No one really knows where the term APT orginated. Advanced Persistent Threats, or APT, can likely be traced back to the United States government, as the term originated about the time our federal government started to acknowledge the infiltration of foreign adversaries into government networks, and when several major U.S. corporations were hit with "low and slow" style attacks. The break in at RSA in 2011, was one of the first highly publicized hacks that referred to APT as the means. Once out of the bag, security product vendors picked up on the term APT to coax customers into reactionary purchases to help defend against the new threat.
APT is aptly named, as this type of attack is characterized by sophisticated (advanced) attack activity that typically involves both human and automated means over a long period of time (persistent). The goal is not necessarily the rapid infection of machines with malware, rather is the implementation of exploits (threats) that can remain available and useful to the cybercriminal over a period of time. A clear difference in APT versus malware is that APT is targeted against a specific entity rather than the traditional notion of malware, which uses broad infection rates to sow itself. However, many APT attacks absolutely use focused malware attacks as part of its insertion method. Also, since APT is not broad in its delivery, it tends to be especially hard to detect, often exploiting zero-day vulnerabilities.
Currently, there is no single control capable of defending against and noticing APT attacks; therefore, the implementation of layered controls is necessary. Below are my top six controls to stay ahead of APTs:
- Deploy devices and software products capable of detecting and/or blocking anomalous activity at the host and network levels. This is advisable since signature-based technology is not a very good platform to protect against APT, due to the use of zero-day exploits by cyber criminals. Installation of network anomaly detection devices should focus on all perimeter points and on the internal network. Host-based controls should focus on critical network or sensitive corporate data. Host-based controls would include notification of changes to administrative access or even the implementation of software that has the capability to automatically remove unauthorized accounts. And, please don't make the common and egregious mistake of installing these systems and not paying attention to them.
- Implement an application control or whitelisting software product that will allow only "whitelisted" applications on specific systems. This process limits the running of programs (including malware) that have not been previously authorized by administrators.
- Monitor, monitor and monitor some more. While not a preventative control, monitoring is often ignored because it's time consuming, expensive, and still hard to detect and qualify anomalous activity. It's not enough to simply have logging enabled on critical devices, but there needs to be the capability to consume log data efficiently by a human and take action must exist. This requires a logging system capable of alerting on anomalous activity. Otherwise, the activity will likely go unnoticed due to the extensive amount of logs and lack of time generally apportioned to this important task.
- Tirelessly patch systems. While this will not help block zero-day attacks, it will help block attacks against known vulnerabilities and make it harder for a cyber-criminal to gain a foothold. Like most professions, cyber-criminals have a "tool bag" that contains an assortment of tools to help them compromise a system. Patching systems effectively negates part of the cyber-criminal's tool bag.
- Block unnecessary egress traffic by default. While inbound traffic is blocked by default on most firewalls, out bound traffic typically is not. Thus, rules should be implemented that allow only business related traffic, and disallow all ports/services not normally associated with the corporation's traffic. This filtering will help block control communication or exfiltration conduits used by cyber criminals.
- Limit employee participation in cybercriminal advances through relentless training on social engineering techniques. Still, many times, the entryway into private networks is employees responding to various social engineering attacks (i.e., phishing, phone calls, etc.).