October 9, 2013 3 Comments
APT Defense Puzzle – Best-Practice & Controls
APT Strategy Series
In the last few years, protecting business assets has become much more difficult as the “bad” guys continue to evolve their attacks to evade IT defenses. When you add into the mix employee-owned mobile devices (BYOD) and cloud-based services, which require networks to be more dynamic than years past, traditional network security controls and practices are simply no longer enough to ensure protection.
A 2013 study by the Ponemon Institute found that 67 percent of organizations admit that their current security activities are insufficient to stop a targeted attack. Trend Micro found that 55 percent are not even aware of intrusions, and fewer know the extent of the attack or who exactly is behind it.
The Advanced Persistent Threat now more closely approximates the “Average” Persistent Threat, and the average organization is going to have to learn how to protect itself from this new and different form of cyber threat. Over the last few years, three factors have combined to attract organized criminal elements to hacking:
- There’s real money to be made –– in several different ways.
- There’s a very low risk of getting caught.
- There are readily-available hacking tools that anyone can modify to suit their purposes.
This APT Defense Puzzle blog, in the APT Strategy Series is a living and evolving blog that will be continually updated and extended with practical best-practice and controls that organizations can leverage to manage and defend against the real and increasing threat of APT. It complements the APT Threat Defense blog which focuses more on top-down Architecture and Strategy with a bottom-up focus on quick fixes and changes that enable tangible improvements in security posture.
Solving the APT Defense Puzzle
The blog is also complemented by a Linked-In group entitled, Solving the APT Defense Puzzle that bring together a virtual community of security professionals to share practical best-practice, controls, and tools together with analysis of APT attacks in the wild in terms of analysis and actionable steps.
Defensible Posture Recap
As stated in the Defensible Security Posture blog, the basic idea of a Defensible Security Posture is that you aren’t striving for an absolute, but rather for a position (or posture) that is able to be defended even when it’s infiltrated.
“He who tries to defend everything defends nothing.”, Frederick II
There are a few basic things we need to understand:
- Defensible does not mean secure
- There are more things to defend than there are resources to defend
- Sometimes your defenses can become your weakness
- Defensibility requires understanding of what critical assets you’re defending
- Defensibility focuses on what, why, how, when and from whom
There is no silver bullet or single solution. APT attackers continually demonstrate their capability to compromise systems by using social engineering techniques, customized malware, and zero-day exploits that intrusion detection, anti-virus and patching cannot always detect or mitigate. Responses to APT intrusions require an evolution in analysis, process, visibility and technology.
A Call to Action
While there is no APT silver bullet there is much an organization can do with a well-designed and managed defensible posture. Given the inherently porous nature of richly inter-connected systems, it is quite likely that determined attackers will penetrate virtually any system. This does not mean there is no defense. It means there is a need to change the concept of defense from walling off the system to detecting, monitoring and mitigating attacks on the system.
The reality is that organizations actually have much more control over cyber attackers when attackers are inside their system than when attackers are on the outside selecting access points into it. Moreover, most cyber attacks are not successful when they merely penetrate the system.
Success for the attacker does not occur until they gather valuable information and then exit the system with it. If an enterprise can detect an unwelcome entity within the system, for example, and block its pathway back out, it can successfully mitigate the attack even if the system has been successfully breached.
Practical Best-Practice & Controls
Developing a Defensible Security Posture is very similar to a complex 5000+ piece jigsaw puzzle only organizations do not have the complete picture yet or always know what pieces are actually missing given the complexity. As we are all painfully aware, security is only as good as your weakest link so a missing piece or two enables the APT attacker to compromise and establish a base camp.
Based upon experience conducting hundreds of network architecture assessments, vulnerability assessments, penetration testing, and social engineering assessments what are the common gaps in best-practice, controls and, tools … typical missing pieces or unseen flaws that are easily fixable yet enable a successful APT attack?
Based upon analysis of successful APT attacks and compromises in the wild, what were the techniques of exploitation and persistence used, what were the lessons learned? What can organizations do that are easily actionable and fixable to prevent a similar attack to evolve and improve posture?
The devil is in the details. The blog presents an ever evolving list of missing pieces and/or validation checks to complete a defensible security posture. Do you have that control or option configured? Is it configured correctly? Did the organization miss this gotcha that others missed?
IT security threats continue to become more targeted and more dangerous, security challenges are getting even more complex, and the costs of security failures keep going up. Business as usual can no longer protect enterprise networks against these threats –– much less what’s coming tomorrow.
IT needs to act now to address the challenges of ubiquitous mobile device access, for-profit hacking, Advanced Persistent Threats, application vulnerabilities and complex multi-vendor hyper-extended network management.
Thanks for your interest!
Nige the Security Guy.