A couple of years ago, very few organizations were aware of APT (Advanced Persistent Threat), but now it is a regular topic of debate and conversation. Many organizations have admitted that they are vulnerable to such attacks and have to find a solution. Because an APT operates quietly inside the network, an intrusion can remain hidden for months or even years. According to the Verizon Data Breach Investigations Report, 66% of data breaches remained undetected in 2013. A network endpoint is believed to be the entry point of an Advanced Persistent Threat attack. Most enterprises report that they learned about an APT attack only when they noticed abnormal data-exfiltration traffic on the network. We should move beyond traditional security practices and adopt advanced ways to protect ourselves.
Overview of Advanced Persistent Threat:
APT, or Advanced Persistent Threat, is characterized by three things: advanced features, complexity, and a unified attack carried out with sophisticated techniques. Such an attack uses several techniques, ranging from spear-phishing mail, web-based clickjacking, and fraudulently signed certificates to memory-based attacks, SQL injection, and USB key delivery. After web-borne malware attacks, APT is the second most frequently seen type of attack in major organizations. The term also refers to state-sponsored attacks whose goals include military intelligence gathering, economic damage, technical espionage, financial extortion, and political manipulation.
How does an Advanced Persistent Threat work?
APT attacks follow a particular methodology, which can be divided into four steps:
- Reconnaissance: The attacker investigates the enterprise's weaknesses, for example exposed domains and ports, DNS queries, and vulnerability scans, looking for a way to insert malware into a system.
- Initial Entry: After finding a weakness, the attacker uses a sophisticated exploit or a social engineering technique to gain a foothold in the targeted network.
- Escalation of Privileges: After the initial infiltration, the attacker tries to obtain the highest rights available on the system and installs a backdoor for future access.
- Continual Exploitation: Once the attacker has control, the system is exploited over time and the attacker can identify and steal the data.
Steps to Mitigate Advanced Persistent Threat Attack:
There is no magic behind the mitigation strategy for APTs; it requires diligence and prudence in the face of rising threats. A protective strategy must be applied across both network security and data security.
- Keep strong, secured passwords for shared accounts, managed through a shared-account management capability.
- Adopt threat mitigation techniques that alert the enterprise about an attack in progress.
- The organization should enforce a strict BYOD policy to prevent outsider intrusion, and educate employees about social engineering attacks.
- The organization should implement event detection, log analysis, and complex correlation with automatic alerts.
- A quick incident response capability helps to contain a malware infection when other security controls fail.
- System and security administrators should have only as much assigned access as they need to complete their tasks, such as changing security settings, installing software, or changing system settings.
- A server that hosts confidential information should have adequate protection, such as a firewall, application whitelisting, monitoring of key files, and prevention of changes to log files.
- When an employee leaves the company, his or her identity should be revoked. Remove all unused identities from the identity management system.
- Two-factor authentication and other risk-based evaluation help protect systems against an APT's initial entry.
- Since the main objective of such an attack is to steal data, the data should be properly classified and controlled.
Five Steps to Mitigate the Advanced Persistent Threat:
A lack of awareness, outdated software, or any other loophole can invite an Advanced Persistent Threat attack. Whenever attackers find a loophole in the network, they try to use it to compromise the system. In this case, the quickest and best means available should be used to identify and remove the threat. An organization should act immediately on identifying an APT attack.
Detect and Identify:
When the security or IT department notices error messages, suspicious log events, reduced performance, or unusual bandwidth usage, it should immediately set up a team to run the response process. Depending on the severity of the attack, this team should include the IT department, physical security, human resources, legal, and the finance team. After setting up the team, locate the compromised device and examine it. The team should analyze the malware with the required security and penetration testing tools. Always gather as much log data as possible from the available sources, such as firewall logs and IPS logs. If required, hire a professional service or technical experts to help the organization's own team.
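The mitigation list above asks for log analysis and correlation with automatic alerts, and the step above asks the response team to gather firewall and IPS logs. The following Python script is an added example (not code from the original article) of what that correlation can look like in practice: it parses constructed firewall connection lines and IPS alert lines, sums outbound bytes per internal host per hour, flags hosts above a baseline, and raises the severity when the transfer happens outside business hours or an IPS alert names the same host in the same window. The log layouts, hosts, 5 MB baseline, and business hours are all assumptions.

```python
"""Added example (not from the article): correlate constructed firewall and IPS
log lines to flag hosts whose outbound volume looks like data exfiltration.
Log formats, hosts, thresholds and business hours below are all assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall connection-log lines (syslog-like; the field layout is assumed).
FIREWALL_LOGS = """\
2013-10-02T01:05:12 fw01 conn src=10.1.4.22 dst=203.0.113.9 dport=443 bytes_out=184000
2013-10-02T01:12:47 fw01 conn src=10.1.4.22 dst=203.0.113.9 dport=443 bytes_out=210000
2013-10-02T01:33:08 fw01 conn src=10.1.4.22 dst=203.0.113.9 dport=443 bytes_out=9500000
2013-10-02T01:51:40 fw01 conn src=10.1.4.22 dst=203.0.113.9 dport=443 bytes_out=12000000
2013-10-02T09:14:03 fw01 conn src=10.1.7.15 dst=198.51.100.20 dport=80 bytes_out=42000
2013-10-02T09:18:55 fw01 conn src=10.1.7.15 dst=198.51.100.21 dport=443 bytes_out=61000
2013-10-02T09:30:10 fw01 conn src=10.1.9.8 dst=198.51.100.30 dport=443 bytes_out=15000
"""

# Constructed IPS alert lines (format assumed).
IPS_LOGS = """\
2013-10-02T01:30:21 ips01 alert sig="Suspicious beacon pattern" src=10.1.4.22 dst=203.0.113.9
2013-10-02T09:16:00 ips01 alert sig="Outdated browser user-agent" src=10.1.7.15 dst=198.51.100.20
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$")
IPS_RE = re.compile(
    r'^(?P<ts>\S+) \S+ alert sig="(?P<sig>[^"]*)" src=(?P<src>\S+) dst=(?P<dst>\S+)$')

VOLUME_THRESHOLD = 5_000_000   # assumed per-host, per-hour outbound baseline (bytes)
BUSINESS_HOURS = range(8, 18)  # assumed working hours; transfers outside them are suspicious


def parse_firewall(text):
    """Parse connection lines; lines that do not match the expected layout are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "dst": m["dst"], "bytes": int(m["bytes"])})
    return events


def parse_ips(text):
    """Parse IPS alert lines into dicts with timestamp, signature name and source host."""
    alerts = []
    for line in text.splitlines():
        m = IPS_RE.match(line)
        if m:
            alerts.append({"ts": datetime.fromisoformat(m["ts"]), "sig": m["sig"],
                           "src": m["src"], "dst": m["dst"]})
    return alerts


def outbound_per_host_hour(events):
    """Sum bytes_out per (source host, hour bucket)."""
    totals = defaultdict(int)
    for e in events:
        bucket = e["ts"].replace(minute=0, second=0, microsecond=0)
        totals[(e["src"], bucket)] += e["bytes"]
    return totals


def correlate(fw_text, ips_text, threshold=VOLUME_THRESHOLD):
    """Flag hosts over the volume baseline and enrich each hit with off-hours and IPS context."""
    ips = parse_ips(ips_text)
    alerts = []
    for (src, hour), total in sorted(outbound_per_host_hour(parse_firewall(fw_text)).items()):
        if total <= threshold:
            continue
        reasons = [f"outbound {total} bytes in hour starting {hour.isoformat()}"]
        if hour.hour not in BUSINESS_HOURS:
            reasons.append("transfer outside business hours")
        # IPS alerts for the same source within two hours of the bucket raise the severity
        related = [a["sig"] for a in ips
                   if a["src"] == src and abs(a["ts"] - hour) <= timedelta(hours=2)]
        reasons.extend(f"IPS: {sig}" for sig in related)
        alerts.append({"host": src, "severity": "high" if related else "medium",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(FIREWALL_LOGS, IPS_LOGS):
        print(alert["severity"].upper(), alert["host"], "|", "; ".join(alert["reasons"]))
```

On the constructed data only 10.1.4.22 is reported: it pushes about 21 MB out between 01:00 and 02:00, and the IPS saw a beacon from the same host in that window, so the alert is rated high. The host with a browser-related IPS alert but ordinary volume is not reported, which is the point of correlating the two sources instead of alerting on either alone. In a real deployment the baseline would come from each host's own history rather than a fixed constant.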
Disable the System Access:
Once the severity of the attack is identified, the compromised hosts and systems should be cut off by disabling some of their functions. Always limit user access to such systems, determine the access point the attacker used, and block it immediately to stop the attack. However, an attacker can change techniques so as to remain undetected for months and continue the mission; therefore, merely quarantining the system or blocking access cannot completely mitigate the attack. IT or security experts have to plan for the complete removal of the persistent threat.
Removal and Recovery:
To prevent further moves by the attacker, the IT team should plan the comprehensive removal of the threat. However, the cost and time needed to mitigate the attack and restore systems to their normal condition are large: it is believed that organizations need 30 days to restore systems to normal and spend $3000 per day doing so. To remove the malware completely, check all infected hosts and stop all processes the attacker is running. The team should destroy all malicious code, files, and programs created by the attacker. Keep sensitive data separate from the infected system or network, apply software patches to fix the vulnerabilities, and reset software configurations. If possible, assess the damage caused. At this stage, financial audits, formal communications, and third-party disclosure (to customers, shareholders, and the media) should be included.
Proactive Measures:
After performing the above steps, the security team has to stay proactive against future attacks and must gauge known and unknown malware through behavior-detection algorithms. They should deploy the latest threat intelligence and countermeasures within the organization's environment. Educating employees about the various kinds of APT attack is also a good option. The team can keep staff informed about ongoing developments in IT and security standards.
Automation of Incident Response:
Automated incident response removes time-consuming manual arrangements by offering a proactive approach. An automated process can search for and kill suspicious processes or remove files on endpoints. Because the incident response plan is automated, security staff can concentrate on other security matters.
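As an added example (not the article's own code), the following Python playbook shows how the "search and kill suspicious processes or remove files" automation above can be made policy-based rather than a blind kill list: it matches a constructed endpoint process inventory against indicators (a file hash or an image-path pattern), plans kill and quarantine actions, refuses to auto-kill protected system processes and raises a ticket instead, and escalates to host isolation once a single host accumulates several matches. The hostnames, process list, indicator hashes (labelled placeholders), protected-process set and isolation threshold are all assumptions; the playbook returns a plan for the endpoint agent rather than executing anything itself.

```python
"""Added example (not the article's code): a policy-driven response playbook that
matches an endpoint process inventory against indicators and plans containment
actions. Inventory, indicators, hostnames and the hash values are constructed
placeholders; the actions are returned as a plan, not executed."""
import fnmatch
from dataclasses import dataclass


@dataclass
class Indicator:
    kind: str   # "sha256" (exact file hash) or "path" (glob over the image path)
    value: str
    note: str


@dataclass
class Process:
    host: str
    pid: int
    name: str
    path: str
    sha256: str


@dataclass
class Action:
    host: str
    kind: str   # "kill", "quarantine", "isolate_host" or "ticket"
    target: str
    reason: str


# Constructed indicators; the hash is a placeholder, not a real IoC.
INDICATORS = [
    Indicator("sha256", "PLACEHOLDER_SHA256_0001", "dropper hash from a constructed prior incident"),
    Indicator("path", r"c:\users\*\appdata\roaming\*\svchost.exe",
              "svchost.exe running outside System32 (constructed rule)"),
]

# Processes the playbook must never kill automatically; a human gets a ticket instead.
PROTECTED = {"system", "csrss.exe", "wininit.exe", "lsass.exe"}

ISOLATE_AFTER = 2   # assumed policy: isolate a host once this many processes match

# Constructed endpoint inventory as an agent might report it.
INVENTORY = [
    Process("ws-17", 4120, "svchost.exe", r"C:\Users\alice\AppData\Roaming\Update\svchost.exe",
            "PLACEHOLDER_SHA256_0001"),
    Process("ws-17", 880, "svchost.exe", r"C:\Windows\System32\svchost.exe", "PLACEHOLDER_SHA256_BENIGN_A"),
    Process("ws-17", 5211, "updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe",
            "PLACEHOLDER_SHA256_0001"),
    Process("ws-22", 620, "lsass.exe", r"C:\Windows\System32\lsass.exe", "PLACEHOLDER_SHA256_0001"),
    Process("ws-22", 2000, "chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe",
            "PLACEHOLDER_SHA256_BENIGN_B"),
]


def match(proc, indicators):
    """Return the indicators a process matches, comparing hashes exactly and paths by glob."""
    hits = []
    for ind in indicators:
        if ind.kind == "sha256" and proc.sha256.lower() == ind.value.lower():
            hits.append(ind)
        elif ind.kind == "path" and fnmatch.fnmatchcase(proc.path.lower(), ind.value.lower()):
            hits.append(ind)
    return hits


def plan_response(inventory, indicators=INDICATORS, isolate_after=ISOLATE_AFTER):
    """Turn indicator matches into a containment plan under the protected-process policy."""
    actions = []
    matches_per_host = {}
    for proc in inventory:
        hits = match(proc, indicators)
        if not hits:
            continue
        reason = "; ".join(h.note for h in hits)
        matches_per_host[proc.host] = matches_per_host.get(proc.host, 0) + 1
        if proc.name.lower() in PROTECTED:
            actions.append(Action(proc.host, "ticket", f"pid {proc.pid} {proc.name}",
                                  "protected process matched, manual review: " + reason))
            continue
        actions.append(Action(proc.host, "kill", f"pid {proc.pid} {proc.name}", reason))
        actions.append(Action(proc.host, "quarantine", proc.path, reason))
    # Escalate to network isolation when one host accumulates several matches.
    for host, n in matches_per_host.items():
        if n >= isolate_after:
            actions.append(Action(host, "isolate_host", host, f"{n} indicator matches on one host"))
    return actions


if __name__ == "__main__":
    for a in plan_response(INVENTORY):
        print(f"{a.host:6} {a.kind:13} {a.target} <- {a.reason}")
```

On the constructed inventory, ws-17 gets two kill and two quarantine actions plus host isolation, while ws-22, where the only match is on a protected process, gets a ticket for manual review and is neither killed nor isolated. Keeping the protected-process list and the isolation threshold as explicit policy is what lets the automation run unattended without taking a production host down on a single false positive.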
Conclusion:
Once an Advanced Persistent Threat has occurred, the organization should follow a methodical approach to return its systems to their normal state. Security and IT teams have to come up with creative ideas to identify and eliminate the rising number of security incidents in organizations. For a better future, security teams should adopt proactive measures together with policy-based automation.
Photo By: Siemond Chan