Advanced Persistent Threat (APT) & Data Centric Audit and Protection (DACP)

Advanced Persistent Threat (APT) &
Data Centric Audit and Protection (DACP)
Background
The contexts of the Defense and Security Sector around the world are becoming increasingly diverse.
Developments in technology and science, demographic trends and the changing character of conflict
imply that achieving required levels of security will become more complex, and adversaries will
change and diversify. In many cases, adversaries have access to better skills and tools than the
majority of us.
Today, data security breaches are at an all-time high with no end in sight. In such an environment, it
is clear that to continue founding Cyberdefense on the protection of our communications systems,
networks and perimeter are not working.
DCAP focus on protecting the Data itself not the data’s access or where the data is located. Utilizing
strong user certificates and enforcing central security policies consistently across all applications,
DCAP enables all authenticated users to create, exchange and consume data on any device,
connected to any network, using on-premise and cloud based applications, with complete assurance
of data protection against unauthorized users.
DCAP should be included as an integral part of the total “Defense in Depth” strategy to act as the
“Data last line of defense.”
Introduction
It is undeniable that the high-value target sectors, such as Defense and the Security sector, face
targeted and focused threats that no other sector faces. These sectors affect the livelihood of
millions, and any breach can have a major impact on National Security. In this high-level discussion,
we focus on ‘Advanced Persistent Threat’ (APT). APT is one of the most sophisticated threats to highvalue
defense and security systems. Our discussion of APT will be based on Lockheed Martin and its
Cyber Kill Chain.
Advanced Persistent Threat (APT)
NIST defines APT as “An adversary that possesses sophisticated levels of expertise and significant
resources which allow it to create opportunities to achieve its objectives by using multiple attack
vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and
extending footholds within the information technology infrastructure of the targeted organizations
for purposes of exfiltrating information, undermining or impeding critical aspects of a mission,
program, or organization; or positioning itself to car wry out these objectives in the future. The
advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii)
adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction
needed to execute its objectives.”
http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
APTs differ significantly from traditional threats, yet they leverage many of the same attack vectors.
APTs are often aimed at Cyberespionage as opposed to achieving immediate financial gain.
Page 1 of 3

Stealthiness, adaptability, and persistence characterize this class of threat. For example, traditional
cyber threats often try to exploit a vulnerability but will move right on to something less secure if
they cannot penetrate their initial target, whereas the APT does not stop. The people and groups
behind APT attacks are determined and have the resources to be able to launch zero-day attacks on
enterprises. This makes it hard to defend against them.
It is important to recognize that the people and groups behind APT attacks have a specific target.
They are determined to penetrate target defenses and have the resources to be able to launch zeroday
attacks on enterprises. This makes it hard to defend against them.
Lockheed Martin Cyber Kill Chain Model
“The Lockheed Martin Cyber Kill Chain® method is the core of our Intelligence Driven Defense —our
differentiator in the battle against advanced persistent threats.” LM – Cyber Kill Chain
1. Reconnaissance; the attacker finds a
gap in security of the social network
2. Weaponization; builds a
malicious attachment
3. Delivery; delivers the attachment
using social media or email targeting
an employee
4. Exploitation; the employee, opens
the file, and the vulnerability is
exposed
5. Installation; Malware immediately
installs on the client
6. Command & Control; the attacker,
takes control of the system
7. Actions on Objectives; pinpoint and
access critical data
Cyber Kill Chain model reinforces
perimeter-focused, malware-prevention
thinking.
The hard fact is, intrusion prevention
solutions cannot provide 100%
protection.
A persistent, highly determined, and
highly skilled adversary will always find a way in. And once the adversary is crossed the network
perimeter, traditional Cyber Kill Chain-style prevention solutions like firewalls, sandboxes, and
antivirus can’t help. Once they’ve bypassed these boundaries, adversaries are free to operate in the
network unobstructed.
Page 2 of 3

CloudMask an DACP Solution
CloudMask is a DACP security platform. Using patent methods, CloudMask, running on end devices,
transparently intercepts and analyzes data to identify, tokenize, and encrypt sensitive information.
The intercepted data may belong to a variety of applications, such as Google, SalesForce, Box, etc.,
and/or any other on-premises applications.
CloudMask converts sensitive data into tokens that have the same structure as the original data but
are meaningless, jumbled texts bearing no relation to the original data. As a result, the application
receives meaningless tokens, instead of the original private data. These tokens do not break the
application’s functionality. Accordingly, the application continues to function as before, without
requiring any changes to existing applications. This allows data to be safe even in the face of APT. We
assume that the attackers will breach defenses but ensure that they will not be able to find any
meaningful data.
These techniques also apply to on-premise applications, and accordingly CloudMask mitigates insider
threats by utilizing user-owned keys (asymmetric key pair). These keys are never shared or
transmitted over the network. Only users/systems explicitly authorized by the data owner may use
their personal keys to restoring tokens back to their meaningful data.
DACP protects critical data even when the “Kill Chain” will compromise
With CloudMask’s data protection under breach, infrastructure breaches no longer mean data
breaches. Insecure clouds and mobile devices no longer mean insecure enterprise data. An insider
possessing application and system access no longer means seeing the data.
Page 3 of 3