Imagine the following Security Operations (SecOps) scenario. A large organization conducts regular audits of its security controls. It monitors a collection of intrusion detection appliances and uses Artificial Intelligence (AI) tools to search for anomalies in network traffic. After six months, during which nothing significant appears to have happened, the organization becomes aware of a massive breach that has been taking place the whole time.
Actually, we don’t have to imagine. As we know, attacks like this have been going on for years. Everything looks normal, but traditional detection methods aren’t working. At least, they aren’t working well enough. Sophisticated cyber security teams find themselves taken by total surprise. What is going on? Much of the time, the culprit is what we know as an Advanced Persistent Threat, or APT.
What are APTs (Advanced Persistent Threats)?
The term “APT” describes a variety of cyber-attack techniques that have two key commonalities. They are “advanced” and “persistent.” Let’s break those down. Most cyber threats are not advanced. They may seem sophisticated, but existing filters and SecOps can catch most of them if everyone is doing their job. An advanced threat is one that’s been designed for stealth. APTs often emerge from the world’s most sophisticated cyber war entities, the national intelligence services from countries like Russia, China, Iran and North Korea. They are the products of some of the best minds in technology.
What makes such threats advanced? For one thing, they are designed to penetrate networks in non-obvious ways. Hackers build them with evasion of security controls in mind. Then, there is “persistence.” Unlike most threats, APTs do not activate right away. By contrast, when you click on a ransomware link, your files get locked up pretty quickly. An APT does not work this way.
APTs lurk. They sit inside networks for extended periods of time, undetected. They move laterally across networks and take their time. They look for critical digital assets to compromise. They might enter through a server with cached login credentials, but then proceed to search for other servers with cached login credentials. Over a period of months, the APT could compromise hundreds of servers, all before it has really done anything harmful and certainly before anyone has noticed.
Challenges in Advanced Persistent Threat Defense
As you might imagine, defending against Advanced Persistent Threats can be quite challenging. By design, they are extremely hard to detect. And their dormant, persistent nature makes them difficult to stop once they’ve taken root. You might think you’ve quarantined one, but it has already replicated and hidden itself elsewhere.
They are even able to elude AI-driven anomaly detection. Indeed, APTs may mimic the behaviors of real users and appliances, so they don’t trigger alerts. To defend against an APT, you need countermeasures that are themselves advanced and persistent. It won’t work to use legacy security tools that are episodic and reactive in nature. You have to go hunting the problem. Then, once you start, you cannot stop hunting because the hackers create a continuous threat.
Countermeasures for APT Security
XM Cyber has brought to market a patented platform called HaXM, which has proven to be an effective approach to mitigating APTs. Our answer is to engage in cyber attack simulation. In other words, we instrument environments with advanced techniques that act and think like APTs. Think of it as a never-ending, automated “Red Team.” Our solution constantly searches for blind spots and holes in your network and infrastructure security posture.
It is necessary to identify weaknesses on a non-stop basis because vulnerabilities open up all the time in unexpected ways. Missing security patches that sit on the critical path to your crown jewels are one example. APTs know how to spot them. So does the HaXM advanced persistent threat protection platform.
There are hundreds of other possible vulnerabilities that can appear without anyone noticing. These include server admin sessions that were started but never ended, exploitable flaws in Linux and Windows Server, application-level vulnerabilities, errors in network appliance configuration and so forth. No number of human eyes will ever keep up. Only an automated penetration test will suffice.
Our solution is able to identify attack vectors working against critical assets on a 24/7 basis. It maps them visually so SecOps teams can see where they are exposed in real time. Then, with data-driven insights, we offer an automated “Blue Team” that provides prioritized, actionable remediation of vulnerabilities as they are discovered. HaXM keeps you one step ahead of the hackers to identify and remediate jump points and kill lateral movement that can prove detrimental to your critical assets.
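The attack-path mapping and jump-point prioritization described above, as an added illustration that is not HaXM code or XM Cyber's own implementation: it walks a small constructed host graph from assumed entry points to a crown-jewel asset, ranks the intermediate hosts and weakness types that the most paths depend on, and recomputes how many paths survive a given remediation. All host names, weakness labels and edges are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample attack graph (not real data): a foothold on src can be
# extended to dst by abusing the named weakness.
EDGES = [
    ("workstation-01", "file-srv-01", "cached-admin-credentials"),
    ("workstation-01", "web-srv-01", "missing-critical-patch"),
    ("workstation-02", "file-srv-01", "cached-admin-credentials"),
    ("file-srv-01", "app-srv-01", "cached-admin-credentials"),
    ("web-srv-01", "app-srv-01", "orphaned-admin-session"),
    ("app-srv-01", "db-crown-jewel", "misconfigured-firewall-rule"),
    ("jump-host-01", "db-crown-jewel", "missing-critical-patch"),  # not reachable from any entry point
]
ENTRY_POINTS = {"workstation-01", "workstation-02"}  # assumed initial footholds
CROWN_JEWELS = {"db-crown-jewel"}                    # critical assets to protect

def attack_paths(edges, entry_points, crown_jewels):
    """Enumerate simple paths (lists of (src, dst, weakness) steps) from any entry point to any crown jewel."""
    graph = defaultdict(list)
    for src, dst, weakness in edges:
        graph[src].append((dst, weakness))
    paths = []

    def walk(node, visited, steps):
        if node in crown_jewels:
            paths.append(steps)
            return
        for nxt, weakness in graph.get(node, []):
            if nxt not in visited:  # skip cycles
                walk(nxt, visited | {nxt}, steps + [(node, nxt, weakness)])

    for entry in sorted(entry_points):
        walk(entry, {entry}, [])
    return paths

def rank_jump_points(paths, entry_points, crown_jewels):
    """Rank intermediate hosts by how many attack paths pass through them (choke points first)."""
    counts = Counter()
    for steps in paths:
        hosts = {h for src, dst, _ in steps for h in (src, dst)}
        counts.update(hosts - entry_points - crown_jewels)
    return counts.most_common()

def rank_weaknesses(paths):
    """Rank weakness types by how often they sit on a live attack path."""
    return Counter(w for steps in paths for _, _, w in steps).most_common()

def paths_after_fixing(edges, host, entry_points, crown_jewels):
    """Recompute paths once every weakness used to reach `host` is remediated."""
    remaining = [e for e in edges if e[1] != host]
    return attack_paths(remaining, entry_points, crown_jewels)
```

On the sample graph, hardening app-srv-01 kills all three paths while hardening web-srv-01 leaves two, and the unreachable jump-host-01 patch never ranks at all, which is the prioritization effect the text describes.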