Download Rapid Response to the Advanced Persistent Threat (APT)

Whitepaper
Rapid Response to the Advanced
Persistent Threat (APT)
Introduction
Your organisation is exposed to cyber security threats every moment of every day. Broadly, these threats can be classified in the
following ways; they can originate from insiders in an organisation, where employees maliciously or accidentally breach data;
external hackers trying to break into your network; malware
authors writing malicious code used for viruses; or from nation
states and criminal gangs attempting to break into your IT systems in order to steal your critical data for strategic or financial
advantage.
Nation states and criminal gangs with substantial resources utilise an advanced
attack methodology known as Advanced Persistent Threat (APT). This methodology allows them to gain a foothold in, and steal data from, your network without
restriction or detection. APT is adaptive, and provides attackers with a wide range of
different technical, and social, means to reach their objectives.
For example, members of the Elderwood gang, the hackers behind the Aurora attacks that compromised Google, amongst other blue chip and government organisations, have used eight “zero-day” (or previously unknown) vulnerabilities during
the last three years. Flame, another complex targeted cyber-attack, evaded detection for some five years while collecting private from a number of nation states
because the malware continued to evolve to evade detection. Perhaps the most
famous APT, Stuxnet (see below), involved a crafted piece of malicious software to
physically affect an organisation.
Due to the stealth with which these attacks are planned and committed, often over
a number of months or years, the scale of the problem is still not completely understood. Indeed Mandiant, a cyber-security company, reports that only 37% of the
APT’s it investigated on behalf of its customers in 2012 had been identified internally within the organisation, suggesting wide scale weakness in how organisations
are protecting against this form of breach.
The data on your network is essential to your business, whether it be Intellectual
Property (IP) for a next generation product design, or sensitive commercial information. According to the Verizon Report, in 2012, the majority of thefts were due
to criminal gangs (55%) or state-affiliated groups (21%) targeting valuable data for
financial gain, or competitive advantage.
What is clear is that large, well-funded organisations, whether criminal gangs, hacktivists or nation states, are using APT to exploit weaknesses in specific targets and
over a period of time accessing and stealing the most valuable and sensitive information they hold. The key to rooting out and neutralising APT is in a rapid response,
which can only be provided by tools that can provide the correct type of information
in a timely manner. As a result, Gartner predicts that by 2020 75% of an organisation’s security budget will be spent on rapid detection and response.
This whitepaper identifies the key components of an APT, why they are successful
and how Zonefox can augment traditional security controls to provide significantly
enhanced protection against the APT threat.
ZoneFox provides a completely new perspective on tracking activity. ZoneFox is a
patent-pending software solution that simplifies the implementation of proactive
processes and policies to mitigate the APT Threat, meanwhile revealing and reporting on previously hidden behaviours that provide security teams with the information they require to quickly respond to anomalous behaviour. Traditional security
control approaches have focused on protecting at the network or application level,
resulting in minimal effectiveness against the targeted use of APT, particularly once
the APT has breached the network and is ‘live’ within an organisation’s cyber-space.
ZoneFox monitors, with virtually no performance impact, all activity and interaction with an organisation’s data and provides alerts, with clear reports, in real-time
against pre-defined policies or behaviours for any anomalous action or breach that
has occurred, informing about an active APT as soon as an attempt is made to compromise sensitive data. ZoneFox provides the IT team, as well as key business and
owners with advanced, analytics to help them root out potential APT, and prove that
critical information is safe.
Understanding the APT
To first understand how an organisation can defend itself from an APT, we need to
be clear on the definition of such an attack and the behaviours inherent within them.
What distinguishes an APT from other threats is that it is targeted, persistent, evasive and advanced:
Targeted
Stuxnet itself was developed specifically to circumvent Iran’s security and disrupt
the country’s nuclear development programme. It was developed by another nation
state (or states) with this specific purpose and target. This is true of all APT’s, where,
rather than the traditional approach of simply exploiting the weakest defences in
a broad campaign aimed at multiple organisations, the APT developer is looking
to penetrate a specific set of security defences within a specific organisation and
therefore can tailor and fine tune their attack.
Persistent
Given the nature of the targeted approach and the strategic importance of a successful exploit, the APT developer will continue to develop their code or attack
methodology in order to ensure success, often over months or even years. Initial
attempts may not be successful but with each failure comes more knowledge and
experience on which to further develop the exploit. It is this persistence that results
in APT’s being such a core threat to your business.
RAPID RESPONSE TO THE ADVANCED PERSISTENT THREAT (APT)
3
Evasive
Attackers will avoid detection for significant periods of time once they have successfully penetrated an organisation’s network or system. Often this will result in
spike in malware activity, followed by a prolonged quiet period, with the harvesting
of information and data only being initiated once the network and systems are understood. Identities are often cloned or impersonated, trusted user accounts compromised, and key data exposed. Mandiant discovered that the average attacker
had been present on the organisation’s network for 243 days before being detected.
Advanced
APT attacks are initiated by highly motivated and well-resourced attackers who
can afford to invest the time and money required to ensure success. This results
in continual advancement of the technology and threat, to circumvent and render
useless the evolving security controls being deployed.
Most organisation are
Requires major investment and change
trying to make this shift
Relative Effectiveness
DATA CONTROLS
ENDPOINT & APPLICATION CONTROLS
NETWORK CONTROLS
Time
It is this combination of the 4 factors that makes APT attacks so effective, ensuring
success against a specific target through long term development of an attack that
is tailored over a long period of time to overcome the security controls that are
discovered during the process.
