3. EXPLORATION / EXPANSION OF THE ATTACK

Now that the attacker has successfully gained control of a system in the target environment, the infected system can be used as a conduit into the target network and as a deployment mechanism for additional tools. An attempt is also often made to exploit vulnerabilities on other internal systems to gain further access and move deeper into the target’s network to expand control. During this next phase of the attack:

• The compromised system is used to gain access into the target network
• Additional tools may be deployed that help fulfill the attack objective
• Information is captured over an extended period of time

4. DATA THEFT / EXTRACTION

Once network access has been achieved, data such as passwords, files, databases, email accounts and other potentially valuable data can be easily stolen and sent back to the attacker for analysis and further exploitation — or worse.

Even after data has been stolen, an attacker may decide to remain present on the target network. This requires the attacker to cover their tracks in order to evade detection and maintain access for future initiatives.

Reducing the APT Risk

However, the best defensive tactics require going beyond the implementation of common security solutions and necessitate developing a thorough situational awareness and understanding.

Organizations should already have a strong information security strategy in place. By ensuring that standard best practices are stringently followed, some APT threats can be avoided. These measures include:

• Install comprehensive security on all devices – particularly as malware is a key component in successful APT attacks
• Use a firewall to limit access to the network and monitor network traffic to stop malware from communicating. This will not stop all attacks, as many APTs know how to bypass this protection, but it will make it more difficult for potential attackers
• Use spam filtering technologies (many attacks start from spam messages)
• Use anti-virus software. Half of sophisticated attacks use previously undiscovered vulnerabilities and older tools. Furthermore, look for an anti-virus solution that includes a Host Intrusion Prevention System component that can spot exploits before they trigger and block the malware that those exploits might implant
• Implement an email and social networking usage policy (including training employees not to click on attachments or links received from contacts that are unknown or suspicious)
• Use strong passwords
• Maintain a solid patch management process. Make sure that you aren’t missing updates you thought were protecting you
• Update/upgrade computers to newer, supported versions. Older software is often easier to exploit

Specific methods your organization can take to further reduce the APT risk include:

• Install a Security Information Event Management (SIEM) system to provide a holistic view of the organization’s IT security. Having one single point for the collection, review and notification of security alerts, as well as the audit information related to sensitive data access, will make it easier to spot trends and see patterns that are out of the ordinary
• Scan for security vulnerabilities on a very regular basis. Organize internal security staff who are specifically trained in the tasks of monitoring the network, gathering intelligence and recognizing the signs of suspected APT attacks
• Implement Data Leak Prevention/Data Loss Prevention (DLP) technologies designed to:
  • Use business rules to classify and protect confidential information so that unauthorized users cannot accidentally or maliciously share data whose disclosure could put the organization at risk
  • Scan outbound email and web traffic against a dynamic set of rules to prevent unauthorized data from leaving the organization
• Increase traffic monitoring for malicious outbound activity such as requests to malicious websites, dynamic DNS servers and sensitive file transfers

“Ensure that your organization has and understands ‘separation of duties.’ This is a difficult component for many organizations as it costs money and adds staff,” White stated. “The problem I have seen in many organizations is that the IT function is also often the security function – this leads to the problem of ‘who’s watching the watchers.’ There must be separation — absolute power cannot be allowed to settle in IT. Even when organizations do this, they need to be careful. All too often we see the security officer for the network getting absorbed back into IT when things get tight, and suddenly the network administrator is also the security officer and the reporting officer for the network.”

White continued, “The other component of separation is to not allow one individual to become the single point of failure. I have dealt with several cases where a single individual had all the root passwords, logins, etc. If this person is compromised, they can access/destroy/reveal everything. It would be a lot easier and less expensive to just target personnel with traditional espionage approaches or extortion than to develop advanced worms, etc.”

“Be aware, APTs can be insidious. I wouldn’t expect it to happen quickly nor to be one dimensional,” added White. “If I was designing an attack on an organization, the idea of a Trojan hidden in servers for a long time that suddenly springs to life is very appealing. If this Trojan was buried in the millions of files on the server, it would be very hard to find. This is why layered security is so critical, as is the audit of that security on a regular basis.”

Dr. White adds that “advanced persistent training” is the only successful way to prevent APTs from happening. “You can patch, firewall, lock down, etc., until you have exhausted the budget — and the weak link can still be the person who brings in a flash drive found in the parking lot.”

CURRENT 2015-2016
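The outbound-traffic monitoring recommended above (requests to malicious websites, dynamic DNS hosts and sensitive file transfers) can be prototyped as a small rule engine over proxy logs before it is wired into a SIEM or DLP product. The following is an added example, not code from the article; the log format, domain lists, byte threshold and sample lines are all constructed for illustration.

```python
"""Outbound-traffic monitor over constructed proxy log lines (added example).

Flags three of the indicators the article lists: requests to known-bad
domains, requests to dynamic DNS hosts, and large cumulative uploads to one
host that may be a sensitive file transfer. Lists and threshold are constructed;
a real deployment would feed them from threat intelligence and DLP rules.
"""
import re
from collections import defaultdict

MALICIOUS_DOMAINS = {"bad-host.example"}                      # constructed
DYNAMIC_DNS_SUFFIXES = (".dyn-example.net", ".free-dns-example.org")  # constructed
EXFIL_BYTES_PER_HOST = 5_000_000  # bytes uploaded to one host within the log window

# Constructed log format: "<timestamp> <src_ip> <method> <host> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

def parse_line(line):
    """Return a record dict for a well-formed line, or None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, sent = m.groups()
    return {"ts": ts, "src": src, "method": method,
            "host": host.lower(), "bytes_out": int(sent)}

def analyze(lines):
    """Return de-duplicated (src_ip, host, reason) alerts in first-seen order."""
    alerts, seen = [], set()
    uploaded = defaultdict(int)  # (src, host) -> cumulative bytes sent via POST/PUT

    def alert(key, reason):
        if (key, reason) not in seen:
            seen.add((key, reason))
            alerts.append((key[0], key[1], reason))

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of stopping the monitor
        key = (rec["src"], rec["host"])
        if rec["host"] in MALICIOUS_DOMAINS:
            alert(key, "request to malicious domain")
        if rec["host"].endswith(DYNAMIC_DNS_SUFFIXES):
            alert(key, "request to dynamic DNS host")
        if rec["method"] in ("POST", "PUT"):
            uploaded[key] += rec["bytes_out"]
            if uploaded[key] >= EXFIL_BYTES_PER_HOST:
                alert(key, "large outbound transfer (possible sensitive file exfiltration)")
    return alerts

SAMPLE_LOG = [  # constructed sample lines
    "2015-11-03T09:12:01 10.0.0.15 GET intranet.corp.example 512",
    "2015-11-03T09:15:40 10.0.0.21 GET c2relay.dyn-example.net 300",
    "2015-11-03T09:16:05 10.0.0.21 POST c2relay.dyn-example.net 3000000",
    "2015-11-03T09:16:50 10.0.0.21 POST c2relay.dyn-example.net 2500000",
    "2015-11-03T09:20:13 10.0.0.33 GET bad-host.example 100",
    "garbage line that should not parse",
]

if __name__ == "__main__":
    for src, host, reason in analyze(SAMPLE_LOG):
        print(f"ALERT {src} -> {host}: {reason}")
```

The cumulative-upload rule fires only once the total crosses the threshold, so two uploads that are individually unremarkable are still caught together, which is the pattern a per-request check would miss.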