There’s hardly a day that goes by without reading about a data breach somewhere in the world. So I thought it would be timely to launch a new blog series about IT security threats. Let's look at an alarming trend, the development of advanced persistent threats (APTs), to kick the series off. I will explore what they are and how they operate. Along the way, I will provide simple advice to help you limit their impact on your enterprise.
In the old days, we mainly dealt with “fly-by” automated attacks. We all recall worms and Trojans and the other little beasts in the menagerie of malware. They were fairly simple at first, but malicious code's degree of sophistication and stealthy behavior has drastically increased as time has moved forward. There are a several reasons why this has happened. First, code naturally evolves as multiple individuals contribute to its evolution over time, growing in feature set or reliability. Even malicious code benefits from collaborative development, which is increasing the case. Second, the design goal has changed from doing immediate damage to remaining hidden and acting over time. Stealth and patience are the goals of advanced persistent threats.
They are advanced. Typically, there’s a sizable group of well-funded and equipped individuals. Most of us first think of China; however, the reality is that groups of bad actors can be and are anywhere. The U.K. is one of the leading nations, and there are also plenty in the United States. They are also given a set of targets or perhaps even a single target. They are persistent; these villainous groups owe their whole existence to penetrating the assigned target. Many times, there are handsome bonuses for success. If necessary, they will persist for months and even years, waiting for the right moment. And while they do not seek to do immediate damage, they are clearly a threat. Their goal is to penetrate and access sensitive information and establish command and control points within the network with devastating results. The recent military assaults on Ukraine are front and center for us all. But there is
You might say, “not in my network.” But research indicates the attacker in most breaches is resident in enterprise networks for an average of 256 days without being discovered. Furthermore, about 81 percent of those breached do not identify the attacks themselves. Instead, they are notified by third parties such as banks, credit card vendors, or law enforcement.
Now don’t get me wrong, we still have plenty of ‘amateur’ malware out there, and it’s growing exponentially every day. For example, there are 25 million new instances of malware that traditional antivirus solutions cannot block. Ransomware as a service such as ‘Conti’, which is coincidentally(?) based in Ukraine, is a great example. This makes it possible for literally anyone to become an attacker just by paying for the service. However, the added venom to the mix is that now there are well-equipped teams using malware in a tightly orchestrated fashion. Seventy percent of known breaches involved the use of malware, but the attacks are well-thought-out and often coordinated. This is the foundation of advanced persistent threats (APTs). The rules have changed, so we had better up our game. In my next blog, we’ll take a closer look at typical methods of APT operations and the concepts of kill chains and attack trees, and how they find their way into your enterprise. I will also introduce you to methods and tools that you can use to get further details and ‘enumerate’ your enemy.
You’re likely wondering what you can do to protect yourself. The NSA and NIST recommend implementing highly granular microsegments with zero trust security practices. This helps prevent lateral movement, which is critical to the attackers’ ability to escalate privilege into the environment. Both organizations also recommend creating stealth or dark networks that yield little or no information to scans and probes. Finally, these secure microsegments should ideally be “ships that pass the night,” with no or at least very constricted communications capability to other segments.
Extreme Networks embraces the philosophy of the Infinite Enterprise. Micro-segmentation provides highly granular partitioning, and stealth networking provides for the dark networking environment. Finally, elasticity provides strong perimeter protection, allowing access to users and devices only once they have been vetted, established as trusted and authenticated, thus implementing a zero-trust practice. We’ll go much deeper on this in further blog installments of in this series about advanced persistent threats.