ABC’s of Advanced Persistent Threats

May 01, 2013

There has been a lot of news recently about APTs (Advanced Persistent Threats) impacting many organizations, both public and private. These are very serious issues for financial institutions. Most current articles on APTs focus on the “what”: what they are and what they do. Few talk in depth about the “how”: how they do what they do, and how you can protect yourself properly. That will be the focus of this article, so you can know how to protect your organization from these very real and very dangerous threats.

  - APTs are not a single type of threat, but rather a classification of malicious software.
  - APTs do not have a single developer and do not come from a single source.
  - APTs describe a methodology used by most advanced hackers and nefarious organizations.
  - APT attacks are extremely difficult to detect.
  - APT attacks are nearly impossible to stop.
  - APT malware is not always active, but can remain idle and completely undetectable until activated.
  - APT malware can exist in applications, databases, browsers, and just about anywhere else.
  - APT attacks are usually NOT detected by intrusion detection and prevention systems.
  - APT is used by malicious individuals to gain access to sensitive systems, private data, credentials, intellectual property and more.

APT attacks are difficult to detect and stop because the traditional methods we use to do this simply don’t work. A good analogy is how the human body fights off illness. The CDC can determine which strain of flu virus will emerge each year. They use that strain to create a vaccination; when it is injected, your body learns about that strain and prepares to fight it when you are exposed at a later date. Similarly, information security experts take previously seen attacks and create “fingerprints,” which are similar to the vaccinations. They can be placed into an IDS database, and as traffic enters and exits your network, matching patterns can create an alert or block it.

The problem is that APT attacks are more like a cold virus (but a really bad cold) in the way they behave. We cannot get a cold vaccination because the strain changes so frequently that one is impossible to create. Similarly, APT attacks are all very different and can morph on demand, so it is very difficult for traditional information security technologies to detect and stop them. APT attacks have no known signature or particular pattern of behavior.

Therefore, we have to rely on behavior-based monitoring technologies (which exist in many edge-based security systems like firewalls and IDS/IPS). The problem, however, is that APT malware uses sophisticated encryption to mask everything it is doing as it enters and exits the network, so it is essentially invisible to those traditional information security solutions.

Banks, credit unions and insurance companies are among the most coveted targets, according to Darin Anderson, general manager of Norman Software NA, a security software company based in Fairfax, VA. According to Mr. Anderson, financial institutions are prime targets for APT attacks. This is true for several reasons:

  1. Financial institutions store a lot of confidential information for users that can be used for identity theft.
  2. Financial institutions store credit card and other account information that can offer malicious people access to money.
  3. APTs can capture credentials and other login information granting access to systems or authorizing transactions such as ACH and wire transfers to be used as another avenue for accessing money.
  4. APTs are used to capture intellectual property and where better to find it than a financial institution.

Hackers take advantage of the traditional perimeter- or edge-based security most companies use. Unfortunately, most companies still believe that they are protected on the inside of their network and that their firewall and IDS protect them from the bad things on the Internet. This simply isn’t the case. APTs can get installed on the inside of the network very easily through any number of methods that completely bypass the firewall and intrusion detection and prevention systems, including visits to malicious or compromised websites and downloaded software.

So what can we do? We aren’t helpless. There are a few things financial institutions can do to ensure they are armed with as much protection as possible. First, it requires a different approach to information security, one that does not assume that your edge security alone will protect you. Second, ensure that you at least have access to tools that create visibility well beyond your traditional scope. Third, ensure that your critical systems are managed and monitored by experts. By doing just these few things, you significantly decrease the odds of being attacked and exposed.

The approach we need to take is one that dispels the notion that the edge of our network is where the bad guys are stopped. And yet while the firewall and IDS are still a valuable part of any organization’s overall information security program because they detect and prevent specific types of attacks, additional solutions are needed for protection against these APTs. This requires an IT and executive cultural shift from the way information security used to be viewed, to the way it is today.

Once the mental shift has been made, organizations need tools to be able to protect their systems. Anti-virus software is the first small step in the process. Ensuring that your AV is installed and up-to-date with frequent updates is important. From a prevention standpoint, the best thing you can do is to keep your systems patched. While this sounds simple, it isn’t as easy as using Windows System Update Service (WSUS), because the most frequently compromised applications are not Microsoft apps (despite popular belief). Third-party applications such as Adobe products are actually more commonly exploited, and most traditional patching services neglect them. Patching is extremely important because once a vulnerability has been fixed it can no longer be exploited, but patching must be timely, which is difficult for most community financial institutions to keep up with. Often hackers will take advantage of new vulnerabilities before system administrators get patches applied.

Financial institutions also need complete visibility into their network. This visibility needs to go far beyond the traditional uptime monitoring of days long gone by. Availability monitoring is just the first step. Performance monitoring, change control monitoring, and security monitoring data should all be collected and correlated to create a complete view of your network at all times. Then, strange behavior not normally seen on your network can be more easily captured and alerted on. These anomalies in your network should be analyzed by information security, networking, and systems experts to determine if something bad is happening, like an APT attack. Many large financial institutions have the scale and access to funds to utilize properly trained experts, but small and medium-sized banks and credit unions will almost always need to outsource this expertise.

Visibility is so important because it allows you to create baselines so you know what is normal vs. abnormal behavior. Getting as many critical systems as possible reporting is key. Every system on your network can and should act as “eyes and ears” looking for strange events. Then, with correlation between events, you can determine when something is behaving strangely and react to it. It is kind of like those signs you see on the subway that say “See Something? Say Something!” and then give you a number to call if you see something strange. You might see someone or something that just looks suspicious. Someone else might see a concealed weapon. Someone else might capture an activity in a picture they take with their phone. Someone else might get a video of someone stealing a purse, showing the direction they ran. When all this information gets correlated by police, a full description, photo, video, etc. of the perpetrator is analyzed, a much clearer picture of the activity is identified, and now everyone can be put on full alert that this particular person is dangerous.

The same is true for designing a system that creates full visibility across your network. Once the system can identify the abnormal behavior (APT attack), it can more easily identify the source, destination, and what is being done. Then experts can stop the behavior quickly before any major damage or theft occurs.
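As an added illustration of the baseline-and-deviation approach described above (this is not code from the article or from D+H), the snippet below learns what each host normally does from a week of outbound connection records and then reports departures from that baseline rather than matching a known signature. The log format, host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)")
# Constructed sample logs (not real traffic): a learning week of normal
# outbound connections, then one day containing a suspicious entry.
BASELINE_LOG = """
2013-04-22T09:05:11 host=wkst-17 dst=198.51.100.20 bytes=12000
2013-04-22T10:40:03 host=wkst-17 dst=198.51.100.21 bytes=8000
2013-04-23T14:12:45 host=wkst-17 dst=198.51.100.20 bytes=15000
2013-04-24T16:02:19 host=wkst-42 dst=198.51.100.22 bytes=11000
"""
TODAY_LOG = """
2013-04-29T10:15:02 host=wkst-17 dst=198.51.100.20 bytes=13000
2013-04-29T02:14:05 host=wkst-17 dst=203.0.113.9 bytes=5200000
"""

def parse(log):
    """Yield (host, dst, bytes, hour) for each well-formed log line."""
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["host"], m["dst"], int(m["bytes"]), int(m["ts"][11:13])

def build_baseline(log):
    """Per host: destinations seen, largest single transfer, active hours."""
    base = defaultdict(lambda: {"dsts": set(), "max_bytes": 0, "hours": set()})
    for host, dst, nbytes, hour in parse(log):
        b = base[host]
        b["dsts"].add(dst)
        b["max_bytes"] = max(b["max_bytes"], nbytes)
        b["hours"].add(hour)
    return base

def find_anomalies(base, log, volume_factor=3):
    """Return (host, dst, reasons) for events departing from the host's baseline."""
    findings = []
    for host, dst, nbytes, hour in parse(log):
        # An unknown host has an empty baseline, so everything it does is flagged.
        b = base.get(host, {"dsts": set(), "max_bytes": 0, "hours": set()})
        reasons = []
        if dst not in b["dsts"]:
            reasons.append("new destination")
        if nbytes > volume_factor * b["max_bytes"]:
            reasons.append("volume above %dx baseline max" % volume_factor)
        if hour not in b["hours"]:
            reasons.append("off-hours activity (%02d:00)" % hour)
        if reasons:
            findings.append((host, dst, reasons))
    return findings
```

The routine business-hours connection to a known address produces nothing, while the 2 a.m. multi-megabyte transfer to a never-seen destination is reported on three independent grounds, which is the kind of correlated signal the text describes.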

There are companies that offer cost-effective solutions that give financial institutions a way to protect themselves from APT attacks. D+H is a technology management provider for financial institutions across the nation and provides two services, as an example, used by hundreds of small and medium-sized banks and credit unions. The first is Total Desktop Management (TDM). This service puts the management of all those pesky desktops into someone else’s capable hands to ensure anti-virus is always installed and up-to-date. Action can be taken if viruses or malware are detected. But more importantly for APT attacks, patching is performed on a regular basis and as needed to ensure vulnerabilities and bugs are being removed from the operating system as well as popular third-party applications.

But desktops are only part of the solution needed to address APTs. Organizations also need Critical Systems Management (CSM), a solution that performs availability, performance, security, and change control monitoring on all critical devices, including servers, routers, switches, firewalls, and any other device deemed critical by your organization. The events from all of these devices are captured, correlated and analyzed. When APTs are discovered through behavioral analysis, immediate action can be taken. CSM also includes anti-virus and patching for servers. So between D+H’s CSM and TDM, your network will have the very best chance of keeping APTs out. CSM and TDM are affordable and very cost-effective for even small financial institutions, so there is no excuse not to reduce the burden on your internal IT staff and others and let the professionals keep you protected from APTs and many other attacks and threats to your organization.


Kevin Prince
Principal Technology Strategist

Kevin Prince leads product development in building and designing the most innovative solutions for D+H’s Compushare suite of products. Prince has more than 24 years of information technology experience, 16 of which have been focused specifically on information security for the financial services market, and he has also served as a trainer to FDIC and NCUA examiners.