Express Computer

How APTs pose a major challenge for enterprise security and what you can do


As the technologies that drive corporate network expansion and data transfer develop rapidly, the cyber security landscape must transform itself to counter a new breed of online threats being identified in India as well as globally.

By Ambarish Deshpande

Today it is not just governments and large organisations that fall victim to cyber attacks, but also specific individuals within organisations. Attacks are swiftly becoming more targeted at the individual, and as they become more targeted they also become more personalised. Further, security today is no longer just about tackling a breach after it has happened; it is about preventing the attack or breach before it occurs.

More importantly, IT security for business is no longer the sole concern of CIOs and CTOs; it now sits with business leaders, including C-suite executives such as the CEO and the MD. They must take decisions on what IT infrastructure the organisation should have in place and which IT vendor best suits the company's requirements, among others.

Understanding APTs: The challenge

One of the biggest concerns confronting large and small enterprises alike is the Advanced Persistent Threat (APT). An APT is a network attack in which an unauthorised party gains access to a network and stays there undetected for a long period of time. Unlike the basic, mass-market threats that everyone should already be blocking, APTs use previously unknown tools and techniques, so signature-based defences such as firewalls, IPSs and secure web and e-mail gateways, which can only match what they have seen before, will not reliably detect them.

According to a recently released Verizon report, in 2013 92 percent of data breaches were perpetrated by outsiders, and 84 percent of attackers compromised their targets within seconds, minutes or hours; however, 78 percent of data-breach incidents took weeks, months or years to discover. The gap between compromise and discovery is the window in which the attacker operates, and it can leave an organisation exposed for years.

APTs have both the capability and the intent to persistently and effectively target a specific entity. Their motive is to steal confidential data and information, often by going through a specific person, for instance an employee of a large organisation such as a bank or a government body. APT attacks target organisations in sectors holding high-value information, such as national defence, aerospace, oil and gas, manufacturing, banking, financial services and insurance, among others.

In a simple attack the intruder tries to get in and out as quickly as possible to avoid detection by the network's Intrusion Detection System (IDS). In an APT attack the goal is not to get in and out, but to achieve ongoing access to sensitive data and information. The operators behind an APT first look for vulnerabilities in the target's systems, then evaluate the security controls protecting those systems and work out a plan to exploit the vulnerability without tripping those controls. This takes a great deal of time and research; preparing a single campaign can take months, if not years.
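Ongoing access of the kind described above has to be maintained somehow, and in practice that usually means implanted software calling home at regular intervals. That regularity is a behavioural signal that signature-based tools miss but that proxy or firewall logs already contain. The script below is an added example, not code from the original column or from Blue Coat: it parses a constructed, simplified proxy-log format (timestamp, source IP, destination host, bytes out, all invented for this illustration) and flags source/destination pairs whose connections are evenly spaced and uniformly sized, the classic shape of a beacon. The thresholds (`max_gap_cv`, `max_size_cv`, `min_events`) are assumptions to be tuned against your own traffic.

```python
"""Flag periodic outbound connections (beaconing) in proxy logs.

Added example; the log format and sample lines below are constructed
for illustration and are not a real product's output.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <src-ip> <dst-host> <bytes-out>".
# Host 10.1.2.33 calls updates.example.net every ~5 minutes with ~500 bytes
# (beacon-like); host 10.1.2.34 browses news.example.org irregularly.
SAMPLE_LOG = """\
2013-09-02T09:00:00 10.1.2.33 updates.example.net 512
2013-09-02T09:05:01 10.1.2.33 updates.example.net 498
2013-09-02T09:09:58 10.1.2.33 updates.example.net 520
2013-09-02T09:15:02 10.1.2.33 updates.example.net 505
2013-09-02T09:19:59 10.1.2.33 updates.example.net 511
2013-09-02T09:25:00 10.1.2.33 updates.example.net 503
2013-09-02T09:01:10 10.1.2.34 news.example.org 2048
2013-09-02T09:01:45 10.1.2.34 news.example.org 30114
2013-09-02T09:33:12 10.1.2.34 news.example.org 1500
2013-09-02T11:02:03 10.1.2.34 news.example.org 777
2013-09-02T11:02:04 10.1.2.34 news.example.org 9002
2013-09-02T11:40:20 10.1.2.34 news.example.org 640
"""


def parse_log(text):
    """Group log lines into {(src, dst): [(timestamp, bytes_out), ...]}, time-sorted."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    for events in flows.values():
        events.sort()  # tuples sort by timestamp first
    return flows


def beacon_stats(events):
    """Describe how regular a flow is.

    Returns the coefficient of variation (stdev / mean) of the inter-arrival
    gaps and of the request sizes; values near 0 mean "clockwork".  Returns
    None when there are too few events, or no time spread, to judge.
    """
    if len(events) < 2:
        return None
    times = [t for t, _ in events]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    sizes = [s for _, s in events]
    mean_gap, mean_size = mean(gaps), mean(sizes)
    if mean_gap <= 0 or mean_size <= 0:
        return None
    return {
        "count": len(events),
        "mean_gap_s": mean_gap,
        "gap_cv": pstdev(gaps) / mean_gap,
        "size_cv": pstdev(sizes) / mean_size,
    }


def find_beacons(text, max_gap_cv=0.1, max_size_cv=0.2, min_events=5):
    """Return the (src, dst) pairs that look like beacons, with their statistics.

    Thresholds are assumptions: real C2 adds jitter, so loosen max_gap_cv
    (and inspect the gap distribution) rather than trusting 0.1 blindly.
    """
    hits = []
    for (src, dst), events in parse_log(text).items():
        stats = beacon_stats(events)
        if stats is None or stats["count"] < min_events:
            continue
        if stats["gap_cv"] <= max_gap_cv and stats["size_cv"] <= max_size_cv:
            hits.append({"src": src, "dst": dst, **stats})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("beacon candidate: {src} -> {dst}: {count} connections, "
              "every {mean_gap_s:.0f}s (gap CV {gap_cv:.3f}, "
              "size CV {size_cv:.3f})".format(**hit))
```

On the constructed sample only the 10.1.2.33 flow is reported (five-minute cadence, gap CV under 0.01); the browsing flow has a gap CV around 1 and drops out. Legitimate software such as update checkers and monitoring agents also beacons, so treat a hit as a triage lead to be matched against known-good destinations and the host's process list, not as a verdict.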

APTs vs traditional defence system

Before trying to understand how to detect and counter an APT effectively, one must first fully understand one's own business.

Some of the fundamental questions to ask are: What are the entry and exit points of your business that could leave the organisation vulnerable to an attack from an unknown entity? Which areas of the business could come under attack? Asking these questions enables an organisation to prepare for such an attack and put the right IT infrastructure in place, so that an APT is stopped before it penetrates the system and retrieves confidential company data and information.

The main goal of an anti-APT operation should be to make it as difficult as possible for an adversary to steal the organisation's intellectual property. Security defences have traditionally been built from standalone products that each protect against known threats, but against today's increasingly sophisticated attackers these traditional solutions lack the potency to tackle highly advanced threats. What is needed is a way to get the silos of security products working together, sharing intelligence and analysis, so that they can adapt, scale and extend protection to unknown threats as well.

As a step forward, what is needed is a "lifecycle approach": a complete, multi-layered defence whose three core capabilities are ongoing operations, incident containment and incident resolution.

The lifecycle begins with the detection and blocking of all known threats, while unknown threats are moved to the incident containment stage. There they are analysed and mitigated, and closed-loop feedback automatically shares the resulting threat intelligence with the other security systems to inoculate the organisation against future attacks. Threat information is also shared in real time among millions of users in thousands of organisations via a global intelligence network, so the defence can learn, adapt and evolve to stay a step ahead of advanced threats.

Finally, at the incident resolution stage, breaches that do occur are investigated, analysed and quickly remediated, and the resulting intelligence is shared via the global intelligence network, which in turn helps convert unknown threats into known threats.

This lifecycle approach helps organisations prepare for advanced and unknown attacks so that they can limit the damage, resolve the issue quickly, learn from incidents and apply the new intelligence so that future attacks do not succeed.

Ambarish Deshpande is Managing Director, India and SAARC, Blue Coat.
