
Advanced persistent threat (APT) defense: best practices

Advanced persistent threats (or APTs) have become the new catchphrase in the global infosec community. The term refers to new-age threats orchestrated to persistently target a designated entity, as with worms like Stuxnet. An advanced persistent threat has a specific objective and is executed by skilled, organized and well-funded operators.

It’s important to note that not all threats are advanced persistent threats. While threats may be advanced in nature with respect to the usage of vectors and range of exploited vulnerabilities, they may not be necessarily persistent.

Within the anatomy of an attack (from insertion and incubation to execution and exfiltration), an advanced persistent threat tends to take much longer to infect target systems than other threats. It’s estimated that it could have taken Stuxnet around eight months to infiltrate Iran’s uranium enrichment facility.

Identifying weaknesses

Organizations need to gain insight into which information assets are most likely to be targeted, as well as which need most protection if an environment is targeted by an advanced persistent threat. Within an environment, a particular application and its associated data might be operation critical. Asset awareness, thus, is the first step to defending against an advanced persistent threat.

To illustrate this point, take a company’s quarterly financial data. This data is critical in the period between the end of a quarter and before the quarterly results announcement. Beyond this time frame, this data diminishes in value.

Advanced persistent threats are usually targeted against organizations having strategic value. Given the resources involved in launching a persistent attack, apart from the requisite expertise, APTs are usually backed by state agents and may be used for espionage or cyber-warfare.

The impact of an advanced persistent threat on entities such as governments, or strategic installations such as power grids, research centers, oil platforms or arsenals, could be disastrous in terms of disruption of services and theft of classified information. An instance would be that of a private operator in power generation getting targeted by an advanced persistent threat. This could potentially bring entire grids — and everything connected to them — to a standstill.

Tackling advanced persistent threats

Any threat must be identified before it can be tackled. Organizations need to be aware not only of threats at large, but also of threats specifically targeted at them. There are several things to consider:

  • Comprehensive policies and governance mechanisms: The first line of defense against an advanced persistent threat is the information security policy. Policies define access controls and the security posture of an enterprise. A robust information security policy has no substitute.

    A governance framework is another important aspect. Factors such as planning for remediation and eradication are an intrinsic part of defending against loss from an advanced persistent threat attack. These two factors are critical to addressing this problem in the long term.

    Note that the framework that applies to physical infrastructure may not work for a cloud or virtual setup.
  • Correlation and threat management: Correlation mechanisms should be available in real time for threats to be identified as soon as a compromise is initiated. This is essential to leveraging any existing global information to protect against the advanced persistent threat entering your environment.

    Identifying the sources of your advanced persistent threat is an important factor. For example, if evidence suggests that assets in country X keep getting targeted by attacks originating from country Y, it makes sense to be extra cautious and screen all connections to and from that geographic location.

Most major security vendors have global intelligence networks providing reputation databases and live feeds for emerging threats. However, unless there is a proper governance and correlation mechanism in place, a security feed would merely generate false positives. These two aspects in conjunction provide an effective means to leverage threat intelligence and provide actionable data against an advanced persistent threat, while reducing the incidence of false positives.
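The asset-awareness point above (the quarterly financial data whose value decays after the results are announced) and the correlation point here (a reputation feed on its own only generates false positives; it needs to be joined with context about your own environment) can be shown together in a small correlation routine. The following is an added example written for this page, not code from the article or from any vendor product: it parses constructed connection log lines, looks each remote address up in a constructed reputation feed, adds the geographic-screening and outbound-volume signals the article mentions, weights the result by the targeted asset's criticality at that point in the calendar, and only alerts when at least two independent signal types agree. The feed format, log format, asset inventory, country codes and all thresholds are assumptions made for the example.

```python
# Added example: joining a threat-intelligence feed with connection logs and
# asset context so that a feed hit alone does not page anyone. Every feed
# entry, host, country code and log line below is constructed sample data.
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed reputation feed: indicator -> (category, confidence 0-100).
REPUTATION_FEED = {
    "203.0.113.7": ("c2", 90),
    "198.51.100.23": ("scanner", 40),
    "192.0.2.55": ("malware-host", 75),
}
CATEGORY_WEIGHT = {"c2": 1.0, "malware-host": 0.8, "scanner": 0.3}

# Constructed asset inventory: host -> (owning team, base criticality 1-5).
ASSETS = {
    "fin-db-01": ("finance", 3),
    "web-02": ("marketing", 2),
    "dev-07": ("engineering", 3),
}

WATCHED_ORIGINS = {"YY"}         # constructed placeholder code for a screened geography
EXFIL_BYTES = 1_000_000          # outbound volume that counts as a transfer signal
FINANCIALS_WINDOW_DAYS = 45      # assumed period during which quarter results are unpublished
MIN_ALERT_SCORE = 50.0
MIN_CORROBORATING_SIGNALS = 2    # a lone feed hit is never enough to alert

# Constructed log lines: "timestamp host direction remote_ip remote_country bytes".
LOG_LINES = [
    "2011-07-12T02:14:05 fin-db-01 out 203.0.113.7 YY 5242880",
    "2011-07-12T02:15:11 fin-db-01 out 203.0.113.7 YY 7340032",
    "2011-07-12T03:01:40 web-02 in 198.51.100.23 ZZ 512",
    "2011-07-12T09:30:00 dev-07 out 192.0.2.55 ZZ 2048",
    "2011-07-12T09:31:00 dev-07 out 192.0.2.99 ZZ 1024",
]


def parse_log_line(line):
    """Split one whitespace-separated log line into a dict."""
    ts, host, direction, remote_ip, country, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "direction": direction,
            "remote_ip": remote_ip, "country": country, "bytes": int(nbytes)}


def last_quarter_end(d):
    """Most recent calendar quarter end on or before date d."""
    q_start_month = ((d.month - 1) // 3) * 3 + 1
    if q_start_month == 1:
        return date(d.year - 1, 12, 31)
    return date(d.year, q_start_month, 1) - timedelta(days=1)


def asset_criticality(host, when):
    """Base criticality, raised to 5 for finance hosts while the latest quarter's
    figures are still unpublished (the article's quarterly-data example)."""
    owner, base = ASSETS[host]
    days_since_quarter_end = (when.date() - last_quarter_end(when.date())).days
    if owner == "finance" and days_since_quarter_end <= FINANCIALS_WINDOW_DAYS:
        return 5
    return base


def score_event(event):
    """Score one connection and list the independent signals behind the score."""
    raw, reasons = 0.0, []
    if event["remote_ip"] in REPUTATION_FEED:
        category, confidence = REPUTATION_FEED[event["remote_ip"]]
        raw += confidence * CATEGORY_WEIGHT[category]
        reasons.append(f"feed:{category}")
    if event["country"] in WATCHED_ORIGINS:
        raw += 15
        reasons.append("origin:watched")
    if event["direction"] == "out" and event["bytes"] >= EXFIL_BYTES:
        raw += 20
        reasons.append("exfil:outbound")
    # Scale by how much the targeted asset matters at the time of the event.
    return raw * asset_criticality(event["host"], event["ts"]) / 5, reasons


def correlate(lines):
    """Aggregate per host; alert only when the score is high and at least two
    distinct signal types agree, which is what suppresses lone feed hits."""
    totals, signals = defaultdict(float), defaultdict(set)
    for event in map(parse_log_line, lines):
        score, reasons = score_event(event)
        if score > 0:
            totals[event["host"]] += score
            signals[event["host"]].update(reasons)
    alerts = [
        {"host": h, "score": totals[h], "signals": sorted(signals[h])}
        for h in totals
        if totals[h] >= MIN_ALERT_SCORE and len(signals[h]) >= MIN_CORROBORATING_SIGNALS
    ]
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in correlate(LOG_LINES):
        print(alert)
```

Run on the constructed lines, only fin-db-01 produces an alert: a known command-and-control indicator, a screened origin and a large outbound transfer all agree, and the host's criticality is at its peak because the event falls twelve days after a quarter end. The scanner hit on the low-value web host and the single uncorroborated malware-host hit on dev-07 are scored but never surfaced, which is the false-positive reduction the article attributes to pairing a feed with governance and correlation.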

There are also sophisticated technologies available from major vendors today that analyze data in various ways through layered defense mechanisms. Even so, these technologies are only effective against an advanced persistent threat if the environment in question already has a correlation and threat management mechanism in place.


About the author: Anand Naik heads technology sales for Symantec in India and SAARC. He has over 17 years of experience in the IT industry, in the areas of strategic planning and consulting. Prior to Symantec, he was with IBM, heading a team of solutions architects.  

(As told to Varun Haran)


This was first published in August 2011
