In the recent past, advanced persistent threats (APTs) were designed by nation states to spy on adversaries for strategic advantage, but today many cybercriminals are using the same techniques to steal data from businesses for financial gain.
The key paradigm shift has been the threat actor’s evolution from ‘opportunistic’ to ‘targeted’ techniques. A few years ago, threat actors would move on when encountering a secure network that was hard to break into, but today they target specific networks for specific purposes, and are very persistent.
Once inside the network, they maintain their malicious presence for months and even years. Advanced threat actors explore the organisation’s data, intellectual property and other assets, determine their location and set up a back door to exfiltrate the most valuable data.
Traditional antivirus software was conceived to combat opportunistic attacks through the use of signatures, but because targeted attacks are selective and focus on one objective, they compromise a much smaller number of hosts.
This means that their activity is insufficient to trigger antivirus alerts. In addition, advanced threat actors continuously modify their malicious code so that signatures are no longer effective.
If the code looks different, the signature for the code will also be different, rendering signature-based defences, such as those often included in antivirus solutions, ineffective.
Threat actors use zero-day malware that evades traditional intrusion prevention systems such as firewalls. Zero-day malware is malicious software created to exploit a vulnerability that has yet to be fixed by the developer – the threat actor has discovered the flaw before the person who developed the software, so the developer has had zero days to fix it.
Overall, although traditional perimeter-based defences such as antivirus and firewalls fulfil an essential role in securing networks, they must be augmented with other technologies for organisations to stand a chance against the new breed of APTs.
On best behaviour
In response to the limitations of traditional security tools, other technologies have been brought to market that take a behavioural approach to detecting malware. Instead of trying to detect malware based on what it is, behavioural malware detection relies on what the malware does.
Sandboxing, a secure virtual analysis environment in which suspicious software can be run and tested, has become one of the most popular technologies against APTs. The sandbox is isolated from the production environment, making it a safe place in which to observe and analyse the behaviour of the malware. This is a more effective method than just looking at the malware’s appearance, and it sits within the ‘behavioural approach’ in the array of APT technologies.
But as sandboxing grew in popularity, cybercriminals started creating evasive malware able to detect whether it is being run in this protected environment. Some companies have created proprietary virtualisation technology because non-proprietary sandboxing technologies – which have not been specifically designed to combat APTs – sometimes lack specific capabilities. That makes it easier for advanced threat actors to identify that their malware is being run in a test environment, and to deploy countermeasures.
Other technologies use behavioural modelling and advanced analytics, also based on the premise of how the malware behaves rather than what it is or looks like. Advanced data analytics detects malicious activity through analysis of network traffic.
Researchers analyse massive data sets during the activity of monitoring global network traffic. After continuous observation, they are able to recognise behavioural patterns and detect suspicious activity that deviates from the norm.
Advanced analytics is the most effective strategy against APTs, but it is tremendously resource-intensive in terms of time and expert personnel, as it is crucial to have very experienced professionals capable of detecting patterns correctly in an intuitive fashion. That is why the lack of skilled personnel is fast becoming the most critical issue in tackling cyber threats.
There is growing demand for advanced analytics research and behavioural modelling to respond to APTs. Intelligence and forensics will become the most important differentiator for companies in the APT market because understanding how threat actors work is vital to identifying indicators of compromise during the very early stages of an attack.
Greater cooperation between organisations will be key going forward. Cyber security’s growing strategic importance is already having an impact on legislation. In the best-case scenario, this could herald greater transparency among nation states.
As the Edward Snowden affair laid bare, private companies can be forced to share information with government, which in turn continues to be very secretive. For example, Australia’s Cyber Security Review, an initiative to address cyber security risks to the national critical infrastructure through tighter collaboration between government and industry, is now facing delays.
The rise of technology trends such as the Internet of Things (IoT) is going to make the cyber space more insecure. The risks associated with IoT are expected to increase due to the exponential growth in the number of connected objects, poor security hygiene and the high value of data on IoT devices. Many expect that a major attack in the near future will be directly related to vulnerabilities in IoT devices.