Gartner last month released its “Five styles of Advanced Threat Defense” framework which attempts to update a layered defence model for enterprises to be able to protect against APTs (Advanced Persistent Threats) or ATAs (Advanced Targeted Attacks because, it says, “traditional defence tools are failing to protect enterprises from advanced targeted attacks and the broader problem of advanced malware. In 2013, enterprises will spend more than $13 billion on firewalls, intrusion prevention systems (IPSs), endpoint protection platforms and secure web gateways. Yet, advanced targeted attacks (ATAs) and advanced malware continue to plague enterprises.”
Commenting on this, TK Keanini CTO of network visibility and security intelligence company Lancope, said: “Good bank robbers are skilled at breaking in to banks, great bank robbers are skilled at making it out undetected. The key issue here is advanced persistence and the cost-effective detection of such a threat. This threat is highly skilled at going undetected and a well implemented defense is one where they have nowhere to hide. Essentially, you have to make this hiding expensive to them. Once detected, they have to go back and retool, they have to switch from automated to manual; all of these steps raise their cost of doing business and that is a good thing. ”
TK’s colleague and director of security research for Lancope, Tom Cross, added: ” Sophisticated attackers are able to evade many traditional defences. They are able to obfuscate malware so that it is not detected by anti-virus and they target 0-day vulnerabilities for which there is no patch and no IDS signature. Defending a network against these attackers requires having a holistic view of all of the attackers behaviour, before, during, and post compromise, and it involves being able to find things when you’re not exactly sure what you are looking for. Strategies based on white-listing known good activity and looking for behavioural anomalies are going to be more effective than strategies that focus on blacklisting known bad behaviours. In addition, enterprises need to go beyond monitoring their perimeter for attacks coming into their network and develop visibility inside their networks that allows them to hunt for compromises in progress. They also need audit trails that enable them to rewind the clock once they’ve discovered evidence of an attack and develop a complete picture of how it unfolded.”
Gartner says by combining the styles diagonally through its framework, enterprises can create the most effective APT defense technology strategy.
Conrad Constantine, research team engineer for security information and event management firm AlienVault suggests that we also need to look beyond technology and look internally to get a more holistic approach:
“My “Power 3” for making life difficult for the bad guys is completely technology-agnostic:
#1 Employ System administrators who actually reads their system’s log files!
You can hire 100 security analysts to look over your centralised log storage of every system in your infrastructure – but they will never know those systems as well as the person who administrates them on a day to day basis. The diligent sys-admin who reads the logs and can come to the security team and easily point to events, saying “This shouldn’t happen normally” can be the most powerful detection control you have.
#2 Compartmentalise and Define your Administrative Activities.
Defining what is and what is not normal within the complexities of modern computing systems can be like emptying the ocean with a cup. Instead, define what is normal for /your business procedures/ and alert on anything divergent from that. If you know that all remote desktop sessions using administrative credentials must originate from a trusted admin-only terminal server, locating the potentially malicious sessions becomes a simple process of elimination.
#3 Don’t leave instructions for an intruder!
As any professional pen-tester will tell you, the best source of information about what to attack next (and how to attack it) are often provided to them by system administrators leaving notes for themselves in ‘temporary’ documents on systems – lists of system information, plain text credentials, notes about the account they’ve just reset to a default password ‘temporarily’, while they debug a problem. An administrator’s home directory on a system is often the very first place an attacker will examine once they have control of a system – and that goes for metadata documents as well – an administrator’s command line history is an open book about the layout of the system and the other systems they work on.
