Advanced Persistent Threats (APTs) continue to create significant challenges for companies and their IT departments. From South Korean banks and broadcasters, to high-profile retailers and technology companies, APT attacks are increasingly common, allowing cyber criminals to infiltrate computer systems for financial, technical or political gain.
By their very nature, such threats are designed to entrench and resist removal, which can make traditional security measures less effective and the reaction to such incidents altogether harder. In response, organisations must plan for the eventuality of a complex APT attack on their systems. That planning will help minimise the impact of a future incident.
APT attacks commonly target particular organisations for specific purposes, relentlessly searching for any points of weakness. Their attacks are closely geared to how a company does business, in contrast to the sledgehammer approach sometimes deployed by less sophisticated hackers intent merely on defacing websites or grabbing whatever they can easily find in an effort to demonstrate their hacking prowess.
A common misconception is that APTs are only about advanced technical attacks. In fact, the perpetrators of APTs are not only good at finding and exploiting technical vulnerabilities, they exploit human weaknesses as well. APTs often start with sophisticated spear phishing emails based on research on a few specific individuals within a company.
Once the hackers find their mark, the phishing attack becomes an initial point of entry through which more sophisticated techniques are deployed to increase penetration and find data the hackers wish to exfiltrate. An attack like this can continue undetected for months and sometimes for years.
Given this heightened risk, what can a company do? First, computer security needs to be a conversation happening at executive and board level, not only the provenance of the CIO. All too often executives think signing-off the IT budget, is the extent of their responsibility for protecting the organisation from APTs. Yet, even in the context of an IT spend running into millions of pounds, security budgets are often inadequate to tackle today’s emerging threats.
Moreover, the problem is not one that IT alone can solve. User awareness of the threat is important, as individuals are commonly the weakest link. Phishing attacks can only succeed if users click on the link they are sent in a rogue email. IT alone cannot prevent such attacks.
Culture changes to aid detection
Many organisations need to develop a culture change, so that if something suspicious has happened, users are empowered to respond. There needs to be better dialogue between the IT department and users – starting with simply acknowledging reports of possible threats or attacks. Users need to have a clear understanding that they are expected to report any concerns and how to do so.
IT professionals have, not always unfairly, gained a reputation for blaming users when something goes wrong – that perception needs to be addressed. This is important because although APTs are subtle, there are sometimes signs that can be spotted if people are paying attention. The IT department may notice an increase in log-ins or network traffic that, if compared with what the business is actually doing would clearly be suspicious. Even non-technical users may see things that suggest a problem – a computer that has suddenly become very slow or abnormally warm can be a sign that it is running rogue code in the background.
Organisations need a response plan
Despite best efforts, APTs continue to be successful against all types of organization. Good governance requires that every organisation assume that at some point it will be subject to an APT attack and plan accordingly. Figuring out how to respond to an attack after it has happened is too late – the longer it takes to respond, the longer the hackers have access to the system. It is vital to prepare for the eventuality of an attack and to plan who is responsible for taking actions, who to call in and what decisions will need to be made.
Once an APT is identified, one of the threshold questions is whether you should immediately shut it down, or monitor the hackers’ activity for a period of time before you alert them to the fact that they have been discovered. The first instinct might be to close down the attack as quickly as possible. But it may not be as simple as that and in haste you may have cut off just one of the many heads of Hydra, leaving the APT to do its work elsewhere, while alerting the attackers that you have spotted one part of the attack.
Some IT departments will share any malware they find with fellow web users in an attempt to identify the threat before responding. However, this risks alerting attackers who are monitoring activity and can now figure out how to respond, in order to maintain their stranglehold on corporate systems.
If an organisation allows the attack to continue, without taking action and issuing any alerts, it can work to establish the extent of the attack and how best to cut it off at source.
What can be done long-term?
Once the incident is under control, the next step is to plan how to address the likely longer-term impact on the business. The legal and reputational risks are prominent and can even threaten the viability of the business. Reputational damage may have a knock-on effect beyond affecting sales or customer loyalty into other areas, such as recruiting good employees.
Even organisations who are taking the APT threat seriously may not be doing so in the most effective way. Often new security efforts result in multiple layers of security on some parts of the system and inadequate security elsewhere. Security standards can be a useful starting point to make sure that all bases have been covered but there is a danger that organisations will fall victim to security standard checklist syndrome, where they address the demands of the standard, without applying it their particular set-up.
There needs to be a holistic view to addressing such threats, backed by individuals tasked with planning security specific to an organisation and establishing the costs of mitigating risk. One thing is certain – there is no such thing as a one-size-fits-all approach to APTs.