
Protecting Against Persistent Threats

Sophisticated and sustained cyberattacks that are perpetrated to steal trade secrets, rather than financial assets, frequently go undetected by traditional signature-based antimalware solutions.

Many organizations do not know they have been victimized, says Bryan Sartin, director of investigative response at Verizon Business. Nearly 90 percent of organizations only learn they have been infected when told by an outside security firm, law enforcement, or other source.

Called advanced persistent threats (APTs), these attacks have been aimed at organizations with particularly valuable intellectual property. But they are now being aimed at a wider variety of targets, says Jon Oltsik, a principal analyst at the Enterprise Strategy Group. One reason is that the attacks are becoming simpler to execute and use.

Many organizations focus on the perimeter when protecting against attacks, but looking for suspicious activity inside the network can be a good way to protect against APTs, says Christopher Ling, a senior vice president at Booz Allen.

Many APT attacks are initiated by first gaining access to an employee’s password, perhaps through trickery. As the next step, the attacker searches throughout the network for higher-level administrative passwords. Knowing how this scheme works can help security teams spot the attacks.

Monitoring logs for this type of scanning traffic is another good way to detect an APT. Malicious activity on a network can almost always be detected in an organization’s event logs, says Sartin. The trouble is that there is so much data that it can be hard to know where to look. Security information and event management (SIEM) solutions can help, he notes. Such tools can be complex to use, however, and the company may need to contract with a service provider that has the expertise needed to make them more effective.
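The credential-hunting pattern described above (one stolen password used to probe host after host in search of administrative access) leaves exactly the kind of trail in authentication logs that the previous two paragraphs say to look for. The following is an added example, not code from the article or from any of the experts quoted in it: it runs over a few constructed authentication events in a hypothetical key=value format and flags any account that reaches an unusually large number of distinct hosts inside a short window. The window size and host threshold are tuning assumptions; real values come from the environment's own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the article). The
# key=value layout is a hypothetical normalised format such as a SIEM might
# emit; one event per line.
SAMPLE_AUTH_LOG = """\
2012-03-01T09:58:02 user=jdoe src=10.0.1.5 dst=ws01 result=success
2012-03-01T10:00:01 user=jdoe src=10.0.1.5 dst=fs01 result=success
2012-03-01T10:00:04 user=jdoe src=10.0.1.5 dst=fs02 result=failure
2012-03-01T10:00:07 user=jdoe src=10.0.1.5 dst=db01 result=failure
2012-03-01T10:00:09 user=jdoe src=10.0.1.5 dst=dc01 result=failure
2012-03-01T10:00:12 user=jdoe src=10.0.1.5 dst=dc02 result=success
2012-03-01T10:00:15 user=jdoe src=10.0.1.5 dst=admin-jump result=success
2012-03-01T10:01:00 user=asmith src=10.0.2.9 dst=ws12 result=success
2012-03-01T11:30:00 user=asmith src=10.0.2.9 dst=fs01 result=success
"""

# Tuning assumptions: a real threshold comes from the environment's own baseline.
WINDOW = timedelta(minutes=5)
DISTINCT_HOST_THRESHOLD = 4


def parse_auth_line(line):
    """Turn one 'TIMESTAMP k=v k=v ...' line into a dict with a datetime."""
    ts_text, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def find_credential_hunting(log_text, window=WINDOW, threshold=DISTINCT_HOST_THRESHOLD):
    """Flag accounts that authenticate to many distinct hosts within one window.

    One account touching many systems in minutes, with failures mixed in, is
    the pattern of a compromised password being used to hunt for more.
    """
    events_by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_auth_line(line)
            events_by_user[event["user"]].append(event)

    alerts = []
    for user, events in events_by_user.items():
        events.sort(key=lambda e: e["ts"])
        best = None  # the window with the most distinct hosts for this account
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in the window.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            hosts = {e["dst"] for e in span}
            if best is None or len(hosts) > best["distinct_hosts"]:
                best = {
                    "user": user,
                    "src": span[0]["src"],
                    "window_start": span[0]["ts"].isoformat(),
                    "window_end": span[-1]["ts"].isoformat(),
                    "distinct_hosts": len(hosts),
                    "failures": sum(1 for e in span if e["result"] == "failure"),
                    "hosts": sorted(hosts),
                }
        if best is not None and best["distinct_hosts"] >= threshold:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_credential_hunting(SAMPLE_AUTH_LOG):
        print(f"{alert['user']} from {alert['src']} reached {alert['distinct_hosts']} hosts "
              f"({alert['failures']} failures) between {alert['window_start']} "
              f"and {alert['window_end']}: {', '.join(alert['hosts'])}")
```

On the constructed input, jdoe is flagged for reaching seven hosts in just over two minutes with three failures along the way, while asmith's two logons hours apart are not. In practice the threshold should be set per account type (a help-desk account legitimately touches many hosts), and the same counting logic can be pointed at service-ticket or share-access logs, which is where the "search for administrative passwords" step usually shows up.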

Another way to defeat APTs is to keep them from sending out the data they harvested. Thus, a goal should be to see what’s “egressing the network,” says Sartin.

To that end, companies should look for suspicious patterns, and they should look for signs that communications are being directed to unauthorized domain name system servers. If the logs show unexplained, atypical, or unauthorized communications to and from China, for example, that should be a red flag.

Spotting anomalies can be difficult. Internet communications can be masked to appear legitimate, explains Sartin. But newer tools, such as inference engines, are making it possible to better pinpoint malicious activity.

Such tools take a snapshot of individual hosts and operating systems, including which ports they tend to use when connecting to the Internet. They then test such systems’ communications over time and conduct vulnerability assessments specifically geared to each host.
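The egress checks described above (watching for unexplained communications and for DNS traffic to unauthorized servers) and the baselining approach in the last paragraph (snapshotting which ports each host normally uses to reach the Internet, then testing later traffic against it) can be combined in a small amount of code. The following is an added example, not code from the article or from any product it mentions. It runs over constructed flow records; the sanctioned resolver addresses, the internal address range, and the record format are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: the organisation's sanctioned resolvers and its
# internal address space. Both would come from the real environment.
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records (not from the article): "ts src dst proto dport".
# The baseline period is what the tool "snapshots"; the recent period is tested.
BASELINE_FLOWS = """\
2012-02-01T08:00:00 10.0.1.5 10.0.0.53 udp 53
2012-02-01T08:00:01 10.0.1.5 198.51.100.20 tcp 443
2012-02-01T08:05:00 10.0.1.5 198.51.100.21 tcp 80
2012-02-01T08:06:00 10.0.1.6 10.0.0.53 udp 53
2012-02-01T08:06:01 10.0.1.6 198.51.100.20 tcp 443
"""

RECENT_FLOWS = """\
2012-03-01T10:02:00 10.0.1.5 198.51.100.20 tcp 443
2012-03-01T10:02:30 10.0.1.5 8.8.8.8 udp 53
2012-03-01T10:03:00 10.0.1.5 203.0.113.10 tcp 8443
2012-03-01T10:04:00 10.0.1.6 10.0.0.53 udp 53
2012-03-01T10:04:01 10.0.1.6 198.51.100.20 tcp 443
2012-03-01T10:05:00 10.0.1.6 10.0.3.7 tcp 445
"""


def parse_flows(text):
    """Yield one dict per non-empty 'ts src dst proto dport' line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, dport = line.split()
            yield {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def build_egress_baseline(flows):
    """Per source host: the (proto, port) pairs it used to reach the Internet."""
    baseline = defaultdict(set)
    for f in flows:
        if not is_internal(f["dst"]):
            baseline[f["src"]].add((f["proto"], f["dport"]))
    return baseline


def find_suspicious_egress(baseline, flows, authorized_resolvers=AUTHORIZED_RESOLVERS):
    """Return (reason, source host, detail) tuples for flows worth a look."""
    alerts = []
    for f in flows:
        # DNS to anything other than the sanctioned resolvers, inside or outside,
        # is a classic sign of a foothold talking to its operator.
        if f["dport"] == 53 and f["dst"] not in authorized_resolvers:
            alerts.append(("unauthorized_dns", f["src"], f["dst"]))
            continue
        if is_internal(f["dst"]):
            continue  # east-west traffic is out of scope for an egress check
        # An Internet-bound port this host has never used before.
        if (f["proto"], f["dport"]) not in baseline.get(f["src"], set()):
            alerts.append(("new_egress_port", f["src"],
                           f"{f['proto']}/{f['dport']} to {f['dst']}"))
    return alerts


if __name__ == "__main__":
    baseline = build_egress_baseline(parse_flows(BASELINE_FLOWS))
    for reason, host, detail in find_suspicious_egress(baseline, parse_flows(RECENT_FLOWS)):
        print(f"{reason}: {host} -> {detail}")
```

On the constructed input the workstation 10.0.1.5 is flagged twice, once for resolving names through 8.8.8.8 instead of the internal resolvers and once for opening tcp/8443 to an Internet host it had never used that port for, while its routine HTTPS traffic and the other host's internal SMB connection pass. Two caveats a practitioner would want: a host absent from the baseline flags every outbound flow, so the baseline period must be long enough to cover each host's normal behaviour, and a baseline captured after a compromise will quietly bless the attacker's channel as normal.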

End-user education is another key component of APT protection, says Oltsik. That’s because many APT attacks begin with phishing attacks in which attackers use e-mails to trick end-users into downloading malware.

Employees need to be taught what to look out for. They also should be told what type of data or information an attacker may be most likely to target in one’s organization, says Ling. A company that sells advanced high-tech devices, for example, might consider paying particular attention to suspicious activity surrounding the details of a forthcoming or new product.

The bottom line is that companies can expect APTs to be as persistent as their name indicates. And business executives must be equally vigilant in fighting against them with a multilayered defensive process.