
APTs – a new threat for a new age

Posted by david.nunes

Issue: Global 2012
Article no.: 9
Topic: APTs – a new threat for a new age
Author: Eva Chen
Organisation: Trend Micro
PDF size: 253KB

About author

Eva Chen is CEO and Co-founder of Trend Micro.

Ms Chen holds master’s degrees in business administration and information science from the University of Texas and a degree in philosophy from Chengchi University in Taipei, Taiwan.

Article abstract

We are currently witnessing a second evolution in cyber security, dominated by shadowy, well-resourced and state-sponsored hackers. The ‘preventative’ approach to information security is no longer an effective defence on its own. Part of the solution is a database of threat intelligence located in the cloud, forming a web-based threat prevention network that can block unknown code before it reaches a user’s inbox; the rest is monitoring for the attacker who has already got in.

Full Article

One of the most exciting but challenging aspects of being the CEO of an information security company is that the bad guys are always trying to find new ways to outsmart us. It’s getting close to a quarter of a century since we began our journey and the ever-shifting threat landscape means we can never stand still. To be successful in this business you need to spot the trends early, and be prepared to innovate and innovate again in order to keep up with the incredible pace of change.

We’re currently witnessing what can only be described as a second evolution in cyber security; one where the enemy is more dangerous, more determined and more difficult to detect than ever before. It’s a landscape dominated by shadowy, well-resourced and state-sponsored hackers, where the old ‘preventative’ approach to information security is no longer an effective defence by itself.

When we first started in 1988, the nature of the threat facing us was very different. In those days there was little money to be made from cyber crime; in fact the term had yet to be coined. The main risk came instead from so-called script kiddies: young, solitary mischief-makers motivated by the intellectual challenge of breaking into systems, defacing websites and spreading their notoriety via viruses and worms.

Things gradually began to change, however. As the Internet matured into a platform for commerce it wasn’t long before well-organised criminal gangs began looking for ways to get involved. Spotting that individuals were now banking and buying goods online, and that companies were transmitting sensitive data over web-based communications, the gangs invested in the human and technological resources needed to exploit both technical vulnerabilities in Internet-facing software and the naivety of users, in order to steal, defraud and hold users to ransom online.

A global underground market subsequently sprang up in which credit card numbers, account log-ins and other valuable personal information could be bought and sold alongside the toolkits needed to commit these crimes. Suddenly the main motivation for cyber crime was money, and the technical means to achieve it became dangerously democratised. New pieces of malicious software, or malware, were written to spy on users, log their keystrokes, steal banking data and achieve other nefarious ends, while vast botnets – huge networks of infected computers – were remotely controlled by the criminals to send out spam and malware in enormous quantities.

In many ways the criminal gangs pushed the boundaries of what could be done, and for some time the security vendors and other important industry players struggled to keep pace and offer adequate protection for their customers. The old way of dealing with malware – capturing a sample, analysing the code and extracting its ‘signature’ in order to block the file if it was encountered again – became outdated. Soon malware was being generated by automated tools in such vast quantities and such variety that this methodology simply became impractical. Criminals only needed to engineer code that had never been seen before to produce a so-called ‘zero-day threat’, for which no signature yet existed.

The solution to this was the creation of a web-based threat prevention network: a database of threat intelligence hosted in the cloud that enables us to block unknown code before it even reaches a user’s inbox, or before the user can visit the website on which it resides. It checks email, URLs and files against vast databases of known-bad sites, IP addresses and file hashes, cross-referencing and correlating the results and performing behavioural analysis to give a green or red light. Code that has never been seen before is quarantined and analysed until a verdict has been reached.

Cyber criminals have also been put on the back foot by the increasingly proactive efforts of industry and law enforcement to shut down and disrupt the botnets that underpin so much criminal activity. In March 2011 the Rustock botnet was taken down and global spam volumes fell by almost half. The operation against the Esthost botnet in November 2011 has been described as the largest cybercriminal take-down in history.

Advanced persistent threats

There is now a new menace, which has risen to prominence in business consciousness over the past year or two and which heralds a second evolution in cyber crime: the Advanced Persistent Threat (APT). Typically these attacks are well-resourced and patiently planned, targeting a specific organisation, often for a specific piece or pieces of information that offer strategic, political or military advantage rather than direct financial gain. The goal is to remain hidden. Without the requisite internal monitoring in place, an organisation could be unaware for months, or even years, that such a threat is operating within its networks and systems. In the case of the now-defunct Nortel, reports have suggested that hackers had access to its trade secrets for almost a decade.

Most often, individuals are targeted with social engineering designed to fool them into clicking on a malicious link or opening an infected attachment; this delivers the malware into the organisation. From this initial beachhead the intruder moves laterally through the victim’s network, looking for data or systems of interest. The malware communicates continually with its controller over the Internet, sending back any desirable data and waiting for further commands. This kind of cyber espionage first came to public prominence when Google announced that it had been targeted by hackers it believed to be operating from China. The so-called Operation Aurora attacks opened the floodgates on this modern-day cyber scourge, with subsequent large-scale hacking campaigns exposed against the energy industry (Operation Night Dragon), former Soviet states (the LURID attacks) and Japanese, Indian and Tibetan targets (LuckyCat), to name but three.

Contrary to what many doom-mongers are saying about these attacks, they are not impossible to detect; they simply require a new approach, just as we previously needed to move away from relying on virus signatures. The main problem is that the old approach of blocking at the perimeter will not always work, because these ‘low and slow’ threats are designed to sneak into an organisation as covertly as possible. Organisations therefore need a combination of cloud-based threat protection, to block as much as possible before it gets in, and technologies such as file integrity monitoring, host intrusion prevention and log inspection to spot unusual behaviour inside the network, together with data loss prevention to stop sensitive information getting out. All of this needs to be overseen by an intelligent threat management system so that nothing falls through the gaps. Most importantly, though, the technology is not a silver bullet: it must support a proactive data protection strategy rather than be treated as another easy tick-box solution to a problem that is not fully understood.
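As an added example of the log-inspection step described above (this is not code from the article or from Trend Micro), the following Python script looks for the regular check-in pattern an implant produces while it ‘waits for commands’: it groups a web proxy log by source and destination and flags pairs whose inter-request intervals are almost constant, which human browsing never is. The log format, hostnames and IP addresses are constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
"""Beacon detection over proxy logs.

Added example, not code from the article or from Trend Micro. The log
format, hosts and addresses below are constructed; the thresholds are
assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Hypothetical format:
#   "<ISO timestamp> <src_ip> <dest_host> <bytes_out>"
# 10.1.1.5 contacts cdn-sync.example-c2.net roughly every 300 seconds with
# small uploads (an implant checking in) and browses example-news.com at
# irregular, human-paced intervals.
SAMPLE_LOG = """\
2012-03-01T09:00:00 10.1.1.5 cdn-sync.example-c2.net 412
2012-03-01T09:02:10 10.1.1.5 www.example-news.com 1833
2012-03-01T09:02:14 10.1.1.5 www.example-news.com 244
2012-03-01T09:02:15 10.1.1.5 static.example-news.com 97
2012-03-01T09:05:01 10.1.1.5 cdn-sync.example-c2.net 398
2012-03-01T09:09:59 10.1.1.5 cdn-sync.example-c2.net 405
2012-03-01T09:15:02 10.1.1.5 cdn-sync.example-c2.net 420
2012-03-01T09:17:40 10.1.1.5 www.example-news.com 1512
2012-03-01T09:20:00 10.1.1.5 cdn-sync.example-c2.net 401
2012-03-01T09:24:58 10.1.1.5 cdn-sync.example-c2.net 396
2012-03-01T09:30:01 10.1.1.5 cdn-sync.example-c2.net 417
2012-03-01T09:33:05 10.1.1.5 www.example-news.com 1640
2012-03-01T09:33:07 10.1.1.5 www.example-news.com 233
2012-03-01T09:35:00 10.1.1.5 cdn-sync.example-c2.net 409
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out), skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(text, min_events=6, max_cv=0.1):
    """Return {(src, dst): stats} for flows whose request spacing is suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests. A timer-driven implant yields a small cv even with
    some jitter; a person clicking around yields a large one. min_events keeps
    two or three coincidentally spaced requests from triggering an alert.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)

    findings = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings[key] = {
                "events": len(stamps),
                "period_s": round(mean),
                "cv": round(cv, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {src} -> {dst} every ~{info['period_s']}s "
              f"({info['events']} events, cv={info['cv']})")
```

Two caveats a practitioner should keep in mind: a max_cv of 0.1 tolerates roughly ±10% jitter, so an implant that randomises its sleep more widely needs a looser threshold backed by a second signal (constant small request sizes, an unusual destination, a user agent nobody else sends); and a ‘low and slow’ implant that checks in once an hour produces only a handful of events per day, so min_events has to be set against the length of log you are inspecting, not a fixed number.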

Make no mistake about it, cyber crime is still rife and will always be a problem for organisations but the emerging menace of cyber espionage represents a whole new threat. The UK and US governments, among others, are already taking serious steps of their own to bolster cyber defences and entrench their own offensive capabilities, but all too often private industry is the low hanging fruit when it comes to cyber security, making it easy for attackers to strike. I hope that true awareness of the risks out there is permeating organisations big and small and that this is the first step on the road to a more robust approach to cyber security.
