Why is it so easy for APTs (advanced persistent threats) to move through our networks?
These days all eyes are on cybersecurity; mega hack attacks spike the dial on primetime news, security issues are trumping high on corporate boardroom agendas and security technology companies are the darlings of the investor community.
Given the grim state of global security, organizations are more aware, more prepared and more willing to invest in defence. But although they have drummed up their line of cyber defence and pitched their digital forks, advanced persistent threats (APTs) are having a field day.
The losing battle against Advanced Persistent Threats
It’s mind baffling, when you think of it; how come, despite all the awareness, technology advancements and heavy investment, the fight against APTs is a losing battle? The answer could be lurking in the shadows.
Just so we’re on the same page; APT refers to a network attack by a third party that gains unauthorized access and remains there undetected for a long time. APTs are characterized by their high-level of sophistication, covertness, and use of bespoke software back doors, as well as zero-day vulnerabilities.
A disturbing aspect is the ‘Persistency’ factor, as hackers aim to stay undetected for a lengthy period until they pursue their end goals. They may try to infiltrate hundreds or thousands of times, then learn from their mistakes, modify their behaviour, and finally find a way to go undetected under the radar. Once they’re in, they often remain hidden inside a network, slowly siphoning off data.
APTs continue to move laterally through networks with relative ease
APT’s ease of movement is almost liquid, largely due to a shadow partner. Unassuming, unintentional and underrated, shadow IT has created a parallel world where APTs tend to thrive.
Although largely unauthorized, Shadow IT is common practice and is here to stay. Just clarify what we mean by shadow IT: Shadow IT involves employees using systems and software without authorization by the IT unit. Whether we like it or not, SaaS downloads, the unauthorized use of apps, and the BYOD (Bring Your Own Device) trends are growing, and expanding to the IoT scape, casting an even larger shadow.
In effect, shadow IT is the gap between the IT security status, as perceived by the IT department, and the real picture. Here lies the crux of the matter; hackers often rely on these very network gaps to operate in a stealthy mode and remain undetected under the radar.
Why is it so difficult to detect shadow IT mishaps?
Despite heightened security awareness training, employees are still prone to daily cybersecurity errors; it’s part of human nature. Short-lived errors, even with a lifecycle of only 24 hours, can evade security during these timely, but critical gaps. Even if there was an alert, it’s difficult to pay attention to each event on a specific PC or device in a large network. At the end of the day, it is an inhuman mission for the IT department or assigned penetration tester, or even red teamer, to find all of the problems and recognize their influence on large networks.
How come it’s getting worse?
Shadow IT error still accounts for most of the root causes of security compromises—perhaps as much as 90 percent. The trouble is that although shadow IT is not a new trend, malicious hackers are discovering more ways to exploit it in 2018. The more people who interact with internet-connected endpoints, the more strategies hackers will find to take advantage of them. Now that connected devices are everywhere, the danger is growing.
What can be done to stop APTs in their tracks?
To combat them, security pros should shift their stance to assume APTs are already living in their network. Eventually someone will successfully penetrate a network; maybe by taking advantage of a technological mishap, or maybe through a social engineering loophole.
Secondly, there needs to be a conceptual shift from passive defence to a threat hunting strategy from an attacker’s point-of-view. It is essential to keep a network in a state of perpetual reconnaissance 24×7, because the attackers are using a combination of Advanced Persistent Threats (APT) methods, they can leap frog from one network section to another, completely undetected. They can work this way until they reach their final goal; whether it involves stealing data, or disrupting control systems, with potentially kinetic implications.
Today there’s a new breed of automated attack simulation platforms that prevent APTs from compromising critical organizational assets and provide, actionable remediation in a continuous loop. These platforms can run multi-vector campaigns simultaneously to simulate an APT with 100% reliability.
It’s almost like teaming up with an army of red team attackers that work 24/7, followed by a blue team that responds to actionable and prioritized information in real time. When aptly developed, these platforms can operate in a safe way without affecting the network or the user experience. Maybe there is hope after all.