Curing APTs: the cancer of the business world

'Are these technologies actually not up to the job, or is it more likely that those making the selection don’t understand what APTs are?'

It is generally acknowledged that advanced persistent threats (APTs) represent the biggest concern for companies today when it comes to the use of cyber space. No company can function without internet access, and virtually all information is in digital format.

Like cancer, APTs tend to go for the proverbial jugular. You never hear of someone suffering from cancer of the big toe; it’s always a major organ that gets targeted. And how or where the seeds are sown is virtually impossible to detect.

Certainly there are preventative measures that can be taken, but they will not guarantee that someone is never infected. APTs, similarly, are not about targeting irrelevant or worthless data.

For example, surely those who breached Target, Tesco, Orange, etc., could have stolen details that had little or no commercial value. It seems fairly obvious that if they can access the most confidential data, then they can probably access anything they wish.


APTs are advanced because they know what they are looking for. And this becomes the immediate root of the problem when trying to deal with them. APTs have changed the target from technology to humans. Attacks used to focus on trying to break into servers, firewalls or applications by trying to find a weakness.

Today’s attacks are targeted. They are not simply trying to cause some havoc; they are trying to steal valuable information. And fundamental to the success of APTs is their ability to identify the weak link in the human chain. That’s what makes them “advanced” – it is social engineering on a scale never imagined.

And they are persistent. They don’t simply try once and move on. Once an APT has decided to target your organisation, the attackers have done their research, are targeting that organisation specifically, and know exactly what they want to achieve. So APTs will persist until they eventually succeed.

And like cancer, by the time IT detects the APT, the damage has frequently already been done, and can be terminal. The APT will start with a simple email, or a visit to what may appear to be a genuine website. And of course APTs love encryption, since very often they can use it to hide from anything that may be looking for unusual behaviour.

Also like cancer, APTs have two interesting characteristics. Firstly, it is unlikely the business will be the first to discover it has been infected, and secondly the infection has usually happened several months earlier.

All of which calls into question all the technology that is claiming to protect organisations against APTs.

It would be interesting to do an analysis of all the products that have won awards as the best APT protection and see how many of the organisations that we know have been victims of APTs were already using these technologies. Does it mean that these technologies are actually not up to the job, or is it more likely that those making the selection don’t understand what APTs are?

One could argue that aspirin is a cure for cancer on the basis that 75% of all those who take aspirin do not contract cancer. On the same basis you could argue that not all companies that use a certain technology are victims of APTs, but, in reality, in both cases you could only say that neither the cancer nor the APT has been detected.

Are these technologies useless? That is not the suggestion here. It makes sense to take preventative measures, and it is important to be informed of the risks and to try to protect the business, but to put hope in technology to protect from APTs is ill-advised.


One of the symptoms often associated with cancer is weight loss, and one of the major symptoms associated with APTs is data extraction. APTs are not simply interested in hacking servers; they are all about stealing assets. So it’s not what comes in that is going to help businesses know they’re infected, but rather what’s going out.
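The paragraph above says the tell-tale sign is what goes out, not what comes in. As an added illustration (example code written for this page, not anything from the author or from Lieberman Software), the script below runs a simple egress check over constructed per-flow records: for each internal host it compares the most recent day's outbound byte count against that host's own median from earlier days, and separately flags large transfers to destinations the host has never sent to before. The host names, IP addresses, byte counts and thresholds are all constructed for the example.

```python
"""Egress-volume anomaly check over constructed flow records.

Added example for this page: flags internal hosts whose outbound byte
count on the most recent day is far above their own daily baseline, and
large transfers to destinations never seen in that baseline window.
"""
from collections import defaultdict
from datetime import date
import statistics

# Constructed sample egress records (not real traffic):
# (day, internal host, destination IP, bytes sent out).
SAMPLE_FLOWS = [
    (date(2014, 3, d), "ws-finance-07", "203.0.113.10", n)
    for d, n in zip(range(1, 6), (2_000_000, 3_000_000, 2_500_000, 2_800_000, 2_200_000))
] + [
    (date(2014, 3, d), "ws-hr-02", "203.0.113.10", 1_000_000) for d in range(1, 6)
] + [
    # Day 6: the finance workstation pushes 40 MB to a never-seen destination.
    (date(2014, 3, 6), "ws-finance-07", "203.0.113.10", 2_000_000),
    (date(2014, 3, 6), "ws-finance-07", "198.51.100.77", 40_000_000),
    # Day 6: HR workstation stays close to its usual pattern.
    (date(2014, 3, 6), "ws-hr-02", "203.0.113.10", 1_200_000),
    (date(2014, 3, 6), "ws-hr-02", "198.51.100.5", 50_000),
    # Day 6: a host with no history at all sends 9 MB out.
    (date(2014, 3, 6), "lab-new-01", "198.51.100.9", 9_000_000),
]
TODAY = date(2014, 3, 6)


def summarise_egress(flows):
    """Aggregate bytes sent as host -> day -> destination -> bytes."""
    per_dst = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, dst, nbytes in flows:
        per_dst[host][day][dst] += nbytes
    return per_dst


def find_egress_anomalies(flows, today, ratio=5.0, min_bytes=1_000_000,
                          new_dst_bytes=5_000_000):
    """Return {host: [reasons]} for hosts whose outbound traffic on `today`
    is suspicious relative to their own earlier days.

    ratio          -- today's total must exceed ratio * median of earlier days
    min_bytes      -- ignore tiny absolute volumes even if the ratio is high
    new_dst_bytes  -- bytes to a never-seen destination needed to flag it
    """
    per_dst = summarise_egress(flows)
    findings = {}
    for host, days in per_dst.items():
        today_by_dst = days.get(today, {})
        today_total = sum(today_by_dst.values())
        baseline_days = [d for d in days if d < today]
        reasons = []
        if not baseline_days:
            # No history to compare against: only the absolute volume can speak.
            if today_total >= min_bytes:
                reasons.append(f"no baseline for host; {today_total} B sent on first observed day")
        else:
            baseline = statistics.median(sum(days[d].values()) for d in baseline_days)
            if today_total >= min_bytes and today_total > ratio * baseline:
                factor = today_total / baseline if baseline else float("inf")
                reasons.append(f"outbound volume {today_total} B is {factor:.1f}x "
                               f"the daily median of {baseline:.0f} B")
            known = set()
            for d in baseline_days:
                known.update(days[d])
            for dst, nbytes in sorted(today_by_dst.items()):
                if dst not in known and nbytes >= new_dst_bytes:
                    reasons.append(f"{nbytes} B sent to never-before-seen destination {dst}")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_egress_anomalies(SAMPLE_FLOWS, TODAY).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

The thresholds are deliberately per-host rather than global: a file server that ships gigabytes daily should not be measured against a workstation's baseline, and the same absolute volume that is routine for one host is the point of this article for another. In practice the records would come from flow logs or proxy logs rather than an inline list.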


Sourced from Calum McLeod, VP of EMEA, Lieberman Software