The success of Advanced Persistent Threats (APT) is reportedly so pervasive that detecting and defeating them with any consistency may seem to be a hopeless battle. APTs are also no longer solely the domain of nation-states with vast resources, nor are they focused only on espionage or attacks against military and other government entities. They are “living” on networks in IT, energy, news, telecom, manufacturing and other sectors of the economy. But according to a number of security experts, while it will probably never be possible to eliminate them entirely, it is possible to detect APTs and minimise the damage they cause.
“There are solutions—the sky is not falling,” says Wade Williamson, Senior Security Analyst, Palo Alto Networks. “A lot of times security folks use APTs as an excuse for failure, but it shouldn’t be. There are technologies that can help.”
Williamson is among those who also argue that detecting and defending against APTs effectively will take more than technology. In general, he says, “the biggest change we need is not one of tactics, but strategy. Security must evolve to become a very creative discipline.
“Historically, security held the view of saying no to requests and blocking 100% of threats. Neither of these maxims is practical today. We need security professionals to be inquisitive—to be looking out for the things that don’t exactly make sense, and to ask themselves what it could mean, and how they should look deeper into the issue.
“We will always need automated security that blocks bad things,” Williamson says, “but we also need creative, engaged security experts to be looking for the creative, engaged bad guys on the other end of the connection.”
That said, there are a number of practices security experts recommend for organisations that are serious about the battle with APTs.
1. Use Big Data for analysis and detection
The word from RSA Executive Chairman Art Coviello during his keynote address at the 2013 RSA conference is, “The whole game here is to shift away from a prevention regime—Big Data will allow you to detect and respond more quickly.”
That is endorsed by people like Aviv Raff, Co-Founder and CTO, Seculert, who notes that prevention from the perimeter is impossible; therefore, detection must be “based on the ability to analyse data, which must be gathered from and analysed over sustained time durations. And that’s where Big Data analytics enters the picture.”
Of course, that takes an investment in analysis tools. “IT does not have the automated tools needed to identify infections in a timely manner,” says Brian Foster, CTO at Damballa. “Instead they just have a ton of data. The industry needs to provide Big Data approaches to IT for detecting infections in their network.”
2. Share information with the right people
According to Anton Chuvakin, writing on the Gartner blog last year, the bad guys share “data, tricks [and] methods” much better than the good guys. “It is considered acceptable to sit on the ‘hard-earned’ knowledge of ways you used to detect that proverbial advanced attacker while your peers in other organisations are being owned by the same threat,” he writes.
To get an edge over APTs, he writes, organisations must share information in a way that helps them but doesn’t benefit the attackers and doesn’t violate laws or regulations governing the sharing of sensitive information.
Beyond the legal considerations, however, there are also economic constraints to sharing information. Brian Krebs, a former reporter at The Washington Post and author of the blog Krebs on Security, says he has seen progress in information sharing, but also efforts to hoard it to exploit it financially.
“The past few years have seen the emergence of several companies that make decent profits selling and exploiting this intelligence, so there remains a fair amount of tension between sharing and hoarding information about threat actors and indicators,” he says.
3. Understand the “kill chain”
This is a so-called “phase-based” model, published by Lockheed Martin, that describes the stages an intrusion passes through: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives. Because an attacker has to complete every stage to succeed, breaking any one of them stops the intrusion. As Lysa Myers, a virus hunter for Intego, put it in an InfoSec Institute article, “In essence, it’s a lot like a stereotypical burglary—the thief will perform reconnaissance on a building before trying to infiltrate it, and then go through several more steps before actually making off with the loot.”
Obviously, the closer to the beginning of the chain that one can detect and stop an attack, the better. Damballa’s Foster says attackers “leave a trail of breadcrumbs that can lead right to the infected system. Understanding and analysing this kill chain can be the key to implementing the appropriate defense controls at the necessary stage.”
4. Look for indicators of compromise (IOCs)
This follows directly from understanding the kill chain. No organisation can stop every attack, so the IT team needs to know how to look for symptoms—or breadcrumbs. “This includes looking for the unique ways that an APT might communicate out of the network. Any unique DNS queries or websites it contacts are common IOCs,” Williamson says.
“APTs will often customise their tools to their own needs, which will often provide the anomalies needed to distinguish an APT from normal traffic,” he says. “They will also use a variety of common applications like remote desktop applications, proxies or encrypted tunnels to communicate. Unusual use of these and other applications can be key to finding a true APT. This, of course, requires IT to have a very solid baseline for what is normal in their networks.”
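The baseline-and-anomaly approach Williamson describes, and the analysis over sustained time that Raff and Foster call for in point 1, can be shown in code. The following is an added example, not code from the article or from any of the vendors quoted: it learns the set of domains a network normally resolves from a baseline window of DNS logs, then scores lookups in a later window that are new to the baseline, confined to a single host, or repeated at a near-constant interval, which is the call-home rhythm of a command-and-control beacon, and tags the periodic ones with the matching kill-chain stage from point 3. The log format, the sample log lines, the scoring weights and the thresholds (four queries, 10% jitter) are all constructed for the illustration; the periodicity and single-host checks go beyond the quote, which names only unique DNS queries and sites contacted, but they are standard beaconing heuristics.

```python
"""Added example: hunt DNS indicators of compromise against a traffic baseline."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample logs, one "<ISO-8601 timestamp> <client> <qname>" per line.
# The observed window adds a host resolving an unknown name every five minutes
# (10.0.0.7) and a single lookup of an unknown, machine-looking name (10.0.0.9).
BASELINE_LOG = """\
2013-02-28T09:00:01 10.0.0.5 www.example.com
2013-02-28T09:00:07 10.0.0.6 www.example.com
2013-02-28T09:01:12 10.0.0.7 mail.example.com
2013-02-28T09:02:45 10.0.0.5 cdn.example.net
2013-02-28T09:03:30 10.0.0.9 www.example.com
2013-02-28T09:05:55 10.0.0.7 cdn.example.net
"""

OBSERVED_LOG = """\
2013-03-01T09:00:00 10.0.0.7 sync.files-backup.net
2013-03-01T09:00:03 10.0.0.5 www.example.com
2013-03-01T09:01:40 10.0.0.6 mail.example.com
2013-03-01T09:05:00 10.0.0.7 sync.files-backup.net
2013-03-01T09:06:21 10.0.0.9 www.example.com
2013-03-01T09:10:00 10.0.0.7 sync.files-backup.net
2013-03-01T09:11:09 10.0.0.5 cdn.example.net
2013-03-01T09:15:00 10.0.0.7 sync.files-backup.net
2013-03-01T09:16:33 10.0.0.9 a8f3k2q9x1.cdn-mirror.org
2013-03-01T09:20:00 10.0.0.7 sync.files-backup.net
2013-03-01T09:22:10 10.0.0.6 www.example.com
2013-03-01T09:25:00 10.0.0.7 sync.files-backup.net
2013-03-01T09:27:45 10.0.0.5 mail.example.com
"""


def parse(log_text):
    """Yield (timestamp, client, qname) tuples from the log format above."""
    for line in log_text.strip().splitlines():
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def beacon_period(timestamps, min_queries=4, max_jitter=0.1):
    """Return the mean gap in seconds if the lookups are periodic, else None.

    Periodicity is judged by the coefficient of variation of the gaps between
    consecutive queries: automated call-home traffic keeps it small, human
    browsing does not. The thresholds are assumptions for this illustration.
    """
    if len(timestamps) < min_queries:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    jitter = statistics.pstdev(gaps) / mean
    return mean if jitter <= max_jitter else None


def find_iocs(baseline_log, observed_log):
    """Score every (client, domain) pair of the observed window against the baseline.

    Returns findings sorted by descending score; pairs with nothing unusual
    are dropped. The weights are assumptions chosen for the illustration.
    """
    known = {qname for _, _, qname in parse(baseline_log)}
    clients_per_domain = defaultdict(set)        # across both windows
    for _, client, qname in [*parse(baseline_log), *parse(observed_log)]:
        clients_per_domain[qname].add(client)
    per_pair = defaultdict(list)                 # (client, qname) -> [timestamps]
    for ts, client, qname in parse(observed_log):
        per_pair[(client, qname)].append(ts)

    findings = []
    for (client, qname), stamps in per_pair.items():
        reasons, score = [], 0
        if qname not in known:
            reasons.append("not seen in baseline window")
            score += 1
        if len(clients_per_domain[qname]) == 1:
            reasons.append("resolved by a single host only")
            score += 1
        period = beacon_period(stamps)
        if period is not None:
            reasons.append(f"periodic lookups every {period:.0f}s")
            score += 2
        if reasons:
            findings.append({
                "client": client, "domain": qname, "score": score,
                "reasons": reasons, "period": period,
                # Regular call-home traffic is the command-and-control stage of
                # the kill chain; anything else needs an analyst to classify it.
                "stage": "command and control" if period else "undetermined",
            })
    return sorted(findings, key=lambda f: (-f["score"], f["domain"], f["client"]))


if __name__ == "__main__":
    for f in find_iocs(BASELINE_LOG, OBSERVED_LOG):
        print(f"{f['client']:<10} {f['domain']:<28} score={f['score']} "
              f"stage={f['stage']} :: {'; '.join(f['reasons'])}")
```

On a real resolver log the baseline window should span days or weeks, not one morning, and the flagged pairs are leads for an analyst to run down rather than verdicts: a newly adopted SaaS vendor or a software updater trips the same checks, which is exactly why the quote stresses having a solid baseline first.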
5. Test your network
This can include active analysis or sandboxing. “One of the best ways to determine if something is bad is to actually run it and see if it behaves badly,” Williamson says.
Blogger Krebs adds that while there are vulnerability management tools to help close obvious holes, “there is no substitute for periodically hacking your own networks (or paying someone else to do it) to find out where you are vulnerable. As the saying goes, everyone gets pen-tested, whether or not they pay for it.”
6. Support more training for APT hunters
Edwin Covert, Cybersecurity Analyst, Booz Allen Hamilton, argued recently in a post on Infosec Island that the industry needs a “new training model” for APT hunters, since the standard skills of an information security specialist are not enough.
“APT mitigation requires the ability to see things that are not readily apparent,” he writes. “The CISSP (Certified Information Systems Security Professional) was designed for technical managers, not APT hunters.”
And the need for specialists is critical. Covert quotes SANS Institute Director Alan Paller as saying there is a need for more than 30,000 APT specialists, but that “only about 1,000 to 2,000 have the necessary skills to combat the numerous real-life scenarios happening in today’s organisations.”