Countering Advanced Persistent Threats
A Strategic Approach to a Growing Danger
It was an insidious cyber attack—and no one knew
it had even taken place. At a defense contracting
company, several key employees received what
appeared to be a routine e-mail from their boss, asking
them to review an internal document that was attached.
Although the document was genuine, the e-mail was
not—it hid a sophisticated malware attack known to
come from an advanced persistent threat.
Once the employees opened the attachment, they
unwittingly unleashed havoc upon their organization.
A malicious computer program (malware) installed itself
on the company’s network, in the core of the system,
and began sending the attackers a wealth of proprietary
information, including the company’s bidding strategies
and other competitive secrets. Because the attack was
surreptitious, no one suspected anything was amiss—
not until nearly a year later when company IT officials,
investigating a slowdown in the network, discovered
that the system was being clogged by enormous data
downloads to a foreign site at odd, nonbusiness hours.
What makes Advanced Persistent Threats (APTs) so
effective is that, unlike traditional, known system
vulnerability attacks, they can breach computer
networks from the outside—and the inside—with
sophisticated technological attacks that common
defenses just do not recognize. This malware is
introduced into the system and bypasses even the
most technologically advanced perimeter and network
defenses. Once the programs connect to a victim’s
work station, they quickly install command-and-control
channels that give them further, and in some cases,
deeper access to an organization’s entire network. They
typically use unknown malicious code, and are often so
well hidden that they can operate undetected—and with
impunity—for long periods of time.
The danger continues to grow. Advanced Persistent
Threats have compromised computer networks in
virtually every government agency and department, and
have invaded the systems of nearly every major defense
contractor. The threats come from a variety of sources,
including criminal groups, hackers, terrorists, and even
nation states, whose motives range from industrial
espionage, to stealing intellectual capital, to theft of
military secrets. These attacks threaten the nation’s
economy as well as national security.
While cyber attackers have long tried to gain access to
computer networks as an insider and as an external
threat, during the last several years they have become
highly adept at tricking employees into inadvertently
opening access without really knowing they are doing
so. Adversaries often do a remarkable amount of
computer surveillance on an organization, learning
who the key players are, which documents they would
typically send, and who they would send them to. The
attackers then carefully design their fraudulent e-mails
to appear real in every way.
This new level of sophistication has led to an explosion
of APTs, one that many organizations are ill-prepared
to counter. Faced with such a daunting challenge,
some organizations may rely on technological solutions
alone. In reality, these attacks require a coordinated,
organization-wide approach that is strategic and tactical.
Such an approach has four primary components:
Find the Advanced Persistent Threats—
Triage and Stop the Bleeding
An organization’s first goal is to identify the threats
that are already on its networks. The next step is
to determine precisely how the system is being
compromised, and what should be done to mitigate the
Planning Your Next Cyber Move
attacks. All of this must be accomplished with stealth—
if adversaries become aware of detection attempts,
they can evade or even retaliate against them.
Identifying the “Crown Jewels”
These are the organization’s most critical assets,
functions, and services—ones that must remain secure
and available even if a threat has invaded the network,
and merit the primary security investment. This task
is often fraught with difficulty. One challenge is to
determine how protecting—or failing to protect—these
crown jewels will affect the organization’s legal and
fiduciary responsibilities. In addition, it is rarely easy
to get stakeholders to agree on exactly what the crown
jewels are. And key stakeholders must be persuaded to
back network security measures, especially if it means
changing business processes and personnel.
Assess the Current Security Posture—
Vulnerability Determination and Benchmarking
This is an enterprise-wide assessment of the extent
to which current network security measures are able
to meet the organization’s goals. The initial task is to
determine precisely how the attackers were able to
invade the network, and what their full impact was.
Organizations then evaluate how well current measures
can protect the crown jewels, so they can begin to
develop the range of options available to mitigate
the risk. A key goal is to identify all of the technical
and policy issues that must be addressed in a risk-
Develop a Formal Risk-Management Plan—
Operating Model Design and Strategic Planning
Organizations must take specific countermeasures
against advanced persistent threats. At the same time,
they must also develop a plan to protect the crown
jewels even after an attack is in the network. This often
means significantly limiting internal access to certain
areas of the network. The challenge lies in how to do
that while still enabling an organization to maintain
normal business operations.
Traditional security measures seek to protect all
infrastructure and data. But as threats become
increasingly sophisticated, that is not always possible—
both from an operational and an investment standpoint.
A risk-management plan considers the trade-offs, and
creates an operating model that enables organizations
to make the best choices now—and to quickly adapt
their strategies as conditions change.
A Culture of Cybersecurity
Any successful approach to APTs must be integrated
into the entire organization and its culture. Particular
attention should be paid to five areas:
• Policy and Governance. This provides the unity of
purpose necessary to leverage resources, reduce
conflict and duplication of effort, and work toward
long-term cybersecurity goals.
• Leadership and Culture. Because APTs attack a
network from within, everyone in an organization
must be security-minded.
• Technology and Standards. Threats must be met with
advanced technology, as well as with standards that
ensure no part of an organization is more vulnerable
• Management and Budgeting. Resources and budgets
must be closely aligned with priorities.
• Planning and Operations. Organizations must build
effective cybersecurity operations that systematically
assess and respond to threats, and quickly recover
from any attacks.