APTs: The Battlefield and Rules of Engagement Have Changed
The early era of cyber security differed little from physical security. To shield information technology (IT) from damage and keep client identity or financial data confidential, all a company needed to do was build a perimeter and surveil it. From a purely technological perspective, cyber defense was simple—a firewall, secure email and antivirus software—but effective.
But that was then. In 2015, shrewd social engineering— combined with sophisticated software engineering—is increasingly becoming a determining factor of a successful cyber attack. Here, the emergence of the advanced persistent threat (APT) is perhaps the textbook example. By manipulating human emotions, or convincingly replicating everyday communications, typically by “spear phishing,” APTs can breach computer network security and install malicious software, or malware, to carry out zero day attacks.
Even worse, like mobile application software, smartphones or the Internet itself, APTs are no longer solely the property of the technologically elite but available for sale to anyone.
Broadly speaking, the rise of APT is a telltale sign of the changing paradigm in cyber security. Today, a security breach is no longer a question of if, but when. Ignore the new normal and face peril from APTs. Additionally, in targeting the “weak link” in cyber security—people—APTs merge 21st century technology with predatory cunning.
Every day, more and more people are using the Internet, sharing personal details, contact information and professional backgrounds across a slew of social media. Not only that, but banking, insurance and medical data is now available electronically.
Phishing is predicated on the comfort and familiarity people have with interacting online and navigating a website by clicking links. Meanwhile, social media—Facebook, LinkedIn—are fertile ground for reconnaissance. Done right, that espionage is effective. Even immediately following a training session on cyber security, BAE Systems Applied Intelligence has found that more than 1% of attendees still clicked on suspect links.
Once security is breached, the goal of APTs is to hide among network traffic, blending in while executing with devastating efficiency. In 2014, a data breach at insurance provider Anthem resulted in social security information being stolen from 80 million people, while a similar breach at Home Depot 65 compromised million emails. Retailer Target incurred expenses estimated to total $162 million in 2013 and 2014 for its breach, according to earnings reports from early 2015.
That kind of historic performance is a readymade soft sell, and the emerging services-based cyber crime economy is rising to meet black market demand for APTs. Now bought and sold on the dark web, APTs are no longer reserved for nation-state spy warfare, nor needlessly sophisticated. The bottom line is that with the barrier to entry for would-be attackers lowering due to the burgeoning cyber crime as a services sector, the threat of APTs is growing rapidly.
However, by deploying detection capabilities that can find the underlying suspicious behavior in their IT systems caused by APTs and malware, companies can block and neutralize APTs.
For example, detection systems can keep watch for anomalous network behavior, like a server communicating with another server with no previous record of communication or information exchange that never appeared before. That analysis cannot be done manually and the attack will normally stay dormant for a long period. Now, attacks are staggered.
But, because APTs are reliant on social engineering, companies can make significant progress in mitigating the threat of APTs by educating employees outside of the IT department. As mentioned earlier, cyber criminals spend time researching staff to gain access. Making personnel aware of how they are being targeted will reduce vulnerability.
However, the biggest lesson we can learn from APTs is that the world of cyber defense is no longer black and white.
The industry has had a difficult time shifting its point of view and understanding cyber protection is no longer about keeping risk out but protecting its assets and business. Though time for reflection in cyber defense is scarce, what APTs have shown us above all else is that while the battlefield and rules of engagement have changed, the people fighting the battle remain as committed as ever.