Dark Reading is part of the Informa Tech Division of Informa PLC


To Catch An APT

It's not about prosecuting the nameless, faceless attackers behind these relentless targeted attacks -- it's about minimizing the damage they inflict

This is the second installment of a two-part series on security in the "Age Of The APT." Part one is here.

An advanced persistent threat (APT) attacker probably already has infiltrated your network: That's the new normal in security. But what can you do about it?

It's a matter of moving beyond the traditional mindset of thinking purely in terms of prevention. "We're trying to help people to think beyond intrusion prevention to post-infection detection and mitigation," says Will Irace, director of research for Fidelis.

Accepting the premise that the attackers are already inside can be unsettling -- even shocking -- to some organizations, but the reality is that these cyberespionage attacks have evolved from a military/Defense Department problem to one plaguing various corners of the commercial world as well. "Previously, it was the military, then it was government actors, then it was the Defense industrial base. We've seen the same actors continue to expand the number of their targets" to commercial firms in oil and gas, pharmaceuticals, and other areas, says Richard Bejtlich, CSO and vice president of managed services for Mandiant. "That to me is pretty amazing -- that they target so many different victims now."

Bejtlich says despite the ongoing and recurrent nature of these attacks, victim organizations eventually get better at staving them off. "The first time anyone deals with this, it's like nothing they’ve ever had to deal with before. That there is somebody out there after you, and they will not give up and will always keep trying to get back into your organization, is new for most people" to face, he says. "It may take [as long as] a couple of years, but we [ultimately] do see improvement" in how victim organizations defend against these targeted attacks.

Few of these attacks ever see the light of day in terms of public disclosure. A widespread cyberespionage attack targeting high-level officials at multiple civilian federal government agencies has been under way and under investigation for months now. The attackers used sophisticated malware and an SSL-encrypted connection for siphoning information from the targeted agencies, sending it back to their home servers.

The goal is to detect these types of attacks as quickly as possible, and to minimize the amount of exposure or loss of your intellectual property or trade secrets, for example. "How do you reduce the window of opportunity you have so they are not in your organization for weeks or months ... so you can detect them in a time frame of hours or days?" says Eddie Schwartz, CSO at RSA Security. "That requires having access to all potential data related to the security problem."

Schwartz says unlike a traditional security event, with an APT-type attack you can't make a decision based on a single log or firewall event. "An end user account banging away at a system it normally doesn’t have access to," for instance, is just one piece of the targeted attack, he says.

"With an advanced attack, you have to ask, 'Is this part of something that has 10 to 12 other moving parts you need to track down and chase in the entire chain until we start killing it off [fully]?'" he says.

But these types of attacks are difficult to detect, and many organizations are still relying solely on prevention-oriented tools, such as signature-based technology and firewalls. APT attackers tend to favor zero-day vulnerabilities, or exploiting gaping holes within the targeted firm's infrastructure. The first step in most cases is to social-engineer an unsuspecting user, often with an email message purporting to be from someone he knows or from within his industry. The message carries a payload of a malicious attachment or URL that, when opened, gives the attacker a foot in the door.

The ideal defense against an APT attacker, security experts say, is a combination of the traditional preventative tools plus real-time monitoring of their networks and systems. But many tools today are looking at different pieces of the infrastructure, and making sense of all of the events and logs is often a painstakingly manual job. That just gives the attacker more time and opportunity to burrow further into the victim organization, often getting layers deep such that it's difficult to root them out.

Bottom line: There's no silver bullet today to defend and mitigate against these targeted attacks, experts say.

"Most of the monitoring tools historically deployed by enterprises lack the ability to get into the weeds and present meaningful information about the relationship between content and context. Was the file Alice posted to an image-sharing site really an image, or was it an exfiltration: an encrypted blob of data posing as an image? Is there malicious VBscript in the Microsoft Office file three layers down in a Zip archive that was mailed to my HR department?" Fidelis' Irace says. "It's not enough to discover such a thing 10 days after an infection through post-hoc forensic packet analysis: We need technologies that are able to spot and kill that stuff in real-time."
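The content-versus-context question Irace raises (is a file posted as an image really an image?) can be illustrated with a structural check, added here as an example and not taken from the article or from any vendor's product. It assumes the upload claims to be a PNG; the function name `inspect_png` and the sample byte strings are constructed for illustration.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def inspect_png(data: bytes) -> list:
    """Return findings; an empty list means the bytes parse as a well-formed PNG."""
    if not data.startswith(PNG_MAGIC):
        return ["no PNG signature: content does not match the declared type"]
    findings, seen, idat, pos = [], [], b"", len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # length + type + body + CRC
        if end > len(data):
            findings.append("chunk %r runs past end of file" % ctype)
            break
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            findings.append("bad CRC in chunk %r" % ctype)
        if ctype == b"IDAT":
            idat += body
        seen.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    if seen[:1] != [b"IHDR"]:
        findings.append("first chunk is not IHDR")
    if b"IEND" not in seen:
        findings.append("no IEND chunk")
    elif pos < len(data):
        findings.append("%d bytes of trailing data after IEND" % (len(data) - pos))
    try:
        zlib.decompress(idat)            # pixel data must be a valid zlib stream
    except zlib.error:
        findings.append("IDAT data is not a valid zlib stream")
    return findings

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples (not captured traffic): a 1x1 grayscale PNG and three variants.
_IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
_IEND = _chunk(b"IEND", b"")
GOOD = PNG_MAGIC + _IHDR + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _IEND
APPENDED = GOOD + bytes(range(64))            # opaque data after the image
WRAPPED = PNG_MAGIC + _IHDR + _chunk(b"IDAT", bytes(range(200, 256))) + _IEND
DISGUISED = bytes(range(256))                 # no image structure at all
```

A clean result only shows the container is well formed; data hidden inside valid pixel values passes this check, which is why it is one signal to correlate with context rather than a verdict on its own.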

Network behavioral-anomaly detection tools can help, he says, but not with content. Intrusion-prevention systems can catch some things, but don't look at the payloads, he says. "Moreover, they're optimized for defending against packet-based attacks on servers, not payload-based attacks on clients. Sandboxing technologies are helpful after the fact, but they don't provide real-time awareness or protection," Irace says.

And packet-capture tools are good for postmortem investigation. "But like sandboxing technologies, [they] can't help enterprises get into the APT fight in real-time," Irace says.

PAGE 2: Blacklisting and whitelisting defenses.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

