If we can’t agree on the definition of the threat, how can we defend against it? Actually, there is a way…
What is APT? It seems like a simple question, and certainly one that many people are asking. In fact, if you Google “advanced persistent threat,” you get over 430,000 hits. And many of these definitions overlap and even contradict each other.
But like Fred Astaire and Ginger Rogers’ famous conundrum (to-mai-to versus to-maa-to, etc…) – we can’t just shelve the argument and call the whole thing off. APTs are real, and they’re a threat, and we need to address them.
But first, we need to figure out what they are.
You Say Tomato…I Say APT…
I met with a group of CISOs recently to discuss APTs and the various ways that organizations can prepare themselves to defend against them. I was surprised to find that the CISOs did not have a clear collective definition of APT. Each individual I spoke to had a different definition, and some just said “all of the above” when I laid out a list of options.
It turns out that each individual CISO’s definition of APT depends on the information the organization has to protect. Each definition, quite legitimately, reflects a different concern. Here’s what I heard and how I responded:
#1 “An APT is any attack that is more sophisticated than a regular attack”
True indeed. Yet one must ask what a “regular attack” consists of? And how specifically can we defend against “irregular” attacks? Attack methods have grown geometrically in their sophistication over the past five years. Which of the new generation of security solutions in the CISO toolbox is most suitable? My answer is, you should use intelligent deception solutions. Because this defense paradigm is completely attack-agnostic, there’s no need to define which specific “irregular” attack is underway and you are not bombarded by false alarms.
#2 “An APT is an attack that does not have a signature and that my current defense tools, which are based on signatures, cannot prevent”
Also true. And this is one of the primary limitations of existing prevention and detection paradigms. These are extremely efficient against known threats (“yesterday’s threats”) but are powerless against any attack that is even slightly different from what they “know”. Moreover, organizations that rely on prevention have no way to deal with attacks that have slipped by their defenses.
Deception-based solutions, on the other hand, are completely agnostic to the form, type or pattern of the attack. Because deception systems are not approached by legitimate users or software tools unless they’re doing something that they shouldn’t be doing, any access of the decoy is suspicious and sends out an alert. Security teams can then inspect the threat, and quickly resolve the issue and even prioritize events coming from other security tools based on the events triggered by the intelligent deception.
#3 “An APT is when the attacker has more talent than the attacked organization”
I disagreed with this, because the sad truth is that attackers don’t have to be that talented to prevail. Think about it. It’s the defender that needs to be successful every single time to prevent a breach. The attacker only needs to succeed once.
So in fact, it’s not a matter of talent, but rather of odds.
One way of turning the odds in favor of the defender is to go on the offensive. Deception captures the attackers when they are most vulnerable – at the point of entry to the organization. An attacker who has just entered your network is operating in the dark. He starts to explore your organization in search of valuable data, using various commands to check the registry for trails of applications, dump accounts and passwords, open ports, applications, file names, directory names, accessible network drives, credentials in memory and more. At this stage, the attacker is focusing on finding as many potential attack routes as possible.
Knowing this pattern of behavior, defenders can use it to their advantage. Since we know what type of information the attacker is looking for and what tools he is likely to employ, we can plant realistic – yet fake – references on organizational assets and have them point in the direction of the decoy systems. This way we can turn the tables on the attackers and use their greed against them.
#4 “An APT is any hostile activity in the organization that I am not aware of and I don’t know what it will do next”
This definition comprises two assumptions. First, that attackers will always find a hole through which to enter or exit, without setting off any alarm. Second, that once inside the organization, attackers will roam freely without being caught. While I fully subscribe to the first assumption, I cannot agree with the second. Just because they’re in, doesn’t mean that all is lost. Quite the contrary actually.
As discussed above, an information security scheme based on deception makes possible the accurate detection of attacks in their early stages. This takes care of assumption number one.
Regarding the second assumption, one way to gain better understanding of the attacker’s next step is to use a sophisticated deception-based approach known as “black hole” or “sinkhole”. These tools are designed to not only draw in attackers, but also to help defenders discover more about them. In a black hole scenario, when suspicious activity is detected, the deception layer opens an application session with the requesting process, interacts with it and collects information on its operation. The goal is to gather intelligence and clarify the actual intentions of the attackers.
I wrote about black holes and sinkholes in one of my earlier blogs.
#5 “APTs are attacks we are not prepared for, attacks we don’t know how to handle and that go beyond our expertise”
Anyone who works in information security knows to expect the unexpected. Still, when a new threat appears, it can be scary. When facing a new threat, keep in mind that:
- Detection is 80% of the solution. The sooner an attack is detected, the faster you can start working towards a successful resolution.
- Use all the tools at your disposal. Security is built in a multi-layer/multi-platform architecture using many tools and applications. Correlating data from multiple tools helps to bolster threat intelligence and lower the level of uncertainty.
- Share information with your peers. Collaboration between tools and applications is important. Collaboration between humans is even more important. Work and collaborate with other security professionals to exchange knowledge and experience.
- Don’t be afraid to use external help: a good IT security partner makes all the difference.
The Bottom Line
Whether you pronounce “neither” as nee-ther or nie-ther – there’s still no other option but to deal with the bigger picture of APT threats. To cast the widest net possible, and provide the most comprehensive coverage for all possible APT permutations, consider leveraging advanced deception-based solutions. When the very definition of the threat is unclear to most, only a truly attack-agnostic paradigm can provide an effective response.
Doron Kolton is Founder & CEO of TopSpin Security