
Proven tactics for preventing Advanced Persistent Threat incursions

APTs (Advanced Persistent Threats) are still on the rise, forcing organizations to rethink their best practices to deal with the new challenges that APTs present to enterprise security.

It's no secret that IT security threats are on the rise, forcing many organizations to play a game of catchup to keep on top of the latest threats. Nowhere is that trend more troubling than with Advanced Persistent Threats (APTs), a relatively new attack vector that is geared towards stealing valuable information.

APTs work by discovering and exploiting a network security vulnerability, then using that foothold as a launching point for further incursion into the network. Simply put, an APT chains together multiple methods that appear unrelated to gain a foothold in what administrators believe is a secure system.

The real danger of an APT comes from the fact that successful attacks often go unnoticed until long after information is stolen or other damage is done, making it much more difficult to ascertain what actually happened and the extent of the damage.

Defending against APTs is not so much a technology problem as a tactical one: layering defenses is the tactic that stops APTs from infiltrating and spreading through an enterprise network. Simply put, an APT may need only a single vulnerability to get in, but much of the damage can be averted after the infiltration if the activity is detected and stopped.

However, that can be a difficult process, since many APT-based attacks are designed to mimic legitimate users' behavior and gather information by stealthy means. Yet an ounce of prevention is still worth a pound of cure, and by combining some best practices, most if not all APT-based attacks can be prevented from causing damage by addressing the following security elements:

  • Deploy Anti-Virus: Protecting endpoints from malware is a critical element of preventing attacks. However, with the growth in attack vectors, the exponential increase in virus signatures, and the evolution of self-mutating viruses, traditional AV packages may not be able to keep up with the demands of protection. That is why it is critical to use multi-layered, threat-based protection, which includes traditional full- and partial-signature matching as well as the ability to recognize, block, and remove known malware and its variants. In addition, the AV system should include advanced behavioral analysis, exploit detection and sandboxing, which help to recognize, block, and remove hidden and unknown malware. What's more, the solution needs on-demand, deep-scan capabilities and should offer automated updating with centralized visibility. Consumer-level products often come up short in one or more of those capabilities, so network managers should look towards enterprise-level solutions to achieve maximum protection.
  • Leverage Configuration and Patch Management: Software vulnerabilities continue to grow, with new ones discovered daily, making it difficult for even the most proactive network manager to keep security patches in order. Here, automation has become a must, especially as systems grow in complexity and become more distributed. Keeping up with known vulnerabilities requires frequent and vigilant patching; attackers take advantage of the lapse between a vulnerability being identified and the patch for it being applied. Reports indicate that over 90 percent of cyber-attacks exploit known security flaws for which a remediation is available. Configuration and patch management systems have become a must-have for any enterprise, yet some lack the capabilities needed to be successful. The solution should offer central management, the ability to monitor and manage cross-platform systems, and policy-based security configurations for all monitored systems, including endpoints, servers and mobile devices. It should also offer full logging and reporting, and support third-party applications as well as the operating systems in use. What's more, automation is the true key to success with any security solution: the more that can be accomplished automatically, the shorter the window of vulnerability.
  • Device Management: Almost any device used in the enterprise can become the root cause of a successful APT, from removable media to smartphones to portable computing products. Simply put, if a device can connect to the enterprise, it can become an agent of data theft or infection. To combat device-related threats, control must be established, usually in the form of a data leakage prevention system, where access is controlled and all information is encrypted. The solution should also offer ways to monitor and limit data transfers, and prevent malware hidden in removable storage devices from being introduced.
  • Application Control: With the growth in web-based applications, cloud services and social networking, it has become very easy for users to launch external applications, download information, run scripts or install applications, any of which could potentially house malware and bring an APT past the corporate firewall. Installing a web filtering system that supports application white (and black) listing can go a long way towards preventing users from accessing sites that may host applications or scripts that spread malware or launch attacks. Application white listing shows the most promise, since it only allows users to access elements that have already earned corporate trust.
  • Deploy Memory/Data Injection Prevention Technologies: One of the most common endpoint vulnerabilities is the buffer overflow, where a payload is "injected" into system memory. Another injection technique is code injected into a database input form (often called SQL injection), which forces the database server to return information that should be protected. Both attacks rely on outsiders being able to inject code into systems using sophisticated techniques. Preventing them usually requires configuring security platforms that can detect and prevent SQL injection, DLL injection, Skape/JT injection and RMI attacks. Some of those capabilities are built into existing solutions; for example, Windows Server and desktop OSes offer native memory security controls such as DEP and ASLR. Ideally, a centralized solution should be put in place to track those security issues and offer automated responses to remediate and protect systems.
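To make the "database input form" injection concrete, here is an added example (not from the article) that puts a string-concatenated lookup beside its parameterized replacement and runs the same hostile form input through both; the table, rows and function names are constructed for the demonstration.

```python
"""Added example: SQL injection via a form field, vulnerable vs. hardened lookup.
The accounts table and its rows are constructed sample data, not real records."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the form input becomes part of the SQL text,
    so a quote character lets the input change the query's logic."""
    query = "SELECT secret FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the driver binds the input as a plain value,
    so quotes inside it are data, never SQL syntax."""
    query = "SELECT secret FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Constructed hostile form input: closes the quoted literal and appends an
# always-true condition, turning a one-user lookup into a full-table dump.
INJECTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Vulnerable path returns every secret in the table.
    print("vulnerable:", lookup_vulnerable(db, INJECTED_INPUT))
    # Hardened path looks for a user literally named x' OR '1'='1 and finds none.
    print("hardened:  ", lookup_hardened(db, INJECTED_INPUT))
```

The same parameter-binding discipline applies to any database driver; it is the control that makes the input-form injection the text describes impossible regardless of what the user types.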

APTs have become an ominous threat to enterprises both large and small. However, the right strategies, best practices and proper security products should go a long way toward protecting enterprise systems from compromise.

About Frank Ohlhorst

Frank J. Ohlhorst is an award-winning technology journalist, author, professional speaker and IT business consultant. He has worked in editorial at CRN, eWeek and Channel Insider, and is the author of Big Data Analytics. His certifications include MC...
