APTs: The fine balance of control and monitoring
Security is not about winning the war. It is more like insurance, it’s about how we handle risks. In order to successfully handle the risk of Advanced Persistent Threats (APTs) we need to focus on the high stake targets that we want to protect. The challenge, then, is to build a multi-layered security architecture with the right balance of control and monitoring technologies that can prevent any lower-impact threats from escalating into a full blown attack.
The new attack- defence scenario
In the new attack-defence scenario, we need to remember that we only need to make one mistake and the attacker can exploit it. Through just one configuration error, one missed patch update, one weak password or one exposed account, the attacker can get into our system and into our network.
Most likely, the ultimate targets of such attacks are privileged or ‘VIP’ users whose credentials can be used to penetrate further into various systems. Access to these “high stake, high worth” credentials is the real ‘crown jewels’ for attackers. That means our mission is to mitigate – and manage – the chain of events that leads to these high impact incidents.
Many traditional defence systems focus on trying to keep the attacker outside. Yet once the attacker can get through the perimeter and steal the credentials of a privileged user, they can go further and mask the operation as legitimate access to resources. The reality is that the whole protection system fails if it cannot keep the attacker ‘outside the walls.’
However, with smart architecture we can increase our chances of defeating attacks. What we need to do is to design architecture – from the ground up – which takes into account the possible failure of any defence system.
We need to introduce redundancy into our environment where no single error could lead to a high impact event. There should be multiple, independent layers of protection where one error (such as a weak password) would not result in a multi-layer failure. By design, a multi-layer security architecture offers multiple options to stop the attacker and, at each layer, the attacker needs to find a problem that could be exploited.
However, this can create challenges from a usability perspective. Each additional layer could render a system harder to use, less adaptable to changes in business requirements and, just blindly adding or duplicating more layers does not necessarily enhance the overall security of a system.
We therefore need to be efficient in how we setup the architecture. Each layer should augment the other, mitigate the residual risk of the previous layer and overlap just as little as possible so that it is not vulnerable to the same exploit or attack technique.
The second line of defence
Luckily most organisations are well equipped with the first layer of defence to stop an attack. The real challenge is to implement a second layer which enhances security and the goal here is to find the right balance between control and monitoring tools.
The second layer should detect any possible compromised account system, deal with any residual risk from the control and prevention layer and should do this without impeding business’s day to day operations. To use monitoring successfully as a second line of defence, information needs to be accurate and as close to real-time as possible to close the gap between the incident and detection. The goal, ultimately, is to detect when an attack disguised as a legitimate activity is actually malicious.
One approach which is helping organisations to close the blind spot of traditional security monitoring tools and uncover risks that many SIEM tools cannot identify, is to examine user’s behavioural patterns. This is because the way that we interact with IT systems leaves a recognisable fingerprint which can be detected and learned. Users log into to the same applications, do the same things while working and access similar data. These ‘learned’ profiles can be compared in real-time to the actual activities of a user to detect anomalies and differences in behaviour. Once anomalies are detected, counter actions could be applied to stop an ongoing attack or to investigate the event further.
In this new security landscape, this should form part of a multi-layer defence architecture forming the critical second layer that can prevent a low risk threat from becoming a high risk security incident.