Your firm is not safe from APTs, and what to do about that
One week ago, my most recent prior contribution to Certification Magazine, Two Cybersecurity Questions Most Organizations Aren’t Asking, looked at how the possible shortcomings of two-factor authentication and encryption aren’t on the radar of many enterprise IT leaders. Both of those questions revolved around a single topic — potential flaws in existing security technologies that many IT leaders depend upon as critical components of their security infrastructure.
While questioning the capabilities of security controls is an important matter requiring attention, a review of the cybersecurity landscape is incomplete if it only looks at the defensive side of the equation. Organizations must also keep abreast of changes in the cybersecurity threat landscape and ensure that they are prepare to face evolving threats.
Is Our Organization Prepared for Modern Threats?
Advanced Persistent Threats (APTs) are the most commonly cited example of modern security threats. APTs are well-funded, sophisticated attackers who operate with advanced resources and techniques. Typically funded by governments, organized crime or other institutional sponsors, APTs operate more like military units than the traditional loosely organized confederation of hackers.
In fact, security researchers believe that many APTs are actually military cyberwarfare units operating out of technically advanced nations, including China, Russia and the United States. While APTs often target traditional military targets, such as government systems and businesses in the military-industrial complex, their quest for sensitive information may also extend to non-traditional targets, such as Internet Service Providers, e-mail systems and other non-governmental actors.
Security professionals in many industries may roll their eyes at the idea of an APT targeting their organization and, in some cases, they may be correct — but that doesn’t mean that sophisticated attackers aren’t a threat. In recent years, many hacking groups adopted some of the same techniques as APT attackers, conducting careful research before engaging in a highly targeted attack.
These attacks typically have financial motivations, seeking to compromise systems that allow them to transfer money into their own accounts. A common target of sophisticated attackers are the payroll sites operated by mid-sized businesses. They might spend hours or days developing a fake website that looks identical to the legitimate intranet of an organization and then send phishing emails to employees seeking to steal their passwords.
Once they gain access to an employee’s password, they then use that account to access the payroll system and modify the employee’s Direct Deposit information. These attacks often go unnoticed until the next payroll run when the employee doesn’t receive his or her paycheck and the attacker is long gone.
Ransomware attacks also continue to vex organizations of all sizes. These attacks use specialized malware to infect systems and then encrypt the data stored on their local hard drives and mounted file shares, rendering it inaccessible to legitimate users. The ransomware then displays a message demanding a Bitcoin payment to restore access.
These attacks are particularly dangerous in a healthcare setting, where the inability to access patient data may lead to medical errors with very adverse outcomes. A May 2016 study conducted by the Ponemon Institute identified ransomware as one of the top three cybersecurity threats facing healthcare organizations. An analysis conducted a month earlier by Healthcare IT News found that as many as 75 percent of U.S. hospitals suffered ransomware attacks within the past 12 months.
Defending enterprise systems against these emerging attacks requires a defense-in-depth approach to cybersecurity that uses multiple overlapping controls to protect information and systems. Simply put, there is no silver bullet to enterprise security. Organizations must stay abreast of threats and deploy a well-rounded set of security controls that evolves to meet changing industry standards.
Keeping Abreast of the Threat Landscape
Maintaining a strong working knowledge of the threat landscape can be a daunting task for technology professionals, who often find themselves balancing this need to remain educated against the demands and pressures of implementing new projects and maintaining existing security controls. Fortunately, there are several tools available to assist with this work and help organizations maintain a strong working knowledge of the cybersecurity threat landscape.
Just a few years ago, threat intelligence products found themselves relegated to the back corners of the security industry. That’s changed significantly over the past two years as the emergence of APTs caused threat intelligence solutions to quickly rise on the priority lists of security leaders who found room in their security budgets for some professional threat advice.
Threat intelligence vendors typically perform two important services for their clients. First, they develop cybersecurity research products that keep clients informed about changes in the threat landscape. Second, they develop feeds containing IP addresses and other signatures of malicious activity that security systems may consume in a real-time format.
For example, clients may configure firewalls and intrusion prevention systems to consume threat intelligence feeds and automatically block inbound traffic from newly malicious hosts.
While threat intelligence products may be too costly for some enterprises, that doesn’t mean that threat information is outside of their reach. It just might require a little more effort to obtain and consume. Many industries operate information sharing consortiums that provide a confidential forum for sharing information about threats.
These consortiums may be as simple as a mailing list for threat information, or they may produce their own industry-specific threat intelligence feeds. The National Council of Information Sharing and Analysis Centers serves as a coordinating body for these organizations and can direct technology leaders to the appropriate industry-specific group.
Cybersecurity threats continue to rise and organizations must continue to evolve their defenses to protect the confidentiality, integrity and availability of their information systems. Threat intelligence vendors and information sharing consortiums offer a valuable resource that can jumpstart these efforts by sharing critical information.