The solution therefore is not to replace the security processes in place already, but
to augment them by applying monitoring and protection to the assets that the organisation is trying to protect – the core data itself.
RAPID RESPONSE TO THE ADVANCED PERSISTENT THREAT (APT)
4
Data Security approach
While perimeter defences remain essential, they can no longer operate in isolation.
For example, in many cases, APT developers use previously unknown software
vulnerabilities (known as zero-day exploits). These have no antivirus signatures
available to provide detection, and the attacker can infiltrate a network with no indication from an anti-virus product. In other circumstances, poorly configured security
controls are exploited to allow an attacker a foothold they can use to gain further
access.
This weakness in the traditional network based approach was articulated by Gartner in 2011, who forecast an evolution to data centric security, not simply due to the
evolving APT threat, but evidencing the overloading of the network with complex
protocols, encryption, and a high volume of data.
Although products exist that consume and correlate security events from traditional controls and monitoring systems, these data types represent information only
about systems, and not critical data.
Unlike these existing systems, ZoneFox monitors critical data, and not the computer
systems. By doing so, there is no need for complex correlation techniques or the
need to painstakingly piece together pieces of evidence. Therefore, ZoneFox provides a rapid insight into the behaviours that are indicative of an APT.
ZoneFox as the Solution; Visibility of critical
assets is the key
ZoneFox protects organisations key data assets from security breaches by monitoring all data interactions with low performance impact, providing immediate alerts
and full user activity monitoring with advanced analytics and reporting functionality
to highlight trends and anomalies. It protects reputation as well as critical business
data, significantly reducing the cost and impact of any breach.
Through the deployment of ZoneFox, activity that has previously been hidden from
security teams and that breaches company policy or expected behaviour on the
access or manipulation of data can be detected, flagged and investigated in real
time, providing the organisation with protection of all sensitive data, identifying
malicious behaviour before damage can be done, protecting against the APT at the
most important level – access to key data. ZoneFox also provides the forensic information needed for any subsequent action by law enforcement agencies or litigation
process.
RAPID RESPONSE TO THE ADVANCED PERSISTENT THREAT (APT)
5
How ZoneFox Protects
Through its constant monitoring capability, ZoneFox provides a unique perspective
on user activity tracking. This lightweight software agent, resident on each machine
under surveillance, monitors user behaviour as a series of fine-grained events in
real-time. This provides timely detection of data breaches, informing and facilitating
a relevant response.
Rapid Deployment for instant protection
A lightweight agent securely streams continuous sequences of activity
from the monitored end point
Flexibility of web-based UI
A centralised server-component analyses all activity using advanced,
patent-pending, foxDNA™ activity fingerprinting technology. Highly scalable, implementation of this solution as a stand-alone solution or easily
integrated with the leading commercial off-the-shelf security products,
allows it to form part of a comprehensive security posture.
Full forensic record of user behaviour
Activity analysis, measured against an organisation’s defined security
policy, provides alerts to immediate breaches, enabling a swift response.
Security Assurance through Real-time alerting
ZoneFox can be utilised across multiple device types, including mobile
devices, with alerting, reporting, investigative and management activities
achieved through a web-based GUI.
Flexibility of web-based UI
All activity is recorded and auditable for future forensic requirements.
RAPID RESPONSE TO THE ADVANCED PERSISTENT THREAT (APT)
6
ZoneFox takes a radically different approach to the software-agent model. The
agent installed on each system performs no analysis or preventative actions on the
endpoint but instead simply gathers and sends data for alerting or investigation.
This ‘dumb agent’ approach has significant advantages as it; presents a smaller
attack surface to sophisticated attackers; reduces performance drain on the endpoint; and each agent can be configured to send its data to a cloud based service. By
analysing all data centrally, ZoneFox can harness powerful data analytics to give you
an insight into your data. ZoneFox supplies reporting capabilities on all events, not
just those triggered by a breach in an organisation’s policies or standard practices,
which means that it is able to report on anomalous behaviour that may be indicative
of an attacker.
In addressing the Advance Persistent Threat, the Zonefox approach provides an
additional dimension by monitoring the key asset of data not the computer or
network. Any attack that has successfully breached perimeter security controls,
will at some point attempt to access the target data, whether this is immediately
or a period of time after the initial breach has occurred. By performing lightweight
recording of all interaction with the data and measuring this against expected policy
or behaviour, ZoneFox immediately provides a deeper level of visibility and therefore
security than traditional controls can offer, allowing any attempted data access to
be alerted and effective response to be initiated. This negates the continued evolution of the APT approach and protects organisations from the loss of key data
assets, loss of business and the reputational impact that comes with exposure to a
successful APT attack.
RAPID RESPONSE TO THE ADVANCED PERSISTENT THREAT (APT)
7
About ZoneFox
ZoneFox is a highly innovative Endpoint Monitoring & Threat Detection solution
that helps our customers protect their business-critical assets: data and intellectual
property (IP) from malicious and accidental insider threats. ZoneFox has a proven
track record of protecting reputation, sales revenue, and competitive advantage by
providing next generation data monitoring, security analytics and endpoint security.
Through its continuous monitoring capability, ZoneFox provides a unique perspective on user activity tracking. Our lightweight software agent, resident on each machine under surveillance, monitors user behaviour as a series of fine-grained events
in real-time. This provides timely threat detection of data breaches, informing and
facilitating a relevant response and enabling:
• Policy compliance monitoring
• Monitoring the effectiveness of security controls
• Protective monitoring of user risk
• Data and IP Protection