The best defence

Matt Jonkman, president of the Open Information Security Foundation (OISF), an open source-focused, nonprofit foundation that is building a next-generation intrusion detection system/intrusion prevention system (IDS/IPS) engine, uses a popular security industry chestnut to describe corporate network environments.
There are two kinds of companies, the saying goes: those that have been compromised and those that don't know they've been compromised. Using this truism as a baseline, Jonkman stresses the importance of using layered security technologies in conjunction with effective user training and education.
What is clear is that from an organisational level, “we're leaking information like a sieve,” he says. “It used to be that we had a crunchy exterior perimeter [protection] with a soft inside. There's no crunchy exterior perimeter anymore.”
Jeff Horne, practice manager of malware solutions for Denver-based Accuvant Labs, says companies need to recognize that either they have been compromised or they will be. Today's attackers have sophisticated ways of bypassing perimeter protections, so Horne says organisations should focus on outgoing communications. There is little value to a hacker if they are able to compromise data on a server, but cannot transfer it off the network, he says.
Horne recommends a two-pronged defense against malware. The first is to use a combination of network best practices to keep data secure. The second is to ensure that data on compromised assets cannot leave the network.
Malware has become a commodity easily purchased over the internet, he says. This malware can be customised for a specific target so that it can bypass security protections. Companies must ensure that they have layered defenses and do not rely just on their firewalls or anti-virus software, Horne says.
Defensive approaches, such as segregating mission-critical systems on protected virtual LANs (VLANs) or simply keeping some systems physically separated from the corporate network, can prevent access to certain machines if the network is attacked.
Additionally, network managers can remove the ability for PCs in a network to talk directly to each other, requiring all file-sharing to instead be done via servers that can be better protected. By barring peer-to-peer communications, Horne says, a number of exploits can be stopped in their tracks.
Most important, however, security and network managers must stop unauthorized data from being sent off the network. This is more complicated, he says, because exploits can use innocuous coding holes to transfer data out.
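The three controls Horne describes above (segregating critical systems on their own VLAN, barring workstation-to-workstation traffic, and watching what leaves the network) can be checked against flow or firewall logs. The following Python script is an added illustration, not code from the article or from Accuvant Labs; the subnets, the log format and the byte threshold are constructed assumptions, and a real deployment would read NetFlow or firewall exports instead of the embedded sample lines.

```python
import ipaddress
from collections import Counter, namedtuple

# Hypothetical network layout (assumption, not from the article):
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")   # user PCs
SERVERS = ipaddress.ip_network("10.20.0.0/16")        # file/app servers PCs are allowed to reach
CRITICAL_VLAN = ipaddress.ip_network("10.30.0.0/24")  # mission-critical systems, no internet access

# RFC 1918 ranges, listed explicitly rather than via ipaddress.is_private,
# because is_private also matches documentation ranges such as 203.0.113.0/24.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Outbound volume above which one external flow from a workstation is flagged (constructed threshold).
EGRESS_BYTES_THRESHOLD = 5_000_000

Flow = namedtuple("Flow", "src dst dport bytes_out")


def parse_flow(line):
    """Parse one constructed log line: 'src_ip dst_ip dst_port bytes_out'."""
    src, dst, dport, nbytes = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes))


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def classify(flow):
    """Return the policy violations for one flow (empty list when the flow is allowed)."""
    findings = []
    # Rule 1: PCs must talk to servers, never directly to each other.
    if flow.src in WORKSTATIONS and flow.dst in WORKSTATIONS:
        findings.append("peer-to-peer")
    # Rule 2: nothing on the critical VLAN may reach a non-RFC1918 address.
    if flow.src in CRITICAL_VLAN and not is_internal(flow.dst):
        findings.append("critical-vlan-egress")
    # Rule 3: a workstation pushing a large volume to the outside is worth a look.
    if (flow.src in WORKSTATIONS and not is_internal(flow.dst)
            and flow.bytes_out > EGRESS_BYTES_THRESHOLD):
        findings.append("bulk-egress")
    return findings


def audit(lines):
    """Return [(line, findings)] for every flow that breaks at least one rule."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings = classify(parse_flow(line))
        if findings:
            results.append((line, findings))
    return results


def summarize(results):
    """Count how often each rule fired across the audited flows."""
    return Counter(f for _, findings in results for f in findings)


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet hosts.
SAMPLE_FLOW_LOG = [
    "10.10.4.12 10.20.1.5 445 120000",        # PC to file server: allowed
    "10.10.4.12 10.10.7.33 445 80000",        # PC to PC: blocked by rule 1
    "10.30.0.9 203.0.113.40 443 2500",        # critical VLAN host reaching the internet: rule 2
    "10.10.4.12 198.51.100.7 8443 9000000",   # 9 MB pushed out from a PC: rule 3
    "10.10.5.2 198.51.100.7 443 3000",        # ordinary web browsing: allowed
]

if __name__ == "__main__":
    hits = audit(SAMPLE_FLOW_LOG)
    for line, findings in hits:
        print(f"{line}  ->  {', '.join(findings)}")
    print(dict(summarize(hits)))
```

The script reports only rule hits, so the two allowed flows are silent; in practice rule 3 needs a threshold tuned per site and would be combined with destination reputation, but the structure (a small set of explicit subnet-to-subnet policies evaluated per flow) is the part that carries over.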
If the network infrastructure was not built with security embedded into the underlying technology, then additional defenses will have to be tacked on to make up for the deficiencies, he says. One such weakness is allowing users to turn off automatic updates. While some users might have a valid reason for stopping updates, most employees need to have these updates turned on, even if they do cause a performance hit on their systems, Horne adds.
Proprietary software and Windows service packs also need to be updated on a regular basis, but for these applications a testing process is necessary to ensure that the upgrades do not break the existing applications.
Sometimes, he says, this process can take up to a year, depending on the type of update and the requirements of the network. Despite these delays, Horne says, major updates must be tested before they are installed. “You have to have a vetting process,” he says, “not an elimination process.”