Demystifying APTs: From ID to mitigation
A multi-staged approach is required to protect from advanced persistent threats, says Websense's Gerry Tucker.
In a recent Ponemon Institute study, IT security professionals across the ditch placed being hit by an advanced persistent threat (APT) as their number one fear.
With 58% admitting that they do not have the defences in place to stop cybercriminals stealing their data, and only 42% believing they are protected from advanced cyber-attacks, it's no wonder they fear the worst. In fact, 33% would completely overhaul their current enterprise security given the resources and opportunity.
The myriad reports of customer records, blueprints, product roadmaps, source code and other confidential information being stolen may heighten their fears. Cybercriminals using APTs want data; the more valuable the data, the more likely it is to be targeted. Organisations require a heightened level of protection to meet cybercriminals head-on and thwart inbound and outbound data theft attempts.
And while APTs don’t target everyone, everyone should understand how they work because the same techniques will be used in targeted attacks designed to steal sensitive data from all kinds of organisations.
APTs exploit the full spectrum of attack methods and bypass traditional defences. Defending against APTs requires a new approach, with enhancements that include advanced threat protection with expanded inline sandboxing, malware isolation to strengthen data loss prevention, end-user phishing education and new platform support. Organisations relying on security solutions such as antivirus, firewall and IDS/IPS products, which only address part of the advanced threat kill chain, are vulnerable.
As different attack vectors are used, a multi-staged approach to preventing an APT (or at least minimising its impact) is required. By shifting the paradigm from prevention to detection, organisations can take focused, intelligent action to stay safe.
APTs typically consist of seven customary attack stages that enhance the cybercriminals' theft success rate: recon, lure, redirect, exploit kit, dropper file, call-home and data theft. For the best defence, companies need to be able to stop threats across the entire threat kill chain.
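Stopping threats "across the entire kill chain" in practice means correlating weak signals from several stages for the same host rather than alerting on any one of them. The following added example (not from the article or from Websense) shows one way to do that: it maps constructed proxy and endpoint events onto the stages named above, requires call-home traffic to look like real beaconing (regular intervals) before it counts, and flags a host only when it progresses through several stages in order. The event types, field layout and thresholds are all assumptions chosen for illustration.

```python
"""Kill-chain stage correlation over constructed proxy/endpoint events.

Assumed event format (constructed for this example, not any vendor's log schema):
    epoch_seconds|host|event_type|detail
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ordered stages from the article. Recon usually leaves no trace in the
# victim's own logs, so the correlator tracks lure through data theft.
STAGES = ["lure", "redirect", "exploit_kit", "dropper", "call_home", "data_theft"]

# Hypothetical event types, chosen to resemble what a web proxy or
# endpoint agent might emit, mapped onto the article's stages.
EVENT_TO_STAGE = {
    "email_link_click": "lure",
    "http_302_to_newly_seen_domain": "redirect",
    "browser_plugin_crash": "exploit_kit",
    "new_executable_written": "dropper",
    "outbound_beacon": "call_home",
    "large_upload": "data_theft",
}

# Constructed sample log. ws-17 walks the whole chain; ws-22 and ws-31 show
# single benign-looking signals that should not be flagged on their own.
SAMPLE_EVENTS = [
    "1000|ws-17|email_link_click|https://invoice.example.invalid/view",
    "1005|ws-17|http_302_to_newly_seen_domain|cdn.example.invalid",
    "1007|ws-17|browser_plugin_crash|java",
    "1009|ws-17|new_executable_written|%TEMP%/update.exe",
    "1300|ws-17|outbound_beacon|203.0.113.7:443",
    "1600|ws-17|outbound_beacon|203.0.113.7:443",
    "1900|ws-17|outbound_beacon|203.0.113.7:443",
    "2200|ws-17|outbound_beacon|203.0.113.7:443",
    "1100|ws-22|email_link_click|https://hr.example.invalid/policy",
    "1500|ws-22|large_upload|sharepoint.example.invalid",
    "100|ws-31|outbound_beacon|198.51.100.9:443",
    "130|ws-31|outbound_beacon|198.51.100.9:443",
    "700|ws-31|outbound_beacon|198.51.100.9:443",
    "715|ws-31|outbound_beacon|198.51.100.9:443",
    "900|ws-31|new_executable_written|C:/Program Files/Vendor/setup.exe",
]


def parse_event(line):
    """Split one pipe-delimited event into a dict."""
    ts, host, etype, detail = line.split("|", 3)
    return {"ts": int(ts), "host": host, "type": etype, "detail": detail}


def is_beaconing(timestamps, min_count=4, max_jitter_ratio=0.15):
    """Call-home traffic tends to fire at regular intervals; treat a run of
    outbound connections as beaconing when the gaps between them vary by
    no more than max_jitter_ratio of the mean gap."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) <= max_jitter_ratio * mean(gaps)


def correlate(lines, min_stages=3):
    """Return {host: [stages]} for hosts that progress, in kill-chain order,
    through at least min_stages stages. Call-home only counts when the
    host's outbound connections actually look like beaconing."""
    per_host = defaultdict(list)
    beacons = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["type"] == "outbound_beacon":
            beacons[ev["host"]].append(ev["ts"])
        stage = EVENT_TO_STAGE.get(ev["type"])
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))

    findings = {}
    for host, events in per_host.items():
        events.sort()
        seen = []
        for _, stage in events:
            if stage == "call_home" and not is_beaconing(beacons[host]):
                continue
            # Only accept a stage that advances the chain for this host.
            if not seen or STAGES.index(stage) > STAGES.index(seen[-1]):
                seen.append(stage)
        if len(seen) >= min_stages:
            findings[host] = seen
    return findings


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(chain)}")
```

Run as a script it reports only ws-17, because ws-22's link click and upload never form a chain and ws-31's irregular connections fail the beaconing test. The point of the ordered-progression check is that any single stage (a plugin crash, a new executable, one odd connection) is noise in a real estate; it is the sequence, tied to one host, that is worth an analyst's time.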
Five strategies
APTs typically play out in multiple phases. In some cases, they may take months or even years to fully execute and successfully extract data from a network. To sufficiently prepare your organisation for these vicious and effective cybercrime techniques, we recommend you speak to your security vendor or partner about the following five strategies:
• Real-time threat analysis: Organisations must employ more than traditional defences. Real-time analysis provides security teams with a constant stream of data, which can be used to make vital and immediate decisions about an organisation's security posture.
• Global threat awareness: Simply put, organisations benefit from large threat detection networks. The larger the network, the greater the threat awareness.
• DLP capabilities: A fully contextually aware DLP solution must be deployed to protect sensitive data against exfiltration.
• Sandboxing: Effective analysis and reporting has become crucial for security professionals to make informed decisions about their organisation's security posture.
• Forensic and behavioural reporting: A successful security deployment will include forensic and behavioural analysis and yield actionable reports. The more actionable the report, the more valuable it is to the organisation.
Gerry Tucker is ANZ country manager for Websense, a global leader in protecting organisations from cyber attacks and data theft.