APTs: The Newer, Smarter, and Actually Successful Wile E. Coyote

Remember the old Looney Tunes cartoons where Wile E. Coyote nearly destroys himself in attempt after fruitless attempt to capture the Road Runner? The Road Runner seems to have a sixth sense when a trap is sprung across his path and always escapes unscathed.

Well, when it comes to cyber attacks, threat actors are far more successful than Wile E. Coyote. This success may be due, in part, to an insidious danger known as advanced persistent threats (APTs)—and a business’s inability to manage these threats. While the Road Runner seems to have an innate sense of when and how danger lurks, businesses have no such instinct.

In its 2015 Advanced Persistent Threat Awareness Study of more than 660 cybersecurity professionals, the Information Systems Audit and Control Association (ISACA) found that while businesses are aware of and are increasing their protection against APTs, the nature of these threats is not clearly understood. “A gap in the understanding of what APTs are and how to defend against them remains,” the survey report notes.

Yet businesses must have this understanding in order to properly protect their information assets. “Advanced persistent threats have become the norm. Many major breaches are connected to APT tools and methodologies,” says Christos Dimitriadis, international president of ISACA. “As a result, it is more critical than ever for cybersecurity leaders and professionals to have a thorough understanding of these threats, and to be prepared to quickly and effectively respond.”

Understanding APTs

So, just what is an advanced persistent threat—and how is it different than a “traditional” threat?

In a “simple” attack, TechTarget says, an intruder will try to get in and out of a system as quickly as possible to avoid detection. An APT, on the other hand, is “a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.”

In the survey report, ISACA says that APTs are not random, that “someone is specifically targeting the enterprise. The primary purpose of most APTs is to extract information from systems—critical research, enterprise intellectual property, government information or other data.”

Anonymity is a byword among threat actors behind the APTs. Cybersecurity firm FireEye dissects the anatomy of an APT into six steps, saying that “a skilled and determined cyber criminal can use multiple vectors and entry points to navigate around defenses, breach your network in minutes and evade detection for months.” Ironically, these “stealthy attacks” often rely on the illegal activities of others to remain anonymous.

Protecting Your Business against the Stealth

Both ISACA and FireEye note that traditional cyber security measures such as firewalls and anti-malware do not protect a business against APTs. This is because “APTs exploit zero-day threats, which leverage unknown vulnerabilities, and many APTs enter the enterprise through well-designed spear phishing attacks,” the ISACA report notes.

ISACA says these findings indicate that additional controls and a greater focus on email security and user education may be helpful. In a recent article in Healthcare IT News, Rick Kam and I shared some basic tips that every user and employee should know to protect against phishing tactics.

  • Don’t open unsolicited emails, and don’t click on links or open attachments in them.
  • Be suspicious of claims that are too good to be true. Typical examples are weight loss claims, sexual enhancement claims, and people claiming to want to give away large sums of money. These are often easy to spot because of poor spelling, wrongly used legal terms, and other mistakes.
  • Be careful in responding to or providing information in response to unsolicited emails from banks, the IRS, or other organizations, and don’t fall for scare tactics. Anyone you deal with already knows your name, your bank account number, your medical ID number, etc. They won’t call asking you to “confirm” it. If users aren’t sure about an email, they can call the organization directly to check whether the email is legit.

To protect against phishing campaigns on social media, it’s important to warn users not to share personal information with someone they don’t know in real life, and if they receive an unusual communication that seems to be from someone they know, call that person and check it out.

Beyond Phishing

ISACA’s Montana Williams Sr. notes that social engineering is the primary means by which attackers gain access to targeted information systems. At first, he says, attackers used tactics like phishing, spear phishing, and whaling. “However, over the past three years,” he says, “APTs have moved on to the Internet as the main attack vector (e.g., web sites, social media and mobile applications).”
In fact, the ISACA survey cites recent reports, which found that “web-based attacks outnumber email-based attacks nearly five to one, and web applications and point-of-sale systems are leading hacker targets.”

The shift in attack strategies suggests that businesses need to move fast to keep ahead of determined cyber criminals. Wile E. Coyote will never catch the Road Runner, but unless businesses understand and effectively protect their information systems against evolving threats, they will almost certainly become a victim of a cyber attack—if they haven’t already.

As chief strategy and marketing officer, Doug Pollack, ID Experts, is responsible for the strategic direction and marketing of our innovative software and services. He has over 25 years of experience in the technology industry, having held senior management and marketing roles with Apple, Inc., 3Com Corporation as well as several venture-backed enterprise software startups. He holds a BS in Electrical Engineering from Cornell University and an MBA from the Stanford Graduate School of Business.

Originally posted by ID Experts Blog. Reposted with permission.