OSHEAN eCurrent - Page 10

3. EXPLORATION / EXPANSION OF THE ATTACK was buried in the millions of files on the server, Now that the attacker has successfully gained ered security is so critical, as is the audit of that control of a system in the target environment, security on a regular basis.” the infected system can be used as a conduit into the target network and as a deployment it would be very hard to find. This is why lay- Reducing the APT Risk thought were protecting you • Install a Security Information Event Management (SIEM) system to provide a However, the best defensive tactics require holistic view of the organization’s IT security. going beyond the implementation of common Having one single point for the collection, security solutions and necessitate developing review and notification of security alerts, as a thorough situational awareness and under- well as the audit information related to standing. mechanism for additional tools. An attempt is Organizations should already have a strong in- also often made to exploit vulnerabilities on formation security strategy in place. By ensur- “Ensure that your organization has and under- spot trends and see patterns that are out of other internal systems to gain further access ing that standard best practices are stringently stands ‘separation of duties.’ This is a difficult the ordinary. and move deeper into the target’s network to followed, some APT threats can be avoided. component for many organizations as it costs expand control. During this next phase of the These measures include: money and adds staff,” White stated. “The prob- attack: • The compromised system is used to gain • • access into the target network • Information is captured over an extended Additional tools may be deployed that help to click on attachments or links received from contacts that are unknown or suspicious) • fulfill the attack objective 4. DATA THEFT / EXTRACTION Once network access has been achieved, data Install comprehensive security on all devices – particularly as malware is a key component in successful APT attacks • Use a firewall to limit access to the network and monitor network traffic to stop malware such as passwords, files, databases, email ac- from communicating. This will not stop all counts and other potentially valuable data can be easily stolen and sent back to the attacker for analysis and further exploitations — or worse. • Even after data has been stolen, an attacker may decide to remain present on the target Implement an email and social networking usage policy (including training employees not period of time • Use strong passwords • network. This requires the attacker to cover regular basis. Organize internal security staff lem I have seen in many organizations is that that are specifically trained in the tasks of the IT function is also often the security func- monitoring the network, gathering intelligence tion – this leads to the problem of ‘who’s watch- and recognizing the signs of suspected APT ing the watchers.’ There must be separation — absolute power cannot be allowed to settle in IT. Even when organizations do this, they need to be careful. All too often we see the security officer for the network getting absorbed back Scan for security vulnerabilities on a very attacks. • Implement Data Leak Prevention/Data Loss Prevention (DLP) technologies designed to: • Use business rules to classify and protect confidential information so that into IT when things get tight, and suddenly the unauthorized users cannot accidentally network administrator is also the security of- or maliciously share data whose disclosure ficer and the reporting officer for the network.” could put the organization at risk attacks as many APTs know how to bypass this protection, but it will make it more difficult for separation is to not allow one individual to against a dynamic set of rules to prevent potential attackers become the single point of failure. I have dealt unauthorized data from leaving the Use spam filtering technologies (many attacks with several cases where a single individual had organization start from spam messages) all the root passwords, logins, etc. If this person Use anti-virus software. Half of nondiscovered vulnerabilities and older tools. maintain access for future initiatives. • White continued, “The other component of sophisticated attacks use previously their tracks in order to evade detection and sensitive data access, will make it easier to Furthermore, look for an anti-virus solution is compromised, they can access/destroy/reveal everything. It would be a lot easier and less expensive to just target personnel with traditional espionage approaches or extortion than to develop advanced worms, etc.” • • Scan outbound email and web traffic Increase traffic monitoring for malicious outbound activity such as requests to malicious websites, dynamic DNS servers and sensitive file transfers “Be aware, APTs can be insidious. I wouldn’t that includes a Host Intrusion Prevention expect it to happen quickly nor to be one di- System component that can spot exploits Specific methods your organization can take ing” is the only successful way to prevent APTs mensional,” added White. “If I was designing an before they trigger, as well as blocks the to further reduce the APT risk include: from happening. “You can patch, firewall, lock attack on an organization, the idea of a Trojan malware that those exploits might implant. • hidden in servers for a long time that suddenly springs to life is very appealing. If this Trojan 10 | CURRENT 2015-2016 • Dr. White adds that “advanced persistent train- Update/upgrade computers to newer, down, etc., until you have exhausted the budget Maintain a solid patch management process. supported versions. Older software is often — and the weak link can still be the person who Make sure that you aren’t missing updates you easier to exploit. brings in a flash drive found in the parking lot.” Stronger Together | 11