Who is behind an APT?
Like all cyber attacks, an APT is very difficult to trace to its origin and attribute with confidence. For example, a piece of malware could be developed by a European citizen using a Chinese-language software development kit, include text references to particular Chinese military organisations, be hosted on a website in Russia, and have its traffic routed so that the attack appears to originate from China.
Only a few groups globally have the capability, skills, funding and infrastructure to launch an APT. They generally target foreign corporations and governments in order to exfiltrate both state and trade secrets. Media outlets may also be targeted in order to track down dissidents. For example, in January 2013, the New York Times published a report claiming that Chinese hackers, suspected to be state-sponsored, had infiltrated its network. The attack was designed to search emails and documents related to a story the NYT had written about relatives of China's then Prime Minister Wen Jiabao.
Russia also maintains the ability to launch sophisticated attacks, but as yet there has been no evidence linking the Russian government to a specific attack. Given Russia's ability to produce some of the world's best computer crackers, one may assume that Russia's Federal Security Service (FSB) has a team or teams in place to monitor and infiltrate organisations and nations.
The United States, for its part, has an extensive "cyber army." For instance, one of the most famous attacks, named Stuxnet, was successfully used by the US, working in partnership with Israel, to disrupt Iran's nuclear enrichment facilities.
Other countries may also have developed their own cyber armies and APT groups. Little is known about the capabilities of the rest of the G20 nations, or of states such as Syria, North Korea, Iran and other nations in the Middle East. It is safe to say that most of these nations have at least researched the option of leveraging an APT.
How can organisations reduce the APT risk?
To protect themselves from APTs, organisations must implement a defence strategy based on multiple layers of protection. It is important to understand that no single network security feature can stop an APT: each layer only reduces the attacker's options, and the layers are expected to catch what the others miss.
There are specific methods to reduce the APT risk. These include:
- Security Partnerships: Having a strong partnership with a security provider that can deliver up-to-date information and threat intelligence to security and IT staff, as well as a clearly defined escalation path for when an incident is detected.
- Multi-Layered Defence: Such a defence requires the implementation of key security features such as Web filtering/IP reputation, whitelisting/blacklisting, application control based on users and devices, DLP, IPS/IDS, cloud-based sandboxing and endpoint control or AV. Together these features block potentially malicious applications, malware and suspicious activity, and prevent sensitive information from leaving the network.
- End-User Education: It is crucial to educate employees on cyber threats and the proper use of social media. Employees with access to sensitive information must receive specific training on how to handle that data. Limiting USB drive access to employees on an as-needed and justified basis is also a good way to protect a network.
- Network Segregation: Basic network segregation can help prevent an APT from propagating inside the network. Not every employee needs access to every resource, particularly those that contain sensitive data. By limiting access wherever possible, an organisation may be able to contain many attacks to the segment where they started.
- Proactive Patching: A computer is only as secure as the software on it. It is essential for companies to deploy patches to their systems as quickly as possible.
- Two-Factor Authentication: By implementing two-factor authentication for remote users and for users who require access to sensitive information, an organisation makes it harder for an attacker to take advantage of lost or stolen credentials, since a password alone is no longer enough to log in.
- BYOD Policies: It is important to have a strict BYOD policy in place, as attackers may easily compromise a personal laptop, smartphone or tablet and use it to carry malware into the corporate network.
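The network segregation and multi-layered defence points above are easiest to act on once the segmentation policy is written down in a form that can be checked. The following Python script is an added example, not code from the article or from any vendor it mentions: it models a small zoned network, encodes which cross-zone flows are permitted (users reach the application tier, only the application tier reaches the sensitive zone), and flags connection records that cross a segment boundary in a way the policy does not allow. The zone ranges, the allowed-flow table and the log lines are all constructed for the example and stand in for a real address plan and a real firewall or flow log.

```python
"""Segmentation policy check over constructed connection records.

Added example, not from the original article. All zone ranges, policy
entries and log lines are constructed; replace them with your own address
plan and flow logs. IPv4 only, to keep the zone lookup simple.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: which subnet belongs to which zone. The
# "internet" catch-all has the shortest prefix, so it only wins when no
# internal zone matches.
ZONES = {
    "user_lan":  ipaddress.ip_network("10.10.0.0/16"),
    "app_tier":  ipaddress.ip_network("10.20.0.0/24"),
    "sensitive": ipaddress.ip_network("10.30.0.0/24"),  # e.g. HR/finance data
    "internet":  ipaddress.ip_network("0.0.0.0/0"),
}

# Allowed cross-zone flows: (source zone, destination zone, destination port).
# Anything not listed is a violation. Least privilege: workstations never
# talk to the sensitive zone directly, and the sensitive zone never
# initiates connections to the internet.
ALLOWED = {
    ("user_lan", "app_tier", 443),
    ("app_tier", "sensitive", 5432),
    ("user_lan", "internet", 443),
    ("user_lan", "internet", 80),
}


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    port: int


@dataclass(frozen=True)
class Violation:
    conn: Connection
    src_zone: str
    dst_zone: str


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip ("internet" is the fallback)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def parse_log(lines):
    """Parse constructed 'src=IP dst=IP dport=N' records into Connection objects."""
    conns = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        conns.append(Connection(fields["src"], fields["dst"], int(fields["dport"])))
    return conns


def find_violations(conns):
    """Return every connection that crosses a zone boundary the policy does not allow.

    Traffic that stays inside one zone is not evaluated here; that is the job
    of host firewalls, not the segment boundary.
    """
    found = []
    for c in conns:
        src_zone, dst_zone = zone_of(c.src), zone_of(c.dst)
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, c.port) not in ALLOWED:
            found.append(Violation(c, src_zone, dst_zone))
    return found


# Constructed sample records: two of them break the policy.
SAMPLE_LOG = [
    "src=10.10.4.7 dst=10.20.0.5 dport=443",       # user -> app tier: allowed
    "src=10.10.4.7 dst=10.30.0.9 dport=5432",      # user -> sensitive DB: violation
    "src=10.20.0.5 dst=10.30.0.9 dport=5432",      # app tier -> sensitive DB: allowed
    "src=10.10.4.7 dst=10.10.4.8 dport=445",       # inside user LAN: not a boundary crossing
    "src=10.30.0.9 dst=203.0.113.10 dport=443",    # sensitive -> internet: violation
    "src=10.10.4.7 dst=203.0.113.10 dport=443",    # user -> internet web: allowed
]

if __name__ == "__main__":
    for v in find_violations(parse_log(SAMPLE_LOG)):
        print(f"VIOLATION {v.src_zone} -> {v.dst_zone}: "
              f"{v.conn.src} -> {v.conn.dst}:{v.conn.port}")
```

Run as-is it reports the two constructed violations: a workstation reaching the sensitive database directly, and a sensitive host opening a connection to the internet. The first is the pattern segregation exists to stop (a compromised user machine moving sideways); the second is the kind of outbound flow that DLP and Web filtering are meant to catch, which is why the same policy table is worth feeding both to the firewall rulebase and to whatever reviews the flow logs.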