Welcome Guest. | Log In | Register | Membership Benefits


Topics:   Insider Threat Tech Center : Security Views

Advanced Persistent Threat: The Insider Threat

APT is the buzzword everyone is using. Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give. But people fail to realize that the vulnerabilities these threats compromises are the insider -- not the malicious insider, but the accidental insider who clicks on the wrong link.

Aug 16, 2010 | 12:37 PM | 

By Eric Cole
Dark Reading

APT is the buzzword everyone is using. Companies are concerned about it, the government is being compromised by it, and consultants are using it in every presentation they give. But people fail to realize that the vulnerabilities these threats compromises are the insider -- not the malicious insider, but the accidental insider who clicks on the wrong link.One of the main reasons organizations are broken into today is because they are fixing the wrong vulnerabilities. If you fix the threats of three years ago, then you will lose. APT allows organizations to focus on the real threats that exist today -- with the biggest threat being the people problem who already have access and are inside your network.

While APT is important, we need to clear the smoke and hype, focusing on why it is important and what it means to you. Instead of just using it as a buzzword, if we understand the core components of APT, we can use it to improve our security. In APT, threat drives the risk calculation. Only by understanding the offensive threat will an organization be able to fix the appropriate vulnerabilities.

APT is the new way attackers are breaking into systems. APT is a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will. The following are the important things to remember:

1) APT focuses on any organization, both government and non-government organizations. Some people make the mistake of thinking that the APT is only focused on Department of Defense (DoD) sites. When it comes to the Internet, the lines between government and commercial are blurring and anything that could cause harm to a country will be targeted.

2) While the threat is advanced once it gets into a network, the entry point with many attacks is focusing on convincing a user to click on a link. However, once the APT breaks into a system, it is very sophisticated in what it does and how it works. Signature analysis will be ineffective in protecting against it. Advanced attacks are always changing, recompiling on the fly, and utilizing encryption to avoid detection.

3) Many organizations make the mistake of thinking of attacks like the weather, with some stormy days and some sunny days. On the Internet, it is always a storm. In the past, attackers would periodically attack an organization. Today attacks are nonstop. The attackers are persistent, and if an organization lets their guard down for any period of time, the chance of a compromise is very high.

4) Attackers want to take advantage of economies of scale, and break into as many sites as possible as quickly as possible. Therefore the tool of choice of an attacker is automation. Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break into sites very quickly.

5) Old school attacks were about giving the victim some visible indication of a compromise. Today, it is all about not getting caught. Stealth and being covert are the main goals of today's attacks. APT's goal is to look as close {if not identical} to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them.

6) The driver of APT is to provide some significant benefit to the attacker, the benefit being either economic or financial gain. Therefore, the focus will be all about the data. Anything that has value to an organization means it will have value to an attacker. Since data has become so portable, and with cloud computing increasing in popularity, data is now available from the Internet, via many sources.

7) Attackers do not just want to get in and leave, they want long-term access. If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time. Stealing data once has value, but stealing data for 9 months gives the attacker even more payoff.

You will be constantly attacked and compromised, making it necessary to always be in battle mode. Since the APT is meant to be extremely stealthy, there is a good chance that an organization might be compromised and not know about it for several months. Before you discount this, if you were compromised and the attacker was not doing any visible damage, how would you know?

Prevention is ideal, but detection is a must. Most organizations focus solely on preventive measures but the problem with the APT is that it enters a network and looks just like legitimate traffic and users. Therefore, there is little to prevent. Only after the packets are in the network do they start doing harm and breaking in.

Based on the new threat vectors of the APT, here are key things organizations can do to prevent against the threat:

1) Control the user and raise awareness. The general rule is you cannot stop stupid, but you can control stupid. Many threats enter a network by tricking the user into clicking a link that they shouldn't. Limiting the actions a user are allowed to do with proper awareness sessions can go a long way to reduce the overall exposure.

2) Perform reputation ranking on behavior. Traditional security tries to go in and classify something either as good or bad, allow or block. However with advanced attacks, this classification does not scale. Many attackers start off looking like legitimate traffic, which means they would be allowed into the network, and then once they are in they turn bad. Therefore, since the goal of attackers is to blend in, you need to track what the behavior is and rank the confidence level of whether it is looking more like a legitimate user or more like evil.

