Combating APTs Requires More than Just Technology. Equally Important is a Security Mentality Shared across the Enterprise.
Not a day goes by that we don’t hear about Advanced Persistent Threats or APTs, adversaries with an interest in obtaining and maintaining a foothold in a target organization for an extended length of time. An APT has at its disposal sufficient resources—money, equipment and skill—to evolve attacks in direct response to detection capabilities of the target. These groups are typically state-sponsored and interested in data to support political, military and economic objectives. While previously focused on government entities, enterprises across a variety of industries increasingly are in their sights.
The strategies used by APTs to seize data and wreak havoc are far more sophisticated than typical attacks and, as a consequence, are difficult to protect against. An October 7, 2011 report by Gartner, “Defining Next-Generation Network Intrusion Prevention,” states that: advanced targeted threats—often called “advanced persistent threats” (APTs)—often use custom malicious executables that do not rely on missing patches or that take advantage of vulnerabilities for which no patch currently exists.
Microsoft’s recently released “Security Intelligence Report Vol. 11” confirms this approach by APTs but finds that only one percent of attacks in the first half of 2011 were a result of APTs. The remainder, 99 percent, stemmed from threats focused on known vulnerabilities that have not been patched.
Although APTs account for a small number of attacks, the damage can be widespread with long-term effects. This is due to the fact that APTs typically target data and systems—such as intellectual property, trade secrets, national security data, and critical infrastructure— essential to the strength of our economy, global defense strategies and continuity of operations.
With 99 percent of attacks focused on known vulnerabilities, the vast majority of an organization’s IT security resources should be directed toward closing these gaps in defenses. But organizations with high-value digital assets can’t afford to neglect the one percent. And over time this percentage is likely to increase, particularly if organizations fail to take a proactive approach to security. With already stretched IT budgets organizations need technology solutions built from the ground up to deal with both types of attacks and a security mentality that is pervasive across the enterprise. Let’s start by taking a closer look at technology.
Traditional static defenses are failing to keep up with the tens of thousands of malware attacks we now see on a daily basis that exploit known vulnerabilities. Designed for a different time, when IT environments were stable and slow to change, these traditional security tools weren’t built to deal with rapidly changing environments and rapidly changing attacks. Organizations need to identify agile security solutions that can dynamically provide needed protection for today’s world. These next-generation solutions automatically speed protection of known vulnerabilities and also provide an intelligent and essential foundation for combating APTs.
APTs target unknown vulnerabilities and that’s the rub—you can’t protect what you don’t know. Security solutions that allow you to customize security to your network using awareness and agility provide a means to deal with APTs. Specifically, agile solutions should allow IT security teams to create custom protections for their networks. These custom protections should be focused on driving intelligence about APT actors back into current defenses. This could be as simple as laying traps, for example monitoring specific hosts that never interact or users that never access certain servers or files for abnormal activity, or could involve more complex detection, for example monitoring for emerging indicators of APT actors. APTs take advantage of the unknown. Agile security enables you to know more, so you can do more.
But combating APTs requires more than just technology. Equally important is a security mentality shared across the enterprise. Organizations and their employees must embrace security processes as part of daily business practices. This isn’t security training per se but a mind-set. As a simple example, employees must stop and think before opening attachments received via email. This may sound obvious but according to Microsoft’s previously cited report nearly 45 percent of successful attacks required some sort of user interaction. Security teams must shift their mentality as well. The traditional broken loop approach of “find a threat, fix the problem, remediate the infected hosts and notify users” needs to include a final step of driving all of the intelligence learned in the previous steps back into all security technologies to thwart future similar attacks. A shared security mentality across all employees will help protect an organization in general from all types of attacks.
Organizations can’t buy an “Anti-APT” solution—nothing can detect an unknown threat. But by adopting a security approach based on agile security and a security mentality that permeates the organization, IT security teams can know more and will stand a better chance of coming out on top in today’s threat landscape.
