Comment: Defeating APT in the Cyber Trenches

The Maginot Line concept didn't work for the French, and it likely won't work for your organization either, says Jim Butterworth

We’ve spent billions building our perimeters, erecting and fortifying our firewalls, placing tactical sensors within each boundary area, automating our sentry watch, and creating whitelists and signatures to tell friend from foe. All of this has left us with the cyber equivalent of the Maginot Line. We can comfortably state that we have put a tremendous amount of money and effort into defending. But just how well have these supposedly perfect digital walls worked for us so far?

Not so well it would seem, when you consider the increasing incidence of APT attacks. It doesn’t matter whether they are individual, group, or state-sponsored, politically or financially motivated – attackers’ ability to continuously adapt their techniques and tactics is what allows them to remain persistent and stay entrenched in the network for so long.

APT tooling such as custom remote access tools (RATs) built from private source code, SQL grinders, .NET malware, and sophisticated encryption schemes is rarely caught by anti-virus or other signature-based methods, because it has been designed and tested against those very products before it is ever used.

The bottom line is that APTs have been successful to date because many organizations have failed to accept the new reality – that cyber intruders are already in your network.

Breaching Digital Walls One Brick at a Time

Today, organizational digital fortifications are being overrun or circumvented. Indeed, any large network with valuable data should assume that a compromise has already occurred.

When corporations are breached, they are left with an enemy either within their walls or just outside the DMZ, in the trenches. How do you recognize their presence? How do you follow their tactics, techniques and procedures as they go through (or around) your perimeter, when they rely on:

  • Laser sighted focus
  • Stealth
  • Swiftness
  • Deception
  • Adaptability
  • Resilience
  • Persistence
  • Camouflage
  • Patience

With an enemy so ‘up close and personal’, you are left with two choices: retreat or defeat.

Fighting and Defeating APTs in the Network

Organizations must be willing to accept the reality that perfect digital walls using traditional solutions can't really be built. This is not a compromise, or an admission of defeat. It’s simply the first step in learning to wage battle where it’s really happening.

Most organizations have perfected a retreat strategy: ignoring indicators, applying patches and fixes, adding signatures, making everyone authenticate, enforcing standards, and gathering around big tables and large screen displays to talk about the problem until no one can endure another PowerPoint slide. What they have not done, however, is discuss or acknowledge the inherent right of self-defense against a determined foe. So, what does this mean?


Is ‘self-defense’ limited to passive activities taken to shore up your defenses, or could it mean to actively defend your network? The latter approach favors an ‘equal and appropriate’ application of countermeasures necessary to halt the activities of an attacker.

How do you know what is ‘equal and appropriate’? It starts with threat intelligence that has enough fidelity and granularity to allow you to disassemble the attacker’s offensive techniques and focus your attention on rooting them out. If you read and interpreted that as ‘hack back’, then you misunderstood my meaning. Technology exists today that takes the secret sauce out of reverse engineering so you can quickly and easily shine a spotlight on the attackers and thwart their continued incursions into your organization.

The longer an attacker remains in the network, the more likely you are to discover it. But the longer a compromise goes undetected, the greater the chance of data theft and loss. Many attackers steal data over time, slowly moving material out of your company rather than in one conspicuous transfer.

In order to defeat, you must be willing to wage daily cyber trench warfare. You must be willing and technically able to look where you don’t want to and have the courage to accept what may be revealed.

The good news is that APTs can be detected and evicted from the network. After an intrusion, the APT attacker is highly exposed due to their interaction and lateral movement, which can leave a great deal of forensic evidence on the compromised hosts.
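As an added illustration of the forensic trail that lateral movement leaves behind (this is example code written for this page, not the column's or HBGary's own tooling), the script below correlates host logon records with service-install records to surface PsExec-style hops: a remote logon (network or RDP) followed minutes later by a new service on the same host under the same account, and a single account reaching an unusual number of hosts from one source address. The log lines are constructed for the example and only loosely follow Windows event semantics (4624 logon, 7045 service installed); the host names, accounts, addresses and thresholds are assumptions.

```python
"""Added example, not from the original column: correlating constructed
host logon and service-install records to flag lateral movement.

Event IDs used (loosely modelled on Windows):
  4624 = account logon; LogonType=3 is network (SMB/RPC), 10 is RDP
  7045 = a new service was installed on the host
The hosts, accounts, addresses and timestamps below are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per line:
# "<ISO timestamp> <host> <event_id> <account> <source_ip> key=value ..."
SAMPLE_LOG = """\
2013-03-04T09:01:10 WS-FIN-07 4624 jdoe 10.0.5.23 LogonType=3
2013-03-04T09:01:42 WS-FIN-07 7045 jdoe 10.0.5.23 Service=PSEXESVC
2013-03-04T09:05:03 SRV-FILE-02 4624 jdoe 10.0.5.23 LogonType=3
2013-03-04T09:05:30 SRV-FILE-02 7045 jdoe 10.0.5.23 Service=PSEXESVC
2013-03-04T09:20:11 SRV-DB-01 4624 jdoe 10.0.5.23 LogonType=10
2013-03-04T10:15:00 WS-HR-03 4624 asmith 10.0.7.8 LogonType=2
2013-03-04T10:16:12 WS-HR-03 7045 SYSTEM 127.0.0.1 Service=WinDefendUpdate
"""

REMOTE_LOGON_TYPES = {"3", "10"}  # network and RemoteInteractive logons


def parse(log_text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, account, src, extra = line.split(maxsplit=5)
        fields = dict(item.split("=", 1) for item in extra.split())
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "event_id": int(eid),
            "account": account,
            "src": src,
            **fields,
        })
    return events


def detect_lateral_movement(events, window=timedelta(minutes=5), fanout_threshold=3):
    """Return a list of findings. Two heuristics (both assumed thresholds):
    1. a remote logon followed within `window` by a service install on the
       same host under the same account (the PsExec pattern);
    2. one account+source pair logging on remotely to >= fanout_threshold hosts.
    """
    findings = []
    events = sorted(events, key=lambda e: e["time"])
    remote_logons = [
        e for e in events
        if e["event_id"] == 4624 and e.get("LogonType") in REMOTE_LOGON_TYPES
    ]

    # Heuristic 1: service install shortly after a remote logon on that host.
    for svc in (e for e in events if e["event_id"] == 7045):
        for lg in remote_logons:
            gap = svc["time"] - lg["time"]
            if (lg["host"] == svc["host"] and lg["account"] == svc["account"]
                    and timedelta(0) <= gap <= window):
                findings.append({
                    "type": "service_after_remote_logon",
                    "host": svc["host"],
                    "account": svc["account"],
                    "service": svc.get("Service", "?"),
                    "seconds_after_logon": int(gap.total_seconds()),
                })
                break

    # Heuristic 2: one actor fanning out across many hosts.
    hosts_by_actor = defaultdict(set)
    for e in remote_logons:
        hosts_by_actor[(e["account"], e["src"])].add(e["host"])
    for (account, src), hosts in hosts_by_actor.items():
        if len(hosts) >= fanout_threshold:
            findings.append({
                "type": "fan_out",
                "account": account,
                "src": src,
                "host_count": len(hosts),
                "hosts": sorted(hosts),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_lateral_movement(parse(SAMPLE_LOG)):
        print(finding)
```

On the constructed input this flags the two PSEXESVC installs on WS-FIN-07 and SRV-FILE-02 and the jdoe/10.0.5.23 pair fanning out to three hosts, while the local console logon and the unrelated SYSTEM service on WS-HR-03 stay quiet. The thresholds are deliberately simple; in practice you would baseline which accounts normally administer which hosts before treating fan-out as suspicious.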

To maintain pace with your adversaries, you need to see them in your cloud, across your wire, up your stack, into your heap, and maybe – if you’re lucky – onto your disk. Runtime is where we’re waging cyberwar. Active defense means checking runtime for signs of the cyber adversary.

We live in a digital world; retreat is not an option. Instead, take your hands off your mouse, grab an assembly language book, and dive into the trench.


Jim Butterworth is the CSO at HBGary. Previously, he worked at Guidance Software, where he was the senior director of cyber security. Exclusively client focused, Butterworth brings 15 years of ‘in-the-trench’ experience in computer network operations and incident response with him, having conducted engagements worldwide, in every industry, specializing in critical infrastructure protection and highly sensitive networks.
