
The hype, and the reality, behind advanced persistent threats

23 June 2011

APT – it is perhaps the hottest new (and arguably overused) acronym in security today. During this week’s Gartner Security & Risk Management Summit outside of Washington, distinguished Gartner analyst John Pescatore examined the reality behind this type of threat and, more importantly, discussed some solutions for combating it.

In a session titled “Cyberwar and APT: Hype and FUD”, Pescatore began by reflecting that, about every five years or so, the threats organizations face outpace their ability to combat them, largely because of developments in technology and the demands businesses place on its delivery. But what exactly are these newfangled concepts of cyberwar and advanced persistent threat (APT), and how real or new are these threats? These were just some of the questions that the Gartner VP and analyst sought to answer for the audience.

“There is no such thing as the unstoppable attack in cybersecurity”, Pescatore claimed. “Every attack, in order to succeed, needs to exploit a vulnerability”. He then added, jokingly, that we could prevent attacks if only we could remove all the vulnerabilities – a Pollyannaish quip that got quite a rise out of the crowd gathered to hear him speak.

While IT departments have faced all manner of attacks over the past decade and more, Pescatore says today’s new breed of attacks differ from their predecessors in being financially motivated and supported by large organizations, whether criminal rings or nation-states.

Furthermore, due to the explosion in social media participation, organizations find themselves far more susceptible to narrow, targeted attacks in today’s environment. This widespread participation by executives and other employees on social media sites, and the information that can be gathered through them, makes it far easier for attackers to engage in stealthy, narrowly focused attacks that may go undetected for a long period of time – the hallmark of an APT.

Pescatore defines an APT with uncommon brevity – an attack that penetrates your current level of protection, takes a long time for you to detect, and causes meaningful harm. Defined in this manner, it is really a new term for an old practice. APTs are not the preserve of state-to-state cyberwarfare or industrial espionage, he contended; an APT is simply a compromise of an organization’s security defenses that takes advantage of a threat the organization is not monitoring for, persists over an extended period of time, and causes some type of damage.

Not all APTs make use of zero-day vulnerabilities, although some, like Stuxnet, do. What an APT generally does is take advantage of a vulnerability that a particular organization does not typically look for. One example is zero-day exploits previously used in financially motivated attacks being redirected toward non-financial organizations.

In the Gartner analyst’s opinion, the threat of APTs and cyberwar-like attacks is secondary in impact to the more typical financially motivated targeted attacks organizations face today, at least for the next four years or so. Cyberwar-like attacks, he believes, are still a long way off, perhaps not taking form in a widespread sense until late into the second half of the 21st century.

“When some nation-state wants to do damage to another nation-state, personnel influence, bribery, and getting to unsatisfied people in key positions in government agencies will still be the number one cause of cyber damage rather than long-lived [cyber] attacks, because this is still the way we see the vast majority of nation-to-nation espionage and economic warfare happening and succeeding”, Pescatore asserted.

APT Defense

Completely preventing an APT, he continued, is at best theoretical and only possible under the most extreme of circumstances, many of which are neither feasible nor desirable. The first would be getting rid of software and people altogether, in conjunction with strong lockdown controls (near-infallible authentication, encryption of all data) and impenetrable firewalls.

In a more practical sense, Pescatore shared several strategies to protect against APTs. The first involves the category he labeled “due diligence”, including vulnerability, patch and configuration management, intrusion prevention systems, and privileged access management. The second is hardening, which includes application whitelisting, network access control, and vulnerability avoidance (for hardware).

The final aspect of robust APT mitigation comprises what he called “lean forward” strategy components – among these are sandboxing, situational awareness, and network/computer forensics capabilities.

“What we don’t see among these recommendations is security through obscurity”, said Pescatore, because this type of strategy is no longer relevant in today’s environment. The tools labeled “lean forward”, he continued, are certainly the more advanced, and in many cases the more expensive, security technologies now available. However, these tools, says Pescatore, will become ever more relevant in the evolving computing environment.

“When you look at this world where your users can be anywhere, using any type of device, we are losing, in a very big way, our ability to depend on endpoint security software”, he concluded, and the same trend applies to server-based security software.

He closed his recommendations with one pearl of wisdom, what he called “the horrible part of security”: “If you see something is wrong, and you see something is at risk, then you have to be prepared to do something about it. If you don’t do anything about it, then you have a whole different type of legal culpability.”
