The ABCs of APT

Advanced persistent threats are difficult to detect and nearly impossible to stop.

May 18, 2013

There has been a lot of news recently about advanced persistent threats (APTs) affecting many organizations, both public and private. They create serious problems for financial institutions in particular.

Most current articles on APTs, however, focus on the “what” and few talk in depth about the “how,” as in how they do what they do—and how to protect your credit union.

What are they?

An APT isn’t a single piece of malware or a single attack. It is a class of adversary and campaign: a well-funded, patient group that picks a specific organization, gets in, and stays in for as long as it can. There is no single developer behind them and no single source, and the tools vary from group to group and from target to target.

Their intrusions are extremely difficult to detect and, once established, hard to stop.

The malware involved isn’t always active. It can sit idle and unnoticed until its operators need it, and it can hide in applications, databases, browser plug-ins, and just about anywhere else on a system.

Signature-based intrusion detection and prevention systems typically miss these intrusions, which attackers use to reach sensitive systems, private data, credentials, intellectual property, and more.

APT attacks are difficult to detect and stop because the traditional methods of prevention simply don’t work against them. Those methods are signature-based: information security vendors take attacks they have already seen and create “fingerprints” of them, such as a file hash or a characteristic byte sequence.

Those fingerprints go into a database, and as traffic enters and exits your network, anything that matches a pattern raises an alert or is blocked.

The problem is that each APT campaign uses tools built or repacked for that target, and the attackers can change them on demand. Changing a single byte of a file defeats a hash-based fingerprint. So when the attack arrives there is usually no signature on file for it, and traditional information security technologies have nothing to match.

Therefore, we have to rely on behavior-based monitoring (which exists in many edge-based security systems such as next-generation firewalls and network sensors) for protection.

The problem, however, is that APT malware routinely encrypts its command-and-control traffic, often over the same port ordinary web browsing uses, so a device inspecting packet contents at the edge sees nothing it can recognize. What remains visible is the behavior around that traffic: who is talking to whom, how often, and when.

Credit unions and other financial institutions are among the most coveted targets because they store a lot of confidential consumer information that can be used for identity theft, and because they move money.

APT tools can capture credentials and other login information, granting access to systems or authorizing transactions such as automated clearinghouse (ACH) and wire transfers. They also steal intellectual property, and they can be used to systematically take an entire network offline.

Attackers take advantage of the traditional perimeter or edge-based security most companies use. An APT’s first foothold is usually installed from inside the network, through any number of methods that bypass the firewall and intrusion detection and prevention systems: an employee opening an e-mail attachment, visiting a malicious or compromised website, or installing downloaded software.

What can we do?

We’re not helpless. There are several things financial institutions can do to ensure as much protection as possible:

  1. Take a different approach to information security, one that doesn’t assume your edge security alone will protect you.
  2. Ensure that you have access to tools that create visibility well beyond your traditional scope, including inside the network.
  3. Ensure that your critical systems are managed and monitored by experts.

Doing these things won’t stop you from being targeted, but it will significantly decrease the odds that an attack succeeds and goes unnoticed.

We need to dispel the notion that the edge of our network is where the bad guys are stopped. Organizations need the right tools to protect their systems.

Anti-virus software is the first small step in the process. It catches the known, mass-market malware, so it’s important to ensure that it is installed and kept up-to-date with frequent updates, but it should not be expected to catch custom tools.

From a prevention standpoint, the best thing you can do is to keep your systems patched. Patching is extremely important because once a vulnerability has been fixed on a system, that vulnerability can no longer be exploited there.

But patching must be timely, which is difficult for many community financial institutions to keep up with. Often, attackers will take advantage of newly disclosed vulnerabilities before system administrators get the patches applied.

Financial institutions also need complete visibility into their network, going far beyond the traditional uptime monitoring of days long gone by.

Availability monitoring is just the first step. Performance monitoring, change-control monitoring, and security monitoring data (firewall, proxy, authentication, and system logs) should all be collected in one place and correlated to create a complete view of your network at all times.

Then, behavior not normally seen on your network can be more easily captured and brought to your attention: a workstation contacting an outside host it has never talked to before, connections at two in the morning, or small, regularly timed outbound connections that look like a beacon. These anomalies should be analyzed by information security, networking, and systems experts to determine if something bad is happening, such as an APT intrusion.

Many large financial institutions have the resources to have properly trained experts on staff, but small and medium-sized credit unions will almost always need to outsource this expertise.

Visibility is important because it allows you to create baselines, so you know what behavior is normal for each system and what isn’t.

Every system on your network can and should act as your “eyes and ears,” reporting unusual events. A single odd event is often just a user doing something new; two or three independent anomalies from the same host at the same time are what should trigger a response. Correlating events that way is how you determine when something is behaving strangely and react to it.

Once the monitoring identifies the abnormal behavior, the APT activity, it can more easily identify the source, the destination, and what is being done.
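The two approaches contrasted in this article can be shown side by side. The following is an added example, not code from the article or from Compushare: it hashes a constructed “known dropper” and a one-byte repacked variant to show the fingerprint missing the variant, then builds a per-host baseline of destinations from a learning window of constructed firewall log lines and flags new destinations, off-hours activity, and evenly spaced beaconing in a later window, escalating only hosts with two or more independent findings. The log format, host addresses (documentation ranges), thresholds, and the finding names are all assumptions made for the illustration.

```python
"""Signature matching vs. behaviour baselining, over constructed data."""
import hashlib
import re
import statistics
from collections import defaultdict
from datetime import datetime

# --- Signature ("fingerprint") matching ----------------------------------
# Constructed byte strings standing in for a known dropper and a repacked
# variant of it; these are not real malware.
KNOWN_DROPPER = b"MZ\x90\x00dropper build=v1 c2=badhost"
REPACKED_DROPPER = KNOWN_DROPPER.replace(b"v1", b"v2")  # one byte changed

SIGNATURE_DB = {hashlib.sha256(KNOWN_DROPPER).hexdigest(): "dropper-v1"}

def signature_match(blob: bytes):
    """Return the signature name for a known blob, or None if never seen."""
    return SIGNATURE_DB.get(hashlib.sha256(blob).hexdigest())

# --- Behaviour baselining over firewall log lines ------------------------
# Hypothetical log format: "<iso-timestamp> src=<ip> dst=<ip>:<port> bytes=<n>"
LOG_RE = re.compile(r"(\S+) src=(\S+) dst=(\S+):\d+ bytes=(\d+)")

def parse_line(line: str) -> dict:
    ts, src, dst, nbytes = LOG_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "bytes": int(nbytes)}

def build_baseline(lines):
    """Per source host: the set of destinations seen in the learning window."""
    baseline = defaultdict(set)
    for rec in map(parse_line, lines):
        baseline[rec["src"]].add(rec["dst"])
    return baseline

def detect(baseline, lines, beacon_min=4, jitter_max=0.1):
    """Return {src host: set of anomaly types} for the observed window."""
    findings = defaultdict(set)
    by_pair = defaultdict(list)          # (src, dst) -> connection timestamps
    for rec in map(parse_line, lines):
        if rec["dst"] not in baseline.get(rec["src"], set()):
            findings[rec["src"]].add("new-destination")
        if rec["ts"].hour < 6:           # assumed: nobody works before 06:00
            findings[rec["src"]].add("off-hours")
        by_pair[(rec["src"], rec["dst"])].append(rec["ts"])
    # Beaconing: enough connections to one host with nearly identical gaps.
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if (len(stamps) >= beacon_min
                and statistics.pstdev(gaps) <= jitter_max * statistics.mean(gaps)):
            findings[src].add("beaconing")
    return findings

def escalate(findings, min_types=2):
    """Correlate: only hosts with several independent anomaly types escalate."""
    return sorted(h for h, kinds in findings.items() if len(kinds) >= min_types)

# Constructed learning window: two workstations, business hours, known sites.
LEARNING = [
    "2013-05-06T09:01:00 src=10.1.4.22 dst=203.0.113.5:443 bytes=48211",
    "2013-05-06T09:05:30 src=10.1.4.22 dst=203.0.113.9:80 bytes=10433",
    "2013-05-06T10:12:00 src=10.1.4.23 dst=203.0.113.5:443 bytes=51200",
    "2013-05-07T09:03:10 src=10.1.4.22 dst=203.0.113.5:443 bytes=47000",
    "2013-05-07T11:40:00 src=10.1.4.23 dst=203.0.113.9:80 bytes=9000",
]

# Constructed observed window: .23 is unchanged, .24 merely visits a new site
# at lunch, .22 starts beaconing to an unknown host every ten minutes at night.
OBSERVED = [
    "2013-05-13T09:30:00 src=10.1.4.23 dst=203.0.113.5:443 bytes=50100",
    "2013-05-13T12:15:00 src=10.1.4.24 dst=203.0.113.40:443 bytes=30000",
    "2013-05-13T09:02:00 src=10.1.4.22 dst=203.0.113.5:443 bytes=48000",
    "2013-05-14T02:00:00 src=10.1.4.22 dst=198.51.100.7:443 bytes=612",
    "2013-05-14T02:10:00 src=10.1.4.22 dst=198.51.100.7:443 bytes=608",
    "2013-05-14T02:20:00 src=10.1.4.22 dst=198.51.100.7:443 bytes=615",
    "2013-05-14T02:30:00 src=10.1.4.22 dst=198.51.100.7:443 bytes=610",
    "2013-05-14T02:40:00 src=10.1.4.22 dst=198.51.100.7:443 bytes=611",
]

if __name__ == "__main__":
    print("known:", signature_match(KNOWN_DROPPER),
          "repacked:", signature_match(REPACKED_DROPPER))
    found = detect(build_baseline(LEARNING), OBSERVED)
    for host, kinds in sorted(found.items()):
        print(host, sorted(kinds))
    print("escalate:", escalate(found))
```

Note what each half shows. The repacked dropper differs from the known one by a single byte, so the hash lookup returns nothing; that is the “morph on demand” problem. On the log side, 10.1.4.24 is flagged once for a new destination and is not escalated, because one novelty is usually a person doing something new, while 10.1.4.22 accumulates three independent findings from the same host and is the one an analyst should look at first. The baseline here is just a set of destinations; a production system would also baseline volumes, ports, and time of day per host, and would learn over weeks rather than two days.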

Then the experts can stop the behavior quickly, before any major damage or theft occurs.

KEVIN PRINCE is chief technology officer for Compushare Inc., a CUNA Strategic Services alliance provider.