How security teams can prepare for advanced persistent threats

Creating a security strategy to include APTs

When organizations of any size in any market sit down to devise their security strategy, it is important to start by answering three critical questions:

1. Who might attack us, and why?
2. How might they attack us?
3. What capabilities will we need in place to mitigate those attacks?

In the past, question one and question two naturally followed each other because groups operated in certain ways with their own set of tactics, techniques and procedures. From a cybersecurity standpoint, understanding an APT's modus operandi was crucial and enabled defenders to focus resources on building capabilities to defend only those attacks that they were most susceptible to, meaning most organizations -- especially smaller ones -- could calculate APT risk rather accurately. Sadly, in today's global economy, that is no longer the case.

It has always been true that smaller companies present a beachhead for nation-state threat actors to launch attacks against larger businesses or government organizations. Recent public breach events, however, have spotlighted the seriousness of the sprawling and interconnected nature that the supply chain presents. The relationship among who might attack us, why and by what means has largely been broken.

In late 2016 and early 2017, the Shadow Brokers group dropped a cache of cyber tools on the internet, purportedly stolen from the National Security Agency. These tool dumps and others like them -- both on the clear and dark web -- have made resources and technologies that had previously only been available to nation-state-backed threat groups available to much less sophisticated and resourced attackers.

In addition -- and, in many ways, even more worrisome -- security researchers have recently reported examples of "hackers for hire" or "APT as a service" types of attacks. Both Kaspersky Labs and Bitdefender have recently released reports that document attacks that appear to show sophisticated APT groups used as digital assassins to mount attacks against smaller commercial organizations with no indication that attacks fulfilled the objectives normally associated with this type of enemy. This attacker-for-hire model would be largely for monetary purposes.

Understanding the current threat landscape

Today's threat landscape requires that companies -- large and small -- be prepared to defend against more sophisticated and persistent attacks. By understanding and incorporating best practices and measures on how the world's largest organizations and government agencies protect themselves, cybersecurity programs at any level of maturity can benefit.

Here are some things to consider:

• Assume compromise. As far back as 2014, then-FBI Director James Comey said: "There are two types of American companies: those that have been hacked and those that just don't know it yet." This was probably true then and is even more likely to be true today. APTs have made social engineering an art form. Consequently, credential theft is associated with 67% of breaches. Attacks will happen; hackers will find their way onto the network. Accept it. Assume it will happen, and go look for them.
• Proactive not reactive. Assuming compromise means that we know our tools will fail to prevent every attack. Adopting a reactive posture and waiting for tools to tell us when to act is an obsolete operating model. Proactive analysis, commonly referred to as cyber threat hunting, is a critical component of all modern security programs. A threat hunting team executes contextualized hunts, steered by threat intelligence and built on data-driven analytics, to root out hidden intruders -- a seek-and-destroy exercise.
• Rapid response capabilities. In the past, security teams performed a graduated response to events. An alert triggers an investigation, which triggers more information gathering, often requiring the deployment of more tools, triggering further monitoring; from there, a containment and eradication plan is executed. This approach is too slow and gives time for a sophisticated attacker to understand the target environment and deploy persistence mechanisms making remediation much harder. Effective security teams know immediate actions that need to happen in given situations, including incident validation and appropriate responses, and what areas benefit from automation.
• Defeat expertise with expertise. Technology alone, no matter how sophisticated, will never replace the intangible intuition that a highly skilled, motivated and supported human team can provide. Without trained, equipped and experienced security analysts to take on the APT actor, internal security teams will lose more often than they win.

Learn how to protect against the advanced persistent threats of today

As we watch the evidence mount that APT attacks are becoming productized, it is increasingly clear that all companies are potentially at risk to more persistent and sophisticated attacks than in the past. Accordingly, it is important for security teams to recognize that an effective security program in today's threat landscape incorporates prevention technology with 24-hour continuous monitoring as enemies operate in multiple time zones. Effective and proactive threat detection and a defined set of rapid response actions are all equally important if security teams are to succeed in protecting businesses they are charged to defend.

About the author

Daniel Clayton is vice president of global services and support at Bitdefender. His responsibilities include managing all aspects of customer security environments from the company's security operation center. Clayton possesses over 30 years of technical operations experience and has lead security teams for the National Security Agency and British intelligence.