Risk UK, November 2017
Cyber Security: Advanced Persistent Threats
network and having the right tools to pinpoint the signal from within the network noise. It's therefore unlikely that you'll be able to identify the APT by performing simple host-based analysis, since that's exactly the sort of security control APT attacks are designed to bypass. Nor are a standard firewall at the perimeter and anti-virus software on the endpoint necessarily sufficient to detect APT activity, especially if the threats involved haven't been seen before. Adding network behavioural monitoring to complement these more traditional security tools provides a means of detecting ongoing behaviours even when they have bypassed the other defences.
Blended security architecture
Having a blended security architecture such as this ensures that, even in the event some security layers are subverted, a backstop is in place to prevent ongoing damage. No network will be 100% secure. It's vital that, in the event an APT is present on your network, you're able to see clearly when and where it's active so that you can take the necessary remedial steps with the minimum amount of disruption.
Given that APTs are designed to be persistent, performing long-term analysis and correlation makes it possible to identify the behaviours associated with the APT and prevent it from causing real damage.
Defences should be regularly tested to ensure that an attacker cannot gain access and also to make certain that the security tools employed are identifying the attack in progress. Business continuity procedures should also be regularly reviewed and exercised. Consider all the forms an attack could take and have measures in place to identify, limit and remove the threat, recover quickly from the episode and limit service interruption for the business overall.
APTs are evolving to become stealthier, for example by cleaning up any event log entries generated by the operations they perform. They're also often aware of virtual machines, so sandboxing techniques are now proving less effective. APTs tend to use whatever resources they have available on the exploited host in order to reduce the likelihood of detection.
This applies to any attack, whether from an APT or mainstream malware, as both are continually developed to remain undetected on a network or device for as long as possible. File-less malware has become more prevalent of late, meaning that existing security solutions which watch for evidence of exploitation, such as malware being installed on the hard drive and/or registry changes, no longer detect these occurrences.
Many APTs are aimed at highly sophisticated organisations with advanced security, meaning that gaining 'legitimate' access through techniques such as social engineering or credential theft is a 'must' for them. For example, it's often the case that users re-use passwords which may have been exposed in unrelated data breaches. Attackers can then employ those passwords to gain access to the network.
There's no magic trick to shortcut the detection of APTs, and don't assume that APTs are going to be detected in a short timeframe, either. It can often take a significant amount of time, resources and tooling to identify the threat and then perform the forensics needed to understand what actually happened.
Technology developments such as the Cloud and BYOD add convenience for an organisation, but at a potential cost to security. Steps can be taken to secure sensitive data, such as issuing secured devices and making sure some areas of the network are 'air-gapped'.
Some enterprises react to the threat by installing the most advanced and expensive tools, without fully understanding what they offer and how to use them effectively. Equally, enterprises may install tools simply to meet policies and 'tick the box'. It's always the case that an organisation should implement a strategic and measured approach to security.
Persistence can pay off when trying to gain access to a network, and someone who's determined to break in will almost certainly succeed in doing so. Organisations must therefore architect the network to minimise the impact should a breach occur.
Have a backstop in place. Should the APT make it through your primary and secondary security defences, its time on the network and the resulting damage can then be limited. Network behavioural monitoring can play a vital role here. The staged and covert nature of APTs means that correlation of behaviours over time is critical to their identification and isolation. Using more traditional network security tools to deliver anomaly detection, or using the latest reputation feeds, is helpful, but it will certainly not be enough on its own to allow you to identify the threat and reduce your exposure.
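The long-horizon correlation the article describes, as an added example that is not part of the original article: a toy per-host scoring engine that accumulates weighted behaviours over a 14-day window, so that weak signals (the periodic beaconing, the cleared event log and the admin-share access below) combine into an alert even though none of them would trip a single-event rule. The behaviour names, weights, threshold and sample telemetry lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): "timestamp host behaviour".
SAMPLE_EVENTS = """\
2017-11-01T02:14:00 ws-17 outbound_beacon
2017-11-02T10:00:00 ws-04 outbound_beacon
2017-11-03T02:15:00 ws-17 outbound_beacon
2017-11-05T02:14:30 ws-17 outbound_beacon
2017-11-06T09:30:00 ws-17 eventlog_cleared
2017-11-09T23:10:00 ws-17 admin_share_access
2017-11-12T02:14:10 ws-17 outbound_beacon
2017-11-14T11:00:00 ws-04 eventlog_cleared
"""

# Each behaviour is weak evidence on its own: no single weight reaches THRESHOLD.
WEIGHTS = {"outbound_beacon": 1, "eventlog_cleared": 2, "admin_share_access": 2}
WINDOW = timedelta(days=14)   # long-horizon window, not a per-event rule
THRESHOLD = 5                 # weighted score that triggers an alert
MIN_KINDS = 2                 # require more than one kind of behaviour

def parse_events(text):
    """Parse constructed lines into (timestamp, host, behaviour), oldest first."""
    events = []
    for line in text.splitlines():
        ts, host, kind = line.split()
        events.append((datetime.fromisoformat(ts), host, kind))
    return sorted(events)

def correlate(events, window=WINDOW, threshold=THRESHOLD, min_kinds=MIN_KINDS):
    """Stream events per host; alert the first time the windowed, weighted
    score of distinct behaviours crosses the threshold.
    Returns {host: (alert_time, score)}."""
    recent = defaultdict(list)   # host -> [(ts, kind)] still inside the window
    alerts = {}
    for ts, host, kind in events:
        # Expire events that fell out of the window before scoring this one.
        recent[host] = [(t, k) for t, k in recent[host] if ts - t <= window]
        recent[host].append((ts, kind))
        score = sum(WEIGHTS.get(k, 0) for _, k in recent[host])
        kinds = {k for _, k in recent[host]}
        if host not in alerts and score >= threshold and len(kinds) >= min_kinds:
            alerts[host] = (ts, score)
    return alerts

def max_single_event_score():
    """The most any one event can contribute; shows single-event rules stay silent."""
    return max(WEIGHTS.values())

if __name__ == "__main__":
    for host, (ts, score) in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: score {score} reached at {ts.isoformat()}")
```

Host ws-04 shows the same two behaviours as ws-17 but too sparsely to cross the threshold, which is the trade-off a real deployment tunes with the window and weights.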
An educated approach to security is crucial, ensuring best practice is in place such that all networks, endpoints and services are secure and all end users are suitably trained.
Daniel Driver: Head of Perception Cyber Security at Chemring Technology Solutions