
When it Comes to APTs, Don’t Confuse Tactics With Strategy

Modern cyberattacks and APTs (advanced persistent threats) have quickly become a top priority for both security practitioners and C-level executives, and for good reason.

Attackers, whether motivated by national interests, cyberespionage, or cybercrime and organized crime, have all turned to patient, long-term campaigns as the default method for compromising an organization and stealing sensitive information. Unfortunately, in many circles the concept of controlling APTs has become synonymous with detecting new or otherwise unknown malware. This is a potentially harmful oversimplification: it focuses our security on a single attack technique while ignoring the more resilient attack strategy behind it.

To say that modern attacks are multi-faceted and coordinated is an understatement. They employ a variety of vectors, malicious payloads, hacking tools, evasion tools and an ever-expanding set of techniques for communicating covertly, both inside the network and out to the attacker. But again, the attack strategy is more than the sum of the tools. An attack proceeds through multiple stages, and each stage gives the attacker an opportunity to investigate the target further and adapt to the environment. This iterative and adaptive nature is far more important than any one particular technique.

Once an attacker establishes a beachhead in the target network, they will typically footprint the local network, looking for ways to spread to other hosts or to escalate their privileges. They enumerate users and services to learn which additional exploits apply to the environment. To communicate and persist without detection, the attacker installs proxies, encrypted tunnels, peer-to-peer clients or remote desktop tools, or falls back on customized protocols. All of these components are part of the attack, and security teams need to be able to identify and block it in every phase.

Asymmetric Attacks Require Us To Break Traditional Silos

It is important to remember that IT security is essentially an asymmetric struggle. Networks and their users present a massive attack surface of potential exposures and vulnerabilities. An IT security team can secure 99.9% of that surface and repel thousands of attacks, but an attacker needs to succeed only once. This is what we refer to as asymmetry in the attack model, and it is something we see regularly in both the physical world and IT security.

In the physical world, terrorist organizations are a prime example of an asymmetric threat. Terrorists have a virtually unlimited number of potential targets, and any successful attack represents a failure of security. To respond to these threats, law enforcement had to re-evaluate its strategies. Correlating information and sharing context across previously separate agencies and perspectives has become standard practice. The focus has expanded beyond understanding bullets and bombs to understanding how a terrorist organization is coordinated, how it communicates, and how it operates.

Many of these lessons apply to IT security as well. Just as a terrorist attack is about more than the bullets and bombs, a modern cyberattack is about more than the exploits and malware. We need to establish context that spans the entire lifecycle of an attack. Infection vectors, exploits, malware, persistence tools, evasion tools, reconnaissance tools, malicious domains, and a near-infinite supply of applications and protocols used for command and control are all critical components of the attack.

Our security must be able to understand all of these facets natively and correlate them in order to identify and stop a real attack. Furthermore, we need to understand that any of those components can be, and regularly are, customized to avoid pre-existing patterns and signatures. The challenge of stopping the unknown is not limited to malware; we need to think broadly about how we proactively identify, test, and respond to unknowns throughout the lifecycle of an attack. An unknown file, a new domain, and a strange customized protocol on your network all demand attention. The risk may differ for each, but any or all can be the sign of a coordinated attack, and security teams need to be prepared to deal with them.
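The correlation this column argues for, and the post-beachhead stages it describes above (reconnaissance, enumeration, tunnels and custom protocols, persistence), can be illustrated with a small detection routine. The example below is added here and is not the column's or any vendor's code. It tags each signal from a constructed set of sensor logs with the lifecycle phase it belongs to, then reports, per host, the richest set of distinct phases seen inside a time window. The log format, the sensor and action names, the phase rules, the port list, the window size, the verdict thresholds and every sample event are constructed for the example.

```python
"""Correlate weak signals from several sensors into one per-host lifecycle picture.

Added illustration, not code from the column. The log format, sensor names,
phase rules, thresholds and all sample events are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: "<iso-timestamp> <sensor> <host> <action> k=v ...".
SAMPLE_LOG = [
    "2024-03-04T09:02:11 edr ws-17 file_first_seen sha256=aaaa11 path=C:/Users/j/AppData/Roaming/upd.exe",
    "2024-03-04T09:05:40 dns ws-17 new_domain query=cdn-metrics-sync.example age_days=2",
    "2024-03-04T09:07:03 netflow ws-17 flow dst=203.0.113.9 port=8443 app=unknown bytes=184000",
    "2024-03-04T09:20:55 auth ws-17 ldap_enum objects=4200",
    "2024-03-04T09:31:12 edr ws-17 service_installed name=WinUpdSvc",
    "2024-03-04T10:15:00 dns ws-22 new_domain query=cdn-metrics-sync.example age_days=2",
    "2024-03-04T11:00:00 edr ws-30 file_first_seen sha256=bbbb22 path=C:/Users/m/Downloads/setup.exe",
    "2024-03-04T15:00:00 netflow ws-30 flow dst=198.51.100.4 port=443 app=tls bytes=2100",
    "2024-03-04T08:00:00 edr ws-40 file_first_seen sha256=cccc33 path=C:/Users/k/Downloads/tool.exe",
    "2024-03-04T12:30:00 auth ws-40 ldap_enum objects=3900",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
COMMON_PORTS = {"53", "80", "443"}   # constructed list of "expected" ports; tune per environment


def parse_line(line):
    """Split one log line into timestamp, sensor, host, action and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sensor, host, action, rest = m.groups()
    fields = dict(tok.split("=", 1) for tok in (rest or "").split() if "=" in tok)
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor, "host": host,
            "action": action, "fields": fields}


def classify(ev):
    """Tag an event with the lifecycle phase it belongs to, or None if it is benign on its own.

    Each rule is one of the 'unknowns' the column lists: a never-seen file, a freshly
    registered domain, an unexpected protocol or port, mass enumeration, a new service.
    """
    a, f = ev["action"], ev["fields"]
    if a == "file_first_seen":
        return "delivery"
    if a == "new_domain" and int(f.get("age_days", "999")) <= 7:
        return "c2"
    if a == "flow" and (f.get("app") == "unknown" or f.get("port") not in COMMON_PORTS):
        return "c2"
    if a in ("ldap_enum", "share_enum"):
        return "recon"
    if a in ("service_installed", "schtask_created"):
        return "persistence"
    return None


def verdict(phases):
    """One weak signal deserves a look; several phases on one host in one window is an incident."""
    if len(phases) >= 3:
        return "alert"
    if len(phases) == 2:
        return "investigate"
    return "review" if phases else "none"


def correlate(lines, window_hours=2):
    """Group phase-tagged events by host and report the richest set of phases inside the window."""
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        phase = classify(ev)
        if phase:
            by_host[ev["host"]].append((ev["ts"], phase))
    report = {}
    for host, events in by_host.items():
        events.sort()
        best = set()
        for i, (t0, _) in enumerate(events):        # slide a window starting at each event
            phases = {p for t, p in events[i:] if t - t0 <= window}
            if len(phases) > len(best):
                best = phases
        report[host] = {"phases": sorted(best), "verdict": verdict(best)}
    return report


if __name__ == "__main__":
    for host, r in sorted(correlate(SAMPLE_LOG).items()):
        print(f"{host}: {r['verdict']:<11} phases={','.join(r['phases'])}")
```

With the constructed data, ws-17 shows delivery, recon, C2 and persistence inside half an hour and is flagged for response, while ws-22 (only a new domain) and ws-30 (only an unknown file) each get a single-signal review, which is the "different risk, but all demand attention" point made above. ws-40 has an unknown file and an enumeration burst four and a half hours apart; with the two-hour window they are reported separately, and widening the window joins them. The design choice worth keeping is that the verdict counts distinct phases rather than summing points, so ten noisy DNS lookups on one host never outrank one host that is quietly moving through the whole lifecycle.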


These are the changes that I think we will need to make in order to respond to the realities of modern attacks. It is always easier to focus on quick fixes than to change our ingrained habits and assumptions. But while it may be uncomfortable, these sorts of re-evaluations are necessary for our success, and ultimately our survival. If we do not adapt, we simply play into the hands of those who want to attack us.
