Engineering an APT

Years back, when viruses threatened our infrastructure, the industry responded and changed the battlefield. As the threat landscape continues to evolve so must our defense strategies.

A decade ago traditional IT security threats and their targets were largely unsophisticated. For example, the 2001 Code Red worm infected hundreds of thousands of servers exploiting a known vulnerability for which a patch was already available but generally ignored by users. Similar viruses, like Slammer and Blaster, soon followed and targeted millions of servers and endpoints. No doubt, these viruses were inconvenient and damaging but they were also opportunistic, taking advantage of known weaknesses in some of the most popular software and systems of the time.

This rash of viruses spurred an industry of vulnerability researchers, thousands of individuals looking for flaws and creating exploit-based signatures to quickly defend against these widespread attacks. The effectiveness of these researchers dramatically changed the nature of these threats. Those creating the threats had to become more sophisticated and devise attacks that were increasingly rare and hard to identify.

In today’s world, we still have to deal with mundane vulnerabilities that are discovered every day and keep our systems up to date to protect against them. But in specific instances we also have to worry about a far more sinister problem—Advanced Persistent Threats (APTs). An adversary with an interest in obtaining and maintaining a foothold in a target organization for an extended length of time, an APT has at its disposal sufficient resources—money, equipment and skill—to evolve attacks in direct response to detection capabilities of the target. These groups are typically state-sponsored and interested in data to support political, military and economic objectives.

An increase in the number and sophistication of APTs has compounded the need for swift and effective security measures at all potentially vulnerable points.

A range of new technologies and methodologies have emerged to help combat APTs. For example, cloud-based endpoint security technologies are one way to discover these damaging attacks. They allow organizations to forensically discover APTs with a data-driven approach. Using the community concept inherent in a cloud-based approach, researchers can isolate both common and uncommon processes and applications within their environment. These technologies track the frequency with which applications are seen, comparing them to the broader organization or to the world at large. By zeroing in on applications that are not common, these solutions can more quickly identify targeted attacks and begin investigation.
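The prevalence idea described above can be reduced to a small piece of logic: count how many local hosts each executable has been seen on, compare that against a community-wide view, and surface anything that is rare in both. The following is an added illustration written for this article, not code from any vendor product; the inventory, the community prevalence figures and the thresholds are all constructed placeholders.

```python
from collections import defaultdict

# Constructed endpoint inventory (not real telemetry): host -> executables observed running.
LOCAL_INVENTORY = {
    "host-01": {"explorer.exe", "outlook.exe", "chrome.exe", "teams.exe"},
    "host-02": {"explorer.exe", "outlook.exe", "chrome.exe", "teams.exe"},
    "host-03": {"explorer.exe", "outlook.exe", "chrome.exe", "acrobat.exe"},
    "host-04": {"explorer.exe", "outlook.exe", "chrome.exe", "teams.exe"},
    "host-05": {"explorer.exe", "outlook.exe", "chrome.exe", "acrobat.exe"},
    "host-06": {"explorer.exe", "outlook.exe", "chrome.exe", "teams.exe", "svchost_update.exe"},
}

# Constructed stand-in for the vendor's community view: fraction of all
# participating hosts worldwide that have ever reported the executable.
COMMUNITY_PREVALENCE = {
    "explorer.exe": 0.99,
    "outlook.exe": 0.80,
    "chrome.exe": 0.85,
    "teams.exe": 0.60,
    "acrobat.exe": 0.40,
}


def local_prevalence(inventory):
    """Number of local hosts on which each executable was observed."""
    counts = defaultdict(int)
    for procs in inventory.values():
        for proc in procs:
            counts[proc] += 1
    return dict(counts)


def rank_rare(inventory, community, max_local_hosts=1, max_community_fraction=0.01):
    """Return executables that are rare locally AND rare (or unknown) in the community.

    An executable absent from the community table is treated as never seen
    (fraction 0.0), which is the case that most deserves a look. Results are
    sorted by local host count, then name, so the rarest items come first.
    """
    counts = local_prevalence(inventory)
    hits = []
    for proc, n_hosts in counts.items():
        community_fraction = community.get(proc, 0.0)
        if n_hosts <= max_local_hosts and community_fraction <= max_community_fraction:
            hosts = sorted(h for h, procs in inventory.items() if proc in procs)
            hits.append({
                "process": proc,
                "local_hosts": n_hosts,
                "community_fraction": community_fraction,
                "hosts": hosts,
            })
    return sorted(hits, key=lambda h: (h["local_hosts"], h["process"]))


if __name__ == "__main__":
    for hit in rank_rare(LOCAL_INVENTORY, COMMUNITY_PREVALENCE):
        print(f"{hit['process']}: on {hit['local_hosts']} local host(s) {hit['hosts']}, "
              f"community prevalence {hit['community_fraction']:.2%}")
```

Note that `acrobat.exe` is uncommon locally (two of six hosts) but is not flagged, because it is well known to the wider community; only the executable that is both locally unique and globally unseen rises to the top of the investigation queue. In practice the key would be a file hash rather than a file name, since a name is trivially reused.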

Next-Generation Intrusion Prevention Systems that use vulnerability-based rules and contextual awareness can also assist in combating APTs. Vulnerability-based rules can cover hundreds of known and unknown exploits for protection ahead of emerging threats. Contextual awareness provides visibility into the precise composition and expected behavior of the network being protected, the individual users and groups found on the network, and the actual applications and systems that are running on the network.

To further protect specific data or specific users (typically the focus of APTs) these systems must enable the security team to create custom rules that define the behavior allowed on the organization’s specific network and, in effect, lay traps. Leveraging contextual awareness to understand how your network works can make it easier to lay traps for attackers. In a simple example, if your U.S.-based company doesn’t do business in certain countries there is no reason for your users to contact websites in those countries. By deploying simple rules for Domain Name System (DNS) queries for those country-specific domains, or a simple blacklist of IP addresses located in those countries, you can quickly catch network traffic headed in that direction. While this is an overly simple example it shows that customization doesn’t need to be complex. You simply need to be creative in your approach to laying traps.
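The "trap" rule in the paragraph above, a DNS query to a country-specific domain or a connection to an address range the organization has no reason to contact, is easy to express as a log check. The following is an added example written for this article, not code from any product mentioned; the log lines, the watched country-code TLDs and the IP ranges (RFC 5737 documentation addresses) are constructed placeholders standing in for whatever list fits a given organization's business.

```python
import ipaddress
import re

# Constructed policy for illustration only: country-code TLDs and address
# ranges this (hypothetical) organization has no business reason to reach.
WATCHED_CCTLDS = {"ru", "cn"}
WATCHED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+)")
CONN_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+)")

# Constructed sample log: a DNS resolver line and a firewall connection line
# share one simple "<timestamp> <kind> key=value ..." layout.
SAMPLE_LOG = """\
2023-03-01T09:00:01Z dns client=10.0.0.5 query=mail.example.com type=A
2023-03-01T09:00:02Z dns client=10.0.0.7 query=cdn.example.ru type=A
2023-03-01T09:00:03Z conn src=10.0.0.7 dst=203.0.113.44 proto=tcp dport=443
2023-03-01T09:00:04Z conn src=10.0.0.9 dst=93.184.216.34 proto=tcp dport=443
2023-03-01T09:00:05Z dns client=10.0.0.5 query=ru.wikipedia.example type=A
"""


def cctld(qname):
    """Rightmost label of a query name, lower-cased, ignoring a trailing dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def check_line(line):
    """Return an alert dict if the line trips a trap rule, else None."""
    ts, kind, rest = line.split(" ", 2)
    if kind == "dns":
        m = DNS_RE.search(rest)
        if m and cctld(m["qname"]) in WATCHED_CCTLDS:
            return {"ts": ts, "rule": "dns-watched-cctld", "host": m["client"], "value": m["qname"]}
    elif kind == "conn":
        m = CONN_RE.search(rest)
        if m:
            dst = ipaddress.ip_address(m["dst"])
            if any(dst in net for net in WATCHED_NETS):
                return {"ts": ts, "rule": "conn-watched-range", "host": m["src"], "value": m["dst"]}
    return None


def scan(log_text):
    """Run every non-empty line through the rules and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = check_line(line)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['rule']}: {a['host']} -> {a['value']}")
```

Two details matter more than the rule list itself. The TLD check looks at the final label only, so `ru.wikipedia.example` does not match even though it contains the watched string; a naive substring match would generate noise. And the second line of the sample shows the value of correlating the two rules: the same internal host resolves a watched domain and then opens a connection into a watched range a second later, which is exactly the kind of chain an analyst wants pulled out of the background traffic.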


Other technologies such as targeted analyzers—tools to analyze specific file types (like PDFs) in extreme detail—security information and event management (SIEM) solutions and network forensics systems can also help to provide the necessary data to uncover an attack focused specifically on your organization and identify the potential damage.

A decade ago when viruses threatened our infrastructure, the industry responded and changed the battlefield. As the threat landscape continues to evolve so must our defense strategies.

In contrast to viruses, APTs are selective. Each organization must calculate its risk profile and invest in IT security resources based on that perceived risk. However, it is critical to understand that APTs have at their disposal an extensive arsenal when it comes to devising an attack. Organizations must take a similar approach when it comes to protection.

No single weapon can protect an organization from an APT. What's needed is a defense-in-depth strategy, with tools that can be modified as the threat landscape changes, technologies that tap into the collective intelligence of a large user community, and experienced staff who can look at the data and accurately interpret it. By combining the right tools, technologies and talent, organizations can enhance their protection in the face of today's evolving threats.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
