Defending against the Hype of Advanced Persistent Threat (APT)

René Pfeiffer/ October 31, 2011/ Security

Many articles like to mention Advanced Persistent Threat (APT), point out that 0-day attacks are extremely dangerous, and that anyone, including your neighbour, might already be compromised without knowing about it. So APT casts a long shadow even before it has arrived. This is exactly why we used the word „hype“ in the title. If you are not feeling very well and you look up your symptoms in popular search engines, you suddenly end up with lots of diseases that might fit. Doing this won’t change anything: you still have the symptoms and you still have no idea what’s going on. Reading information on security breaches alone won’t get you anywhere (currently you can find some news on the RSA hack online). Exchanging ideas and hearing stories is fine, but you need to connect this information with your own infrastructure.

It’s naive to assume that you can detect APT with a click of your mouse or by catching a glimpse of data on your monitoring systems. If it’s advanced and if it’s persistent, then you have to expect a greater effort to detect it. Your best bet is to look for the command & control (C&C) channels or other ways the intruder’s software uses to phone home. Your Data Loss Prevention (DLP) software might be a good start, too. Defending against APT might not be as high-tech as you think. Many attacks used for „APTing out“ company secrets involve social engineering. Why spend time on developing a super-virus that enters the target network undetected when you can simply talk your victim into installing it? So what can you do to defend yourself?
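Looking for phone-home traffic in practice usually means looking for regularity: malware that checks in with its C&C server tends to do so on a fixed timer, which shows up in proxy or firewall logs as one client contacting one destination at near-constant intervals. The following is an added example (not code from the original post) that scores client/destination pairs in a few constructed proxy log lines by how regular their connection intervals are. The log format, the host names and the thresholds are assumptions for illustration; adapt the parser to whatever your proxy actually writes.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines for illustration (not from a real system).
# Format assumed here: ISO timestamp, client IP, destination host, bytes sent.
SAMPLE_LOG = """\
2011-10-31T08:00:00 10.0.0.5 updates.example.org 512
2011-10-31T08:00:11 10.0.0.7 www.example.com 1400
2011-10-31T08:10:00 10.0.0.5 updates.example.org 515
2011-10-31T08:12:43 10.0.0.7 www.example.com 900
2011-10-31T08:20:01 10.0.0.5 updates.example.org 510
2011-10-31T08:30:00 10.0.0.5 updates.example.org 514
2011-10-31T08:31:05 10.0.0.7 mail.example.com 20000
2011-10-31T08:40:00 10.0.0.5 updates.example.org 511
2011-10-31T08:50:01 10.0.0.5 updates.example.org 513
2011-10-31T08:55:20 10.0.0.7 www.example.com 300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, destination, bytes) tuples.
    Malformed lines are skipped so one bad record does not abort the run."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        records.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return records


def find_beacons(records, min_hits=5, max_jitter=0.2):
    """Return client/destination pairs whose connection intervals look timer-driven.

    A pair qualifies when it has at least min_hits connections and the relative
    spread of the intervals between them (population stdev / mean) is below
    max_jitter. Both thresholds are assumed starting points, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, client, dst, _bytes in records:
        by_pair[(client, dst)].append(ts)

    suspects = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        jitter = statistics.pstdev(intervals) / mean
        if jitter < max_jitter:
            suspects[pair] = {
                "hits": len(stamps),
                "mean_interval_s": mean,
                "jitter": jitter,
            }
    return suspects


if __name__ == "__main__":
    for (client, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {dst}: {info['hits']} hits, "
              f"every {info['mean_interval_s']:.0f}s, jitter {info['jitter']:.3f}")
```

On the sample data this flags 10.0.0.5 talking to updates.example.org every ten minutes. That is the point of the exercise: a legitimate software updater produces exactly the same pattern, so a hit is a lead for the „always examine events“ step below, not a verdict. Known-good update and monitoring destinations belong on an allowlist once you have checked them, and the remaining hits deserve a look at what the client is sending and who owns the destination.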

  • Assume that you have been compromised. Whenever reviewing or designing security measures, act as though these measures have already been breached. This gives you a fresh perspective and influences the design choice you make. Plus you cannot rule out that an attacker gains a foothold in your network or on some system.
  • Retreat to using „defence in depth“ and the „principle of least privilege“. There is no such thing as a secure local network. There will never be trusted clients. Build compartments in case your users hit icebergs. Have life rafts ready and make sure your users know what to do in case of emergency or suspicious behaviour of applications and humans alike.
  • Know where your assets are! This is a crucial point. Just as you do not mail-order an alarm system for your house and drop it in the hallway, you do not simply „secure everything“. It wouldn’t work, and your comptroller would certainly stop following you on Twitter. Find where your assets are, chart them on your network plan (or wherever you keep track of data), and then apply your security plan.
  • Always examine events. If something breaks or shows signs of aberrant behaviour, make sure you know why. You do not always have to use full-forced forensics in your analysis, but you should always investigate. If you do not have enough information to decide on the reason, make sure you adjust your systems to produce sufficient information when the next event strikes.
  • Verify that your tools do what you need. Don’t rely on vendor marketing. There is no such thing as a magical log collector that can be queried like HAL 9000. Automation is fine, every systems administrator will confirm this, but make sure you have designed, implemented or at least approved the automation process.
  • Educate your staff. This starts with social engineering tactics (you have to know what to defend against) and possibly ends with tools of the trade, the latest security risks and more. If an APT hits your fan, you want well-educated and smart people on your side.

Finally, there’s penetration testing. It ranks next to the other drills you should plan for and put on a regular schedule. Treat your IT infrastructure just like any other crucial infrastructure. If you can do fire drills, regularly check your power supply and refresh your first aid skills, then you can do the same with your IT infrastructure, too. Don’t be a sitting duck. You can do a lot in advance. Once you are compromised you don’t have that luxury any more.

Some of the points in the list above stem from an article by Brian Krebs. We’ve added some points of our own. We will gladly add more items to the strategy if you have feedback or „war stories“ to tell.


About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.