3) Focus on outbound traffic. Inbound traffic is often what is used to prevent and stop attackers from entering a network. While it will catch some attacks and is still important to do, with the APT it is the outbound traffic that is more damaging. If the intent is to stop exfiltration of data and information, looking at the outbound traffic is how you detect anomalous behavior, which is tied to damage to an organization.

4) Understand the changing threat. It is hard to defend against something you do not know about. Therefore, the only way to be good at the defense is to understand and know how the offense operates. If organizations do not continue to understand the new techniques and tactics of the attackers, they will not be able to effectively tune their defensive measures to work correctly.

5) Manage the endpoint. While attackers might break into a network as the entry point, they ultimately want to steal information that exists on endpoints. If you want to limit the damage, controlling and locking down the endpoint will go a long way to protect an organization.

While the current threat is advanced, persistent, stealthy, and data focused, organizations can implement effective measures to protect their sites.

APT is only going to increase in intensity over the next year, not go away. Ignoring this problem just means there will be harm caused to your organization. The key theme of dealing with APT is "know thy system/network." The more an organization can understand about network traffic and services, the better they can spot/identify anomalies through clipping levels, which is the better way to defend against the APT. The ultimate way to make sure an organization is properly protected is to run simulated attacks (i.e. penetration testing, red teaming, ethical hacking) and see how vulnerable an organization is, and most importantly how quickly you detected it.

The key to making this successful is to always get explicit approval; run benign attacks; make sure the people running the test are of equal expertise to the true attacker; and fix any vulnerabilities in a timely manner. The good news is, by focusing in on understanding the threats and an organization's vulnerabilities, you can properly defend against the APT. Always remember to make sure you focus on the trusted insider. While you cannot stop stupid, you can properly control and limit what they can do.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author.



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



Insider Threat Reports

report How to Prevent an Illicit Data Dump
There are no silver bullets when it comes to protecting company and customer data from loss or theft, but there are technological and procedural systems that will go a long way toward preventing a WikiLeaks-like data dump. Here are some tips and tricks to help protect your organization's most sensitive information.

report Email and Data Loss
Email encryption, rights management, email gateways, and full-on data loss prevention systems can keep corporate data secure. Here's a look at the pros and cons of each, to help you determine what?s best for your business.

report An Insider Threat Reality check
Heightened concern that users could inadvertently expose or leak -- or purposely steal -- an organization's sensitive data has spurred debate over the proper technology and training to protect the crown jewels. In this special retrospective of recent news coverage, Dark Reading takes a look at how organizations are handling the threat -- and what users are really up to.

Other reports from the Insider Threat Tech Center:

Related Content

Protection from Insider Threats
Preventing data misuse by trusted users is the most difficult information protection challenge. Insiders already have full authorization to the data, making traditional IT secure methods in effective. Learn about a more powerful security approach and proven strategies to prevent insider misuse.

Strategies for Protecting Intellectual Property
A company's intellectual property (IP) represents a significant portion of assets and a critical component of competitive differentiation, but the potential value of any IP is directly linked to its limit of acceptable use. Learn how you can put your IP to work within collaborative environments without undue risk and maximize competitive advantages.

Protecting Against WikiLeaks Type Events and the Insider Threat
The sensitive information supplied to WikiLeaks and other social justice websites comes from trusted insiders. Get the answers to the open gaps left in the WikiLeaks story and learn how you can prevent insider threats that are just as detrimental in your organization.

Insider Threat: An Inside Look at a Fortune 100 Company's Prevention Program
The ways and means by which a privileged user can successfully steal proprietary data today is staggering. One venerable company that suffered a devastating incident decided to do something about it. Find out how it built one of the most productive insider threat prevention programs in the Fortune 100.

Protection of Intellectual Property and Trade Secrets across a Global Enterprise
As a designer and manufacturer of industrial technology, this Fortune 50 company knew that securing their intellectual property (IP) and trade secret data was essential. It created a program to identify risks to their IP and trade secrets and soon caught a privileged user attempting to compromise IP. Download this case study to see a real example of intellectual property protection at work.




Featured Webcasts
Featured Whitepapers
Featured Reports