Many organizations focus on perimeter defense, with the assumption that most threats come from the outside. While numerous threats are stopped at the perimeter, advanced persistent threats (APT) often go undetected once they’ve infiltrated your environment. With the proliferation of cloud computing, virtual employees, and BYOD, APT infiltration is on the rise. This makes it critical for security engineers and CISO’s to lead the charge in extending their defenses beyond the traditional perimeter.
A recent Cyber Observer article cites the average time to discover a breach in 2019 as 7 months. This means that for many large and critical environments, including OT, attackers had been inside their networks, undetected, for nearly a year. Not surprising, the same study notes that the longer it takes to detect a breach the more costly it becomes.
A company’s industry and employee size does not always equate to being better protected. In 2015, one of the largest healthcare providers in the US was the focus of a highly targeted attack. The company had over 30 million patient records stolen due to an undetected APT actor that had been inside the network for over a year and had compromised the logon information of several database administrators.
Shining the spotlight on undetected APT’s
There are many methods and tools available to combat the threat of an undetected APT attack which has infiltrated the perimeter. Here are three recommendations that require a lower level of effort, but provide a higher yield for helping to more quickly identify the potential of an undetected APT on the internal network:
Establish a Network Activity BaselineEstablish a baseline of your network environment and monitor it for consistency. It’s not uncommon for APTs to perform activities during off-hours to help conceal their actions. By establishing a baseline of normal day and evening network activities, security personal and administrators can quickly determine if traffic is abnormal and requires investigation.
Consider Deploying Honeypots / HoneytokensAnother simple, but effective, tool is the deployment of honeypots / honeytokens– decoy mechanisms set up on your network to lure cyber attackers and spot and monitor their activity. The mechanisms differ in execution, but both offer the same outcome; alerting security staff when they have been tampered. A honeypot, or decoy system set up on the network, is set up to alert security staff when it has been tampered with or accessed for any reason. The importance of these systems comes from the fact that they are not systems that employees or admins will regularly interact with and often require searching to find. Notification that one has been accessed can mean that there is someone potentially performing nefarious actions. Honeytokens operate with the same premise, however, they are designed to serve as notification on the network when items such as database entries are accessed/moved. The premise of this concept can be applied to items outside of database entries, such as files, etc. Leveraging tagging and the functionality built within many network security appliances, configurations can be made to alert cyber staff when a honeytoken item is being accessed or moved. If these mechanisms notice an event and are properly configured to alert on the abnormal activity, it can significantly help determine if your environment has been compromised.
Use Threat Emulation Testing
Red Teaming, a traditional testing approach, allows an organization to perform a comprehensive test on a portion or the entire enterprise’s reactive and proactive cybersecurity posture through the lens of an adversary. Focus is placed on circumventing detection and identifying/exploiting weaknesses within the environment and has the secondary benefit of testing of the enterprise’s response protocols and processes. This provides a wealth of information from both a management and operational perspective and can help organizations identify gaps and weakness which they would have never considered prior to the engagement.
If Red Teaming is not a viable option, an alternative could be an advanced activities exercise. Here at Revolutionary Security we utilize LiveFire®. LiveFire proactively tests cyber threats to an enterprise across various phases of an adversary’s lifecycle. These types of threat emulation testing methodologies can help you view your environment from an attacker's perspective and gain insight into potential risks and overlooked vulnerabilities. Knowledge gained from these types of simulations can allow mitigations and safeguards to be implemented to prevent a costly and catastrophic breach.
Preventing an intruder from accessing your environment is crucial, however, it should not be your only line of defense. Any security professional will tell you, “no system is 100% fail proof.” Persistent threat actors take their time to study and analyze your environment, which makes it essential that you practice good security hygiene, both externally and internally.
Pivot from “we think” to “we know.”
Investments are being made yet breaches persist. How can you be sure your technical controls, processes, and people are as effective as planned?
We welcome a conversation.