To Catch An APT

It's not about prosecuting the nameless, faceless attackers behind these relentless targeted attacks -- it's about minimizing the damage they cause
Blacklisting known or recently identified command-and-control domains can go a long way to help catch an APT-born attack. "The No. 1 fastest-growing thing is beaconing detection, which IPS and IDS can use," says Richard Stiennon, chief research analyst at IT-Harvest. "But the scary ones are the ones you're not able to detect with beaconing detection, [such as when] an attacker sets up a new IP address and a new server that has never been used before ... when they get in with a zero-day and exfiltrate to [that server]," he says.
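As an added illustration of the two detection approaches Stiennon describes (this is not code from the article or from any vendor product), the Python below runs a C2 blocklist check and a simple beaconing check over constructed outbound proxy log lines; every domain, address, timestamp and blocklist entry is made up for the example.

```python
# Added example, not the article's: flag hosts contacting a blocklisted C2
# domain, and hosts whose connections to one destination recur at a near-
# constant interval (the "beaconing" pattern). All sample values are made up.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of proxy log lines: "timestamp src_ip dest_domain".
SAMPLE_LOG = """\
2011-05-02T09:00:00 10.1.1.5 updates.example-cdn.test
2011-05-02T09:00:02 10.1.1.5 mail.example.test
2011-05-02T09:05:01 10.1.1.5 updates.example-cdn.test
2011-05-02T09:10:00 10.1.1.5 updates.example-cdn.test
2011-05-02T09:14:59 10.1.1.5 updates.example-cdn.test
2011-05-02T09:20:00 10.1.1.5 updates.example-cdn.test
2011-05-02T09:03:12 10.1.1.7 news.example.test
2011-05-02T09:41:50 10.1.1.7 news.example.test
2011-05-02T10:02:05 10.1.1.7 shop.example.test
2011-05-02T09:30:00 10.1.1.9 known-bad-c2.test
"""

# Constructed blocklist standing in for a feed of identified C2 domains.
C2_BLOCKLIST = {"known-bad-c2.test"}

def parse_log(text):
    """Yield (timestamp, src, domain) tuples from the simple log format."""
    for line in text.splitlines():
        ts, src, domain = line.split()
        yield datetime.fromisoformat(ts), src, domain

def blocklist_hits(text, blocklist=C2_BLOCKLIST):
    """Return the set of (src, domain) pairs that hit a blocklisted domain."""
    return {(src, d) for _, src, d in parse_log(text) if d in blocklist}

def beacon_candidates(text, min_hits=4, max_jitter=0.1):
    """Return {(src, domain): mean_interval_seconds} for destinations seen at
    least min_hits times whose gap std-dev is within max_jitter of the mean."""
    times = defaultdict(list)
    for ts, src, d in parse_log(text):
        times[(src, d)].append(ts)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) <= max_jitter * mean(gaps):
            found[key] = round(mean(gaps))
    return found
```

The interval check catches the five-minute callbacks to a domain that is on no blocklist, while the one-off connection to a never-seen server that Stiennon describes would show up in neither check.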

"The biggest concern is that 1 percent that's extremely targeted that you're not going to detect," Stiennon says.

Whitelisting can help quell targeted attacks, he says. One criticism of whitelisting has been that many organizations don't necessarily know all of the applications that run on their systems. But newer generations of whitelisting products are able to identify those apps, he says.

Bill Boni, CISO for T-Mobile, says security professionals have to be realistic about the threat. That means assessing how to manage their exposure and how to contain such an attack, he says. "[It] represents a threat vector that any organization that is Internet-connected needs to assess," he says.

And just because you detect an APT infiltration doesn't mean you'll ever get to the real attacker or attackers, or that you will find every tentacle of the breach. "What are our most important resources? How do we make sure we have access control, logging and monitoring, and controls over exfiltration?" he says.

"We know security has always been a bit of an arms race. The challenge is to make sure your organization is in the race," Boni says. "What was necessary and sufficient five years ago -- firewall, antivirus, and IDS -- is still necessary but no longer sufficient to deal with the kinds of attacks now being used against organizations. You need to [always] upgrade your tools to keep pace with the new threats."

And even if you pull together the best combination of security and monitoring tools, never underestimate the APT attacker. It's typically a well-funded, nation-state group hell-bent on siphoning as much information as it can out of its victim, for monetary or competitive gain. "You're not going to know how an attacker is going to circumvent [your] defenses," RSA's Schwartz says. "You have to assume they have resources equivalent to yours, and they certainly have the creativity and know-how."