Rise In Advanced Persistent Threats Calls For Tighter Security Focus

While RSA Security, a division of EMC Corporation, is remaining silent about exactly what attackers got away with last month, the provider of its SecurID authentication devices has released details about the nature of the breach.

RSA last month disclosed that its two-factor SecureID tokens had suffered a sophisticated cyber-attack that extracted information about the authentication devices. In RSA's official blog, the company detailed how targeted spear-phishing e-mails successfully lured one employee to open an Excel file tainted with an Adobe Flash zero-day flaw that was used to plant a backdoor.

Once on the infected system of the employee, the attackers then weaved their way through the inner RSA Security network until they were able to find what they sought: information about its SecurID authenticators.

That's all it takes to successfully violate one of the world's leading information security vendors.

The incident is reminiscent of a number of recent attacks, widely known as Advanced Persistent Threats (APTs), against Google early last year, and operations launched against a number of unnamed energy companies in McAfee's report Global Energy Cyberattacks: Night Dragon.

What does all this mean for the future of information security, and how can solution providers help customers better secure their systems from attack? Security specialists say it underscores the challenges ahead to protect confidential and proprietary information, and that it calls for not necessarily new approaches to security, but for enterprises to be smarter and more effective at what they currently should be doing.

"We work with some companies that have the best security controls in place, and they spend a significant amount of money on security, and yet they are targeted and their security defenses are regularly breached," says Robbie Higgins, VP of security services at Framingham, MA-based solutions provider GlassHouse Technologies, Inc. "These new attacks mean that more organizations need help tightening their existing security and risk management programs, and they need to fill any gaps they may have in place," Higgins says.

NEXT: Advanced Persistent Threats: New Threat Or Just New Name?

While the APT acronym has taken root, and many contend that it is a new breed of attacker, others assert that the APT is just a new label for what has existed for decades now: a skilled and determined attacker.

"When people say APT, what do they mean? Is it some type of malware? Is it an attack technique? Does it have to be an attack from a nation state? Is it always over the Internet? Everyone uses the term so differently that it doesn't have much meaning," argues Bryan Sartin, director of investigative response for New York, NY-based Verizon Business Security Solutions.

While debate remains over the term APT, this is certain: attacks have increased in intensity and have shifted to target intellectual property more often. And attackers will use whatever means – however unconventional at times – to breach organizations' defenses. Specifically, most experts agree that APT attacks are those that target a specific person or organization for particular information. The tactics used vary, but often will include spear-phishing, social engineering, zero-day exploits on end point applications, the depositing of backdoors, and stealing credentials on the inside of the network to escalate access levels.

Joe Stewart, director of malware research for Atlanta, GA-based Dell SecureWorks’ Counter Threat Unit describes the common attack pattern – a pattern that closely resembles what happened to RSA Security. ’The familiar attack technique is to use a common file of some sort, armed with a zero-day exploit. The attacker e-mails a subset of targets in that company, and the message is tailored specifically for the target. Once it’s opened, the attackers then have a way to probe the network further,’ explains Stewart. ’With that foothold, they will then reach out over time and spread themselves far and wide through network probing databases, applications, vulnerable web servers, anything they think they can push themselves into.’

That leaves the question: how can solution providers help their customers prepare for such attacks? To succeed at building viable defenses, experts agree, means more than customers investing in traditional anti-malware, firewalls, intrusion detection/prevention systems, and vulnerability management – it requires real-life security assessments and making sure all of their defenses are in place and working.

Prepare For The Reality Of The Threat

It's not simply about buying and installing strings of siloed technology, solution providers say. "How much money somebody spends on security actually has very little to do with how good their security is. I've seen some companies that have older technology and not as advanced technology in place, but they've got very robust policies and procedures in place and they manage their environment on a continual basis – and they do far better than others who have managed to stay up with the latest security capabilities, but when you look at the operation they have running, it's kind of almost ad hoc," says Higgins.

"The point that I always make is that companies have tunnel vision when it comes to security," explains Moyer. "They think about securing their e-mail, their end points, their network. But they miss the bigger picture. The security posture in aggregation, and how one system becomes a pivot point to another system, and that eventually becomes a path you can use to take over an entire network."

Transforming their ad hoc security efforts into a cohesive, ongoing risk management program is an area where many companies are in need of significant help. "Companies can't tell you where their critical information resides," says Rafal Los, security evangelist at Palo Alto, CA-based HP Software. "They need help identifying and classifying their critical information," Los explains, so companies can better limit and protect the number of systems where such information resides. "Security is never done," says Los, "and they need help putting in place the policies and procedures needed to remain secure, such as securing applications, vulnerability management, and employee awareness training."

The need to take such a systematic approach to security is one of the reasons why Security Information and Event Management (SIEM) systems sales, a market segment that has floundered for a decade, is finally set to take off, some analysts say. Market research firm Frost & Sullivan expects SIEM to grow from $678.1 million in 2009 to $1.3 billion in 2015. "The goal is to be able to better correlate events across the various defensive stovepipes so that you can find the needle in the haystack," says Pete Lindstrom, research director at market research firm Spire Security.

Preparing For Failure

Despite its best efforts, if an organization is targeted by a skilled and determined hacker, there's little guarantee every attack will be stopped. This is another area where solution providers can lend their expertise: establishing an incident response plan. "The reality is that most companies don't have adequate incident response plans in place," says David Mortman, contributing analyst at the security analyst firm Securosis. "When a breach does occur, the way many companies respond makes the incident quickly go from bad to worse," Mortman says.

That leaves the last layer of defense a strong incident response plan: the ability to quickly determine the nature of the breach, mitigate its impact, and notify any necessary stakeholders, if needed, such as partners and customers. "Breach responses go right when the business is prepared; they have the right people and processes in place. People aren't running around wondering what are they are going to do next," says Brian Honan, founder and owner of Dublin, Ireland-based BH Consulting and head of Ireland's first CERT (Computer Emergency Response) team. That includes helping to align IT and security teams with business managers so that all parties can act cohesively.

Finally, advises Mortman, don’t just put a plan on paper to be forgotten until needed. Instead, test the plan by contriving a hypothetical incident and make sure participants react the way they should. The test needs to be realistic. "Make it so that one or more of the stakeholders are sick, or the CISO is unable to be reached, and determine how the team responds," Mortman advises.

While none of this advice is new, it spotlights the challenge that solution providers face when helping enterprises better defend themselves against the APT and other attacks: it's about doing security smarter. "The thing about the APT is that companies shouldn’t be doing anything new, except for one thing," says Lindstrom. ’They have to try to be better at what they should have been doing to begin with.’