Taking Advanced Persistent Threats seriously

Posted by Alan Earls on Nov 11, 2014 12:05:00 PM

According to a recent report from the Internet Security Alliance (ISA), the intellectual property of small and medium-sized businesses (SMBs) has never been more at risk from “Advanced Persistent Threats” (APTs). APTs are stealthy and continuous computer hacking processes targeting a specific entity. The attacks are hard to detect and even harder to protect against. 

The report notes that despite a common perception that APTs have been focused just on large companies and governments, thanks to more active mitigation among those targets, hackers are now aiming their APTs at smaller and usually less well-defended targets. In fact, ISA cites a Symantec report, “Internet Security Threat Report 2013,” which notes that the largest growth area for attacks was companies with fewer than 250 employees.

Although SMB customers of MSPs are now a prime target, there’s no reason why attackers would not also focus on compromising the security of MSPs themselves. That means it’s time to gear up a defense strategy.

Dave Pack, Labs Director for LogRhythm, a security intelligence company in Colorado, says that due to the nature of APTs, identifying warning signs that an organization might be targeted and implementing effective response steps is extremely difficult. Pack explained to me that APTs ultimately will utilize custom malware with an aim to compromise various accounts within an organization and then utilize those valid credentials to maintain access and find and exfiltrate data of interest. “The best response to this type of threat is for an organization to develop behavioral-based techniques to understand when a valid user account has been compromised,” he says. For instance, he explains, if a user in IT is observed attempting to access a source code repository, that is a behavioral change that the security organization might want to look into. Likewise, if an employee is observed VPNing in from an unusual location, or if a user is accessing shared drives that they don’t normally access, it also might be worth investigating. 
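The behavioral baseline Pack describes can be reduced to a simple detector: learn, per user, which resources they normally touch and where they normally connect from, then flag events that fall outside that history. The following is an added example, not code from the post or from LogRhythm; the event fields, user names, resource names and log lines are all constructed for illustration.

```python
"""Baseline-and-deviation detector for compromised-account behaviour.

Added example (not from the post or LogRhythm). The event format and
field names are assumptions; the sample events are constructed.
"""
from collections import defaultdict

# Constructed history: (timestamp, user, action, resource, source_country)
BASELINE_EVENTS = [
    ("2014-10-01T09:02", "jdoe",  "share", "\\\\fs1\\finance",  "US"),
    ("2014-10-02T09:10", "jdoe",  "share", "\\\\fs1\\finance",  "US"),
    ("2014-10-03T08:55", "jdoe",  "vpn",   "vpn-gw1",          "US"),
    ("2014-10-01T10:30", "itops", "share", "\\\\fs1\\it-tools", "US"),
    ("2014-10-02T11:00", "itops", "vpn",   "vpn-gw1",          "US"),
]

# Constructed new events, mirroring the three signs named in the post.
NEW_EVENTS = [
    ("2014-11-10T02:14", "itops", "repo",  "git.corp/product-src", "US"),  # IT user reaches a source repo
    ("2014-11-10T03:01", "jdoe",  "vpn",   "vpn-gw1",              "RO"),  # VPN from an unusual country
    ("2014-11-10T03:20", "jdoe",  "share", "\\\\fs1\\engineering", "RO"),  # share never used before
    ("2014-11-11T09:05", "jdoe",  "share", "\\\\fs1\\finance",     "US"),  # normal activity, no alert
]

def build_baseline(events):
    """Per-user set of (action, resource) pairs and set of source countries."""
    resources = defaultdict(set)
    countries = defaultdict(set)
    for _ts, user, action, resource, country in events:
        resources[user].add((action, resource))
        countries[user].add(country)
    return resources, countries

def find_deviations(baseline, events):
    """Return (timestamp, user, reasons) for events outside the user's baseline.

    A user with no history at all is treated as entirely new, so every event
    alerts; in practice the baseline window must be long enough to be meaningful.
    """
    resources, countries = baseline
    alerts = []
    for ts, user, action, resource, country in events:
        reasons = []
        if country not in countries[user]:
            reasons.append(f"new source country {country}")
        if (action, resource) not in resources[user]:
            reasons.append(f"first {action} access to {resource}")
        if reasons:
            alerts.append((ts, user, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_deviations(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(*alert, sep=" | ")
```

Running the block yields three alerts (the repository access, the VPN from a new country, and the unfamiliar share) while the routine finance-share access on the last line stays silent.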

Among other things, ISA also recommends that medium-sized companies consider requiring two-factor authentication and restricting server access to the Internet for non-customer facing servers.

In short, businesses need a way to broadly strengthen their network while preparing an in-depth defense. Solutions have to block known APTs, malware, etc., while resolving any problems they create. Additional means of protecting data such as encryption also need to be considered.

Of course, it's still better to be able to detect an APT from the start, before malware is in place or has caused problems. That requires early warning notices of an attack or potential attack. In general, this is a matter of combining lots of operational data with good analytics so you can have a current and ever-evolving view of what’s “normal.” The good news is that these efforts can get smarter over time and can help further refine security efforts in general by clarifying who should be doing what, and when.

Topics: Cyber Security
