Our security predictions for 2012 forecast that the class of targeted attacks known as APTs – advanced persistent threats – would trickle down and begin to affect smaller organizations.
And while it might not make the headlines like the recent story about the data breach at Coca-Cola in 2009 that is still affecting the company three years later, a successful attack can be devastating regardless of the size of the organization or the motive for the attack.
Historically, APT attacks have been created by sophisticated hackers using advanced attack techniques and blended-threat malware, but it is only a matter of time before “normal” malware criminals learn from these sophisticated hacks. As that happens, the evolution of the APT speeds up, making organizations of every size a target.
So let’s revisit this prediction and figure out how to make your organization the smallest target possible with the tools you already have at your disposal.
What’s in an Acronym: APT?
- Advanced – APTs use the most advanced malware and attack techniques available. By the nature of the name, they often leverage techniques such as encrypted communication channels, kernel-level rootkits, and sophisticated evasion capabilities to get past a network’s defenses. More importantly, they often leverage zero-day vulnerabilities – flaws which software vendors haven’t yet discovered or fixed – to gain access to our systems. In short, APTs are Q-level, James Bond malware.
- Persistent – This malware is designed to stick around. It carefully hides its communications, using techniques like steganography. It “lives” in a victim’s network for as long as possible, often cleaning up after itself (deleting logs, using strong encryption, and only reporting back to its controller in small, obfuscated bursts of communication).
- Threat – APTs are extremely blended threats, much like botnets, and very targeted. APT attackers are groups of highly skilled, motivated, and financially backed attackers with very specific targets and goals in mind. Typically, these often nation-state-sponsored attackers have targeted Fortune 500 companies, government-related infrastructure, or the industrial sector – and we anticipate this broadening to organizations of all sizes.
No network security provider can block every APT attack, no matter what they claim. According to Gartner, an estimated $60 billion is invested by corporations and governments in network security systems, yet hackers are still finding ways to sneak past them. By definition, APTs often leverage new techniques, which may not even have a defense yet. However, there are defense strategies that can significantly mitigate the chance of an advanced and persistent infection. WatchGuard supports a variety of reporting and monitoring functions that provide smart and strategic defense against these blended threats.
We’ve outlined a variety of best practices for mitigating risk and monitoring unusual activity across a network that may better detect or stop the next APT, including:
A multi-layered approach to network security is the best protection. When combined, firewalls, intrusion prevention services, proactive anti-virus (AV) solutions, anti-spam and anti-phishing protection, and cloud-based reputation defenses maximize the chance that one or more security controls will catch part of an APT attack.
- Signature-less malware protection – WatchGuard Proactive Malware Detection
Similar to zero-day attacks, APTs often use malware that has not already been found by AV protection and therefore no signature exists. The only way to catch this kind of APT is to use proactive, non-signature techniques. WatchGuard partners with best-in-class anti-malware and anti-virus service providers such as Kaspersky and AVG Technologies, which both have the capability to detect malware without signatures. Our partners specialize in code emulation, behavior analysis, and sandboxing to determine what a file does and if it may be malware. These techniques can often catch malicious files without actually having reactive signatures for them.
- An evolving defense framework – WatchGuard XTM (eXtensible Threat Management)
APTs are just further proof that hackers and attacks on the Internet are constantly evolving, so naturally, the only way to really protect against evolving threats is to have a defensive platform that can change along with them. WatchGuard’s strategic XTM hardware and platform design lend themselves to a modular framework that makes it easy to add new security layers to WatchGuard appliances – as new technologies are released, we integrate them into the platform and better protect against APTs. This allows WatchGuard to incorporate new defense technologies, such as cloud reputation and the use of heuristics to detect malware, much more quickly than other network security providers.
- Better manageability through visibility – WatchGuard Firebox System Manager (FSM) and HostWatch
Often, security practitioners focus on prevention and forget about discovery and response. Real-time visibility tools such as HostWatch and FSM help quickly identify anomalies or problems in a network and find malware through unique monitors, network traffic reports, and administrator access to lists of approved or denied external sites. Some network security companies require the purchase of additional reporting tools or appliances in order to have this important insight into a network. WatchGuard believes that customers should not have to pay for the proof (reporting) that indicates a system is providing internal network protection. Visibility tools like FSM and HostWatch are key for APT defense, and these WatchGuard tools come free with the WatchGuard XTM appliance.
- Enforcing Standards – Protocol Anomaly Detection (PAD)
For the most common and important Internet services, such as Web traffic (HTTP), e-mail traffic (SMTP), domain name traffic (DNS), and file transfers (FTP), WatchGuard deploys proxies, or deep application-layer content inspection services. Among other things, these proxy services include our Protocol Anomaly Detection (PAD) feature, which can tell the difference between bad and good traffic by enforcing RFC (Request for Comments) standards for that particular service. For instance, the SMTP RFC states that the maximum line length for an email is 1000 bytes; our proxies enforce that standard, and by extension protect you from any attacks (like buffer overflows) that try to leverage overly long email lines… and that’s just one example. These are “signature-less” protections that can even block zero-day attacks, if they break protocol standards.
- Reputation Services – WatchGuard Reputation Enabled Defense (RED)
WatchGuard RED is a cloud-based reputation authority that aggregates many sources of security intelligence to provide our appliances with a dynamic, real-time view of the Internet threat landscape. It proactively monitors and stores the IPs and URLs of known sources of malware, drive-by download sites, and phishing and spam email. It gets its intelligence from aggregating many known lists of malware distributors and mixing that with real-time feedback from the thousands of appliances we have protecting customers’ sites. This real-time feedback gives RED a very accurate and dynamic view of the quickly changing threat landscape.
Because APTs are continually evolving and getting more elusive by the day, no network security solution will be able to anticipate or block every attack. Our advice: always assume that a network is already breached, and then build a security vault using the tools and services noted here. We strongly suggest using more than just preventative tools – strong visibility tools will help recognize threats and ensure that IT administrators are taking all necessary action to help mitigate them. — Corey Nachreiner, CISSP (@SecAdept)