APT and Risks to Internal IT Operations
Cyber crime has become an international threat to networks across the globe. Every minute, hundreds of thousands of systems are hit with some form of cyber-attack: malicious malware, armoured viruses or the well-known denial of service (DoS) attack. Despite huge investment in security in both the private and public sectors, cyber-security remains the main threat for every organisation, affecting secret agencies, military organisations and even state-held secret documents, which are stolen by means of a concept known as APT. An Advanced Persistent Threat refers to a methodology, or an organised group of hackers, that is state funded and sometimes hired by organisations to damage a competitor's brand. Before you even realise it, they are already inside your organisation's network. An APT infiltration is based on a campaign against a competitor, whether it is a chain of high street superstores or an organisation that provides communications technology services, such as the telecommunications industry. In most cases the elements of an APT and their presence go undetected for weeks, and in some cases for months.
Since APTs are well-funded and organised attacks, the attack is focused on damaging the image of an organisation. The "persistent" side of APT means that the attack will not stop until the desired results are achieved. The attack is often followed by a denial of service (DoS) attack, which alerts the organisation that a breach has occurred, but by then it is often too late to react. The attacker often uses this as a last resort to bring the network or networks down, while taking advantage of a "backdoor trojan" to destroy any evidence and gather the remaining information at the same time.
Implementing active APT detection requires intensive collection and analysis of data, in both quality and quantity. This is where cyber-security experts are needed to analyse the data: without adequate knowledge of threats and their behaviour, the data is of no use to network administrators, who are mainly looking for signature- or anomaly-based traffic. Sadly, even the traffic management tools still collect information using obsolete (unencrypted) protocols, which poses another threat to an organisation's monitoring process. As a result, the whole threat monitoring system fails to detect threats when infiltrators read and alter the collected data.
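The last point above, that infiltrators can alter the collected monitoring data, is something a collector can at least detect if each exported record carries an authentication tag. The following is an added example, not code from the original article or from any monitoring product: it uses an HMAC-SHA256 tag over each telemetry record and rejects records whose tag no longer matches. The record layout, the shared key and the sample records are all constructed for illustration; the key is assumed to be provisioned out of band to the collector and each monitored device.

```python
import hmac
import hashlib
import json

# Constructed shared secret for the example only (assumption: in practice it is
# provisioned out of band to the collector and to each monitored device).
COLLECTOR_KEY = b"example-shared-secret-do-not-reuse"


def canonical(record):
    """Serialise a record deterministically so sender and collector hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record, key=COLLECTOR_KEY):
    """Return a copy of the record with an HMAC-SHA256 tag over its body appended."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_record(record, key=COLLECTOR_KEY):
    """True only if the tag matches the record body; uses a constant-time compare."""
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("tag", ""))


# Constructed telemetry records of the kind a traffic monitor might export.
SAMPLE_RECORDS = [
    {"ts": "2024-01-01T10:00:00Z", "host": "fileserver-01", "out_bytes": 12_340},
    {"ts": "2024-01-01T10:05:00Z", "host": "fileserver-01", "out_bytes": 9_870_000},
]


def demo():
    """Sign the sample records, alter one in transit, and report which still verify."""
    signed = [sign_record(r) for r in SAMPLE_RECORDS]
    # Simulate an in-path intruder rewriting a large byte count so the record looks routine.
    tampered = dict(signed[1])
    tampered["out_bytes"] = 12_000
    return [verify_record(signed[0]), verify_record(signed[1]), verify_record(tampered)]


if __name__ == "__main__":
    print(demo())  # expected: [True, True, False]
```

This gives integrity, not confidentiality: an intruder on an unencrypted management network can still read the records, so the tag complements, rather than replaces, moving the collection protocol onto an encrypted transport.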
As APT threats are on the rise, both internal and external IT operations and management teams need to adopt a proactive approach to combat them. APT threat mitigation techniques do not require a dedicated team or experts. In fact, with security training and education, IT staff who are often based in network management and monitoring roles can detect an intrusion once they are pointed in the right direction. It should be further noted that APT is detectable on all sorts of platforms, often with the help of fully hardened networking and security appliances. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) play an important role in threat detection. However, since most organisations still use signature-based intrusion detection as the policy for these appliances, an anomaly-based setup is required to detect unusual traffic and stop infiltrators right at the point of entry. Of course, the nature of these attacks is often unknown, and a blocked stream of attacks cannot be labelled as APT unless further investigation is carried out.
To recapitulate, a lack of visible symptoms does not imply that no security loophole exists or that sensitive data is always secure. Therefore, for IT operations and management teams, planning, designing, implementing and refining detection solutions are just as important and mandatory as the deployment, upgrades and audits of security appliances such as firewalls, IDS and IPS solutions. These appliances must be configured so that both internal and external traffic is monitored, because APT traffic looks genuine and therefore often leaves the network undetected, carrying valuable information. Regular active penetration testing on the external side of the network, such as the demilitarised zone (DMZ), can deter infiltrators, as "active testing" mostly proves to be a great strategy for identifying security loopholes.
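The two points made above, that signature-based appliances need an anomaly-based complement and that both internal and external traffic must be baselined because APT traffic looks genuine, can be shown on flow records. The following is an added example written for this page, not code from the original article or from any IDS product: it learns a per-host, per-direction volume baseline from a week of constructed flow summaries, then flags an interval whose volume departs from it. The address plan, the flow tuples and the threshold constants are all constructed assumptions; a real deployment would read NetFlow/IPFIX or firewall logs instead of the inline list.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed address plan for the example: these ranges count as "inside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def direction(src, dst):
    """Classify a flow so internal-to-internal and internal-to-external traffic
    each get their own baseline, i.e. both sides of the network are monitored."""
    if is_internal(src) and not is_internal(dst):
        return "egress"
    if is_internal(src) and is_internal(dst):
        return "internal"
    return "ingress"


def totals_per_interval(flows):
    """Sum bytes per (interval, host, direction) over flow tuples of the form
    (interval, src, dst, dst_port, bytes)."""
    sums = defaultdict(int)
    for interval, src, dst, _port, nbytes in flows:
        sums[(interval, src, direction(src, dst))] += nbytes
    return sums


def build_baseline(history, min_scale=0.10):
    """Median and MAD of per-interval volume for every (host, direction).
    Median/MAD rather than mean/stddev, so a few extreme intervals in the
    training window cannot inflate the threshold and mask a later spike."""
    series = defaultdict(list)
    for (_interval, host, dirn), total in totals_per_interval(history).items():
        series[(host, dirn)].append(total)
    baseline = {}
    for key, values in series.items():
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        # Floor the spread so a perfectly flat history (MAD = 0) does not alert on noise.
        baseline[key] = (med, max(mad, min_scale * med))
    return baseline


def detect(history, current, k=5.0):
    """Return one alert per (host, direction) whose current-interval volume
    exceeds median + k * spread learned from history. A host/direction never
    seen in history has a baseline of zero and is therefore always reported."""
    baseline = build_baseline(history)
    alerts = []
    for (_interval, host, dirn), total in sorted(totals_per_interval(current).items()):
        med, scale = baseline.get((host, dirn), (0, 0))
        threshold = med + k * scale
        if total > threshold:
            alerts.append({"host": host, "direction": dirn,
                           "observed": total, "threshold": threshold})
    return alerts


# Constructed flow records: seven daily intervals of routine traffic for two hosts.
# The file server (10.0.1.20) pushes a large nightly backup to an internal host,
# which is big but normal, and both hosts talk to an external service over 443.
HISTORY = []
for day in range(7):
    HISTORY.append((day, "10.0.1.20", "203.0.113.10", 443, 40_000 + day * 500))
    HISTORY.append((day, "10.0.1.20", "10.0.2.5", 445, 5_000_000))
    HISTORY.append((day, "10.0.1.31", "203.0.113.10", 443, 30_000 + day * 300))

# Constructed current interval: one flow looks "genuine" (HTTPS, allowed port)
# but moves roughly 55x the host's usual egress volume to a new external host.
CURRENT = [
    (7, "10.0.1.20", "203.0.113.10", 443, 41_000),
    (7, "10.0.1.20", "10.0.2.5", 445, 5_100_000),
    (7, "10.0.1.20", "198.51.100.7", 443, 2_300_000),
    (7, "10.0.1.31", "203.0.113.10", 443, 31_000),
]


if __name__ == "__main__":
    for alert in detect(HISTORY, CURRENT):
        print(alert)
```

A signature-based rule keyed on destination port or payload pattern would pass the third flow, since it uses an allowed port and carries no known signature; the volume baseline is what surfaces it. As the article notes, such an alert is only a lead: confirming whether it is part of an APT campaign still needs investigation of the host and the destination.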