Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:37 PM
Connect Directly

To Catch An APT

It's not about prosecuting the nameless, faceless attackers behind these relentless targeted attacks -- it's about minimizing the damage they incur

This is the second installment of a two-part series on security in the "Age Of The APT." Part one is here.

An advanced persistent threat (APT) attacker probably already has infiltrated your network: That's the new normal in security. But what can you do about it?

It's a matter of moving beyond the traditional mindset of thinking purely in terms of prevention. "We're trying to help people to think beyond intrusion prevention to post-infection detection and mitigation," says Will Irace, director of research for Fidelis.

Accepting the premise that the attackers are already inside can be unsettling -- even shocking -- to some organizations, but the reality is that these cyberespionage attacks have evolved from a military/Defense Department problem to one plaguing various corners of the commercial world as well. "Previously, it was the military, then it was government actors, then it was the Defense industrial base. We've seen the same actors continue to expand the number of their targets" to commercial firms in oil and gas, pharmaceuticals, and other areas, says Richard Bejtlich, CSO and vice president of managed services for Mandiant. "That to me is pretty amazing -- that they target so many different victims now."

Bejtlich says despite the ongoing and recurrent nature of these attacks, victim organizations eventually get better at staving them off. "The first time anyone deals with this, it's like nothing they’ve ever had to deal with before. That there is somebody out there after you, and they will not give up and will always keep trying to get back into your organization, is new for most people" to face, he says. "It may take [as long as] a couple of years, but we [ultimately] do see improvement" in how victim organizations defend against these targeted attacks.

Few of these attacks ever see the light of day in terms of public disclosure. A widespread cyberespionage attack targeting high-level officials at multiple civilian federal government agencies has been under way and under investigation for months now. The attackers used sophisticated malware and an SSL-encrypted connection for siphoning information from the targeted agencies, sending it back to their home servers.

The goal is to detect these types of attacks as quickly as possible, and to minimize the amount of exposure or loss of your intellectual property or trade secrets, for example. "How do you reduce the window of opportunity you have so they are not in your organization for weeks or months ... so you can detect them in a time frame of hours or days?" says Eddie Schwartz, CSO, at RSA Security. "That requires having access to all potential data related to the security problem."

Schwartz says unlike a traditional security event, with an APT-type attack you can't make a decision based on a single log or firewall event. "An end user account banging away at a system it normally doesn’t have access to," for instance, is just one piece of the targeted attack, he says.

"With an advanced attack, you have to ask, 'Is this part of something that has 10 to 12 other moving parts you need to track down and chase in the entire chain until we start killing it off [fully]?'" he says.

But these type of attacks are difficult to detect, and many organizations are still relying solely on prevention-oriented tools, such as signature-based technology and firewalls. APT attackers tend to favor zero-day vulnerabilities, or exploiting gaping holes within the targeted firm's infrastructure. The first step in most cases is to social-engineer an unsuspecting user, often with an email message purporting to be from someone he knows, or within his industry, and it carries its payload of a malicious attachment or URL that, when opened, gives the attacker a foot in the door.

The ideal defense against an APT attacker, security experts say, is a combination of the traditional preventative tools plus real-time monitoring of their networks and systems. But many tools today are looking at different pieces of the infrastructure, and making sense of all of the events and logs is often a painstakingly manual job. That just gives the attacker more time and opportunity to burrow further into the victim organization, often getting layers deep such that it's difficult to root them out.

Bottom line: There's no silver bullet today to defend and mitigate against these targeted attacks, experts says.

"Most of the monitoring tools historically deployed by enterprises lack the ability to get into the weeds and present meaningful information about the relationship between content and context. Was the file Alice posted to an image-sharing site really an image, or was it an exfiltration: an encrypted blob of data posing as an image? Is there malicious VBscript in the Microsoft Office file three layers down in a Zip archive that was mailed to my HR department?" Fidelis' Irace says. "It's not enough to discover such a thing 10 days after an infection through post-hoc forensic packet analysis: We need technologies that are able to spot and kill that stuff in real-time."

Network behavioral-anomaly detection tools can help, he says, but not with content. Intrusion-prevention systems can catch some things, but don't look at the payloads, he says. "Moreover, they're optimized for defending against packet-based attacks on servers, not payload-based attacks on clients. Sandboxing technologies are helpful after the fact, but they don't provide real-time awareness or protection," Irace says.

And packet-capture tools are good for postmortem investigation. "But like sandboxing technologies, [they] can't help enterprises get into the APT fight in real-time," Irace says.

PAGE 2: Blacklisting and whitelisting defenses. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...