Why on Earth are APTs still all the rage in the security space? The topic is so last year right? Well, not really. We have learned a good deal from how targets have responded, and that can help you to proactively prepare a strategy in the event that your organization winds up in the cross hairs. Having a strategy beforehand assumes that they will get in…which let’s face it, if your organization is targeted…they will. (For more on the security approach of assuming you’ve been hacked, check out my colleague Nimmy Reichenberg’s article for SecurityWeek.) First there will be the target, and surprise, surprise, it very well might not be your company. Your organization could very well be a mere stepping stone as a supplier or partner.
Proper attack methodology is not some arcane art. It is a rather mundane, systematic, step-by-step, and reproducible strategy that you can find in any hacking book a decade old. They don’t rely on ethereal voodoo or making it up as they go along. It is teamwork, planning, reconnaissance, preparation, and a playbook. More than likely there will be multiple teams trying to get inside, with one potentially acting as a distraction cover for the others. You nail one? Well that is it, right? This is where the “persistent” comes in. The other groups become silent and can afford the time to do so if they enjoy financial sponsorship. Standard attackers are limited economically to comparatively short term goals by the pesky requirement of the time required to put food on the table.
Want to know how to tell you really got them? The doors start rattling again. New zero days with custom malware payloads appear in suspicious emails that paranoid end users catch and send to your reporting address. End users report odd calls from people claiming to be system administrators who want them to confirm their password. The worst is silence. That means they are likely still there … somewhere, resident, with a known or unknown objective. How do you secure your network from this sort of threat while allowing the end users to continue to work? Anomaly detection of user access and logging is a good start. Vulnerability management and effective patching reduce the chances of elevation of privilege from within the network. Systematically minimizing known threats, and understanding the effective security policy your firewalls actually enforce while reducing known risks, are also important steps.
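As an added illustration of the "anomaly detection of user access" point (example code written for this post, not part of the original article), the script below builds a per-user baseline from a window of successful logins and then flags three things in later events: a login from a source address never seen for that user, a login outside working hours, and a success that follows a burst of failures. The log lines, the key=value format, the working-hours window and the burst threshold are all constructed assumptions; a real deployment would swap in a parser for its own authentication logs.

```python
"""Added example: simple anomaly detection over constructed user-access log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an invented "key=value" format (assumption: your
# real auth logs need their own parser). Days 4-6 are the baseline window;
# day 8 contains an off-hours login from a new address after three failures.
SAMPLE_LOG = """\
2024-03-04T09:12:33 user=alice src=10.1.2.3 result=success
2024-03-04T09:15:10 user=bob src=10.1.2.7 result=success
2024-03-05T08:58:01 user=alice src=10.1.2.3 result=success
2024-03-05T09:01:44 user=bob src=10.1.2.7 result=success
2024-03-06T09:03:12 user=alice src=10.1.2.3 result=success
2024-03-06T17:40:09 user=bob src=10.1.2.7 result=success
2024-03-08T02:14:51 user=alice src=10.9.9.9 result=failure
2024-03-08T02:14:55 user=alice src=10.9.9.9 result=failure
2024-03-08T02:15:02 user=alice src=10.9.9.9 result=failure
2024-03-08T02:15:20 user=alice src=10.9.9.9 result=success
2024-03-08T10:20:00 user=bob src=10.1.2.7 result=success
"""

WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 is a normal login window
FAIL_BURST = 3             # assumption: this many failures before a success is suspicious


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_baseline(events, before):
    """Per-user set of source addresses seen in successful logins before `before`."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < before and e["result"] == "success":
            baseline[e["user"]].add(e["src"])
    return baseline


def detect_anomalies(events, baseline_cutoff):
    """Return (timestamp, user, reason) tuples for successful logins at or after the cutoff."""
    baseline = build_baseline(events, baseline_cutoff)
    alerts = []
    recent_failures = defaultdict(int)  # user -> failures since last success
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ts"] < baseline_cutoff:
            continue
        user, ts = e["user"], e["ts"]
        if e["result"] == "failure":
            recent_failures[user] += 1
            continue
        reasons = []
        if e["src"] not in baseline[user]:          # unknown user gets an empty set
            reasons.append("new source %s" % e["src"])
        if ts.hour not in WORK_HOURS:
            reasons.append("off-hours login at %02d:%02d" % (ts.hour, ts.minute))
        if recent_failures[user] >= FAIL_BURST:
            reasons.append("success after %d failures" % recent_failures[user])
        recent_failures[user] = 0
        for r in reasons:
            alerts.append((ts.isoformat(), user, r))
    return alerts


def demo():
    """Run the detector over the constructed log with day 7 as the cutoff."""
    return detect_anomalies(parse_log(SAMPLE_LOG), datetime(2024, 3, 7))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Each rule on its own is noisy (people travel, people work late), which is why the three reasons are reported together for the same event: one login that trips all of them at once is worth a phone call, while a single off-hours login from a known address usually is not.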
Network segmentation gives you a better chance of determining where the threat is coming from and isolating it pending cleanup. In this case, properly configured zones of firewalls are not as obsolete as the APT zero day doomsayers might have you believe. Segmentation creates barriers for the attackers to overcome, and allows you to see abnormal increases in hits on ports. This can help you understand what the target(s) is/are. It can also help you isolate the C&C from the compromised hosts inside your network. Tracking spikes in access will allow you to find out what they are accessing, so you can stop the attack if exfiltration is underway. Naturally, stopping an attack tips your hand that the game is up, which could make finding all the groups harder. Law enforcement may even request that you let the attack continue so the objectives become clear.
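To show what "abnormal increases in hits on ports" between zones can look like in practice, here is an added example (written for this post, not code from the original article) that buckets inter-zone firewall hits by hour, compares each hour on the day under review against the mean of earlier days, and then summarizes who generated a spike and how many hosts they touched. The traffic is constructed in code and labelled as such, the zone and field names are invented, and the spike factor and minimum-hit threshold are assumptions to tune against your own baseline.

```python
"""Added example: per-zone port-hit spike detection over constructed firewall events."""
from collections import Counter, defaultdict
from statistics import mean


def make_sample_events():
    """Constructed traffic (assumption, not captured data): four days of steady
    user->server SMB and HTTPS hits, plus one hour on day 7 where a single
    user-zone host hits port 445 on fifty different servers."""
    events = []  # tuples of (hour_bucket, zone, src, dst, dport)
    for day in (4, 5, 6, 7):
        for hour in range(8, 18):
            bucket = "2024-03-%02dT%02d" % (day, hour)
            for i in range(5):    # a handful of SMB hits to the file server
                events.append((bucket, "user->server", "10.1.0.%d" % (10 + i), "10.20.0.5", 445))
            for i in range(30):   # steady HTTPS to the intranet server
                events.append((bucket, "user->server", "10.1.0.%d" % (10 + i), "10.20.0.8", 443))
    for i in range(200):          # day 7, 14:00: one host sweeps port 445 across the zone
        events.append(("2024-03-07T14", "user->server", "10.1.0.77", "10.20.0.%d" % (i % 50 + 1), 445))
    return events


def hourly_counts(events):
    """(zone, dport) -> Counter of hits per hour bucket."""
    counts = defaultdict(Counter)
    for hour, zone, _src, _dst, dport in events:
        counts[(zone, dport)][hour] += 1
    return counts


def find_spikes(events, eval_day, factor=4.0, min_hits=20):
    """Flag (zone, dport, hour, hits, baseline_mean) for buckets on eval_day whose
    hit count exceeds `factor` times the mean hourly count on earlier days.
    `min_hits` keeps a jump from 1 to 5 hits on a quiet port from alerting."""
    spikes = []
    for (zone, dport), per_hour in hourly_counts(events).items():
        baseline = [n for h, n in per_hour.items() if not h.startswith(eval_day)]
        if not baseline:
            continue
        base = mean(baseline)
        for h, n in sorted(per_hour.items()):
            if h.startswith(eval_day) and n >= min_hits and n > factor * base:
                spikes.append((zone, dport, h, n, base))
    return spikes


def describe_spike(events, zone, dport, hour, top=3):
    """Who drove the spike and how many hosts they touched: one source hitting
    many destinations reads like a sweep, many sources hitting one destination
    reads like a target being worked."""
    srcs, dsts = Counter(), set()
    for h, z, src, dst, p in events:
        if (h, z, p) == (hour, zone, dport):
            srcs[src] += 1
            dsts.add(dst)
    return {"top_sources": srcs.most_common(top), "distinct_destinations": len(dsts)}


def demo(eval_day="2024-03-07"):
    """Evaluate the constructed traffic for one day and attach a summary to each spike."""
    events = make_sample_events()
    return [(zone, dport, hour, n, base, describe_spike(events, zone, dport, hour))
            for zone, dport, hour, n, base in find_spikes(events, eval_day)]


if __name__ == "__main__":
    for spike in demo():
        print(spike)
```

The point of the summary step is the one the paragraph makes: the spike itself tells you a barrier is being probed, while the source and destination breakdown tells you which hosts to look at and whether you are seeing reconnaissance of a zone or traffic concentrated on a specific target.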
Some of the best advice I have heard regarding APTs came during a meeting with the CSO of a large enterprise, and it encompasses a lot of what I have just said: know your network and have a plan. If the first time you try to understand how traffic is getting through from individual firewall configuration reports is after the attack is identified and underway, you are going to have a proper fire drill.