APT Defense Puzzle

APT Defense Puzzle – Best-Practice & Controls

APT Strategy Series

Defensible Security Posture
Advanced Threat Defense
APT Detection Framework
APT Detection Indicators
APT Red Teams

In the last few years, protecting business assets has become much more difficult as the “bad” guys continue to evolve their attacks to evade IT defenses. When you add into the mix employee-owned mobile devices (BYOD) and cloud-based services, which require networks to be more dynamic than in years past, traditional network security controls and practices are simply no longer enough to ensure protection.


A 2013 study by the Ponemon Institute found that 67 percent of organizations admit that their current security activities are insufficient to stop a targeted attack. Trend Micro found that 55 percent are not even aware of intrusions, and fewer know the extent of the attack or who exactly is behind it.

The Advanced Persistent Threat now more closely approximates the “Average” Persistent Threat, and the average organization is going to have to learn how to protect itself from this new and different form of cyber threat. Over the last few years, three factors have combined to attract organized criminal elements to hacking:

  1. There’s real money to be made – in several different ways.
  2. There’s a very low risk of getting caught.
  3. There are readily available hacking tools that anyone can modify to suit their purposes.

This APT Defense Puzzle blog, part of the APT Strategy Series, is a living and evolving blog that will be continually updated and extended with practical best-practice and controls that organizations can leverage to manage and defend against the real and increasing threat of APT. It complements the APT Threat Defense blog, which focuses more on top-down architecture and strategy, with a bottom-up focus on quick fixes and changes that enable tangible improvements in security posture.

Solving the APT Defense Puzzle

The blog is also complemented by a LinkedIn group entitled Solving the APT Defense Puzzle, which brings together a virtual community of security professionals to share practical best-practice, controls, and tools, together with analysis of APT attacks in the wild and the actionable steps that follow from it.

See: Solving the APT Defense Puzzle Announcement

Defensible Posture Recap

As stated in the Defensible Security Posture blog, the basic idea of a Defensible Security Posture is that you aren’t striving for an absolute, but rather for a position (or posture) that is able to be defended even when it’s infiltrated.

“He who tries to defend everything defends nothing.” – Frederick II


There are a few basic things we need to understand:

  1. Defensible does not mean secure
  2. There are more things to defend than there are resources to defend
  3. Sometimes your defenses can become your weakness
  4. Defensibility requires understanding of what critical assets you’re defending
  5. Defensibility focuses on what, why, how, when and from whom

There is no silver bullet or single solution. APT attackers continually demonstrate their capability to compromise systems by using social engineering techniques, customized malware, and zero-day exploits that intrusion detection, anti-virus and patching cannot always detect or mitigate. Responses to APT intrusions require an evolution in analysis, process, visibility and technology.

A Call to Action

While there is no APT silver bullet there is much an organization can do with a well-designed and managed defensible posture. Given the inherently porous nature of richly inter-connected systems, it is quite likely that determined attackers will penetrate virtually any system. This does not mean there is no defense. It means there is a need to change the concept of defense from walling off the system to detecting, monitoring and mitigating attacks on the system.

The reality is that organizations actually have much more control over cyber attackers when attackers are inside their system than when attackers are on the outside selecting access points into it. Moreover, most cyber attacks are not successful when they merely penetrate the system.

Success for the attacker does not occur until they gather valuable information and then exit the system with it. If an enterprise can detect an unwelcome entity within the system, for example, and block its pathway back out, it can successfully mitigate the attack even if the system has been successfully breached.

Practical Best-Practice & Controls

Developing a Defensible Security Posture is very similar to assembling a complex 5000+ piece jigsaw puzzle, except that organizations do not yet have the complete picture, and given the complexity do not always know which pieces are actually missing. As we are all painfully aware, security is only as good as your weakest link, so a missing piece or two enables the APT attacker to compromise a system and establish a base camp.


Based upon experience conducting hundreds of network architecture assessments, vulnerability assessments, penetration tests, and social engineering assessments: what are the common gaps in best-practice, controls, and tools … the typical missing pieces or unseen flaws that are easily fixable yet enable a successful APT attack?

Based upon analysis of successful APT attacks and compromises in the wild: what techniques of exploitation and persistence were used, and what were the lessons learned? What easily actionable and fixable steps can organizations take to prevent a similar attack, and to evolve and improve their posture?

The devil is in the details. The blog presents an ever evolving list of missing pieces and/or validation checks to complete a defensible security posture. Do you have that control or option configured? Is it configured correctly? Did the organization miss this gotcha that others missed?

IT security threats continue to become more targeted and more dangerous, security challenges are getting even more complex, and the costs of security failures keep going up. Business as usual can no longer protect enterprise networks against these threats – much less what’s coming tomorrow.

IT needs to act now to address the challenges of ubiquitous mobile device access, for-profit hacking, Advanced Persistent Threats, application vulnerabilities and complex multi-vendor hyper-extended network management.

Thanks for your interest!

Nige the Security Guy.


Advanced Threat Defense – Part 1

APT Strategy Series

Defensible Security Posture
APT Defense Puzzle
APT Risk Assessment
APT Incident Response
Adaptive Zone Defense

Many organizations continue to struggle to achieve network visibility into a number of advanced, targeted, and layered threats that evade detection by traditional approaches to incident management.


