Securing Against Advanced Threats
Experts Debate Appropriate Defences to Handle Sophisticated Attacks
Security leaders argue that India has witnessed advanced persistent threats for more than a decade now, with exfiltration of data by other nations, as servers of large enterprises and critical sectors reside outside India. This year started with a cyberattack on the Ukrainian power grid, confirming the worst fears about the vulnerability of critical infrastructure (see: New APT Threats Target India, SE Asia).
CISOs protecting targeted organizations are under increasing pressure to identify and stop targeted attacks, and to learn from real-world cases of advanced threat protection.
With such threats becoming epidemic, key issues surface, such as:
- How to recognize and identify APTs when an organization is compromised;
- The standard lifecycle of the APT kill chain;
- The effective response mechanism to tackle APTs.
These were discussed recently at ISMG's Data Breach & Fraud Prevention Summit Asia 2016 in Mumbai.
Bharat Panchal, head, risk management, and CISO, National Payments Corporation of India, was the moderator. The panel included Shivkumar Pandey, CISO, Bombay Stock Exchange; Akshay Amar Garkel, director, enterprise risk services, Deloitte Touche Tohmatsu India; Narayan Neelakantan, co-founder & CEO, Anzen Technologies; Uday Deshpande, CISO, Tata Motors; and Krishnasastry Pendyala, head, fraud and risk management, Tata Consultancy Services.
It's not an overstatement to say that APT is misunderstood by many organizations, which continue to apply traditional techniques and strategies against it; worse, most enterprises don't even consider it the most dangerous threat they face, says NPCI's Panchal.
"While banking and financial sectors are way ahead in tackling APTs and have an understanding of these and try to find the right methods to tackle them, there's much left to be desired in having the right security controls and understanding the attackers' mind-set," says Neelakantan.
Unique APT Challenges
"Although APTs are not new, most organizations fail to follow the pattern of attackers logging into the system and track unauthorised data traverse," says BSE's Pandey. "An effective self-monitoring system - not taken seriously by most organizations - is lacking," he says.
"The primary challenge is identifying advanced threats, as servers communicating with malicious packets which are integrated into the systems can result in vulnerabilities," says Tata Motor's Deshpande.
The irony is that most organizations are oblivious to what they are sitting on, given that the attacker intends to compromise the end point and attempts to enter the network at various levels of infrastructure and across server locations, says Garkel of Deloitte Touche Tohmatsu India.
"Once attackers penetrate into these end points, it's difficult to format: The hacker takes control of the internet-connected PC - any data from it can go out without user knowledge," he says.
Sastry observes that despite enterprises becoming victims for over a decade now, they often have failed to spot the weakest link.
"Practitioners lacked a systematic approach, as they ignored most threat intelligence alerts," says Sastry. Most say that bottlenecks in tackling APTs are due to:
- Lack of visibility into the organization's infrastructure, which could be vulnerable to this malware;
- Challenges in distinguishing between APTs, DDoS and other new forms of attacks;
- Lack of information on new threat vectors and network vulnerabilities that could open the door to APTs;
- Constraints on dealing with third parties and techniques to prevent such attacks;
- Lack of layered defences to tackle the challenge.
The panel observed new methodologies are required to fight APTs through the right metrics, processes and technologies for a scalable enterprise APT framework.
Security leaders believe the entire mitigation technique as a holistic approach relies on people, process and technology in building resilience against APTs.
Experts say the malware gets installed on user PCs while they access the internet, through unpatched applications such as browsers, Acrobat Reader or media players. Once installed, it establishes a command and control channel with the attacker's system over HTTPS. Firewalls and IDS cannot inspect the content of the encrypted channel.
Panchal says a crisis management plan is critical in such a case. "It requires a team or an individual to take the onus on setting up the process and integration of people, process and technology in an appropriate ratio; investment is mandatory to tackle APTs."
Experts recommend five stages of securing critical infrastructure to tackle them: predict, detect, respond, recover and mitigate.
Sastry says a centralised SoC and deploying an effective threat intelligence model will address APTs and also thwart them (see: SoCs: Focus on Outcome, Not Process).
Neelakantan says attackers often start at the weakest link, using the spear phishing technique. "It could also be done using social networking sites which trace the IP address of the command and control server," he adds.
Even where multilayered defence mechanisms are deployed, the challenge lies in integrating them; in this case, experts argue, signature-based detection is almost impossible.
Deshpande says that besides having SIEM, IDS and IPS as basic measures of threat protection, deploying network packet analysis to identify the pattern of communication between the compromised system and the attacker's server is critical.
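The following script is an added example, not code from the article or from any of the panelists, of the pattern analysis Deshpande describes and of the constraint raised earlier: because the command and control channel runs over HTTPS, its content cannot be inspected, so the detection works only on connection metadata (timestamp, source host, destination, bytes sent) as a proxy or flow sensor would log it. It flags host-destination pairs whose connections recur at a suspiciously regular interval, which is the signature of a sleep-then-call-home loop rather than of human browsing. The log lines, host names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: outbound HTTPS connection metadata, one line per
# connection, in the form "<timestamp> <src_host> <dst_host> <bytes_out>".
# ws-17 contacts 203.0.113.10 roughly once a minute with near-constant
# request size (beacon-like); its other traffic, and ws-22's, is bursty
# or too sparse to judge.  None of these hosts or addresses are real.
SAMPLE_LOG = """\
2016-03-01T09:00:00 ws-17 203.0.113.10 512
2016-03-01T09:00:12 ws-17 www.example.com 1200
2016-03-01T09:00:14 ws-17 www.example.com 350
2016-03-01T09:00:15 ws-17 www.example.com 9800
2016-03-01T09:01:01 ws-17 203.0.113.10 520
2016-03-01T09:01:59 ws-17 203.0.113.10 508
2016-03-01T09:02:40 ws-17 www.example.com 400
2016-03-01T09:02:41 ws-17 www.example.com 15000
2016-03-01T09:03:02 ws-17 203.0.113.10 512
2016-03-01T09:04:00 ws-17 203.0.113.10 516
2016-03-01T09:04:58 ws-17 203.0.113.10 510
2016-03-01T09:05:10 ws-17 www.example.com 700
2016-03-01T09:05:11 ws-17 www.example.com 300
2016-03-01T09:06:01 ws-17 203.0.113.10 512
2016-03-01T09:07:00 ws-17 203.0.113.10 514
2016-03-01T09:10:00 ws-22 updates.example.org 2048
2016-03-01T09:10:05 ws-22 updates.example.org 2048
2016-03-01T09:10:09 ws-22 updates.example.org 2048
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2], size))
    return records


def find_beacons(records, min_connections=5, max_interval_cv=0.2):
    """Return {(src, dst): stats} for pairs whose connection timing is suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    successive connections: human browsing is bursty (high CV); a scheduled
    call-home loop is not (low CV).  Request-size CV is reported as supporting
    evidence but does not gate the verdict, since some implants pad or vary it.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    flagged = {}
    for pair, conns in by_pair.items():
        if len(conns) < min_connections:
            continue  # too few observations to judge periodicity
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        mean_gap = mean(gaps)
        if mean_gap <= 0:
            continue  # everything in the same second: a burst, not a beacon
        interval_cv = pstdev(gaps) / mean_gap
        if interval_cv > max_interval_cv:
            continue
        sizes = [s for _, s in conns]
        mean_size = mean(sizes)
        flagged[pair] = {
            "count": len(conns),
            "mean_interval_s": mean_gap,
            "interval_cv": interval_cv,
            "bytes_cv": pstdev(sizes) / mean_size if mean_size else 0.0,
        }
    return flagged


if __name__ == "__main__":
    for (src, dst), st in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {st['count']} connections every ~{st['mean_interval_s']:.0f}s "
              f"(interval CV {st['interval_cv']:.2f}, size CV {st['bytes_cv']:.2f})")
```

On the constructed sample only the ws-17 to 203.0.113.10 pair is reported. In practice the thresholds are tuned per environment, and legitimate periodic traffic (update checks, monitoring agents) is expected to appear in the output; the analysis narrows what an analyst must review rather than delivering a verdict, and pairing it with endpoint file-activity logs, as the panel suggests, is what turns a regular pattern into an incident.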
The panel advocated using the incident response mechanism to stay one step ahead of attackers. For an effective response mechanism, experts suggest:
- Ensuring competent professionals do the APT or zero-day assessment;
- Understanding that APT assessment can find backdoors already planted by hackers into networks;
- Looking at integrated, multilayer defences;
- Using competent internet security technology for desktops (with heuristics, behavior-blocking technologies);
- Detecting and containing the threat, and deciphering the cyber kill chain;
- Always doing mandated cybersecurity drills and table-top exercises for security teams.
"Use of log analytics of data captured containing end point file activity and network traffic will help detect back-door entry into the network," Pandey says.