Building an Effective Defense Strategy to Combat APTs

Versatile and evolving Advanced Persistent Threats (APTs) aimed at both the private and public sectors are increasingly jeopardizing corporate assets, the U.S. economy and national security. Malevolent APT perpetrators continue to launch stealthy, covert cyber attacks, targeting both commercial companies and government agencies, with the intent of economic and/or financial gain. Rather than periodic attacks driven by specific intended outcomes, these cunning and agile cyber criminals continuously exploit inherent weaknesses in order to gain long-term access to the valuable information repositories they infiltrate.

The consequences of these now pandemic and inevitable attacks are becoming more significant as customer/citizen confidence erodes in the face of often irreversible reputational damage and mounting financial losses. As a result, organizations and agencies are scrambling to respond with more aggressive strategies that weave powerful cybersecurity and risk management tactics into the fabric of daily business operations.

A Never-Ending Battle against an Elusive Enemy

Commercial organizations and government agencies are well aware of these menacing APTs and make significant investments in security device and system deployments to protect against them, so why are they still constantly compromised?

  • First, companies often employ ad hoc or unilateral methodologies and approaches to address cybersecurity threats. What’s needed is a cohesive, integrated business strategy that assesses and prioritizes organizational assets based on risk exposure and value, and then protects them accordingly. Not all assets can or should be protected equally. An institution must focus its limited resources on those problems and threats that will have the greatest organizational impact.
  • Second, Advanced Persistent Threats live up to their name. They are not the distributive, visible, low-hanging-fruit attacks of five years ago. APTs are a new breed of enemy, requiring a completely different and exceedingly proactive, aggressive response. The familiar reactive, outdated and disconnected defense composed of traditional firewalls, intrusion detection and prevention, anti-virus, application protection and endpoint security is not the answer for today’s “cyber cancer.” Short-term fixes for visible network security symptoms amount to too little too late. Integrated strategies and practices based on enterprise-wide transparency that enable prevention, early detection and rapid response are fundamental elements of the equation for cost-effective and scalable risk management.
  • Third, the enemy is within. The primary target for most attacks is the end user who unknowingly grants the hacker access to the organization and thus an opportunity to steal intellectual property and other proprietary data. So, the primary attack vector for most APT perpetrators is not a sophisticated network exploit; instead, these nimble adversaries use social networking and engineering—phishing emails, for example—to lure users into opening malicious attachments or clicking on detrimental links. Once this happens, the organization is compromised, exposing it to both reputational and financial damage.

Executing a Dynamic Defense Posture

While APTs are expected to intensify in both frequency and impact, there are steps organizations and government agencies can take today to reduce their risk of exposure:

Prioritize Assets: Examine the data and information that resides in every department and business unit silo. Who has access to it, and how does it get locked down in the event of a breach? Assess the risk posture and business value of every information asset category. With this comprehensive perspective in hand, prioritize all sensitive information and build a risk management infrastructure that aligns high-risk/high-value business assets with the appropriate defense measures in order to effectively protect them.

Engage Stakeholders: When building an enterprise risk management strategy to effectively combat APTs, all key stakeholders, including the executive suite, business units, and functional groups, must collaborate on specific objectives. In addition to properly aligning security systems with business information assets, this is a cultural transformation that encompasses every facet of the enterprise: all the essential people, process, and technology resources and functions. Stakeholder buy-in and support are mandatory for success.

Increase Awareness: Given that the primary target for most APTs is the end user—the weakest link in the chain of defense—organizations must get much more vigilant about governance in an effort to detect compromises and close the security gaps in the enterprise. While it’s impossible to eliminate all careless employee behavior, information assets can be better protected via network monitoring, awareness campaigns, mandatory training, experience-based learning programs and actionable policies.

Regain Control over Critical Assets

Despite general acknowledgment of the fact that all commercial organizations and government agencies now live in a state of constant compromise, taking these critical preparedness steps will measurably reduce the risk of exposure to today’s formidable Advanced Persistent Threats as they continue to gain momentum.

