Wednesday, August 14, 2013

Some defenses against Advanced Persistent Threats
Remember that Advanced Persistent Threats (APTs) take advantage of vulnerabilities in software such as the Web browser, Microsoft Office applications, or Adobe Acrobat to install malware (think of malware as bad software) -- usually a remote access tool (RAT) on your system that communicates with the attacker through command-and-control servers. As an individual, your best defense against these attacks is to make sure that you apply all available software updates. On Windows systems, you can set up automatic updates so that this happens routinely. If not, you should check manually by running Windows Update (or by looking for a "check for updates" option that's available in most software applications). The main point is that you need to make sure your system's software is up to date, so that at least the known vulnerabilities are patched up.

In addition to keeping up with software updates, you should also use some security software such as Microsoft Security Essentials or any of the many commercial products. You need to deploy all currently available defenses even though it's impossible to fully defend against APTs, because, in addition to known vulnerabilities, software often contains vulnerabilities that may have been discovered by the attackers but not yet patched by the software vendor.

Additionally, you should use 2-factor authentication for sensitive transactions, including logging into social networking sites such as Google+, LinkedIn, and Facebook. For example, Google+ provides 2-factor authentication that works for logging into all services such as Gmail, Blogger, Google+, and others (see my previous video http://nbtmv.blogspot.com/2011/11/nbtmv-turn-on-2-step-verification-on.html for more information).

Organizations have more resources and can use more advanced defenses that are based on some key behavior shared by all APTs -- they install malware on the system, then periodically communicate with the command-and-control server.

First, organizations should start with the existing defenses of a firewall and the usual patching and anti-virus regimen. Second, there are security appliances (basically computers that inspect network traffic) available that can inspect email and web traffic to detect suspicious behavior and, potentially, stop the installation of malware. Third, organizations should collect event logs of the various activities occurring in their systems and analyze those logs to detect any potential APT activity.
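As an added illustration of the log-analysis step (this is example code, not code from the original post): a small Python script that runs over constructed proxy log lines and flags hosts contacting the same destination at nearly fixed intervals, which is the periodic check-in behavior described above. The log format, the addresses, and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines: timestamp, source host, destination, bytes.
# These are illustrative records, not data from the original post.
SAMPLE_LOG = """\
2013-08-14T09:00:00 host-a 203.0.113.10 512
2013-08-14T09:01:00 host-a 203.0.113.10 514
2013-08-14T09:02:01 host-a 203.0.113.10 511
2013-08-14T09:02:40 host-a 198.51.100.5 8120
2013-08-14T09:03:00 host-a 203.0.113.10 513
2013-08-14T09:04:00 host-a 203.0.113.10 512
2013-08-14T09:05:01 host-a 203.0.113.10 510
2013-08-14T09:07:12 host-a 198.51.100.5 44210
2013-08-14T09:19:30 host-a 198.51.100.5 9031
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} from whitespace-separated log lines."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(conns, min_events=5, max_jitter=0.2):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    Jitter is stdev / mean of the gaps between consecutive connections; low
    jitter over enough events suggests a timer-driven check-in rather than
    human browsing. Returns {(src, dst): mean interval in seconds}.
    """
    suspects = {}
    for key, times in conns.items():
        if len(times) < min_events:
            continue  # too few events to judge periodicity
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all events at the same instant; not a beacon pattern
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            suspects[key] = round(mean, 1)
    return suspects
```

The three bursty, larger transfers to the second address are ordinary traffic and are not flagged; the six evenly spaced small requests to the first address are reported with their roughly 60-second interval.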

These are not perfect defenses, but they are a start. Unfortunately, it seems that APT attacks are bound to succeed, so organizations will just have to be prepared to deal with the aftermath.

As for individuals, I wish some low-cost security appliance were available to help us deal with the APT problem.

Note: There are some promising defenses based on running applications in a virtual environment where the activities of the malware can be contained before it causes damage, but this seems to be a cat-and-mouse game between the defenders and the attackers. Attackers are now designing malware that tries to avoid being caught by looking for user activity such as mouse movement, or that simply goes to sleep for some time before initiating any contact with the remote command-and-control server.
