11 Steps for Building APT ResilienceExperts Outline Short, Long-Term Plans to Respond to New Threats
This is part two of a series of features on the state of APT defense in Indian organizations.
Advanced persistent threats have been making waves in the security marketplace for the past few years. Initially dismissed as jargon and another attempt by vendors to sell more blinking boxes, the general consensus has sobered on the subject to view APTs as a valid, serious, and immediate threat. [Please read: New APT Threats Target India, SE Asia]
While controls such as firewalls, antivirus solutions and intrusion prevention systems are still essential components in one's security infrastructure, they don't seem to be adding up an effective defense against these kinds of attacks, says Eric Ahlm, Research Director at Gartner, in an interview with ISMG.
"I think why we are seeing the prevalence of these kinds of attacks is that the cost of creating a crafted, advanced attack has gone down to the consumer level," he says. As the ability to launch these kinds of attacks goes down market, we can expect more of these kinds of attacks, he believes.
So, what is to be done? Below, drawing from expert insight, are some actionable recommendations that can help shore up an organization's APT resilience.
Most organizations in India are not geared to counter APT attacks, primarily because they are focused on protection technologies, says Felix Mohan, Chief Knowledge Officer at the CISO Academy and ex-CISO at Bharti Airtel and ex-director for IT at the Indian Navy. "Focusing just on protection is bound to fail, because APTs are persistent to the point that they will find a way in," he says.
"Visibility is another big challenge for Indian organizations today; they have no idea what's happening on their network," he says. All the VA/PT and security testing that you hear about is external. And given the perimeter mindset and infrastructure, "once the attacker is in your environment - which he will eventually penetrate, given his persistent nature - there are no internal defenses, or bulwarks in place to prevent him from doing as he please," Mohan says.
Secondly, the most effective counter to APTs is following a framework that relies on detection, response and recovery - but that framework is not widely embraced, Mohan says. Thirdly, there is purely a lack of end user awareness. "Ninety percent of successful APTs are directly indirectly related to end users," he says. "So much so that Verizon's DBIR report mentions that more than 77 percent cyber espionage attacks have used email attachments as the initial vector." This is a critical component of APT mitigation, Mohan believes.
Bryce Boland, FireEye's CTO APAC, has a counter view. "These targeted attacks are customized to such a great degree that you cannot train a lay user to look at an email or an attachment that he is expecting from a legitimate source, and expect him/her to be able to determine if it is a spear-phish," he says. "Of all the organizations that we have seen institute awareness programs, none have really ever worked - advanced breaches continue."
Organizations need to bring together the technology, threat intelligence and expertise necessary to improve their defensive capabilities, Boland says. This is one reason firms are increasingly moving to adopt security as a service - especially small and mid-size companies, which comprise the majority of organizations in Asia. Tools must be integrated, and there should be a single unified command structure, something that is also lacking in Indian organizations today, experts say.
Short-term, security leaders must look at their technology and programs and ensure they are equipped to detect the indicators of compromise, and not have to depend on the detection capabilities of their preventive systems, says Gartner's Ahlm.
Typically things such as behavioral analysis can really aid organizations to find evidence that there is suspicion that's worthy of investigation, he says.
Mohan says that immediate measures that organizations can take include reducing the attack surface available to a would-be APT attacker. This can be done be following five steps.
- User Awareness: End user awareness is key, Mohan Says. Coach your users to not click on attachments and web links from unknown sources. Even known sources can be dangerous in the era of targeted spear-phishing. This should be a continuous process, so that it becomes a part of the user's behavior, he says.
- Password Policies: Password management is very important. Instituting a firm password policy and good password hygiene goes a long way, Mohan says. Two-factor authentication needs to be de-facto for users that access sensitive information.
- Patching: Patching is not negotiable, Mohan says. According to Gartner, 99 percent of vulnerabilities that have been exploited had updates available.
- Managing Privileged IDs: Managing privileged accounts needs immediate attention. "According to a survey, 90 percent of Microsoft vulnerabilities could be mitigated by removing admin access," Mohan says.
- Network Zoning: This is the last step to focus on, as segmenting the network ensures that even if an attacker is able to breach one network zone, he remains limited to that zone and cannot access other areas, effectively reducing the attack surface, Mohan says.
Longer-Term APT Mitigation
The foremost thing that security owners need to do, is build a threat profile for their organizations. Here are a few recommendations Mohan shares:
- Identify Critical Assets: As it exists today, most organizations do not know what their crown jewels are, or where they are located. Discovery of sensitive assets is a very important task. This needs to be followed up by determining the possible threat vectors to these assets, He says.
- Discovering Security Gaps: Find out the blind spots and security gaps in your existing setup. For example, today, 50-60 percent of an organization's network traffic is encrypted (SSL and others). "Most organizations using firewalls and IPSs are blind to encryption, which is what attacker always use for command and control," he says.
- Discover Ineffective Security Processes: This is another long tail activity. Mohan feels specific attention needs to be paid to: Vulnerability management programs, change management and user management.
One of the first things an attacker does upon entering the network is create new user accounts and change the file system, Mohan says. Strong user management and change management can catch this anomalous behavior.
Once these are addressed, Mohan recommends implementing an incident response process. "While organizations might say they have an incident response process in place, that is limited to IT incidents, not attacks" he says. People are clueless on the immediate remediation process for APT. Attack recovery can become a sub part of the organization's overall business continuity program.
Organizations need to start investing in technologies other than the protection oriented technologies, In addition to the technologies for basic security hygiene tech like firewalls etc. Mohan says. "Gaining situational awareness is key, and a SIEM with an integrated threat intelligence feed is a prerequisite," he says.
One key technology in this respect is analytics, which need to be implemented at three levels, Mohan says.
At the Network: All incoming and outgoing traffic needs to be monitored, performing deep packet inspection. All flow records need to be evaluated. Flow records are the main defining requirement, according to Mohan. APT attackers tend to attack an organization and take over an end user machine or server, Mohan says. "They then escalate privileges and gain admin rights," he says. "When this happens, they disable logging and your SIEM goes blind. This is a typical characteristic of an APT attack."
However, while logging can be stopped, packets will have to flow in the network, he says. Today security intelligence platforms have flow collectors, which are like probes in the network. They pick up packets and get up to layer 7 visibility into it, so that an APT can still be detected.
- At Payload Layer or Sandboxing: When a file effectively enters the network, it is analyzed and detonated within a sandbox. Payload analytics is getting common, says Mohan.
- At the End Point: where a snapshot of the entire file-system on an endpoint can be taken and any changes in the file-system will raise an alert. This kind of analytics becomes part of change management.
Longer term, adding more tools and more visibility - in other words finding evidence of these breaches - has an operational impact, says Gartner's Ahlm. "It's going to take people to do it. So in the long term, organizations need to structure their teams to this monitoring, detecting and hunting mentality," he says. "More so than just a systems operations mentality."
That's going to be the long term challenge for security program owners, he says.
Please find part one of the feature here