
APT attacks clarified

By Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, ISACA International Vice President.

Recent large-scale security breaches have highlighted an emerging class of threat to networks: the advanced persistent threat. However, confusion exists as to what exactly an advanced persistent threat (APT) is and, even more importantly, how to manage the risks associated with it. According to a recent study by ISACA, 94 percent of the 1,500 respondents believe APTs represent a credible threat to national security and economic stability. More worryingly, more than one in five said their enterprise had already experienced an APT attack (and that represents only the ones who are aware they were attacked). Of those that are left, over 60 percent say that it’s only a matter of time before their enterprise is targeted. Are the controls your organization is using sufficient to adequately protect the enterprise network from these persistent attacks?

APTs were at first thought to be limited to government networks, but it soon became clear that they can have a serious impact on all enterprises. Large-scale breaches made international headlines, and Stuxnet and Flame became widely known. Perhaps one of the most widely reported APT attacks, because of the organizations affected as a result, was the breach experienced by the security firm RSA in 2011. Its investigations identified an APT as the initial catalyst that opened the door to the attackers.

What is an APT?

Stealthiness, adaptability and persistence characterise this class of threat. For example, while traditional cyber-threats will try to exploit a vulnerability and, when unsuccessful, move on to something less secure, APTs don’t give up. The people and groups behind APT attacks are determined and have the resources available to launch zero-day attacks on enterprises, making it hard to defend against them.

The APT is advanced and stealthy, often possessing the ability to conceal itself within the enterprise network traffic, interacting just enough to get what it needs to accomplish its job. This ability to disguise itself and morph when needed can be crippling to security professionals’ attempts to identify or stop an APT attack. The APT’s single-minded persistence on pursuing its target and repeated efforts to complete the job it has been created to do means it will not go away after one failed attempt. It will continually attempt to penetrate the desired target until it meets its objective.

Spear phishing is a very common method used by those launching APTs as an entry point to an enterprise. Email filters are often not effective enough to identify these well-designed communications, and it takes just a single user being tricked into clicking a link or opening an attachment for an APT to execute the first phase of an attack. Adding the human factor to a threat class that does not rely on known vulnerabilities makes defence and prevention even more challenging.

Another difference between APTs and other attacks is the objective: the theft of intellectual property (espionage) rather than immediate financial gain. The target could be critical research, enterprise intellectual property or government information, among other things.

Can they be stopped?

The reason APTs are so successful is they don’t just take one form or another. They come in many guises and will employ a variety of ‘tactics’ to successfully complete their mission. For this reason, there is no one single method to defend against them. Instead ISACA advises that organizations must take a holistic, multi-layered approach:

1) Get technical (but don’t stop there).
The technical controls that respondents to the above ISACA survey most often said they use to defend against APTs are network perimeter technologies such as firewalls and access lists within routers, as well as anti-malware and antivirus. While these controls are effective at defending against traditional attacks, they are not as well suited to preventing APTs.

This is true for a number of reasons: APTs exploit zero-day vulnerabilities, which are unknown to defenders and therefore unpatched, and many APTs enter the enterprise through well-designed spear phishing attacks. For this reason, additional controls, such as network segregation, continuous monitoring, mobile device management systems and an increased focus on email security and user education, are all beneficial.

Don’t forget, it’s not just about your organization. Consideration must also be given to third parties to ensure that the data you outsource remains protected, even if the provider itself experiences an APT attack. Don’t be afraid to ask what’s being done to protect your data. You might even learn something that could be useful within your own enterprise.

2) Get Organized.
Managing a successful APT attack is not always as easy as removing the offending malware. Many APTs are adaptable and have the ability to change to suit the circumstances. Typical incident response plans designed to stop and remediate an intrusion might not be suitable for an APT; the plans should be reviewed and specific provisions for APTs should be considered.

Look at where the vulnerabilities exist within your organization and implement plans and procedures that will help deflect these types of attacks.

3) Get educated.
As mentioned previously, APTs will look to exploit the human factor with social engineering, one of the most successful weapons that APTs employ. It stands to reason, therefore, that the workforce has a critical role to play in defending against these attacks. For example, make employees aware that the information they post on social networks can be researched and used as intelligence by criminals. Hold regular training sessions to make sure they know how to spot and stop spear phishing attacks.

And it’s not just the general workforce that needs to be trained: those building and manning the defences also need to keep abreast of developments. Keep informed of how these attacks are continuously being adapted so that you remain aware of the attack methods these criminals are using. Attend training sessions and seminars designed to keep you informed of the latest attack vectors.

APTs are a relatively new phenomenon. They are different from traditional threats and need to be considered as a distinct class of threat. Leveraging a variety of preventive and detective technical controls, as well as education, training and policy, will all help reduce the likelihood of a successful breach. This holistic approach will help ensure that when it’s your organization’s turn to be attacked you are able to deal with it appropriately.

The author

ISACA International Vice President Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, is the head of information security at INTRALOT GROUP, a Greece-based multinational supplier of integrated gaming and transaction processing systems, where he manages information security in more than 50 countries in all continents.

ISACA is exhibiting at Infosecurity Europe 2013, held on 23rd – 25th April 2013 at Earl’s Court, London. For further information, please visit www.infosec.co.uk.

ISACA recently released an APT study, available as a free download at www.isaca.org/cybersecurity.

Date: 22nd March 2013 • Region: World • Type: Article • Topic: ISM
