Defending Against the APT Paradigm

A new paradigm is needed in the industry. Networking was created on the logic that connectivity is enabling, and it was implemented in a way that left security as an afterthought. The result is a situation where security is always in catch-up mode.

In those attacks which are not classified as APT, this is normally not very difficult. However, in the case of APT, it is very difficult to profile an attack and get an idea of which technologies would have helped prevent or mitigate it. It’s often impossible to track down the initial point of compromise in an APT attack because the attackers tend to cover their tracks very well.

Taking into account the technology that’s in use today, it’s very challenging, if not impossible, to create a defensive security system which would mitigate an APT attack.

The reality of advanced, state-sponsored attacks is that if the attackers want to get into the network, they will. As a result, the best thing an organization can do is segment its applications, install an early warning detection system, and respond to incidents in a proper manner.

The problem is that most networks today are still relatively “flat”, meaning that both authorized and unauthorized users are able to access sensitive servers on the network. This allows malware and lateral movement attacks to spread across the entire organization, making them very hard to remediate.

The challenge with mitigating APT attacks comes down to the sophistication of the particular attack. First consider that APT attacks are commonly executed using zero-day exploits, exploits that the developer does not know exist, and with newly generated malware which does not get detected by today’s signature-based security products. This means that it’s very difficult to rely on existing security controls to prevent and detect the exploit or malware.

The best way to detect attacks is by putting the application with sensitive intellectual property on a segmented network and only allowing access through a single, secure system – such as the Software Defined Perimeter (SDP). Since the SDP only allows network connectivity to authorized users, it enables the organization to implement detection mechanisms without the challenges associated with false positives.

Another good methodology for detecting these attacks is to place honeypots (or honeynets) on the network near the applications that are being protected. This will provide the organization with an early warning system when an attacker starts to scan your network or probe servers. It also produces very few false positives since nobody should be accessing the honeypot for any legitimate reason. These segmentation strategies and detection systems are key to both preventing and containing APT attacks.
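The honeypot early-warning logic described above can be sketched as follows. This is an added example, not code from the original article; the decoy addresses, the log format and the scan threshold are assumptions, and the log lines are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Assumed decoy addresses placed next to the protected application servers.
HONEYPOTS = {ipaddress.ip_address(a) for a in ("10.20.0.250", "10.20.0.251")}
SCAN_PORTS = 3  # assumed threshold: this many distinct decoy ports counts as a scan

# Constructed flow records: "timestamp src dst dport"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.20.0.14 10.20.0.10 443
2024-05-01T09:00:05Z 10.20.3.77 10.20.0.250 22
2024-05-01T09:00:05Z 10.20.3.77 10.20.0.250 445
2024-05-01T09:00:06Z 10.20.3.77 10.20.0.250 3389
2024-05-01T09:00:09Z 10.20.3.77 10.20.0.251 445
truncated-line 10.20.0.250
2024-05-01T09:12:40Z 10.20.5.9 10.20.0.251 80
2024-05-01T09:13:02Z 10.20.0.14 10.20.0.11 1433
"""

def honeypot_alerts(log_text):
    """Return one alert per source that touched a decoy. No allow-list is needed,
    because no legitimate client has a reason to connect to these addresses."""
    seen = defaultdict(lambda: {"first_seen": None, "ports": set(), "decoys": set()})
    for line in log_text.splitlines():
        try:
            ts, src, dst, dport = line.split()
            src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        except ValueError:
            continue  # skip blank or malformed records instead of aborting
        if dst not in HONEYPOTS:
            continue  # traffic to real servers is out of scope for this check
        rec = seen[src]
        rec["first_seen"] = rec["first_seen"] or ts
        rec["ports"].add(dport)
        rec["decoys"].add(dst)
    alerts = []
    for src in sorted(seen):
        rec = seen[src]
        # Several ports or several decoys from one source looks like a sweep.
        scan = len(rec["ports"]) >= SCAN_PORTS or len(rec["decoys"]) > 1
        alerts.append({"src": str(src), "kind": "scan" if scan else "probe",
                       "first_seen": rec["first_seen"], "ports": sorted(rec["ports"])})
    return alerts

if __name__ == "__main__":
    for alert in honeypot_alerts(SAMPLE_LOG):
        print(alert)
```

Every source in the output warrants investigation; the "scan" or "probe" label only helps with ordering the response.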

Recently, one client called us in because they had discovered that an attacker was pivoting throughout their network and had triggered intrusion detection alerts. As it turns out, the attacker had been inside the network for more than two months before actually triggering any of the internal security systems.

This situation spawned a forensic investigation where our team found that the attackers had gained access to almost every department in the organization – accounting, IT, and even the executive staff. During the investigation, we tracked down a suspicious user account that was added to Active Directory. We were able to trace this account through logs and found that the attackers had not only compromised the Active Directory Domain Controller using a newly released exploit, but they were also able to perform privilege escalation and add themselves as a “Domain Administrator” account.

Since many of the systems in the network were directly connected to Active Directory for authentication, this allowed the attackers to give themselves privileges and access the data for the entire organization. About two weeks into the investigation, we discovered that the initial compromise was due to a spear phishing attack that was sent via email – a user had clicked a link in the email which performed an exploit on the local Java installation of the client. This enabled remote code execution on the client and ultimately a foothold into the organization’s network.
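A detection for the pattern found in this investigation, a newly created account that is promoted into a domain administrator group, can be written as a correlation over directory audit events. This is an added example, not taken from the investigation; the records are constructed and simplified from Windows Security events 4720 (account created) and 4728/4756 (member added to a security group), and the account names, SIDs and 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
GROUP_ADD_IDS = {4728, 4756}   # member added to a global / universal security group
WINDOW = timedelta(hours=24)   # assumed correlation window

# Constructed records, simplified from Windows Security events 4720 and 4728.
S = "S-1-5-21-1111-2222-3333-"
EVENTS = [
    {"time": "2024-03-01T10:00:00", "id": 4720, "SubjectUserName": "hr_provision",
     "TargetUserName": "t.contractor", "TargetSid": S + "1601"},
    {"time": "2024-03-02T01:14:09", "id": 4720, "SubjectUserName": "jsmith",
     "TargetUserName": "svc_updater", "TargetSid": S + "1604"},
    {"time": "2024-03-02T01:15:40", "id": 4728, "SubjectUserName": "jsmith",
     "TargetUserName": "Domain Admins", "MemberSid": S + "1604"},
    {"time": "2024-03-03T08:30:00", "id": 4728, "SubjectUserName": "hr_provision",
     "TargetUserName": "VPN Users", "MemberSid": S + "1601"},
    {"time": "2024-03-05T09:00:00", "id": 4728, "SubjectUserName": "it_admin",
     "TargetUserName": "Domain Admins", "MemberSid": S + "1188"},
]

def privileged_additions(events):
    """Report every addition to a privileged group, rating it 'high' when the
    member account was itself created within WINDOW before the addition."""
    created = {}   # SID -> (creation time, account name)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["TargetSid"]] = (when, ev["TargetUserName"])
        elif ev["id"] in GROUP_ADD_IDS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            born = created.get(ev["MemberSid"])
            fresh = born is not None and when - born[0] <= WINDOW
            findings.append({
                "member": born[1] if born else ev["MemberSid"],
                "group": ev["TargetUserName"],
                "added_by": ev["SubjectUserName"],
                "severity": "high" if fresh else "review",
                "seconds_after_creation":
                    int((when - born[0]).total_seconds()) if fresh else None,
            })
    return findings

if __name__ == "__main__":
    for finding in privileged_additions(EVENTS):
        print(finding)
```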

The top mistakes that companies often make which allow intruders in:

Lack of User Awareness - User awareness training is critical these days. The most common point of entry into networks is through human error - phishing, USB sticks, etc.

Unmanageable Defensive Tools – We have an industry that is full of hundreds of different tools, which is completely unmanageable and unmaintainable. It’s better to have a small set of the right tools which are configured properly than to have a huge number of misconfigured tools.

Lack of Resources – It’s very common for large organizations to have a limited set of resources for security. Security is one of the most challenging problems in business that exists today and it requires a significant amount of resources as a result.

Compliance Not Security – An organization which is focused on compliance is not focused on security. Adhering to a compliance regulation does not mean that your organization is secure, and it can provide you with a false sense of security when security is really a multifaceted problem that requires a lot of attention on its own.

Inadequate Knowledge of Systems – Information systems have scaled so quickly that many organizations are clueless about where their information is being stored, served, and how it’s being protected. The constant innovation being made with information systems has caused these organizations to lose track of where their data exists and how it’s being secured.