This APT Strategy Series blog offers readers a preview of a proposed foundation and strategy for Advanced Threat Defense. While there is no APT silver bullet, there is much an organization can do with a well-designed and managed defensible posture to Protect, Detect, Contain, Eradicate, and Recover in order to minimize impact and cost.

Situational Awareness

Attackers are continuously evolving and becoming smarter, and the largest looming threat to an organization is always the one it does not know about or cannot detect. What is changing is that perpetrators understand that their victims can’t cover all their bases all the time. So DDoS attacks can be used as decoys to divert attention, after which attackers can move on to sectors that are more vulnerable.


But coming up with a standardized means of defending against these attacks presents a paradoxical challenge: while the ever-expanding risk footprint and evolving foes call for more regulation in security, increased regulation effectively provides cybercriminals with a handbook on how to circumvent an organization’s security.

In an ideal world, every security manager would be able to assess their organization’s security ecosystem at any given time and be able to articulate the current security posture. But for that to happen, risks must be known and acted upon with speed and intelligence, incoming events must be logged and scrutinized in real time, and threats must be identified and anticipated before they become full-blown attacks.


Unfortunately, we do not live in an ideal world, and we cannot obtain “situational awareness” and reap its benefits without the right security architecture, technology solutions and operational practices. Overall, it is imperative for organizations to integrate a well-designed architectural blueprint with capable security technologies, security intelligence, and resource skills/expertise in order to achieve a more comprehensive threat perspective and informed risk management.

Recent Trends Increase Stakes

Business is about managing risk. Every business decision has inherent risk. It is essential to understand that risk and make decisions based on its cost and benefit. CISOs no longer lie awake at night worrying only about defending their organization’s perimeter and the latest malware infection. The challenges facing security leaders today are far more complex.

The following are examples of recent trends with a significant impact on risk:

  • BYOD
  • Cloud
  • Cyber Threats
  • Mobility
  • Social Media

It is time to rethink security in a broader, holistic context and integrate across silos and functional roles so that organizations can protect what really matters: intellectual property and critical data. The challenge is to create an integrated ecosystem that is fully prepared to provide situational-awareness visibility, detect any anomaly, investigate it to verify, and remove threats while maintaining a defensible posture.

Traditional technologies are still needed to catch vulnerability-based attacks, but these technologies need to be layered to enable the organization to detect, monitor and stop an attack at each stage of the kill chain. Our goals are to:

  • Evaluate and Manage Threat/Risk
  • Establish Defensible Security Posture
  • Develop Skills and Expertise
  • Defend against Advanced Threats
  • Improve Detection and Reaction time
  • Manage Operational Costs

Distributed Defense Ecosystem

The goal in a Distributed Defense Ecosystem is to align detection and mitigation technologies with earlier phases of the intrusion kill chain (see: Defensible Security Posture) to stop persistent threats. Defensive measures at each stage of the kill chain help ensure resiliency, particularly when faced with adapting threats. When one defense fails to stop or detect an attack, hopefully one of the others will succeed. This is the modern approach to defense in depth – intelligence-driven detection and mitigation aligned with the intrusion kill chain.

APT Defense Flow

  • Layer 1: Protect – Defensible Architecture Foundation
    • Identity and Role-Based Access (Who)
    • Asset Inventory Classification (What)
    • Application & System Zoning/Controls
    • Application Connectivity Management
    • Activity Logging and Monitoring
      • Instrumentation and Telemetry
      • Data Collection and Mining
  • Layer 2: Detect – Security Operations
    • Calibration & Validation
    • Threat Intelligence/Indicators
    • Situational Awareness
      • Behavior Baseline
      • Anomaly Detection
      • Attack Patterns
  • Layer 3: Contain – Incident Response
    • Anomaly Verification
    • Damage Assessment/Containment
    • Incident Response
  • Layer 4: Investigate – Lessons Learned
    • Root Cause Analysis
    • Break the Kill Chain
    • Remediate and Recovery

In Advanced Threat Defense – Part 2 we will further develop this initial foundation and strategy, discussing the defense-in-depth, situational awareness, containment, and response layers in more detail to begin to define the framework, technology, and practices for a Defensible Security Posture.



Dealing with advanced attackers is not for immature security organizations. Organizations need to master security fundamentals and have good security practices in place. Our Security Architecture Series (see links below) takes readers Back to Basics to assemble and align the pieces necessary to develop, update, or validate a modular and flexible security architecture that forms the basis for Advanced Threat Defense.

As discussed in our Threat & Vulnerability Management blog, organizations need to have already hardened key devices and implemented a strong device hygiene (patch and configuration management) program. It is also necessary to properly segment the network to make it difficult for attackers to get at important data. Segmentation will be discussed more fully in the Application & System Zoning blog (aka Adaptive Zone Defense) and in the Service Communication Management blog (aka Application Architecture Taxonomy), which profiles applications based on classification and risk, determines zone placement, and defines policy and controls.

While traditional endpoint protection is not ‘the’ sole solution, organizations do still need some level of protection on key devices with access to sensitive data.

To help improve security posture, penetration testing and security validation testing are key. There is a lot to be learned from these tests regardless of whether they are required or not (also see: Vulnerability Assessment Remediation). A penetration testing exercise can be used to validate security operations / monitoring visibility and detection under a real-world attack scenario, as well as serving as a training tool for the forensic team and providing lessons learned regarding overall security issues.

Security Architecture Series

Thanks for your interest!

Nige the Security Guy.