Guest author Corey Nachreiner, CISSP, is director of security at WatchGuard, which sells network- and content-security products.
The class of targeted attacks known as APTs (advanced persistent threats) is no longer reserved for Fortune 500 companies. As predicted by leading network security experts, APTs have started to infiltrate small- and medium-sized businesses (SMBs) at an alarming rate. And they are proving to be just as devastating, regardless of the size of the organization or the motive for the attack.
Historically, APT attacks have been created by sophisticated hackers using advanced attack techniques and blended-threat malware. But now, we’re starting to see smarter, everyday malware criminals speed up the evolution of APTs and make small and mid-sized organizations even bigger targets. According to Wired, Jeremy Grant, senior executive advisor for the U.S. Department of Commerce’s National Strategy for Trusted Identities in Cyberspace program, says hackers are going after small businesses because they typically have more money and information than individuals and are less protected than large corporations.
An October 2012 survey released by the National Cyber Security Alliance states that U.S. small- and medium-sized business owners and operators clearly have a false sense of cyber security. Seventy-seven percent of the 1,015 survey respondents say their company is safe from threats such as hackers, viruses, malware and breaches, yet 83% have no formal cybersecurity plan. These findings suggest smaller firms are highly vulnerable to this growing threat and can no longer afford to neglect Internet- and network-security policies and practices if they want to avoid being the next victim of these sophisticated attacks.
What is APT? Let me spell it out.
APTs use the most advanced malware and attack techniques. They often leverage techniques such as encrypted communication channels, kernel-level rootkits and sophisticated evasion capabilities to get past a network’s defenses. More important, they often leverage zero-day vulnerabilities – flaws which software vendors haven’t yet discovered or fixed – to gain access to the systems. In short, APTs are “Q-level,” James Bond-esque malware.
This malware is designed to stick around. It carefully hides its communications, using techniques like steganography. It “lives” in a victim’s network for as long as possible, often cleaning up after itself (deleting logs, using strong encryption and only reporting back to its controller in small, obfuscated bursts of communication).
Extremely Blended Danger
APTs are extremely blended threats, much like botnets, and very targeted. The attackers are groups of highly skilled, motivated and financially backed individuals with very specific targets and goals. In addition to Fortune 500 companies, these attackers (often sponsored by nation-states) have typically also targeted government-related infrastructure or the industrial sector.
No network security provider can block every APT attack, no matter what they claim. According to Gartner, an estimated $60 billion is invested by corporations and governments in network security, yet hackers still sneak past them. By definition, APTs often employ new techniques for which counter-measures and defenses may not yet exist. And while these sophisticated attacks are taking place, a smaller business with no security plan remains vulnerable to even the most basic kinds of attack.
There are defensive strategies that can provide high-value protection and significantly mitigate the chance of an advanced and persistent infection for a relatively small investment. IT administrators should strongly consider using more than one of the many reporting and monitoring functions available throughout the industry that provide smart and strategic defense against these blended threats.
If you already have a security infrastructure set up, many of these tools are likely already at your disposal. Ask your network-security provider about the following best practices, which will undoubtedly equip your firm with the tools to mitigate risk, monitor activity and detect and/or stop the next APT.
Build Multiple Layers Of Security Control
A multi-layered approach to network security is the best protection. When combined, firewalls, intrusion-prevention services, proactive anti-virus apps, anti-spam and anti-phishing protection and cloud-based reputation defenses will minimize your chances of being hit with an APT attack.
Signature-less Malware Protection
Similar to zero-day attacks, APTs often use malware that has not already been found by anti-virus protection and, therefore, no signature exists. The only way to catch this kind of APT is to use active, non-signature techniques.
Select a network-service provider that partners with best-in-class anti-malware and anti-virus-service providers that can detect malware without signatures. This type of service provider often specializes in code emulation, behavior analysis, and “sandboxing” to determine what a file does and if it may be malware. These techniques can often catch malicious files without actually having reactive signatures for them.
An Evolving Defense Framework
APTs are just further proof that hackers and attacks on the Internet are constantly evolving, so naturally, the only way to really protect against evolving threats is to have a defensive platform that can change along with them.
Security hardware platforms with adaptable and flexible defense frameworks make it possible for network-security providers to quickly incorporate new defense capabilities, such as cloud reputation and the use of heuristics to detect malware, as new technologies are released.
Better Manageability Through Visibility
Often, security practitioners focus on prevention and forget about discovery and response. Tools that help quickly identify anomalies or problems in a network often uncover malware through dedicated monitors, network-traffic reports and administrator visibility into which external sites have been approved or denied.
Additional reporting tools and appliances are available through network-security providers and increase visibility and ensure the system is providing optimal internal network protection.
Hold to RFC (Request for Comments) standards for services such as Web traffic (HTTP), e-mail traffic (SMTP), domain-name traffic (DNS) and file transfers (FTP). Enforcing these standards will spotlight when crucial protocol rules are broken.
For example, the SMTP RFC states that the maximum line length for an e-mail is 1,000 bytes; enforcing that limit protects a network from attacks (such as buffer overflows) that rely on overly long e-mail lines. That is just one example: this kind of signature-less protection can even block zero-day attacks that break protocol standards.
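As an added illustration of the SMTP line-length rule above (example code written for this page, not WatchGuard's product code), the following Python checker walks a constructed client-to-server SMTP stream and reports any line longer than the RFC 5321 limit for its phase: 512 octets for command lines and 1,000 octets for message text lines, both counting the trailing CRLF. A protocol-enforcing gateway applying this rule would reject the session rather than hand the oversized line to the mail server.

```python
"""Protocol-conformance check for SMTP line lengths (RFC 5321 limits)."""
from dataclasses import dataclass

# RFC 5321 section 4.5.3.1 limits, in octets, including the trailing CRLF.
MAX_COMMAND_LINE = 512   # command lines: EHLO, MAIL FROM, RCPT TO, ...
MAX_TEXT_LINE = 1000     # message text lines sent after DATA


@dataclass
class Violation:
    line_no: int   # 1-based position in the stream
    phase: str     # "command" or "text"
    length: int    # observed length including CRLF
    limit: int     # the RFC limit that was exceeded


def check_smtp_stream(raw: bytes) -> list[Violation]:
    """Report every line in a client-to-server SMTP stream that exceeds the
    RFC limit for its phase. Lines before DATA are commands; lines after
    DATA up to the lone '.' terminator are message text."""
    violations: list[Violation] = []
    in_data = False
    lines = raw.split(b"\r\n")
    for idx, body in enumerate(lines, start=1):
        if idx == len(lines) and body == b"":
            break  # artifact of splitting on the stream's final CRLF
        line_len = len(body) + 2  # put the CRLF back into the count
        phase, limit = ("text", MAX_TEXT_LINE) if in_data else ("command", MAX_COMMAND_LINE)
        if line_len > limit:
            violations.append(Violation(idx, phase, line_len, limit))
        # Phase transitions: DATA opens message text; a lone '.' ends it.
        if not in_data and body.upper() == b"DATA":
            in_data = True
        elif in_data and body == b".":
            in_data = False
    return violations


# Constructed sample session: every line is RFC-sized except one 1,200-byte
# body line, the kind of over-long line the text above says to block.
SAMPLE_SESSION = (
    b"EHLO client.example\r\n"
    + b"MAIL FROM:<alice@example.com>\r\n"
    + b"RCPT TO:<bob@example.net>\r\n"
    + b"DATA\r\n"
    + b"Subject: hello\r\n"
    + b"\r\n"
    + b"A" * 1200 + b"\r\n"
    + b".\r\n"
    + b"QUIT\r\n"
)

if __name__ == "__main__":
    for v in check_smtp_stream(SAMPLE_SESSION):
        print(f"line {v.line_no}: {v.phase} line of {v.length} octets exceeds {v.limit}")
```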
Because APTs are continually evolving and getting more elusive by the day, no network-security strategy will anticipate or block every attack. Always assume that a network is already breached and then build a security vault using the tools and best practices discussed here. Using strong prevention and visibility tools will help recognize threats and ensure that IT administrators are taking all necessary action to help mitigate them.