Advanced Persistent Threat: Taking It Down

Added 24th Jan 2012

Advanced Persistent Threat (APT): a three-letter acronym that security professionals love to hate, that vendors love to spout, and that has the qualities of a shape-shifting beast of myth. No one is certain what shape it might take, or even when an attack might begin.

Yet this much is certain: in the last year the defences of major corporations crumbled before it. RSA, Citibank, Google's Gmail and Sony were all victims in the APT war.

CSO magazine's Global Information Security Survey 2011 reveals that APTs will drive security spending this year in 64 percent of Indian organizations, a clear indication that the threat is getting bigger. At present, only 35 percent of organizations in India have a strategy to combat APTs, and 85 percent of those rely on traditional intrusion detection or intrusion prevention systems.

But these perimeter-focused systems aren't built to stand up to threats that arrive through emerging technologies such as mobile devices and social networks, or through strategies like BYOD that bring unmanaged devices inside the perimeter.

Organized Crime

Be warned: you aren't dealing with everyday thugs who hack for the heck of it. APT hackers are sophisticated and innovative, like Ethan Hunt in the Mission Impossible series.

“The entire approach to an attack has moved from infrastructure to intelligence, and that’s what makes the situation scary,” says Sunil Varkey, head-information security at Idea Cellular. The enemy now is a well organized, innovative, and highly skilled group of individuals.

It’s not the evil genius behind these advanced attacks, but its relentless nature that makes it a nightmare. “The masters of such attacks now work like an intelligence unit. Their objectives require them to be long-term, operate in stealth mode, and constantly change tactics,” says Satish Das, CSO and VP-ERM, Cognizant Technology Solutions. And that makes APT’s modus operandi unpredictable and hard to detect. 

Experts are beginning to see patterns in APT attacks. One telltale sign is a 1-2-3 approach, in which one breach is merely the stepping stone to the next. In 2011, for example, attackers first broke into RSA and stole information about its SecurID tokens, then used that information to attack Lockheed Martin, an RSA customer that relied on those tokens.

Though APT is like a knife constantly hanging over their heads, security, admits Sameer Ratolikar, CISO, Bank of India, is still an afterthought in most organizations. "Over the years, as new applications and systems were built, the primary concerns have always been performance and downtime—not security," he says.

But with social networks gaining official entry into enterprises, security can no longer be on the back burner, because APTs piggyback on social media's reach. Varkey dubs it the 'trust exploit' phenomenon. "Earlier hackers had to do vulnerability scanning on a particular server to figure out the weakest link. Now all they need to do is exploit the blind trust we exhibit on social networks."

Defense Mechanism

Like an eye-for-an-eye, Varkey believes that the only way to combat APT’s 1-2-3 attack approach is a 1-2-3 security strategy: 1 for people, 2 for processes and 3 for technology.

"A behavior-based detection model is useless in a social engineering scenario as attackers have the ability to copy a regular user's behavior," he says. Varkey emphasizes a risk assessment methodology based on a repository built from past experiences. "I also keep a check on my reverse traffic—if I know that I don't have business in a suspected geographical territory, I would be wary of any traffic which is directed from or toward that place."
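Varkey's reverse-traffic check can be automated. What follows is an added example, not code from the article or from any of the organizations quoted in it: it runs a country allowlist over constructed firewall log lines, in both directions, and aggregates the flagged flows per internal host so that a low-volume but persistent trickle to an unexpected country stands out. The log format, the prefix-to-country table (RFC 5737 documentation ranges standing in for a real GeoIP database) and the set of business countries are all assumptions.

```python
"""Flag connections to or from countries where the organization has no business.

Added illustration, not the article's own tooling. The log format, the
prefix-to-country table and the allowlist below are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumed prefix-to-country table. Documentation ranges (RFC 5737) stand in for
# real GeoIP data; a production check would query a GeoIP database instead.
GEO_TABLE = [
    (ipaddress.ip_network("10.0.0.0/8"), "INTERNAL"),
    (ipaddress.ip_network("198.51.100.0/24"), "IN"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "XX"),  # no business relationship
]

# Countries the organization actually does business with (assumed).
BUSINESS_COUNTRIES = {"IN", "US"}

# Constructed firewall log lines: "timestamp src dst dport bytes direction".
SAMPLE_LOG = [
    "2012-01-24T09:00:01 10.1.1.5 198.51.100.20 443 5120 out",
    "2012-01-24T09:00:05 10.1.1.5 203.0.113.8 443 2048 out",
    "2012-01-24T09:01:10 10.1.1.7 192.0.2.33 443 512 out",
    "2012-01-24T09:02:10 10.1.1.7 192.0.2.33 443 512 out",
    "2012-01-24T09:03:10 10.1.1.7 192.0.2.33 443 512 out",
    "2012-01-24T09:05:00 192.0.2.77 10.1.1.9 22 300 in",
    "2012-01-24T09:06:00 10.1.1.5 10.2.2.2 445 9000 out",
]


def geolocate(ip):
    """Map an address to a country code via the assumed table; unmatched -> 'UNKNOWN'."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "UNKNOWN"


def parse_line(line):
    """Split one constructed log line into a record."""
    ts, src, dst, dport, nbytes, direction = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "bytes": int(nbytes), "direction": direction}


def flag_unexpected_geo(lines, business_countries=BUSINESS_COUNTRIES):
    """Return one alert per flow whose external endpoint lies outside the allowlist.

    Both directions are checked: for outbound flows the destination is the
    external side, for inbound flows the source is. Addresses that cannot be
    geolocated are treated as unexpected rather than silently passed.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec["direction"] == "out":
            internal, external = rec["src"], rec["dst"]
        else:
            internal, external = rec["dst"], rec["src"]
        country = geolocate(external)
        if country == "INTERNAL":
            continue  # east-west traffic is out of scope for a geo check
        if country not in business_countries:
            alerts.append({"ts": rec["ts"], "host": internal, "peer": external,
                           "country": country, "bytes": rec["bytes"],
                           "direction": rec["direction"]})
    return alerts


def summarize_by_host(alerts):
    """Aggregate flagged flows per (internal host, country).

    A single 512-byte flow is easy to dismiss; three of them from one host to
    the same unexpected country, a minute apart, is what an analyst should
    see first.
    """
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for a in alerts:
        key = (a["host"], a["country"])
        summary[key]["flows"] += 1
        summary[key]["bytes"] += a["bytes"]
    return dict(summary)


if __name__ == "__main__":
    hits = flag_unexpected_geo(SAMPLE_LOG)
    for key, stats in sorted(summarize_by_host(hits).items()):
        print(f"{key[0]} <-> {key[1]}: {stats['flows']} flows, {stats['bytes']} bytes")
```

The check complements, rather than replaces, behaviour-based detection: an attacker can imitate a normal user's traffic pattern, but the geography of the far endpoint is a property of the attacker's infrastructure. In practice the allowlist would be derived from the organization's actual customer and partner geographies, and a maintained GeoIP source would replace the hand-built table.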

Das suggests that organizations should polish the monitoring of their mail servers. The mail server might sound like a negligible component, but this is where it all begins, from spear phishing to malicious links. Also, Das says, privileged accounts or profiles (such as those of your CXOs or system admins) need special attention, as they are hot targets: having admin rights opens up a window of possibilities for attackers.

But there’s only so much you can do. “The most important thing is to come to terms with the fact that you can’t keep out every single attack. The bad guys have gotten too fast for you to keep up with them,” says Bill Brenner, managing editor, CSO magazine (CIO’s sister publication). The key, therefore, is to determine where the acceptable risks are and plan accordingly. “Gunning after everything leads nowhere. As the attacks are getting more targeted so should the approach,” says Varkey.

But no strategy is fool-proof without the people factor. Of the three components of the 1-2-3 strategy, educating employees is the hardest. “The onus of guarding information should be a business imperative and the business users should take responsibility. Get the management to drive the change,” says Ratolikar.

New, Improved, and Dangerous 

It’s like playing a video game with multiple levels: Every level you advance, you are forced to tackle a new, more powerful, more dangerous enemy.

“There are almost no reference points for defending attacks on clouds and mobiles. It is easy for attackers to escalate to any level as they can use proxy to cover their identities,” says Das.

It's the classic catch-22: on the one hand you can't say no to emerging technologies like social media and the cloud that provide a competitive edge, and on the other, you can't leave a new door open for infiltrators. Nor can you deny access to your dealers or business partners, as that would adversely affect business.

How then should CIOs guard their organizations? Varkey says continuous monitoring and a DR plan are the only precautions one can take at this moment when it comes to social media and the cloud. Ratolikar believes that CIOs have—more or less—figured out how to handle mobility and BYOD. Solutions like access management, DLP, data classification and digital rights management have proved to be effective. However, CIOs still need to devise new methods to fight threats from emerging technologies. 

"When it comes to security, there can never be a day when I can say 'I am done'. Somehow it reminds me of watching Tom and Jerry," says Varkey.