Tuesday, October 23, 2018

Advanced Persistent Threats - Detection and Mitigation Techniques

Introduction and methodology
Advanced persistent threats (APTs) are sophisticated attacks comprised of several different components, such as spyware, penetration tools, network propagation mechanisms, tools for concealment, and other sophisticated techniques, all designed with one objective: undetected access to critical information. APTs mainly focus on sensitive data, regardless of whether the data belongs to an individual, a small company, or a medium or large organization (Sullivan, 2011). Such sensitive information can be the personal details of clients, credit card details, payment information and any other information that should be kept secret and private. If this information gets into the wrong hands, it can result in a great loss to the individual or corporation that has been affected. Every company is vulnerable to these types of attacks, and thus mechanisms should be put in place to mitigate them.
Just as the organizational use of technology is continually changing, cyber threats are also evolving continuously. APTs are among the most dangerous threats to have emerged over the recent past. In this type of attack, the attackers use intricately crafted techniques to penetrate a particular enterprise or agency for a specific objective. APTs utilize multiple vectors to achieve their goal, combining custom malware, evasion, denial of service techniques, and spear phishing to avoid or disable the existing security controls and steal critical customer or company information (Rhodes-Ousley, 2013). There are four characteristics that differentiate APTs from earlier generations of attacks. For one, their objective is to steal information from a particular person or business for cyber espionage purposes instead of vandalism. That means they are spearheaded by competitor businesses or individuals whose aim is to acquire information to use against the company or agency in question.
The second characteristic is that these attacks depend on stealth mechanisms to go unnoticed, and they can continue propagating within the victim's organization for a relatively long time. Third, they are customized, and they can defeat defense strategies that are based on signatures. Lastly, APTs combine multiple techniques, thereby creating multistage attack campaigns capable of evading detection as they continue and expand their operations once they get hold of the target. The attackers take a relatively long time trying all the alternatives until they finally find the mechanism that works, or until they find a loophole that they can utilize to accomplish their mission.
Although many organizations are aware of APTs, they still fall victim to them, because they have not worked out how to detect and mitigate these threats. There is a lack of knowledge on the most suitable ways to detect and mitigate advanced persistent threats, which leaves organizations vulnerable. During my research, I will comprehensively examine the strategic and tactical best practices that can help to detect and mitigate APTs through the use of existing as well as emerging security technologies. My research will look into how these best-practice strategies can be implemented in companies with the aim of detecting and mitigating APTs. The research will focus on how the adoption of those best practices would reduce APTs, and on an infrastructure strategy directed against malicious content.

Methodology
What is Action Research?
Action Research can be defined as a collective, collaborative, critical, and self-reflective inquiry that is undertaken by the participants of the investigation (McCutcheon & Jung, 1990). It is also referred to as practitioner research, as it entails a reflective investigation of a practitioner's interest, problem or challenge. Unlike traditional research, the practitioner is the researcher, and he or she carries out research about his or her own practice. The research is conducted with the purpose of understanding one's practice and the problems faced in the given work environment, with the aim of eradicating them. The process starts with the development of research questions that are then to be answered via the collection of data. The term 'action' here means that the practitioner is the one acting as the collector of data, the analyst and also the interpreter of the findings. AR consists of four steps that are repeated continually until the best solution is reached.


History of Action Research
AR can be said to emanate from various theorists scattered across the decades and across locations, ranging from Marxist feminism to Aristotelian philosophy and Engels and Gramsci (Coghlan & Brannick, 2014; McNiff & Whitehead, 2011). However, most of the literature places the origin of AR in the western industrial democracy tradition, which acknowledges substantial contributions based on the works of earlier great thinkers such as Kurt Lewin, Paulo Freire, John Dewey, and Eric Trist. The work of Lewin and that of Trist revolved around organizations in what was commonly known at the time as the industrial democracy movement, particularly in the countries of the West (Greenwood & Levin, 2007; McNiff & Whitehead, 2011). Those arbiters and others established the diffusion route that started in Great Britain ahead of its shift to the Scandinavian countries, then spreading to the US and Japan and finally to the whole world.
If the famous Eastern-Western diffusion pattern is taken into consideration, AR can be traced back in light of its applications in several bodies of knowledge, including Education, Action Science and Participatory Action Research. Lewin mainly advocated the AR methodology in a bid to resolve the social problems faced by communities and systems. Lewin's group dynamics movement is the one commonly credited with opening the way for the application of Action Research in several other fields (Herr & Anderson, 2014). Lewin (1946) is the one most often credited with the origin of AR theory, as he studied and advocated for the resolution of minority discrimination issues within organizations. From Lewin's work there has emerged what is referred to as Traditional Action Research. Besides the work of Lewin, there were also contributions from the Industrial Democracy and Human Relations movements following World War II.
Participatory Action Research then evolved because of the need to address social problems in the community such as racism and feminism. Although the origin of participatory AR can be traced back to the times of the liberationist writers including Gramsci, Marx, and Engels (Reason, 2001), many theorists accept that the political conservative and feminist movements in Latin America gave birth to participatory AR. In the late 19th century, the educational field also embraced AR, and it is the area where AR is most widely used currently.
How AR is being used in Various Contexts
AR is being applied in many fields and specifically in the area of continuous professional development. AR has also been taken up at the third level as well as in higher education contexts, teacher education, police training, the civil service, information technology, and nursing and health care. Responsible professionals constantly review their work so as to make sure that they are as effective as possible. Some of the originators of AR said that everyone in a company needs to engage in self-reflective inquiry. In all these fields where AR is applied, all the stakeholders participate in the inquiry process so as to provide the descriptions as well as the explanations for their development, and then produce case study material that demonstrates that development process (Russel & Korthagan, 1995). The democratic nature of AR means that elitist forms have to be challenged, and all the participants are regarded as equal in the research (Lomax, 1994).
Justification of AR to my Study
AR is the research methodology that will be useful in my research as I endeavor to find out the best practices for detecting and mitigating advanced persistent threats. The cyclic nature of this methodology will be helpful to me because I will thoroughly scrutinize the research process and the actions until the desired change is achieved. It will help me to carry out a comprehensive investigation and make sure that the decision arrived at is the one most appropriate for the issue being addressed. By so doing, the pressing problem of addressing APTs will receive the best solution, one that is thoroughly tested and reliable.

Literature Review
Advanced Persistent Threats (APTs) are increasingly becoming one of the main concerns of information technology security professionals all over the world. This has happened for a good reason. The most recent APT attacks targeted officials of the Canadian government, the Republic of South Africa, the French government, and some elements of the European Union. Excessive hype has clouded the facts surrounding what APTs are and how dangerous they are. But what exactly is an APT? The term advanced persistent threat was coined, and joined the other common vocabulary of the information security profession, not long ago. This happened after Google announced that its intellectual property had suffered a targeted attack whose origin was China, according to Tankard (2011).
Google was not alone in this: more than 30 other technology companies, large corporations, and defense contractors had their security easily penetrated by hackers using social engineering and targeted malware, among other monitoring technologies, thus quietly accessing sensitive and confidential corporate data. By publicly admitting the breach, Google put a high-profile face on targeted attacks and on the lengths attackers were prepared to go to in order to gain access to proprietary corporate and military data and information. Additionally, this public admission also started a spate of vendor marketing promising counter-APT products and services. However, these counter-APT products and services have only clouded the issue for organizations' security managers and operations people.
People have continued to use and misuse the term APT since it was coined a few years ago. Another term with a meaning similar to APT is advanced targeted attack (ATA). The two terms are used to describe everything from high-profile attacks on enterprises and nation states to hacking techniques, different cybercrime campaigns, and even individual pieces of malware. Most companies have failed to see beyond the hype and gain a comprehensive understanding of the real meaning of APT and of the techniques for preventing or detecting the attacks (Zhou, Leckie, & Karunasekera, 2010).
Overview of APTs
According to Iguire & Williams (2008), the term APT was coined by the United States Air Force in 2006; the term describes complex (advanced) cyber-attacks against particular targets over long periods of time (persistent). The term originally described the stealing of data from nation states, or damaging other nation states, for strategic gain. The term has since been expanded by global security vendors and the media to include similar attacks conducted by cyber criminals with the intention of stealing data and information from corporations for profit. Attackers targeting customer records, source code, product roadmaps, and blueprints, among other confidential information, have been observed. Whether the term APT refers strictly to nation state attacks or also to cybercriminal efforts to steal corporate data and information is purely a matter of semantics, as shown by Li & Lai (2011).
Looking at the matter practically, what security professionals should comprehensively understand is that cybercriminals and nation states use the same APT techniques to steal data from businesses and corporations for financial gain. A recent breach at the Canadian government was one of several targeted attacks in which APT techniques were employed. In this attack, the perpetrator might not have been a nation state. However, the attack was targeted, complex, and took place over a long period. Both government and private agency employees should comprehensively understand, and protect against, the techniques employed by APTs.

Characteristics of APTs
Targeted
According to Bencsath, Pek, Buttyan, & Felegyhazi (2012), APTs specifically target organizations with the intention of stealing particular data or causing specific damage to the organization. This differentiates APTs from most historical malware, which has no specific target and infects systems randomly. The Aurora attack on Google specifically targeted source code, possibly with political motives. The attack on Sony targeted personally identifiable information (PII). The attack on RSA targeted intellectual property. None of the above attacks opportunistically targeted a random organization that happened to be vulnerable to exploitation.
The attacks were focused campaigns by perpetrators with time and money to invest in achieving certain objectives. It can therefore be concluded that:
i.    Any organization, regardless of size, that holds some valuable data is subject to APT methods and attacks.
ii.    The more valuable the data, the more likely an organization is to be an APT target.
The cyber criminals have a well-organized and well-funded economy, with attackers ready to invest heavily to achieve huge paybacks.
Persistent
APTs play out in several stages over long periods of time. Before the attack, the attackers only have information about the targeted organization and their goal and objective. They normally have no information about where the target organization stores data, what its security controls are, or which vulnerabilities might possibly be exploited. An attacker cannot steal the data without first identifying the vulnerabilities, evaluating the security controls in place, accessing privileged hosts within the targeted network, locating the data, and eventually extracting the data from the network. This process can go on for months or even years. It is important to note that attack detection therefore cannot rely on any single event; instead, it should look for patterns of events that resemble APT methodologies, according to Daly (2009).
Evasive
APTs can systematically evade the traditional security products that most organizations have relied on for several years. Below are some examples:
i.    To access hosts within the targeted network while avoiding network firewalls, the attacker delivers threats within content carried over commonly permitted protocols such as HTTP, HTTPS, and SMTP.
ii.    To install malware on legitimate hosts while avoiding antivirus software, the attacker writes code intended for the particular target environment. The code is unfamiliar, and no antivirus signature exists to provide protection.
iii.    To send data out of the target network while avoiding firewalls, the attacker uses custom-made encryption and channels the content within protocols that the firewall permits outbound.
Complex
APTs apply a complex combination of attack methods targeting several vulnerabilities identified within the organization. A particular APT may involve:
i.    Telephone-based social engineering to identify key individuals within the target organization.
ii.    Phishing emails sent to those key individuals, with links to websites capable of executing custom-made JavaScript code that installs a remote access tool.
iii.    Binary command and control code.
iv.    Custom-made encryption technology.
It is clear that no single security control is capable of providing coverage against all the above vectors. Any successful APT defense strategy must take a multi-layered approach in which multiple detection mechanisms collaborate to identify the complex patterns of evasive attacks, as Cole (2012) says.

Figure 2: Characteristics of APTs
Besides the above key characteristics of APTs, others have surfaced recently, such as being goal-oriented: the attackers know what they want before they launch the attack. With adequate intelligence, the attackers have several options for penetrating the network and getting the information they want. Another is the call-home behavior: the attackers cannot complete an attack without communicating with the outside world. In some instances, they will call home once they have infected the first system, after they have located the data they are targeting, or when the systems they have infected have adequate access to the data they need. The communication with the command and control (C&C) host is repeated to enable the attackers to receive further instructions or to begin extracting data in bite-sized chunks (McGraw & Fick, 2011).


Differences between APT and Traditional Attack
| Aspect   | Traditional Attack | APT |
|----------|--------------------|-----|
| Reason   | Financial or personal benefits | Economic advantage, strategic benefits, stealing sensitive data and information |
| Target   | Not easily determined | Targets government institutions, banks, and multinational enterprises |
| Approach | Very aggressive and rapid, smash and grab, attack techniques based on limited time | Repeats several times using several other methods, stealth approach, designed to resist defenses, acts slowly to avoid suspicion and may involve sleep modes before starting any attack |
| Attacker | Usually done by a single person | Systematically organized, complex, determined, sophisticated skills, and immense resources |

Table 1: Differences between APT and Traditional Attack
The APT Process
The APT process has three key phases that play out over a period of months. The phases are strategic and systematic.
•    Phase 1- Reconnaissance, launch, and infect
The attacker carries out reconnaissance, identifies possible host’s vulnerabilities, launches the attack, and infects the target hosts.
•    Phase 2 – Controls, updates, discovers, and persists
The attacker takes control of the infected hosts, updates the hosts’ codes, spreads the code to other machines, and discovers and collects the target data.
•    Phase 3 – Extraction and acting
The attacker then extracts the required data from the target network and eventually takes an action such as selling the data.
Phase 1
Reconnaissance, Launch, and Infect (Incursion)
Phase 1 of an APT attack has three sub-phases:
1.    Reconnaissance: The attackers research points of entry, host vulnerabilities, key individuals, and key assets. Among these may be the organization's top-ranking executives, IT administrators, and hosts that can lead to the target resources within the organization.
2.    Launch: This sub-phase consists of one or several methods intended to gain access to a privileged host. Targeted attacks and spear phishing enable the attackers to keep a low profile and evade detection. Some of the common methods are:
i.    Lure emails with embedded links to sites hosting zero-day malware downloads.
ii.    Emails with attached files in formats such as PDF or Microsoft Office. Some of these attachments may include zero-day attack code exploiting a previously unknown vulnerability.
iii.    Infected websites, identified from social media profiles, that the key individuals are interested in.
iv.    Social engineering to obtain the privileged credentials of user accounts.
3.    Infect: Custom-made code is installed onto a legitimate host. The installed code reports back to the command and control location with network information and other data that may help the attackers in the second phase.

Control, Discover, Persist (Discovery)
Phase 2 of the attack can also be divided into three sub-phases:
1.    Control: The attacker starts to remotely control the already infected hosts using a command-and-control (C&C) service. In some cases the service may be located on a compromised host within the targeted network. Mostly, however, it is found on the Internet, on a dynamic DNS host. The C&C channel gives the attacker the opportunity to update the malware remotely, add new malware such as encryption tools, and send commands to the host. The original malware infection mostly involves custom-made (zero-day) attack code. However, commonly and easily available toolkits are frequently seen being used for command and control.
2.    Discover: At the Discover stage, the infected hosts download additional components, gaining the ability to discover the data targeted by the attacker, both within the infected hosts and in other network locations. Some of the main targets might include Active Directory (AD) and public key infrastructure (PKI) servers, which establish the accounts and access privileges for the organization's confidential data within the network or in cloud-based storage. Another discovery technique is monitoring data in use as soon as users have presented their credentials to access it, along with breaking into the systems on which those users have been granted administrative rights. Additionally, the attacker may seek broader control by discovering more hosts within the targeted network and infecting them through network or system-level vulnerabilities. The attackers use standard network tools like gsecdump, SSH, RDP, and Cain & Abel (for cracking passwords) to gain more control of the host network.
3.    Persist: Traditional malware and APTs are differentiated by the ability of the APT to persist. Traditional malware is removed from the network by antivirus software, or removes itself, once it has become known and identified. An APT is intended to go unnoticed. Furthermore, an APT is designed so that it can persist by calling back to the C&C centers to obtain updates and download new, undetected code, thus avoiding detection even when the antivirus software is updated immediately.

Extract, Take Action (Capture)
At the third stage, the attackers have taken full control of one or several hosts within the targeted network. Additionally, they have established access credentials with which to expand their reach, and have already identified the target data (assuming data was what they were targeting). The last thing remaining is to send the data out of the network to either their C&C server or a previously unused server. The server to which they send the data may be located in the attacker's own country or in a distant one. If new data, such as new customer records or business plan updates, keeps becoming available and proves valuable to the attacker, the third phase can continue indefinitely. However, the attacker eventually stops, either because they have attained their goal or because the victim notices and dismantles the attack. Several consequences may follow at that point:
i.    Ransom: The attacker threatens to disclose the data theft publicly if the victim fails to pay the demanded ransom. The victim may be forced to pay the ransom to avoid damaging their brand, losing customers, and regulatory fines, among other consequences. This is one of the ways in which the attackers convert the stolen data into the money they want.
ii.    Shared or sold attack methods: If the victim did not thwart the attack, the attacker shares or sells the methodology to other attackers, who attack the organization again or attack other targets.
iii.    Sale of information: If the attacker managed to steal information such as names, credit card numbers, and email addresses, they might sell the information to other criminals who commit downstream crimes against the owners of the information. One example is an illegitimate person using a stolen credit card to make purchases.
iv.    Public disclosure: The attackers may eventually disclose the data to the media publicly. Most of the time, the victim discloses the attack once they know it has occurred. However, the attackers may announce what they have achieved before the victim knows anything about it.

APT Adoption Lifecycle
The methods adopted by an APT do not always end after one attack. Other attackers copy these techniques and apply them to other targets and organizations regardless of their size. Eventually, these attack techniques may become a commodity, turned into malware kits and sold to common hackers. In this respect, the lifecycle may continue for many years beyond its originally intended target and victimize many targets.

The above Aurora APT code has continued to be detected on many other infected sites around the world since it was first announced in 2010.
Requirements for APT Defense
From a comprehensive analysis of APTs as described above, some key requirements of an efficient and effective security solution can be derived.

Aware of the content
APTs routinely penetrate network firewalls by embedding their exploits within content carried over commonly allowed protocols. Therefore, defense against APTs requires deep and comprehensive awareness of content.
Aware of the context
According to Juels & Yen (2012), most APTs use custom-developed code. Additionally, they target zero-day vulnerabilities. Therefore, they cannot be identified by any single IPS or antivirus signature. In the absence of definitive attack signatures, defenses have to rely on less definitive indicators. A single suspicious indicator is also not enough to identify an APT attack. What should be done is to evaluate each suspicious indicator in the context of other APT indicators. This is the only way in which enough evidence can be amassed to reliably identify malicious APT activity.
Aware of the data
Targeted organizations may well not know exactly what an individual APT looks like. However, most of these organizations can identify their sensitive data. Therefore, they can apply data loss prevention (DLP) technology as a layer of defense that identifies sensitive data and prevents transfers of this data out of the organization. It is also important that organizations identify the use of proprietary encryption in web traffic leaving the organization as a form of defense against APTs.
Common APT Tools
| Tool Name | Tool Description |
|-----------|------------------|
| Least Significant Bit (LSB) Steganography | A method of hiding information. The tool is used to hide files inside images, which provides cover for an APT's data extraction as well as its infiltration. |
| Net box | Net box provides the APT with remote access tool (RAT) services. It is also used legitimately by organizations to support their branch offices. |
| Truesec Lslsass | Used for cracking passwords. Additionally, attackers may use it in pass-the-hash attacks, because once it has acquired the password hash from the logon sessions it enables the attacker to move freely over the network without arousing suspicion. |
| GETMAIL | Used to retrieve email. However, the tool can be modified to serve as an escape route or to extract data from the network. |
| LZ77 Data Compression | A data compression algorithm that also compresses images. It is used to save space or to hide the original data by encrypting or compressing it. |
| Secure Delete (Sdelete) | Deletes files securely by overwriting them with data patterns. The tool implements the DoD 5220.22-M standard, making recovery of the deleted files difficult. |
| HUC Packet Transmit Tool (HTran) | Acts as a reverse proxy, masking or redirecting TCP traffic to a desired host and thereby obscuring the true host address. |

Signs of APT Attack
Hackers employing APTs are different from the ordinary ones who employ common hacking techniques. As the preceding discussion has shown, APTs are a real and constant threat to global networks and organizations. Most APT attackers are well organized and work collaboratively and professionally as a team. Their main goal and objective is stealing valuable intellectual property such as descriptions of confidential projects, contracts, and patent information. APT attackers are known to employ familiar hacking methods, using phishing emails among other tricks to fool users into downloading malware. The eventual objective of these attacks is very ambitious: APT attackers try to become the company they hack (Felt, Finifter, Chin, & Wagner, 2011).
APT hackers employ different hacking techniques from ordinary hackers. Therefore, they leave behind very different signs. There are signs that indicate that an APT has compromised a company's network security. Each of the signs could form part of legitimate activity within the company. However, their unexpected nature and the volume of activity could be evidence of exploitation by an APT. Below are some of the signs of an attack by an APT:
i.    Increase in elevated log-ons late at night
APTs escalate rapidly from an attack on a single host to taking over the whole environment. They achieve this by reading from an authentication database, stealing credentials, and reusing those credentials. The APT learns which user or service accounts hold elevated permissions and privileges, then works through those accounts, compromising them across the environment. Most of the time, a high volume of elevated log-ons happens at night because the attackers are on the other side of the world. If there is a sudden increase in the volume of elevated log-ons while the legitimate workers are not in the workplace, there is cause for concern.
ii.    Presence of widespread backdoor Trojans
Among the things APT hackers do is install backdoor Trojan programs on compromised hosts within the attacked environment. Backdoor Trojans are installed to ensure the attackers can always get back in, even if the owners change the captured log-on credentials.
iii.    Information flowing unexpectedly
This is the best way to detect APT activity. APT activity causes large, unexpected flows of information from internal points of origin to internal or external computers. It could happen from one server to another, from server to client, or from one network to another. However, to easily detect possible APT activity, organizations should comprehensively understand what data flows and how it flows before an attack compromises the environment.
iv.    Discovery of unexpected data bundles
APTs gather stolen data at internal collection points before moving the data outside. A large volume of data, in gigabytes, in places where it should not be is suspicious, especially if the data is compressed in archive formats that the company does not normally use.
v.    Detection of pass-the-hash hacking tools
It is known that APTs do not use the pass-the-hash hacking tools. However, these tools pop up frequently after they have been used because hackers forget to delete them. If these hacking tools are detected on the network, further investigation is warranted because they are evidence of an APT attack.
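The first of the signs above, elevated log-ons at unusual hours combined with one credential reused from many hosts, can be turned into a simple check over authentication logs. The following is an added example, not code from the original study: it uses a constructed log in a hypothetical "timestamp account host level" format, treats 00:00-05:59 as off-hours (an assumption for this site), and compares each day's off-hours elevated log-on count against the other days.

```python
"""Detect off-hours elevated log-on spikes and credential spread (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log in a hypothetical format:
# "<ISO timestamp> <account> <source host> <logon level>"
# Days 1-3 show the normal nightly backup job; day 4 shows the pattern the page describes.
SAMPLE_LOG = """\
2018-10-19T01:00:02 svc_backup HOST-FS01 elevated
2018-10-19T08:58:41 alice WS-101 standard
2018-10-19T09:03:17 bob WS-102 standard
2018-10-19T14:22:05 itadmin WS-ADM01 elevated
2018-10-20T01:00:03 svc_backup HOST-FS01 elevated
2018-10-20T08:55:12 alice WS-101 standard
2018-10-20T10:41:39 itadmin HOST-DC01 elevated
2018-10-21T01:00:01 svc_backup HOST-FS01 elevated
2018-10-21T03:15:00 alice WS-101 standard
2018-10-21T09:10:27 bob WS-102 standard
2018-10-22T01:00:04 svc_backup HOST-FS01 elevated
2018-10-22T02:05:44 svc_backup WS-104 elevated
2018-10-22T02:06:01 svc_backup WS-117 elevated
2018-10-22T02:07:30 svc_backup WS-121 elevated
2018-10-22T02:31:09 itadmin WS-117 elevated
2018-10-22T03:02:55 itadmin HOST-DC01 elevated
2018-10-22T03:04:12 itadmin HOST-FS02 elevated
2018-10-22T09:01:48 alice WS-101 standard
"""

OFF_HOURS = range(0, 6)  # 00:00-05:59 local time; assumed to be outside working hours here


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, level = line.split()
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "host": host, "elevated": level == "elevated"})
    return events


def off_hours_elevated_per_day(events):
    """Count elevated log-ons that fall inside OFF_HOURS, keyed by ISO date."""
    counts = defaultdict(int)
    for e in events:
        if e["elevated"] and e["time"].hour in OFF_HOURS:
            counts[e["time"].date().isoformat()] += 1
    return dict(counts)


def flag_off_hours_spikes(events, min_events=3):
    """Return {date: count} for days whose off-hours elevated log-on count is more than
    two standard deviations above the mean of the other days in the log.
    min_events stops a single stray log-on from being flagged on a quiet network."""
    days = sorted({e["time"].date().isoformat() for e in events})
    counts = off_hours_elevated_per_day(events)
    per_day = {d: counts.get(d, 0) for d in days}  # include days with zero events
    flagged = {}
    for day, n in per_day.items():
        others = [v for d, v in per_day.items() if d != day]
        if not others or n < min_events:
            continue
        if n > statistics.mean(others) + 2 * statistics.pstdev(others):
            flagged[day] = n
    return flagged


def off_hours_credential_spread(events, min_hosts=3):
    """Accounts whose elevated off-hours log-ons came from min_hosts or more distinct hosts,
    which is the credential-reuse pattern the page describes. Returns {account: [hosts]}."""
    hosts = defaultdict(set)
    for e in events:
        if e["elevated"] and e["time"].hour in OFF_HOURS:
            hosts[e["account"]].add(e["host"])
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("off-hours elevated log-ons per day:", off_hours_elevated_per_day(evts))
    print("days flagged:", flag_off_hours_spikes(evts))
    print("credentials spread across hosts:", off_hours_credential_spread(evts))
```

On the constructed log, the nightly backup log-on alone never trips either check; only the fourth day, with the same service account appearing on several workstations, is flagged.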
Strategies and Tactical Defenses against APT
    In most organizations the world over, IT security budgets are consumed largely by the installation of antivirus, firewall, and IDS/IPS products. Despite this, many of these organizations fall victim to targeted attacks such as APTs that are capable of eluding these defenses. Traditional security measures have not sufficiently addressed current threats, and most APT attacks will succeed against their targets unless a new security posture is adopted. A successful defense against APT techniques must be able to monitor both inbound and outbound network traffic for data, content, and context, preferably for both web and email communications. The outbound layer of the defense should always monitor outbound communications to detect behavior related to data theft. Below are some examples of such outbound behavior (Deibert & Rohozinski, 2009):
•    Command and control (C&C) traffic
•    Requests targeting dynamic DNS hosts
•    Requests to known unsuitable web locations
•    Movement of sensitive files, such as the SAM database, that should never leave the organization
•    Use of proprietary encryption
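The outbound behaviors listed above, together with the unexpected data flows described under detection, can be expressed as concrete rules over proxy logs. The following is an added example, not code from the original post: a small detector run over constructed proxy log lines, where the log format, the dynamic DNS and blocklist entries, the sensitive file names and the thresholds are all assumptions.

```python
"""Added example (not from the original post): flag outbound behaviours that
point to C&C traffic or data theft in a constructed proxy log. The log format,
suffix lists, blocklist and thresholds are assumptions for the example."""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed placeholders; an organization would plug in its own lists.
DYNAMIC_DNS_SUFFIXES = (".dyn.example", ".ddns.example")
BLOCKED_HOSTS = {"bad-site.example"}
SENSITIVE_BASENAMES = {"sam", "sam.hive"}   # files that must never leave
MAX_BYTES_OUT = 50 * 1024 * 1024           # per (source, host) in the window
MIN_BEACONS = 4                            # requests needed to judge beaconing
MAX_GAP_CV = 0.1                           # spread of gaps relative to the mean


def parse_line(line):
    """'YYYY-mm-ddTHH:MM:SS src method url bytes_out' -> dict (assumed format)."""
    ts, src, method, url, bytes_out = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "url": url, "host": (urlparse(url).hostname or "").lower(),
            "bytes_out": int(bytes_out)}


def per_request_alerts(rec):
    """Indicators that a single request carries on its own."""
    alerts = []
    if rec["host"].endswith(DYNAMIC_DNS_SUFFIXES):
        alerts.append("dynamic-dns host")
    if rec["host"] in BLOCKED_HOSTS:
        alerts.append("known unsuitable location")
    basename = urlparse(rec["url"]).path.rsplit("/", 1)[-1].lower()
    if rec["method"] in ("POST", "PUT") and basename in SENSITIVE_BASENAMES:
        alerts.append("sensitive file leaving the organization")
    return alerts


def analyze(lines):
    """Return {(src, host): [alerts]} for every pair with at least one alert."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_pair[(rec["src"], rec["host"])].append(rec)
    alerts = {}
    for pair, recs in by_pair.items():
        found = set()
        for rec in recs:
            found.update(per_request_alerts(rec))
        # Unexpected volume: a large flow from one internal point of origin.
        if sum(r["bytes_out"] for r in recs) > MAX_BYTES_OUT:
            found.add("unexpected outbound volume")
        # C&C beaconing: many requests at near-constant intervals.
        times = sorted(r["ts"] for r in recs)
        if len(times) >= MIN_BEACONS:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < MAX_GAP_CV:
                found.add("possible C&C beaconing")
        if found:
            alerts[pair] = sorted(found)
    return alerts


# Constructed sample log: one beaconing host, one bulk upload, one blocked
# site, and one benign intranet user.
SAMPLE_LOG = [
    "2018-10-23T09:00:00 10.0.0.5 GET https://updates.ctrl.dyn.example/ping 512",
    "2018-10-23T09:05:00 10.0.0.5 GET https://updates.ctrl.dyn.example/ping 512",
    "2018-10-23T09:10:00 10.0.0.5 GET https://updates.ctrl.dyn.example/ping 512",
    "2018-10-23T09:15:00 10.0.0.5 GET https://updates.ctrl.dyn.example/ping 512",
    "2018-10-23T09:20:00 10.0.0.5 GET https://updates.ctrl.dyn.example/ping 512",
    "2018-10-23T09:03:10 10.0.0.7 POST https://files.share.example/upload/SAM 31457280",
    "2018-10-23T09:04:40 10.0.0.7 POST https://files.share.example/upload/export.bin 31457280",
    "2018-10-23T09:06:00 10.0.0.9 GET http://bad-site.example/landing 300",
    "2018-10-23T09:01:00 10.0.0.11 GET https://intranet.example/news 1200",
    "2018-10-23T09:02:30 10.0.0.11 GET https://intranet.example/hr 900",
    "2018-10-23T09:07:00 10.0.0.11 GET https://intranet.example/news 1100",
]

if __name__ == "__main__":
    for (src, host), found in analyze(SAMPLE_LOG).items():
        print(f"{src} -> {host}: {', '.join(found)}")
```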
    Defenses such as firewalls, antivirus, and IDS/IPS concentrate on protection against inbound threats. They rely on signatures and on the analytics of each individual product, but they ignore outbound communications: they lack analysis of behavioral context, threat scoring that combines the analytics of the various defenses, and analysis of outbound traffic for data theft. Traditional defenses like firewalls and antivirus are still required because they block known threat vectors. However, they are inadequate against APT techniques and targeted attacks, and this inadequacy must be recognized and addressed.
    Davis & Clarck (2011) say that secure Web gateways give the network an additional defense layer because URL filtering and antivirus scanning operate together. They are also able to analyze SSL traffic. Organizations cannot be protected holistically without adopting a layered defense that covers both outbound data theft and inbound protection for the case where security is compromised.
    First, an organization should secure its email gateway so that it inspects malicious web links and attachments, preventing the initial malware infection. Second, the organization should choose a secure web gateway that offers more than traditional URL filtering and antivirus. Such a solution cannot be effective without real-time threat analysis that detects zero-day malware as well as non-binary malware such as malicious JavaScript; in this way, compromise of client machines is prevented. Third, the solution the organization implements should have strong outbound web detection capabilities that detect the malicious behaviors indicating a data theft operation in progress (Binde et al., 2011).
    The above measures should be complemented by ensuring the gateway can see inside encrypted (SSL) traffic and attachments so that they are inspected as thoroughly as possible for potential malware or sensitive data. The solution should also have strong DLP capabilities so that it can see when the organization’s most valuable and sensitive data is leaving. DLP can plug into secure email and web gateways, but on its own it does not share content and context information in a way that builds a strong defense. Organizations are therefore recommended to implement a unified defense solution capable of analyzing content, data, and context for the inbound and outbound traffic passing through the web and email entry points, thus providing the defense required against APT techniques and targeted attacks, as shown by Tavallaee, Stakhanova, & Ghorbani (2010).
Business Practices Compounding the APT Problem
    Technology changes and attacker motivations are some of the reasons APTs are becoming an increasingly significant threat. The way systems are architected also allows attackers to reach business applications, worsening the problem. Consider de-perimeterization: some time ago, firewalls could block any traffic that was not explicitly allowed. With the advancement of applications, there is now a need for flexibility in the movement of network traffic, and outsiders are among the parties that need access to internal resources. Application developers write applications that tunnel otherwise blocked traffic over allowed protocols such as HTTP. Instead of having a single boundary around all network assets, organizations have opened access to more servers while depending on device-based controls and monitoring of network traffic (Iheagwara, Blyth, Kevin, & Kinn, 2004).
    Another factor that APTs can easily exploit is the increased use of mobile computing devices and other unmanaged devices. Most IT departments are not in a position to dictate the anti-malware programs or access controls that a device must have before it is used with the organization’s internal services. Such mobile devices can be used by APTs to carry out part of an attack on a business or a government network.
    The increase in publicly available Web applications has provided another dimension and method for launching an attack. For instance, attackers could use an injection attack against a Web application to collect intelligence about the contents of its databases and the structure of the application. Businesses need to expand their employees’ access to the infrastructure holding critical information, which makes it easier and more efficient for employees to perform the necessary tasks. However, this expanded access to the critical information infrastructure also increases the number of points at which attackers can strike.
    Technical and organizational factors both add to the potential for an APT attack to be executed. Most of the above factors, such as giving employees access to the critical information infrastructure and allowing the organization’s applications to be used from mobile devices, are so beneficial to the organization and its employees that it would be difficult to curtail them. The risks associated with APTs can be mitigated without necessarily sacrificing these and other technological advances (Virvilis & Gritzalis, 2013).
Proposal
    During my research, I will comprehensively examine the strategic and tactical best practices that can help to detect and mitigate APTs through the use of existing as well as emerging security technologies. My research will look into how these best-practice strategies can be implemented in companies with the aim of detecting and mitigating APTs. The research will focus on how the adoption of those best practices would reduce APTs and on the infrastructure strategy towards malicious content. However, this will not be possible without employing an iterative and tactical approach. The approach will comprise four iterations through which I am going to learn. Below is the diagrammatic representation of the iterations.



Iteration 1: Collecting study and research materials related to APT and preparing for research
    It will be right that before I start the research, I collect the study materials related to APT. Therefore, I will be visiting the library to collect the books, journals, magazines, publications, and any other material that is related to APT. I am also going to consult widely before I collect any material so that the materials from which I will be researching will be relevant to my study. Additionally, I will talk to the librarian to guide me in selecting the best materials from which I will be researching. After collecting the study materials, I will start preparing for the research by ensuring that I have other materials and a quiet place from which I will be researching.
Iteration 2: Analysis and comparison of different APT mitigation techniques
    APT is not a new IT threat. It has been there since it was first discovered. Therefore, from the study materials I will have collected from the library, I will analyze and compare the different mitigation techniques of APT. Additionally, I will learn new mitigation techniques and also compare them with what I will have learned previously. I will also look into how these best-practice strategies and mitigation techniques can be implemented in companies with the aim of detecting and mitigating the APT.
Iteration 3: Further consultation with an IT security personnel and recording the findings
    I will not be in a position to share my findings before I consult IT security personnel. Therefore, I will look for some IT security personnel with whom I will share my findings and do further analysis. I will consider whatever I am going to learn from the IT security personnel and add it to what I will have learned. Additionally, this is the moment I will take to learn further about APT security mitigations. I will eventually record my findings.

Iteration 4: Sharing and making known the findings
    My research will be meaningless if I will not share what I will have learned with the people who need them. Therefore, after analysis and consultation with the IT security personnel, I will prepare a platform on how I am going to share my findings so that they can be put into practice by the people who need them and especially the public and private agencies where APT are proving to be a threat. I am going to share the findings I will have recorded after the consultation with the IT security personnel.


Iteration 1: Collecting Study and Research Materials Related to APT and Preparing for Research
Planning
    The first iteration will be a kind of qualitative research or a qualitative study. Although I will be required to collect materials from which I am going to learn detection and mitigation techniques of advanced persistent threats (APT), I will be the main instrument. In a bid to get the latest and most relevant research materials, I will visit the library, from which I am likely to get such study materials as books, journals, magazines, and other publications. However, I will have to ensure that these materials are related to the topic of APT. I should not be in a situation where I cannot differentiate the most relevant and the irrelevant materials. In this case, I will have to carry out a wide consultation with the librarian for guidance. I will also have to learn the skills of observation and note-taking as well as talking to people who may be knowledgeable in the area of APT.
    This library research will not be easy. I might, along the way, find the research frustrating and difficult. However, as much as I will experience some difficulties and frustrations along the way, I will ensure that I have not left out critical preparation steps which, as a skilled researcher, I ought to routinely do before I begin researching the topic of detection and mitigation techniques of APT. Besides collecting study materials from the library, I will also do other preparations, which include ensuring that I have comprehensively understood the research topic. The research question here is the detection and mitigation techniques of APT. I will also have to define the research question in detail and ensure that I have room for research. I will also ensure that I have as much time as possible to complete the research.
Action
    I did not start collecting the study materials until I had comprehensively defined the research topic. Additionally, I had to ensure that I had understood it in the best way possible. I did not want a scenario where I would be confused about the study materials I was required to collect from the library (Richardson, 1994). Although I knew my research topic, I had to define the research question to narrow the line of materials I would have to select from. I was interested in researching detection and mitigation techniques of APT. Therefore, my research question was, “What are some of the ways through which organizations and individual users can detect and mitigate APTs?”
    I visited the library with the question I was going to type into the library catalog so that I would locate the materials. However, I did not go immediately into the library catalog. I consulted the librarian, with whom I logged in to one of the computers from which we were able to locate the materials. Below are the materials I found in the library according to the recommendations of the librarian (Bordens & Abbott, 2002):
(i)    Persistent threats and how to monitor them (Network Security Journal)
(ii)    The big four: What we did wrong in advanced persistent threat detection (Conference Proceedings)
(iii)    A practical study on Advanced Persistent Threats (Book)
(iv)    Advanced Persistent Threat (Book)
I went through the books while taking notes to ensure the materials were relevant to the topic of detection and mitigation techniques of APT. Having done that, I collected the materials and left ready to research the topic (Fink, 2013).
Observation
    I had anticipated that collecting study materials from the library would be difficult and frustrating. However, it proved to be one of the easiest things I would have to do in the iteration. It was not easy by default but because of the preparation I had gone through before I engaged myself in visiting the library and collecting the study materials. According to the observations I made, one of the reasons I was successful was that I had not left out the important preparation steps which, as a skilled researcher, I was supposed to routinely do before I started the iteration. Analyzing the preparation I undertook before visiting the library, I can say it was as comprehensive as it could be.
    There are many ways in which a researcher can prepare for research, but as much as they need to prepare themselves, they also need other people to guide them through. It is not possible for a person, researchers included, to have knowledge of everything that is required during the research process. I also think this is the reason why I had to consult the librarian once I visited the library. According to my observations, there are many materials from which I could have learned detection and mitigation techniques for APT. Making a close observation, I concluded that some of them were outdated and could not be relevant to the APTs of today. That is why I, therefore, required the services of the librarian to guide me through.
    I observed and acknowledged the importance of good preparation. The good preparation was the key to success I had in collecting the materials I required to do the research. Additionally, together with collaboration and realizing the importance of other people I was able to go through the iteration without major issues. I also observed how the library was stocked with all the materials required to carry out any research.
Reflection
    I had imagined that the process of preparing for the research and collecting study materials would be difficult. As it sounds, it would have been difficult were it not for the preparation I did before the actual process of visiting the library and ensuring that I had all the study materials I required. Additionally, one other thing that helped me was remaining positive about everything that I was supposed to do. I can also attribute my success in the iteration to the consultation and collaboration I had engaged in before I visited the library. My experience with APTs was not detailed enough that I could have said I would think of ways of detecting and mitigating them. I needed to learn as much as possible, and there was no better platform through which I was going to learn detection and mitigation techniques than collecting the study materials from the library and doing the research myself.
    This process was hectic and required as much preparation as possible. The outcomes of the research would be used in securing the systems and network of an organization. Therefore, I had to approach it in the best way possible and, along the way, ensure that I was as comprehensive as possible. The way in which I approached the problem was commendable. When I look at the way I did it, there is no better way I could have approached the iteration and obtained the same result according to the outcomes I wanted. Most of the things in the iteration were successful. However, there were some instances of the activities in the iteration that I feel, if done in the best way possible, would have led to even better results. I believe it would have been better if I had got an expert in APTs who would have shed more light on the issue. However, this does not mean that I was not successful or that I did not like my achievement in the iteration.
Iteration 2: Analysis and comparison of different APT mitigation techniques
Plan
In my plan to prepare for the analysis as well as the comparison of various APT mitigation techniques, my objective would be the collection of as much information as possible so as to validate the findings and have a comprehensive knowledge of APT threat detection and mitigation. I plan to leverage the study materials that I collected from the library and meet a security expert who would help to clarify any information I collect from the sources and also provide me with additional knowledge on the mitigation of APT attacks. However, these tasks could not be accomplished without listing the objectives and contacting the resource person in good time so as to prepare her psychologically.
I came up with the iteration objectives and contacted the resource person, Mrs. Munuve, on the phone so as to prepare her. I planned to have a good time with the resource person in the morning hours, between 9 am and 11.30 am, for one week, and then in the afternoon I planned to carry out my research to acquire more information and to recap the things I learned during the day. The deliverable of this research and iteration would be a list and a comprehensive explanation of the techniques that organizations should implement so as to detect and mitigate APT effectively.

Action
Before embarking on thorough research into the techniques of APT detection and mitigation using books and learning from my resource person, I had to document the objectives of the session and contact my resource person. I then arranged the topics according to their importance and technicality in such a manner that we began with the easier ones and advanced to the more technical ones. I then embarked on serious learning from the very first day because I had limited time in which to accomplish this research. In the morning hours I took my time with my resource person, Mrs. Munuve, between 9 am and 11.30 am, and then in the evening, from 4 pm to 6 pm, I carried out my research and prepared for the following day’s activities.
I learned about the various techniques and best practices for detecting and mitigating the APT threats in any organization. We did that by considering the APT threat landscape and the available technologies and systems that can help to achieve the detection and mitigation.  We also put into consideration the various levels of the organization and how they need to collaborate to handle the APT threats in their organizations effectively.  I then documented everything I had learned.
Observation
I observed that APT attacks target people and that this will never change. The adversaries have been found to leverage social engineering as well as social networks to trick employees into sharing sensitive information via familiar interactions using perceivably trusted sources (Li, Lai, & Ddl, 2011). Since people are the weakest link in any security chain, there is a need to train employees so that they are aware of the techniques leveraged by the attackers. Also, security personnel need to put in place specific strategies as well as tactical best practices aimed at detecting and mitigating APT threats using both existing and new security technologies (de Vries et al., 2012).
The organization should also perform business impact as well as threat assessment analysis so as to categorize the threats, digital assets, and users into high, medium, and low priority categories, thereby enabling faster alert response on the high-impact threats, critical assets, and events. Where applicable, SIEM capabilities should be improved to incorporate mitigations that draw on multiple security tools, aimed at improving contextual awareness and offering a high-level alert management capability (C. Munuve, Personal Communications, September 22, 2016). Another technique is to subscribe to security intelligence services that regularly offer information to keep security people updated with the latest malicious events and activities. Organizations should also invest in forensics as well as malware sandbox analysis capabilities as they aim to secure their organizations from APT threats (Beuhring & Salous, 2014).
Reflection
The second iteration went on commendably well in many areas. The resources that I leveraged and the resource person all provided me with the crucial information that saw the research being successful in the long run. Outlining the objectives of the session and also informing the resource person early enough made it possible to achieve the success that was witnessed in this iteration (C. Munuve, Personal Communications, September 22, 2016). I realized that proper prior planning is an imperative ingredient of success. Carrying out my own investigation in the evening, recapping the things learned during the day and preparing for the next day’s activities helped me to save much time that I would have spent making inquiries of the resource person. It also made her work easier.
As I carried out more research, I came to discover that there were many things that I had to learn. Many times we had to rush through the basics so as to save time for other activities, as the time was limited. I plan to take more time during the subsequent iterations as I investigate the other areas that must have been left out of the scope of the first and second iterations. Having only one resource person meant that I missed some knowledge that would have been available had I used more experts. I plan to involve more experts in the area of security so as to gain more knowledge on the detection and mitigation of APT threats.
Iteration 3: Further consultation with an IT security personnel and recording the findings
Plan
Since the area of APT threat detection had been comprehensively handled, and it is not as wide as the area of mitigation, I planned to focus more on the area of mitigating the threats. I partially addressed this area with my resource person during the previous session, and in this session I planned to involve more resource persons and to carry out the analysis of the information collected from the previous iteration so as to effectively integrate it into meaningful documentation and recommendations. I planned to consult IT security experts from renowned companies, and their names were Mr. Clinton, Mrs. Swaminarayan, and Mr. Triton.
I planned to take two weeks in this research so as to ensure that I comprehensively tackled the mitigation techniques for APT threats and produced a reliable and well-informed report. The areas that I planned to tackle during these two weeks included tactical best practices, how to reduce the threat of APTs using tactical controls, network perimeter security, and intrusion detection and prevention. Addressing all those areas would make me feel that everything about APT threat detection and mitigation had been efficiently addressed.
Action
Since I had informed the resource persons early enough, when the time came for the research to commence I met the resource persons in the town hall ready for the research. We brainstormed on an approach to take in addressing the issues in the program and came up with a sound plan that would have all the areas addressed within the time span of the two weeks. I also presented to them the information I had on hand for them to make a few clarifications and understand the areas that had already been addressed, to save time.
The resource persons addressed the area of how to mitigate APT threats, beginning with how to implement the tactical best-practice controls and strategies. I learned how to adopt the best practices with the aim of reducing the threat of APTs, including keeping oneself updated on the threat landscape, thwarting social engineering via education, and the best practices applicable to all technical control layers. They also taught how to upgrade the network perimeter and network-based security using IPsec and SSL VPN connections. They also handled the areas of next-generation firewalls and unified threat management; intrusion prevention and detection technologies; network and cloud sandboxes; and web application security. Lastly, they addressed the area of infrastructure protection strategy for malicious content.
Observation
I observed that the resource persons had good insight into the area of APT threats due to their many years of experience working in senior positions in their organizations. What I observed about securing organizational information systems from APT threats is that a comprehensive security approach must be used. That is because there is no single technology that is capable of stopping advanced targeted attacks (Cárdenas et al., 2011). I observed that organizations need to implement proper system as well as application patching since it is one of the single most successful security defenses against APTs.
I also learned there is a need to seek integrated cross-product security controls that offer telemetry as well as adaptive responses to the detection of security incidents and events. I also observed that comprehensive security should not be approached holistically, since some areas are likely to be missed out. Approaching organizational security and the mitigation of APTs needs a reductionist approach so that every layer of the system and every event is adequately addressed individually (Rhodes-Ousley, 2013). The security control that might be effective in one area of the system may not work for another area.
Reflection
The iteration enriched me with essential information that I had anticipated as a young IT security professional, especially in the area of APTs. I got to learn that the security of organizational systems is something that is important and needs to be approached using the reductionist approach. I came to understand the roles of the different security experts within an organization and how to collaborate with them so as to ensure there is reliable security for the information system within their organization. I also got to know how security intelligence can help to garner fundamental information about APTs so that both the old and the upcoming threats are covered in the security strategies (Wittkop, 2016).
During this iteration, I over-relied on the IT security personnel that I used as my resource persons. I feel that using other resources such as journals, books, and conference papers would have provided more information that I could not get from these experts. I plan to make sure that in the future I use as many resources as possible for the purpose of acquiring all the essential information to make the research successful.
Iteration 4: Sharing and making known the findings
Plan
This iteration involved sharing the information acquired from the research with the security personnel of both private and public companies with the aim of increasing their knowledge of the APT threat landscape and its mitigation. I first of all planned to analyze the findings and filter them adequately so as to eliminate the items that were repetitive and unnecessary, and so present the information in a clear and concise manner that even novice readers could easily understand. I planned to come up with an online portal or website from which I could share the information gained from my research and have the security personnel of organizations and any other interested parties well informed about APT detection and mitigation.
Since this was an iteration like any other, I had to have a solid plan on how to come up with that online portfolio by consulting two programmers who could help to design it for me. It would just be a simple platform about “Organization Defenses against APT Threats.” I would brainstorm with the programmers and make them knowledgeable on how to effectively design and develop the site so as to contain all the elements that I wanted it to have.
Action
I came up with the entire research outline for the two weeks and planned to assess and interpret the findings correctly in the first three days. During that period, I filtered the information I had recorded from the previous iterations and removed anything that was irrelevant or repetitive so as to make the information as simple and as clear as possible. I then met the two programmers, Mr. Kim and Mrs. Seraphina, in the town conference hall to enlighten them on what I wanted them to do for me regarding the online blog. We brainstormed on several issues to which they should adhere, and I made half the payment before completing the rest after they were through.
The site contained all the information collected from the research and I used the online platform so that it could be easy to reach as many people as possible. It was also a way of finding as many clients as possible as I also put my contacts there including my personal profile. I also came up with a plan on how to manage the site and how to update the information on the same through carrying out continuous investigations.  Through this platform, the information would reach as many people as possible so that they would get informed about the APTs and any other security information that would be relevant to them.
Observation
I observed that the research was successful and that it would be meaningless if I did not share the information I got from the research with the relevant personnel. Another thing I observed was that having an online blog is the way through which I could share the information with as many people as possible. Social media has created a platform through which information can be disseminated to as many people as possible throughout the world (Mangold & Faulds, 2009). I took advantage of this social media to share my findings with many people through the online blog that I developed. The Internet is a learning platform through which many people get to know about current information. Security information is of paramount importance since APT threats remain a nightmare for many organizations and industries (Gordon, Loeb, & Lucyshyn, 2003).
Being proactive is a very important characteristic of all IT security personnel. They have to keep themselves updated with the latest news and trends in security threats to their information security so as to leverage the mechanisms that can address all types of threats (Eloff & von Solms, 2000). I observed how vigilant and alert the security personnel are, because immediately my site was online there were so many people that had already started visiting it.
Reflection
The security of information is very vital for any organization since data and information are the reason for the existence of these organizations. I conducted useful research into the detection and mitigation of APTs in organizations and unraveled useful information that will be of help to many organizations. In this iteration, I got to learn many things, including the essence of leveraging the media in sharing information and reaching a wide spectrum of the intended people. Also, the analysis and interpretation of the results of the research helped me to remove the items that would have been irrelevant and repetitive so that I only presented on my blog the information that was relevant, clear and precise.
The site that I came up with made me spend a lot of funds that I had not intended as the site developers demanded a lot of money to develop the site. As much as I achieved my objective, I think that if I had adequate programming knowledge, it would have been possible to develop the site on my own and save that money for other uses. I also did not get involved throughout the site development. I think that if I had involvement throughout the development, I would have acquired some crucial knowledge on how to develop and use the site thereby avoiding the costs of training.

Summary of Learning
Throughout the entire research, I acquired much useful information as an IT security expert, especially in the area of APT detection and mitigation. In all the iterations, I continued to grow my knowledge in that area up to the last iteration where I had to share the acquired knowledge. During my first iteration, I collected study materials that I would be using for research, and the iteration proved to be informative and successful. During the second iteration, I analyzed the different techniques of detecting and mitigating the APT threats as I also consulted my resource person, Mrs. Munuve. I got to acquire indispensable knowledge about the detection techniques and some mitigation techniques of APTs.
In the third iteration, I met three IT security experts from whom I got to learn about the other APT mitigation techniques that organizations should leverage. I learned about the tactical best practices, web security, preventing social engineering, and other areas of security that are mandatory to protect against the APT attacks. The interaction with the experts helped me to understand the essence of being proactive as security personnel, especially towards the APT threats. The fourth iteration entailed sharing the acquired knowledge with the relevant personnel in both the private and public organizations. I came up with a blog and observed that many people were visiting it, thereby achieving my objective of this iteration.





