Page 26 - CDM Cyber Warnings February 2014
Advanced Persistent Threats or APTs are nothing new. They are insidious next generation malware that infiltrate organizations, usually through spear phishing, with the primary goal of stealing information. APTs are not easy to detect: traditional anti-virus software works on heuristics and statistics, so if it has seen a million instances of an application doing something odd, then it is probably a virus. For the APT, there may only be the one targeted instance, so traditional AV solutions won't pick it up. Furthermore, the APT today is designed to be "low and slow". There is a slow but continuous stream of information being exfiltrated, rather than one big block, which is more easily detected. The APT tries to emulate the way a person works in order to remain below the radar.

So the challenge becomes how to outsmart the APT. Good security has always required a multi-layer approach, and defense against APTs is no exception. There are three key places this can happen:

1. Prevent the APT from coming in in the first place. Typically this is where application whitelisting comes to bear. Instead of detecting all the potential "bad" applications in the environment and preventing them from running, create a list of known "good" applications and only allow those on the list to execute. Operationally this can be challenging, i.e. expensive, as every application needs to be listed, including new drivers for the phone which came out yesterday… or the printer which you've had at home for the past 5 years. Whitelisting is effective, but it is not for the faint hearted!

2. Detect the APT when it is in the network. By using Deep Packet Inspection (DPI) and network analytics it is possible to analyze what is going on in the network and decide whether any of the traffic is suspicious and, with further analysis, malicious. Infected systems can then be traced and the problems resolved at the root. Once again this is an effective measure, but often beyond the budget of most SMEs, as it requires not only sophisticated hardware and software but security analysts as well.

3. Prevent the data from leaving the organization. Ultimately, APTs want to exfiltrate information from an organization. Deep Content Inspection (DCI) can be used to look for specific pieces of information being communicated and then to stop it if it is found. This is both effective and cost efficient for organizations of all sizes and skill sets.

DCI is most commonly used in Data Loss Prevention (DLP) solutions. DLP has been around for several years now, and for many organizations deployment of a DLP solution has become standard practice for reducing inadvertent data leaks as well as malicious loss. Typically the policies implemented have been around financial information such as credit card details or personal information such as healthcare. Both of these have been driven by legislation from regulatory bodies as well as governments. Legislation continues to change, and the SEC introduced new guidelines around other types of information, such as Intellectual Property, which will no doubt move into law over time.

While DLP solutions are available for organizations of all sizes, there is one significant challenge they all face: the false positive. This is where "good" information is misclassified as breaking the DLP policy and is therefore
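As an added illustration (example code, not from the article or any DLP product) of how a DCI rule for credit card details can cut false positives: a naive digit pattern flags any 13 to 19 digit run, while adding a Luhn checksum check lets a look-alike order reference through. The messages and card numbers below are constructed test values.

```python
import re
from typing import List

# Candidate: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, validate: bool = True) -> List[str]:
    """Return digit strings in text that look like card numbers.

    validate=False behaves like a pattern-only DLP rule (every 13-19 digit
    run is a hit); validate=True keeps only Luhn-valid sequences, which
    removes roughly 90% of random digit strings that merely look like PANs.
    """
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and (not validate or luhn_valid(digits)):
            hits.append(digits)
    return hits


def dlp_verdict(message: str, validate: bool = True) -> str:
    """Policy decision for one outbound message: BLOCK if a card number is found."""
    return "BLOCK" if find_card_numbers(message, validate) else "ALLOW"


if __name__ == "__main__":
    # Constructed messages: a real-looking PAN (Visa test number), an order
    # reference one digit off from it, and an ordinary invoice line.
    samples = [
        "Customer card 4111 1111 1111 1111 exp 12/26",
        "Order reference 4111-1111-1111-1112 shipped",
        "Invoice total 1234.56 for 16 items",
    ]
    for s in samples:
        print(f"naive={dlp_verdict(s, False):5}  luhn={dlp_verdict(s):5}  {s}")
```

The second message shows the false positive the article describes: the pattern-only rule blocks an order reference, while the checksum-aware rule allows it without missing the genuine card number in the first message.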



CYBER DEFENSE MAGAZINE - ANNUAL EDITION 26