Comment: It’s Time to Take APTs Seriously

APTs are not new, says Brewer, they have just received more attention as of late
Ross Brewer, LogRhythm

While a great deal of attention has been given to the activities of ‘hacktivists’ like Anonymous and Lulzsec, these attacks are kids’ stuff when compared with the sophisticated, grown-up hacks currently keeping security professionals awake at night. Advanced persistent threats (APTs) are customized attacks with specific targets, designed to subvert IT security measures and achieve their goals undetected – something that they are very effective at doing.

The Stuxnet worm is one of the foremost examples of these threats at work. Furthermore, McAfee’s Shady Rat operation showed that sophisticated penetrations are widespread and, more often than not, invisible to their victims.

APTs differentiate themselves from other types of hacking activities by targeting a specific organization for an explicit reason – often to extract extremely high-value data. They are ‘advanced’ in that the attackers often write customized zero-day malware and also frequently launch highly targeted ‘phishing’ attacks in an attempt to exploit user systems. There is no single attack vector, no single activity pattern, and thus no easy way for an organization to protect itself from an APT.

The ‘persistent’ part of the name refers to the extremely patient and methodical approach of the APT to conduct reconnaissance and then target, compromise, and finally steal data. An APT does not care if it takes a week or a year to reach its objective, just as long as it gets there in the end. This sophistication and persistence are why traditional point-based solutions like firewalls, IPS and anti-malware are insufficient protection against these kinds of attacks.

APTs are also constantly evolving, meaning that organizations cannot hope to keep perimeter defenses effective 100% of the time. As a result, an APT that slips past the perimeter will continue to go undetected by those defenses.

To defend valuable IT assets, organizations need to identify potential targets, implement network segmentation and obtain visibility into as much activity as possible. This is achieved by collecting all the log data available for all target assets.

However, to effectively detect APTs, organizations need to develop a comprehensive understanding of IT systems so that aberrant activity can be identified as it occurs. This requires visibility into the entire breadth and depth of log data across all systems, regardless of where any possible target assets reside.

In practice, this process is becoming increasingly difficult. ‘Big data’ is a hot topic right now and refers to the fact that organizations are generating more data than ever before. In addition, the structure of IT networks is growing increasingly disparate.

Faced with these two challenges, the only feasible way for organizations to manage and utilize log data is via systems with security information and event management (SIEM) capabilities. These systems centralize and automate the process of log collection and analysis on a continuous basis to ensure that nothing is missed. The visibility afforded by SIEM means that for an attack to go unnoticed, it would not only have to hack into its target, but also into the logging system itself: a very difficult, if not impossible, challenge.

Using log data in this way provides organizations with the traceability required to correlate seemingly unrelated activity occurring across systems – a must for detecting sophisticated attacks intent on using multiple channels to slip in unseen. By alerting organizations to dangers in real-time, this set-up provides the early warning required for an effective response, thereby preventing threats from achieving their goals.
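The following script is an added illustration of the correlation idea just described; it is not code from the article or from any LogRhythm product. It takes a handful of constructed log lines from three independent sources (a mail gateway, an endpoint agent and a web proxy), normalizes each source's vocabulary into a few named signals, and raises an alert only when one host shows the full chain of phishing attachment, office application spawning a shell, and a first-seen outbound connection inside a time window. Each event on its own is unremarkable; the alert comes from the cross-source correlation. A second routine flags log sources that have gone quiet, which is how an attacker's attempt to blind the logging system would surface to a defender. The source names, field layout, rule chain and time thresholds are all assumptions made for the example.

```python
"""Added example (not from the article or LogRhythm): a minimal cross-source
correlation routine in the spirit of the SIEM use described in the text.
All log lines are constructed sample data; the source names, field layout,
signal chain and thresholds are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events from three independent log sources.  On their
# own none is alarming; together the first three describe one intrusion path.
SAMPLE_LOGS = [
    "2011-09-12T08:02:11Z mailgw   host=ws-114 user=jdoe   event=attachment_delivered name=invoice.docx",
    "2011-09-12T08:05:40Z endpoint host=ws-114 user=jdoe   event=process_start parent=winword.exe child=cmd.exe",
    "2011-09-12T08:06:03Z proxy    host=ws-114 user=jdoe   event=outbound dst=203.0.113.77 first_seen=true",
    "2011-09-12T08:07:15Z endpoint host=ws-201 user=asmith event=process_start parent=explorer.exe child=chrome.exe",
    "2011-09-12T08:09:30Z proxy    host=ws-201 user=asmith event=outbound dst=198.51.100.9 first_seen=false",
]

# The ordered chain the rule looks for per host, and how long the chain may span.
CHAIN = ["attachment_delivered", "process_start_suspicious", "outbound_new_dst"]
WINDOW = timedelta(hours=24)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


def parse(line):
    """Turn one 'ts source k=v ...' line into a dict with a datetime and a normalized signal."""
    ts, source, *pairs = line.split()
    ev = {"ts": datetime.strptime(ts, TS_FMT), "source": source}
    ev.update(p.split("=", 1) for p in pairs)
    # Map each source's own vocabulary onto the signal names the rule understands.
    if ev["event"] == "attachment_delivered":
        ev["signal"] = "attachment_delivered"
    elif ev["event"] == "process_start" and ev["parent"] in OFFICE_APPS and ev["child"] in SHELLS:
        ev["signal"] = "process_start_suspicious"
    elif ev["event"] == "outbound" and ev["first_seen"] == "true":
        ev["signal"] = "outbound_new_dst"
    else:
        ev["signal"] = None  # benign or uninteresting for this rule
    return ev


def correlate(lines):
    """Return one alert per host whose events complete CHAIN, in order, within WINDOW."""
    by_host = defaultdict(list)
    for ev in map(parse, lines):
        if ev["signal"]:
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        stage, chain = 0, []
        for ev in events:
            in_window = not chain or ev["ts"] - chain[0]["ts"] <= WINDOW
            if ev["signal"] == CHAIN[stage] and in_window:
                chain.append(ev)
                stage += 1
                if stage == len(CHAIN):
                    alerts.append({"host": host, "user": ev["user"],
                                   "sources": [e["source"] for e in chain],
                                   "span": chain[-1]["ts"] - chain[0]["ts"]})
                    break
    return alerts


def silent_sources(lines, expected, now, max_gap=timedelta(minutes=15)):
    """Return expected log sources that have not reported within max_gap of 'now'.
    A feed that goes quiet (disabled agent, blocked forwarder) is itself an alert."""
    now = datetime.strptime(now, TS_FMT)
    last = {}
    for ev in map(parse, lines):
        last[ev["source"]] = max(last.get(ev["source"], ev["ts"]), ev["ts"])
    return sorted(s for s in expected if s not in last or now - last[s] > max_gap)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print("ALERT", alert)
    print("silent sources:",
          silent_sources(SAMPLE_LOGS, ["mailgw", "endpoint", "proxy", "dns"], "2011-09-12T08:20:00Z"))
```

Run as-is, the script produces a single alert for host ws-114 built from three different log sources a few minutes apart, while the similar-looking but benign events on ws-201 produce nothing; the silence check reports the constructed `dns` feed (never seen) and `mailgw` (quiet for longer than the 15-minute threshold). In a real deployment the normalization step is where most of the work lives, since every source uses its own field names, and the chain and window would be tuned per environment.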

Whereas APTs are not particularly new, they have been thrust into the spotlight by recent events. In addition to Operation Shady Rat, nations across the world have been pointing fingers at one another, accusing each other of involvement in numerous cyber attacks while denying their own (the amount of effort and organization involved in building sophisticated attacks could suggest they are government backed).

The FBI recently stated that cybercrime now poses the third biggest threat to the US but that it will soon rise to number one. Similarly, last year the UK National Security Strategy reclassified cyber attacks as one of the most serious dangers facing the country.

As the situation continues to escalate, it’s hard not to conclude that we are moving into a period of perpetual cyber warfare. As a result, both national and economic security will increasingly depend on organizations being able to detect anomalous activity in real-time, wherever it occurs across systems. While building a fence around the IT estate will always be important, provisions must be taken to ensure APTs can be detected and reacted to once that perimeter inevitably fails.


Ross Brewer, vice president and managing director of international markets for LogRhythm, has over 22 years of sales and management experience in high tech and information security. Prior to joining LogRhythm, he was a senior executive at LogLogic where he served as vice president and managing director of Europe, the Middle East and Africa (EMEA). Brewer has held senior management and sales positions in Europe for systems and security management vendor NetIQ and security vendor PentaSafe (acquired by NetIQ). He was also responsible for launching Symantec’s New Zealand operations.
