network levels (not just depth at a single point).
As a first step, companies must train users and reinforce compliance with policies that limit exposure to APT tactics, ideally with guidance delivered at the moment of risk. Even the most well-trained and vigilant end users remain susceptible to social engineering. One effective defense is to use software that is aware of data-handling policy throughout the business process to automatically alert users with policy guidance before they engage in potentially risky actions, such as following a link that attempts to download content from an unknown website.
Although user prompting can be a good first line of APT defense, it is also important to augment self-enforcement with automated controls that outright block certain high-risk activities commonly exploited by APT. For example, blocking all applications launched from a USB memory stick, or preventing embedded code within a document (such as macros) from running, can close common entry points for customized malware without affecting critical business processes.
To be successful, an APT attack must evade traditional anti-malware and perimeter security software that use signature-based detection, so a new defensive approach is needed. A next-generation cyber security model requires multiple layers of integrated threat detection and mitigation across the network and on host systems – i.e., workstations, laptops, and servers.
APT security requires deep, continuous threat analysis and data controls across the whole user session, from the process that opens a document to the network connections it makes. The level of insight needed to mitigate APT requires the ability to quickly ascertain the scope of an attack, including: mapping and correlating data movement across all ports and protocols; applying global malware intelligence to surveillance of both inbound and outbound traffic; and blocking APT tactics at each of their mission stages.
A complete APT solution can process a continuous stream of host and network session telemetry into a threat analysis system that identifies suspected APT events and prescribes actionable controls for them, even when the malware involved has evaded signature-based detection. In many cases, the same data security technologies used to monitor and prevent insider threats can be leveraged to prevent data access or exfiltration by APT, by modifying policies so that they automatically encrypt or block the egress of sensitive information. The layered security approach can stop attacks even if and when malware gains access to host systems, and can be used to progressively apply ‘lockdown’ rules to isolate and contain data on machines if suspicious activity is detected.
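As an added illustration of the stage-based detection described above and of the host/network telemetry correlation in the last two paragraphs, the following Python sketch runs three rules over constructed session records: periodic beaconing to an external destination (command and control), a large outbound volume to a destination outside an assumed allowlist (exfiltration), and a sweep of internal hosts over administrative ports (propagation), and attaches the control each finding prescribes. This is example code written for this page, not Verdasys software; the address ranges, allowlist, thresholds and sample records are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed corporate address space (RFC 1918); anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Assumed allowlist of known-good external destinations (e.g. sanctioned SaaS).
ALLOWLIST = {"198.51.100.10"}
# Admin/remote-management ports used here as a proxy for lateral movement.
LATERAL_PORTS = {135, 139, 445, 3389, 5985, 5986}

# Rule thresholds; all are assumptions for this demonstration.
MIN_BEACONS = 6            # sessions needed before periodicity is judged
MAX_JITTER = 0.15          # pstdev / mean of inter-arrival gaps
EXFIL_BYTES = 50_000_000   # outbound bytes per (host, dst) before alerting
MIN_LATERAL_TARGETS = 5    # distinct internal hosts hit on admin ports

# Constructed sample telemetry (not real data): one record per outbound
# session reported by a host agent, with the owning process attached.
TELEMETRY = [
    # ws-17: a document viewer calling one external IP every 60 s (C2 beacon)
    *[{"ts": 60 * i, "host": "ws-17", "proc": "winword.exe",
       "dst": "203.0.113.5", "port": 443, "bytes_out": 900} for i in range(8)],
    # ws-17: ordinary mail traffic to an allow-listed SaaS endpoint
    {"ts": 15, "host": "ws-17", "proc": "outlook.exe",
     "dst": "198.51.100.10", "port": 443, "bytes_out": 40_000},
    # srv-db2: sweeping internal hosts over SMB (propagation)
    *[{"ts": 1000 + i, "host": "srv-db2", "proc": "svchost.exe",
       "dst": f"10.0.2.{20 + i}", "port": 445, "bytes_out": 2_000} for i in range(6)],
    # ws-42: one large push to an external IP outside the allowlist (exfiltration)
    {"ts": 2000, "host": "ws-42", "proc": "curl.exe",
     "dst": "192.0.2.77", "port": 8443, "bytes_out": 120_000_000},
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(records):
    """Return one finding per (host, stage) with the control it prescribes."""
    by_pair = defaultdict(list)   # (host, dst) -> sessions
    lateral = defaultdict(set)    # host -> internal dsts hit on admin ports
    for r in records:
        by_pair[(r["host"], r["dst"])].append(r)
        if is_internal(r["dst"]) and r["port"] in LATERAL_PORTS:
            lateral[r["host"]].add(r["dst"])

    findings = []
    for (host, dst), sessions in by_pair.items():
        if is_internal(dst) or dst in ALLOWLIST:
            continue          # internal and sanctioned traffic is out of scope here
        sessions.sort(key=lambda r: r["ts"])
        proc = sessions[0]["proc"]
        total = sum(r["bytes_out"] for r in sessions)
        if total >= EXFIL_BYTES:
            findings.append({"stage": "exfiltration", "host": host, "dst": dst,
                             "evidence": f"{total} bytes out via {proc}",
                             "control": "block egress to dst; encrypt or hold sensitive files leaving host"})
        if len(sessions) >= MIN_BEACONS:
            gaps = [b["ts"] - a["ts"] for a, b in zip(sessions, sessions[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= MAX_JITTER:
                findings.append({"stage": "command-and-control", "host": host, "dst": dst,
                                 "evidence": f"{len(sessions)} sessions every ~{mean(gaps):.0f}s via {proc}",
                                 "control": "sinkhole dst; isolate host from the network"})
    for host, targets in lateral.items():
        if len(targets) >= MIN_LATERAL_TARGETS:
            findings.append({"stage": "propagation", "host": host,
                             "dst": f"{len(targets)} internal hosts",
                             "evidence": f"admin-port connections to {sorted(targets)}",
                             "control": "quarantine host; revoke credentials used from it"})
    return sorted(findings, key=lambda f: (f["host"], f["stage"]))


if __name__ == "__main__":
    for f in analyze(TELEMETRY):
        print(f"[{f['stage']}] {f['host']} -> {f['dst']}: {f['evidence']} => {f['control']}")
```

The internal address check is deliberately an explicit list rather than the library's `is_private` flag, because the documentation ranges used for the sample external addresses are themselves flagged non-global by that check; in production the list would be the organisation's real address plan. Running the block reports one finding for each of the three hosts and nothing for the allow-listed mail traffic.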
The ability to isolate and ‘destroy’ machines compromised by APT using virtualization technology can also be employed to effectively prevent potential attacks from propagating. Single-use virtual machines, or those that are periodically refreshed, will wipe malware that may have infected the session, and virtual environments can be used as a sandbox to isolate and analyze potential malware. The good news is many companies have already adopted virtual solutions for cost savings, so configuring them to help with APT defense is an added bonus.
Based on my experience working with many at-risk organizations, I believe companies will fall into one of four groups in formulating their APT defense strategy: those that have already confirmed an attack and will be actively seeking solutions to prevent future ones; those that assume they are (or will be) targeted and will begin proactively building an APT security model; those that will wait to experience an attack before investing in advanced cyber defense; and those that will wrongly assume their current IT security will be sufficient to stop an APT attack.
Early adopters of APT security will be in the best position to work with vendors to determine where and how to build effective defenses unique to their particular business needs. Unfortunately, the evidence suggests time is not on the side of those who wait to take action, as this enemy is inexhaustible and determined once you’re in their crosshairs.
Bill Ledingham is CTO and VP of engineering at Verdasys, a provider of enterprise information protection (EIP) solutions for the Global 2000 companies.