
Are you prepared for an APT Attack?

Author: Robert E Stroud, International President, Information Systems Audit & Control Association (ISACA)
Issue: North America I 2015
Article no.: 1
Topic: Are you prepared for an APT Attack?

About author

Robert E Stroud, CGEIT, CRISC, is International President of Information Systems Audit and Control Association (ISACA), the global association that launched Cyber Security Nexus (CSX) to help companies address the cyber security skills crisis and develop their workforces. He is also Vice President of strategy and innovation at CA Technologies.

Article abstract

ISACA’s APT study found that 25 percent of respondents are not confident in their readiness for an Advanced Persistent Threat (APT) attack. Traditional cyber security threats try to find a vulnerability, but move on to something less secure if their initial target is unsuccessful. APTs, on the other hand, are relentless. These attacks are characterized by a single-minded persistence, and they will not go away after one failed attempt.

Full Article

Major breaches over the past few years have brought the advanced persistent threat (APT) attack into the spotlight. The recent Sony hack has all the characteristics of an APT, though full details are still emerging. It is another stark reminder that APTs can affect our own organizations, and that they can wreak financial and reputational havoc.
The Sony hack is also an unfortunate reminder that attributing an APT attack to its source can be very hard. As of this writing, the FBI and security consulting firms are issuing conflicting reports, some pointing to a nation-state attack and others to an insider job.
A survey by global IT association ISACA affirms how difficult it can be to determine the source of an APT. According to the second Advanced Persistent Threat Awareness Study, an international survey of more than 1,200 cyber security professionals, one in five organizations have already experienced an APT attack. Of the organizations that have experienced an attack, more than one in three were not able to identify the source.

The survey reveals another startling number: 66 percent of companies believe it is only a matter of time before their enterprise is attacked by an APT.

What is an APT?
To effectively defend against an APT attack, it is critical to first know what it is. According to ISACA’s Cyber Security Nexus (CSX):
APTs are often aimed at the theft of intellectual property (espionage) as opposed to achieving immediate financial gain, and they are prolonged, stealthy attacks…There is a “who” behind the APT—it is not just a random spray of malware; someone is specifically targeting the enterprise. The purpose of the majority of APTs is to extract information from systems—this could be critical research, enterprise intellectual property or government information, among other things. APTs are advanced and stealthy, often possessing the ability to conceal themselves within enterprise network traffic.
Traditional cyber security threats try to find a vulnerability, but move on to something less secure if their initial target is unsuccessful. APTs, on the other hand, are relentless. These attacks are characterized by a single-minded persistence, and they will not go away after one failed attempt. The groups behind APT attacks generally have the resources and determination to continue until they succeed.
How can we prepare for an APT attack?
It is important to note that the goal should be preparation over prevention. If an APT is determined to infiltrate your organization, it likely will. The key is for your organization to respond swiftly.

If you are unprepared for an APT attack, you are not alone. ISACA’s APT study found that 25 percent of respondents are not confident in their readiness for an APT attack.
Preparing for an APT attack calls for many defensive approaches:
1. More effective technical controls
2. Changes in awareness training
3. Updates to incident response plans
4. Buy-in from executives
5. Effective vendor management, including updates to third-party agreements
6. Having the right cyber security skills in place
Technical Controls
Too many enterprises are still relying predominantly on controls such as antivirus and antimalware, together with traditional network perimeter technologies. These are signature- and boundary-oriented, and an attacker who is specifically targeting the enterprise will tailor the attack to slip past them. More enterprises need to focus on controls that are more effective at preventing or detecting APTs: controls for mobile devices, remote access technologies and logging/event correlation, for example.
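Logging and event correlation are called out above because an APT's individual actions often look innocuous on their own: a user opens an attachment, a document spawns a script interpreter, a workstation makes an outbound web request. Each of those passes antivirus; only the sequence, on one host in a short window, is suspicious. The following is an added example to illustrate that point; it is not code from ISACA or from the article's author. It runs two correlation rules over a handful of constructed log lines in a hypothetical key=value format (the hostnames, users, file names and the 203.0.113.x / 198.51.100.x addresses are documentation placeholders, not real observations): a multi-stage chain rule (attachment opened, Office parent spawning a shell or script host, then an outbound connection) and a beaconing rule that looks for the regular, low-jitter call-home interval typical of a persistent implant.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical key=value format (not any
# real product's log format). Only ws-17 shows the full attachment -> Office
# spawns powershell -> outbound beacon chain; the other hosts show the same
# event types in isolation, which is what a single-signature control sees.
SAMPLE_LOGS = """\
2015-01-12T09:02:11Z host=ws-17 user=jdoe src=mailgw event=attachment_open file=Invoice_Q4.docx
2015-01-12T09:02:40Z host=ws-17 user=jdoe src=edr event=process_start parent=WINWORD.EXE child=powershell.exe
2015-01-12T09:03:05Z host=ws-17 user=jdoe src=proxy event=http_connect dest=203.0.113.45 bytes_out=1820
2015-01-12T09:03:35Z host=ws-17 user=jdoe src=proxy event=http_connect dest=203.0.113.45 bytes_out=1802
2015-01-12T09:04:05Z host=ws-17 user=jdoe src=proxy event=http_connect dest=203.0.113.45 bytes_out=1811
2015-01-12T10:15:00Z host=ws-22 user=asmith src=mailgw event=attachment_open file=agenda.pdf
2015-01-12T10:15:30Z host=ws-22 user=asmith src=proxy event=http_connect dest=198.51.100.7 bytes_out=512
2015-01-12T11:00:00Z host=ws-09 user=bwong src=edr event=process_start parent=explorer.exe child=powershell.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Office applications that should never need to launch a script host, and the
# interpreters commonly abused by macro/document-based initial access.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime ts."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_attachment_chains(events, window=timedelta(minutes=10)):
    """Flag attachment_open -> Office spawns script host -> outbound connection
    on the same host within `window`. Any one stage alone is not alerted on."""
    alerts = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, opened in enumerate(evs):
            if opened["event"] != "attachment_open":
                continue
            deadline = opened["ts"] + window
            spawned = None  # the suspicious child process, once seen
            for e in evs[i + 1:]:
                if e["ts"] > deadline:
                    break
                if (spawned is None and e["event"] == "process_start"
                        and e.get("parent", "").upper() in OFFICE_PARENTS
                        and e.get("child", "").lower() in SCRIPT_CHILDREN):
                    spawned = e
                elif spawned is not None and e["event"] == "http_connect":
                    alerts.append({"rule": "office_attachment_to_script_to_network",
                                   "host": host, "user": opened["user"],
                                   "file": opened["file"], "child": spawned["child"],
                                   "dest": e["dest"], "first_seen": opened["ts"]})
                    break  # one alert per opened attachment
    return alerts


def detect_beacons(events, min_hits=3, max_jitter=timedelta(seconds=5)):
    """Flag host->dest connections that recur at a near-constant interval,
    the call-home pattern of an implant that keeps checking in."""
    alerts = []
    conns = defaultdict(list)
    for e in events:
        if e["event"] == "http_connect":
            conns[(e["host"], e["dest"])].append(e["ts"])
    for (host, dest), times in conns.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            period = sum(gaps, timedelta()).total_seconds() / len(gaps)
            alerts.append({"rule": "periodic_beacon", "host": host, "dest": dest,
                           "hits": len(times), "period_seconds": int(period)})
    return alerts


def correlate(text):
    events = parse_logs(text)
    return detect_attachment_chains(events) + detect_beacons(events)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Running it on the constructed lines yields exactly two alerts, both for ws-17: the chain rule (Invoice_Q4.docx, powershell.exe, 203.0.113.45) and a three-hit beacon with a 30-second period. ws-22's attachment and outbound request, and ws-09's PowerShell launched from explorer.exe, produce nothing, which is the intended behaviour: correlation adds signal by requiring the stages to line up, not by alerting on every attachment or every script interpreter.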

Awareness Training
A common way for an APT to breach the enterprise is through an individual—and social media and BYOD have made this easier than ever. Training on recognizing and preventing spear phishing and social engineering attacks is absolutely critical—yet 67 percent of companies had no plans to increase awareness training about APTs in 2014. This is a number that needs to improve in 2015.

Incident Response Plans
Typical incident response plans are designed to stop and remediate a single threat and then close the incident. This is not the best approach for dealing with APTs, which adapt to the defender's response and return by another route once one foothold is removed. These plans need to be revised for a prolonged, adaptive adversary and, most importantly, practiced.

Executive Involvement
Executive involvement will benefit the organization in a number of ways. From visible support for cyber security—which will get the whole staff on board—to approval of increased budgets and support of policies, executive involvement plays a key role in APT readiness.

Vendor Management
Vendor management is often overlooked when preparing for an APT, but it is essential. Contracts must be updated to ensure that third parties are practicing due diligence to protect themselves and their clients from APTs. They must also require financial restitution if, despite those controls, a third party is breached and the breach causes damage to the customer. ISACA’s APT study found that only 23 percent of responding organizations have updated their agreements with third parties. This is a critical area that needs to be addressed promptly.

Cyber Security Skills
Security threats are evolving, which makes it essential to review the skills and organizational structure of your security teams. Important questions to ask include:
• Do we have the right skills on our team?
• Do we need training and certifications?
• What skills are we missing on our team?
• Which of those skills should we hire, and which should we outsource to service providers who are experienced in this area?

What are the consequences of an APT?
We need only look at the Sony example again to see the potential impact of an APT. The attackers released intellectual property (in this case, films) early, resulting in significant financial loss. Sensitive communications were made public, leading to embarrassment and potential reputation damage. And more than 11,000 files, including hundreds of RSA SecurID tokens, Lotus Notes IDs and certificates, as well as their passphrases, were made public. A recent New York Times article reports that the attack resulted “in the destruction of three-quarters of the computers and servers at the studio’s main operations.”
We cannot afford to be ill-prepared for an APT attack. We need to clearly understand what they are and how they operate, ready our organizations as much as possible through the six steps mentioned above, and respond quickly and nimbly should an APT occur.
Most companies have not kept pace with the radically changing threat environment. Let’s make 2015 the year we change that.
