APT Security: Protecting Against Advanced Persistent Threats

IT professionals need to know how to respond to advanced persistent threats, which represent major cybersecurity risks for enterprises.

For years, information security teams have built a series of familiar controls designed to protect against familiar threats. Firewalls, anti-malware software and intrusion detection systems all successfully kept most attackers at bay. But the threat landscape has evolved significantly, with sophisticated attackers and attack techniques appearing on the scene. While enterprises should not neglect traditional security controls, they must consider technologies and measures that protect against these more sophisticated threats.

These new attackers, known as advanced persistent threats (APTs), represent a major risk to cybersecurity. APTs earned their name because they leverage advanced attack techniques in a deliberate manner, focused against well-defined targets. Unlike casual attackers who simply seek undefended targets of opportunity, APTs select their targets based on specific intelligence gathering or system disruption objectives. They then conduct reconnaissance against those targets and level precise, targeted attacks designed to achieve their objectives quickly, efficiently and stealthily.

APTs are typically well-funded efforts organized by governments, military organizations and nonstate actors, such as organized crime. They hire talented engineers and cybersecurity experts who develop customized attacks that exploit previously unknown vulnerabilities. Known as zero-day attacks, these are especially insidious for two reasons: First, because they are unknown, vendors have not yet released patches to correct them. Second, signature-based detection systems are powerless to identify them because there are no signatures for these unknown attacks.

A recent study by the Ponemon Institute and the Information Systems Audit and Control Association (ISACA) provided stark statistics about the preparedness of enterprises to respond to APT attacks. While 49 percent of enterprises surveyed considered it “very likely” that they would be the targets of an APT, only 15 percent stated that they were “very prepared” to deal with an APT attack. Organizations seeking to respond to APTs need an effective toolkit in place that will allow them to quickly identify, analyze and respond to sophisticated cyberattacks. These capabilities will limit the disruptions caused by attacks, allowing organizations to get back to business quickly.

The Threat of Stealth

One of the most damaging characteristics of APT attacks is their ability to remain undetected for long periods of time. Media reports abound of large organizations that have suffered sophisticated attacks, but only detected them weeks or months after intruders infiltrated their networks and systems. These attacks are particularly dangerous because they provide the perpetrators with ongoing access to sensitive information as well as the ability to cover their tracks and disrupt security efforts that might detect the infiltration.

In May 2015, the Ponemon Institute released a research report studying APT attacks against the retail and financial services industries. The study revealed that breached retailers took an average of 197 days to identify an APT intrusion, while financial services firms took 98 days to detect an attack. Once they detected attacks, firms in both categories took approximately a month to contain the damage: 26 days for financial services firms and 39 days for retailers. That’s a dangerously long period of time for a network to remain compromised.