By Keith McCammon, Red Canary
First things first: This advice is for 95 percent of organizations in the world. If you are one of the 5 percent of organizations that adjusts your information security posture based on your adversaries' tactics, techniques and procedures, parts of this article will not be fully relevant.
The diluted usage of the term advanced persistent threat (APT) across the media, marketing and industry conversations continues to amaze us. Too many organizations are now distracted by the hype surrounding APTs instead of focusing on foundational security principles. This is an attempt to recognize what the term APT has come to represent, and how the majority of organizations should approach defending against them.
Defining Advanced Persistent Threats
The definition of APT depends on who is defining it. The term APT was always intended to describe a "who" and not a "what." Originally coined as a "polite" means of describing Chinese hackers, it is now used in those same circles to describe a determined, capable and deep-pocketed adversary. Note that evidence of an active, human adversary is a requirement; APT is not and has never been a malware classification.
For the rest of the market, the definition of APT has been broadening over the past few years to include a larger subset of attackers. As the tactics, techniques and procedures (TTPs) of the "true APT" have proliferated, there are now many groups around the world that resemble an APT. It is becoming increasingly difficult to tell whether an attack is perpetrated by a national actor, organized crime or an individual.
This is expected, given that describing and correlating TTPs will always be order of magnitude easier than proving attribution. We use the term "nation state-grade attacker" to delineate between the two.
First Step in Fighting APTs
Most organizations would do well to focus less on what are statistically lower likelihood attacks and start improving their security policies, procedures and configurations. If your organization cannot defend against low-grade attackers and commodity malware (which most cannot), trying to defend against advanced attackers is a misguided use of limited resources. This is equivalent to trying to master differential equations with large gaps in your understanding of algebra and foundational calculus.
The TTPs employed by the overwhelming majority of attackers are fairly simple compared to the elaborate tactics many people envision. Attackers simply do not need to be that clever to successfully reach their objectives because most organizations are not covering the basics.
This is actually a hallmark of highly effective offensive teams: The most expensive people and tools are used as a last resort. The result is that inexpensive phishing and watering hole attacks abound, despite the availability of reliable defenses. These methods are crude, and often times the tools used are in the public domain. But these methods work, and so they continue to appear.
Tightening up your policies and improving your configuration controls is not sexy. Improving security procedures is not "cutting edge." And the newest bright, shiny security tools rarely focus on foundational security.
But if you want to take large strides forward in your defense against an increasing number of ever-advancing attackers, getting the basics right is essential. Here are three quick pulse points:
- Do your users have local administrator rights?
- Can users install unwanted software like browser toolbars?
- Can applications execute out of a user’s temporary directory?
In the words of an old Jeff Foxworthy joke, "If you answered yes to any of the above, you might have a basic security problem."
Fighting APTs: The Human Touch
A final recommendation: Stop relying so much on technology and not enough on human expertise. Your security posture requires both talented humans and the right technology to contend with advanced attacks. No product - yet - can replace the ingenuity and insight of a human.
Attackers are humans. You must fight humans with humans. Even when it is increasingly difficult to find security talent, you cannot reallocate those dollars toward technology and get the same results.
In closing, don't get too spun up on APTs until you have a system in place to mature your security policies, procedures and configurations. Ensure you are investing in your team first and the right technology next, because technology alone will fail against a human attacker. And if you cannot do this, partner with solutions that deliver both.
As director of Detection Operations for Red Canary, Keith McCammon runs Red Canary's Security Operations Center and leads a group of expert analysts that monitor a continuous stream of potential attacks detected in our customers' environments. Keith is a known expert in offensive cyber computing and defensive IT security from his background as director of Commercial Security at Kyrus and executive director of Information Technology at ManTech. He has over 15 years of telecommunications and information technology experience, a dozen of which are security specific.