
The Essentials Series: Advanced Persistent Threats and Real-Time Threat Management

by Dan Sullivan

SYNOPSIS

Businesses face a constantly evolving threat landscape. Malware is becoming more complex, architectural changes create new vulnerabilities, and attackers are willing to focus their efforts on specific companies. The advanced persistent threat (APT) is a term commonly used to describe some combination of these new threats. Mitigating the risk of APTs requires advances beyond traditional layered security to include real-time threat management. This Essentials Series describes the nature of APTs, the risks they pose to businesses, and techniques for blocking, detecting, and containing APTs and other emerging threats.


CHAPTER PREVIEWS

Article 1: Beyond the Hype: Advanced Persistent Threats

Businesses face a constantly evolving threat landscape. Malware is becoming more complex, architectural changes create new vulnerabilities, and attackers are willing to focus their efforts on specific companies. One of the greatest challenges is presented by advanced persistent threats (APTs), which are sophisticated, multi-faceted attacks targeting a particular organization. Mitigating the risk of APTs requires advances beyond traditional layered security to include real-time threat management. This Essentials Series describes the nature of APTs, the risks they pose to businesses, and techniques for blocking, detecting, and containing APTs and other emerging threats. We begin with a pragmatic assessment of the nature of APTs, specifically:

  • The nature of APTs today
  • The continuously evolving threat landscape
  • Elements of APTs
  • Changing business practices that compound the problem
  • Assessment of potential to control and mitigate the risk from APTs

Clearly, the threat landscape continues to become more challenging. The motivation and means for carrying out attacks on information systems are changing. Determined, committed attackers are employing multiple means to breach security controls. Businesses need to respond in kind with multiple security controls, including real-time monitoring and rapid containment measures.


Article 2: Need for Real-time Management and Responding

Ideally, we could deploy security controls that would prevent a successful attack by an advanced persistent threat (APT), but we should be pragmatic in our assessment. APTs are multifaceted, and although one countermeasure, such as an antivirus system, may block one part of an APT, other elements of the attack may not depend on detectable malware at all. Just consider a malicious insider who uses social engineering to discover the password to an administration account of a document management system in order to copy the contents of the repository and mine them for intellectual property. When planning a response to the threat of APTs, we should assume there will be a breach at some time. The overall goal of risk management in this case is to minimize the impact of threats by blocking when possible and detecting and containing when not; to do that, we need real-time monitoring and remediation mechanisms.

This article considers the need for real-time threat management and response, specifically:

  • The limits of conventional endpoint and perimeter security controls
  • The stages of a response to a breach by an APT
  • Ideal and realistic assessments of preventing a breach

As in the first article in this series, a dominant theme is the assumption that we should take the threat of APTs seriously and plan for a breach. This is not to say all businesses will be the victims of an APT attack or that all APT attacks will be successful. From a purely pragmatic perspective, it is better to be prepared for a breach and not suffer one than to be unprepared if a breach does occur.


Article 3: Planning for Real-time APT Countermeasures

This article is organized around basic steps to plan for the deployment of real-time threat management to mitigate the risk of APTs:

  • Developing a business case for real-time threat management
  • Assessing the current state of readiness for real-time threat management
  • Developing a deployment plan

Not surprisingly, some of the recommendations that follow would fit equally well when describing other types of countermeasures. APTs are a collection of well-established techniques used for malicious purposes applied in methodical and comprehensive ways. Countermeasures used in the past can still be useful here. The key distinguishing characteristic of APTs is the speed at which they can progress. This, in turn, drives the need for real-time threat management to complement perimeter and endpoint defenses.