
The rise of the APT: the average persistent threat

Issue: Global 2012
Article no.: 13
Topic: The rise of the APT: the average persistent threat
Author: Larry Clinton
Title: President
Organisation: Internet Security Alliance
PDF size: 218KB

About author

Larry Clinton is President of the Internet Security Alliance (ISA).

Mr. Clinton is the editor of the ISA Cyber Security Social Contract and the Financial Management of Cyber Security.

Article abstract

Modern sophisticated attacks are not carried out by hackers. Sophisticated attacks now seen regularly are perpetrated by well-organized, well-funded professionals. The Advanced Persistent Threat is now evolving to become the ‘Average’ Persistent Threat. Conventional information security defenses no longer work against the Advanced Persistent Threat – what can enterprises do to address modern attacks?

Full Article

Calendar year 2010 consisted of 415,600 minutes. On average, during every one of these minutes:

• 45 new viruses were created,
• 200 new malicious web sites went up,
• 180 personal identities were stolen,
• 5,000 new examples of malware were created,
• US$2 million of corporate revenue were lost.

And those were the good old days.

In just the last two years, cyber attacks have become far more pernicious. During this time, we have seen a dramatic evolution: the ultra-sophisticated attacks once referred to as the Advanced Persistent Threat (APT), which had previously been largely confined to nation states and defense establishments, have now become common throughout industry.

The Advanced Persistent Threat now more closely approximates the ‘Average’ Persistent Threat – and the average enterprise is going to have to learn how to protect itself from this new and different form of cyber threat.

Who are these guys and what are they doing to me?

A traditional model of cyber defense might be designed to prevent hackers from penetrating the network and therefore to stop breaches from occurring.

Virtually every key word in the above sentence is now outdated.

Modern sophisticated attacks are not carried out by ‘hackers.’ We are now dealing with professionals. The sorts of attacks now broadly used throughout the economy are perpetrated by well-organized, well-funded, highly sophisticated attackers. These attackers commonly use multi-dimensional attack methods in unique combinations based on the surveillance of the particular system they have decided to attack.

They have at their disposal thousands of custom versions of various malware that are used in tandem with clever social engineering, such as targeting end-users with spear phishing techniques (often a technique called whaling, wherein they go after the big fish: C-level executives). People, the real weak link in the cyber defense chain, are often the primary targets, not the networks themselves. This allows attackers to maintain their presence within a system even if they are initially eradicated via technical means, as they retain access to the individuals they use to reacquire their network targets.

Modern, sophisticated attackers will modify and escalate their attacks as they learn more about the target system. Once they have penetrated their targets, they will typically hide. Unlike an earlier generation of ‘hackers,’ who sometimes sought to compromise systems for the bragging rights, these attackers prefer to be stealthy, remaining dormant at times. Indeed, they may turn themselves on and off intermittently to better circumvent defenses, ‘calling home’ periodically to exfiltrate sensitive corporate data including intellectual property, business operations information and corporate legal and planning documents.

How successful is the average persistent threat?

Perhaps the single most defining characteristic of the modern attacker is that they will – invariably – succeed in compromising, or breaching, the systems they target. The notion of perimeter defense is largely passé. It is only slightly hyperbolic to say that there are only two kinds of companies: those who know they have been compromised, or breached, and those who don’t know they have been compromised yet.

These sophisticated attacks became evident about half a dozen years ago in the defense sector. Initially, the degree of sophistication and the attendant cost of launching these attacks suggested that most of them were state sponsored. However, as with most technological innovations, including attack methods, the means to launch these attacks have over time been disseminated throughout the attack community, so that these methods are now generally available to non-state entities such as organized crime, acting on financial motives, and even some ‘hacktivist’ communities interested in using the newer attack methods to pursue a social and/or political agenda.

As the attack methods have become more widely disseminated, a broader community of organizations has become targets. According to the 2011 PricewaterhouseCoopers Global Information Security Survey, the so-called ‘APT’ has become the major driver of security spending in firms comprising 45 per cent of the financial services industry, 43 per cent of the consumer products industry, 49 per cent of the public utility industry, 49 per cent of the entertainment and media industry and 64 per cent of the industrial and manufacturing sector.

These percentages are sure to continue to rise.

What is needed to address modern attacks?

According to the latest PwC study, companies are countering APT-style attacks largely through signature-based anti-virus protection (51 per cent) and intrusion detection and protection solutions.

Unfortunately, conventional information security defenses don’t work against the APT. The attackers successfully evade all signature-based anti-virus, intrusion and other best practices and remain inside their targets even after the target believes they have been successfully removed.

Dealing with an evolved set of cyber attacks will require an evolved notion of cyber defense. The evolved notion of cyber defense needs to begin by appreciating that cyber security is not just an ‘IT’ issue – it is an enterprise-wide, risk management issue that must be addressed by the operations and technical staff in full accordance with overall business objectives and overseen by an organization-wide risk management team, not by the CIO or CISO alone.

Senior management must take an active leadership role in understanding the persistent cyber threat and in supporting and financing adequate mechanisms to address it. Research has repeatedly shown that the number one problem enterprises face in managing their cyber security is not technical, it’s economic.

While there are substantial economic liabilities associated with insecure information systems, there are also economic incentives to deploy less secure systems. It can be difficult for enterprises to fully assess the costs and benefits of security, which may be unclear and not realized until some future date. Businesses are regularly tempted to deploy less secure technologies, from VoIP to cloud solutions, that have substantial cost and efficiency benefits, or to adopt business practices, such as extended supply chains, outsourced services or partnerships, that may have financial benefits and security liabilities.

Even smaller organizations need to adopt more sophisticated risk management approaches to secure themselves, which properly integrate security and business needs and derive cost efficient solutions.

What does defense against modern cyber attacks mean?

Not only do enterprises need to rethink their strategy for cyber defense, the metrics of what constitutes cyber defense must also be reassessed. The notion that we are going to keep the attackers completely out of networks may be impractical and even counterproductive if it drains limited resources into an outmoded metric of perimeter defense.

Given the inherently porous nature of cyber systems, it is quite likely that determined attackers will penetrate virtually any system. This does not mean there is no defense. It means there is a need to change the concept of defense from walling off the system to detecting, monitoring and mitigating attacks on the system.

The reality is that enterprises actually have much more control over cyber attackers when attackers are inside their system than when attackers are on the outside selecting access points into it. Moreover, most cyber attacks are not successful at the moment they penetrate the system. In most instances, success for the attacker does not occur until they gather valuable information and then exit the system with it. If an enterprise can, for example, detect an unwelcome entity within the system and block its pathway back out, it can successfully mitigate the attack even if the system has been successfully breached.
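As an added example (not from the article or the ISA), a minimal beacon detector over constructed outbound-connection logs: it flags the regular ‘calling home’ cadence described above, which is the kind of in-network detection the author argues should replace perimeter-only defense. The log format, host names, destination address and thresholds are assumptions made for illustration.

```python
# Added example (not from the article): flag internal hosts whose outbound
# connections to one destination recur at near-regular intervals, the
# 'calling home' pattern described in the text. All data is constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <internal host> -> <destination>"
SAMPLE_LOG = """\
2012-03-01T08:00:00 ws-17 -> intranet.example
2012-03-01T08:00:03 ws-17 -> update.cdn.example
2012-03-01T08:00:05 ws-17 -> 203.0.113.50
2012-03-01T08:01:10 ws-17 -> intranet.example
2012-03-01T08:05:04 ws-17 -> 203.0.113.50
2012-03-01T08:10:06 ws-17 -> 203.0.113.50
2012-03-01T08:11:18 ws-17 -> intranet.example
2012-03-01T08:15:03 ws-17 -> 203.0.113.50
2012-03-01T08:20:05 ws-17 -> 203.0.113.50
2012-03-01T08:25:04 ws-17 -> 203.0.113.50
"""

def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        left, dst = line.split(" -> ")
        ts, src = left.split(" ", 1)
        yield datetime.fromisoformat(ts), src.strip(), dst.strip()

def find_beacons(log_text, min_hits=5, max_jitter=0.2):
    """Return {(src, dst): mean_gap_seconds} for pairs seen at least
    min_hits times whose inter-connection gaps are near-constant
    (coefficient of variation <= max_jitter)."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(log_text):
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative spread of gaps means a regular cadence; ordinary
        # intranet or browsing traffic is bursty and fails this test.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[pair] = round(avg, 1)
    return flagged
```

A flagged pair is a starting point for investigation and for blocking that destination at the egress point, not a verdict on its own; legitimate software updaters also poll on timers.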

Size doesn’t really matter

While sophisticated attackers have initially targeted so-called high-value systems, we now know that any, and perhaps every, system holding valuable information is a likely target. Moreover, the smaller the company, the more difficult it is to protect its network, since good cyber security has a minimum fixed cost for systems and labor. The smaller the company, the larger its cost is as a percentage of overall IT fixed costs. With that in mind, ISA has developed a list of practices that even smaller companies can, and should, use to protect themselves against an advanced cyber attack, without breaking the bank.

1. Hire a security professional – this is not a part time job for your system administrator;
2. Train and compensate your employees with respect to good cyber behavior;
3. Upgrade your systems to the latest operating system;
4. Remove Admin privileges from the Windows Desktop environment;
5. Require two-factor authentication;
6. Only permit the network controller to be administered by direct physical connection;
7. Restrict access to the Internet for non-customer-facing services;
8. Restrict web surfing to ‘uncharacterized’ web sites;
9. Monitor your network;
10. Read and take action on your reports.

By adopting a contemporary and enterprise-wide approach to information security, including supporting reasonable best practices targeted to the more sophisticated threats, enterprises of varying sizes and economic sectors can substantially improve their security against modern ultra-sophisticated cyber threats.
