Your Traditional Defense Can Not Protect You From Advanced Persistent Threats (APT)

It seems that lately, threats that were once simply known as “malware” or “viruses” have been elevated to the status of Advanced Persistent Threat (APT), a term that has strategically been used to strike fear in the hearts of consumers.

These days, APTs have a much more common presence in the media, and some of the most notorious have included major global threats such as the recent case:

US Department of Defense: 27th May 2013, the Washington Post reported that Chinese hackers broke into Department of Defense computers and stole designs for several weapons systems. These systems included anti-missile and ballistic missile defense systems. Aircraft and ship designs were also taken. As is a hallmark to an APT, it was discovered that the theft took place some time ago before the breach was discovered.

RSA Attack: In March 2011, RSA, the security division of EMC, announced they were the victims of a sophisticated attack that breached their network and allowed the attacker to reportedly exfiltrate  data relating to RSA’s SecureID two-factor authentication token system. It was reported soon after that Lockheed Martin, Northrop Grumman and L-3 Communications may have been attacked using information obtained in the RSA breach.

Despite audacious claims and billions of dollars invested, traditional defense like firewalls, intrusion prevention systems and anti-virus gateways no longer stop advanced malware or targeted APT attacks.

I do not own the whole script of the video. Credits goes to the author/s of the original video.

Next Generation Firewalls

Next Generation Firewalls(NGFW) have been proven to be ineffective in stopping advanced malware and targeted attacks. While NGFW adopts a more application centric approach to mitigate attacks. They still typically rely on traditional anti-virus pattern matching, reputation analysis and url blacklist.  These approaches are reactive and have been proven to be incapable of stopping advanced attacks such as zero-day, targeted attacks. It has been researched that 90% of binaries morph within an hour and initiate callbacks within minutes of compromise to download further malware. Moreover, NGFW does not detect spear-phishing attacks nor does it analyze documents (PDFs, Office documents, image files) that are used to exploit application vulnerabilities

Intrusion Prevention Systems

Intrusion Prevention Systems are built to detect and analyse network services based attacks on OS and server applications. However, most of today APT attacks are targeting client applications such as browser, PDF readers and Flash plug-ins. Adding to the woes, once the system has been compromised, it moves on to infect other systems through legitimate privileges that it acquired through the initial compromised system. This will not be detected as it is deemed trusted traffic in the eyes of the IPS.

Antivirus

As most of these malwares are customized and have been tested against anti-virus solutions deployed within the environment. They sneaked right by the radar and usually these malwares morph rapidly to avoid further detection by antivirus signatures. These malwares could also hide itself and lied dormant for days, months or  even years and only sporadically calls back to criminal servers to update, repair, or install further malware components.

However, it is not all groom and doom. The key steps for enterprises to protect itself from APT attacks is to move from a perimeter based mentality to a comprehensive approach which includes the following:

a)    Identify what you need to protect

b)    Classification of your data

c)    Continuous assessment of your security posture

d)    Enhance your detection capabilities with APT solutions

e)    Security awareness and training

f)     Enhance your security incident response

g)    Develop a roadmap for optimized security model

Advanced Persistent Threats is becoming a critical business issue (sometime national security issue as well). Either if you have the capacity to perform the above in house or outsource to a provider, APT should not be taken lightly.