Defending Against APT

Advanced Persistent Threat (APT) is a cyber attack threat that typically comes from a team of attackers with advanced penetration skills, deep resources, specific target profiles and they tend to be very persistent in their efforts. They often have tools that are capable of circumventing defenses. They use stealthy tactics and show good situational awareness in their evaluation of the state of the defenders they face. They respond quickly to defensive tactics with agility in modifying their attack strategy.

The keys to defending against APT are also found in situational awareness and rapid agile response:

  • AWARENESS
    • Awareness of the threat – this begins with understanding the difference between conventional cyber attacks and the more focused attack method of “Advanced Persistent Threat” (APT). First came the era of grafitti, when the attackers mostly wanted to deface web sites in order to “count coup” or claim credit for being better than the defenders. Then came the era of worms and scanning and automated exploits, when the attackers wanted to shake all the trees and collect whatever fruit fell to the ground. Now, the era of APT involves attackers that are focused on getting your stuff and are determined to do it as quietly as it takes to prevent you from noticing and will spend as long as it takes to get the job done. These are professionals who are most likely better trained and more disciplined than your staff of defenders. They are also highly motivated because they are paid far more than your defenders. The outcome of this mismatch is predictable. It is important to understand the disadvantage that most defenders have as a starting position in this game.

      It is also important to understand the difference between the methods and tactics of APT attackers and those of more conventional attackers. APT attackers have most likely studied your defenses and if possible, the tools you use to protect your network. They understand how the Anti-Virus and Intrusion Detection signatures work in commercial products and how to avoid triggering them. They know which OS your systems run and study the vulnerabilities. They may have run some stealthy evaluations of your response to incidents so they can predict your behavior. They may have some ability to manipulate your behavior by creating scenarios with predictable responses.

    • Awareness of the situation – defenders must cultivate the ability to know what is happening on their network and how to detect anomalies from normal behavior. This begins with knowing what systems and components comprise your network. Any flaw in your inventory represents a potential vulnerability that you may not be protecting because you don’t know about it. You need to know what your network is doing and what it is not doing. This should include a list of protocols, ports and services that are expected, that may appear and that should never be seen. From all of this, you can generate a list of what needs to be monitored and how often. Once you know what is on your network, and what it is doing and what you are monitoring, you can start to develop situational awareness. Define parameters for a normal state, an abnormal state and how you will know what the state is and who else needs to know. Understand that developing situational awareness is an ongoing process that builds upon itself. As you gradually raise your awareness level, the viewpoint will change and you will need to re-frame your monitoring and analysis requirements.
  • RESPONSE
    • Response agility – First and foremost, any response must be precise and accurate. This will depend upon the overall awareness level of situation and knowledge of the nature of the threat. It also depends upon the defenders having a more comprehensive awareness of their own network and components than the attackers. This may sound moot, but in real life, it can be a serious problem. Responses must also be highly adaptable to changing circumstances, and the information system itself must be resilient enough to keep operating during an attack or after being degraded by an attack.
    • Response speed – defenders need to be able to “get inside the OODA loops of attackers”, which means outperforming the attackers in some or all phases of OODA (Observe, Orient, Decide, Act). This is built upon the comprehensive knowledge required for agility and then polished by practice to develop speed. Every step of the process of monitoring, recognizing threats and reacting must be drilled until they become nearly automatic. This is how the advanced attackers practice their craft, this is what you are up against.

The CONTINUOUS MONITORING philosophy being promoted by NIST guidelines goes a long way toward establishing the paradigm laid out above. Implementing a continuous monitoring scheme with a full understanding of both it and the other NIST security controls involved, would require some level of penetration wargaming, where defenses are constantly being probed to find weaknesses and improved by feedback from the results. Once all the knowledge and support are in place to craft a capable and agile defense, much practice and wargaming is the next step toward taking the advantage in OODA loop cycles. The defenders must be able to read and react to the attack faster than the attacker can read and react to the defense.

SEE ALSO:
Advanced Persistent Threat
APT (more)
Agile Defense with NIST Controls
Security Controls – Tools for Your Gameplan
OODA Loops
Cyber Strategy Evolves
Continuous Monitoring
Attack Methodology

Comments are closed.