Developing Your Strategy Against Targeted Attacks - A Technical Series

Targeted attacks, often referred to as Advanced Persistent Threats (APTs), are notoriously difficult to define. Containing them is even more daunting because no single product can do it, and it is widely accepted that targeted attacks have no purely technical solution. Targeted attacks are not new; they existed before under different names. Today a ‘targeted attack’ is rarely a single attack but a set of coordinated attacks with a common goal. Because of this distributed nature it is often difficult to classify them as external or internal threats: most of the time the boundary between origin and destination disappears.


The simplest targeted attack might combine a botnet attacking the organization with social engineering (spam, phishing or plain human contact) used at the same time to gather enough information to exploit it. These are two different attack vectors with a common goal. Containing such an attack is not impossible, but the odds are low if the attacker is persistent. Then there is the problem of putting a timeline on a targeted attack: does it take seconds, hours, months or even years to succeed? Over such a span the security products in place will often be obsolete, and we will need to upgrade to the latest set of defenses.

Security products provide the first level of defense, but they are not the final solution. They provide invaluable information which, once processed and correlated, supports the analysis on which a strategy against targeted attacks can be built. More importantly, monitoring user, service, protocol and host behavior is essential for any defense against targeted attacks to succeed, and a central correlation and analytics tool is mandatory for it. Individual security products work in silos: none of them sees the entire environment, so each will miss information that may be essential for detecting a targeted attack. Security Information and Event Management (SIEM) and related tools take the data generated by security products, process it and provide the insight and intelligence that helps us not only contain targeted attacks but also combat future incidents.

Today we begin a series on how best to develop a strategy against targeted attacks. The series is divided into four parts, summarized below:

1. Establishing a Baseline: In this section we will discuss the importance of establishing a baseline. Baselines determine the scope of the risks an organization faces and need to be adjusted accordingly to counter targeted attacks.

  • User Baseline: User baselines are the building blocks for detecting anomalies, so their importance cannot be ignored. User baselines help in checking compliance levels and spotting unusual activity, and can be used as feedback and training input for user anomaly calculation.

  • Service and protocol baseline: For network attacks that may be part of a targeted attack, profiling services and protocols and maintaining their baselines is critical for detection and defense. Once we know the baseline of a service or protocol used in the organization, any suspicious activity associated with it can be identified quickly; the baseline serves as the reference point against which abnormal patterns stand out.

  • Host/System Baseline: Host and system baselines can be used to detect compromised machines within an organization. This helps uncover a potential targeted attack even when the compromised systems show no obvious abnormal behavior for long periods of time.

2. Security Intelligence and Analytics: One of the most important strategies to counter targeted attacks is to aggregate security incidents and events from a variety of sources. Aggregation allows us to correlate and analyze the data comprehensively, in a way that is otherwise not possible. To accomplish the aggregation, normalization and correlation of data, a central security management tool such as a SIEM is mandatory. Both real-time and predictive analytics are vital for an organization dealing with targeted attacks. We will be covering the following topics in security intelligence:

  • Intelligent dashboards

  • Descriptive and frequency analysis

  • Time series analysis

3. Identity Intelligence: Identity intelligence gives us granular, real-time insight into user privileges, roles and activities. This supports the detection of persistent attacks, of potentially compromised users and of data leakage attempts by particular identities. In identity intelligence we will be covering the following topics:

  • Behavior Anomaly: A term borrowed from network behavior anomaly detection. It helps us identify unexpected user behavior that might indicate a compromised identity.

  • Cluster Analysis: Allows us to analyze what users are doing outside of their cluster and how clusters are used by a particular role. A cluster can be a matrix of departments and their assigned roles and responsibilities.

  • Pattern Detection: This is usually done over time periods of specific intervals. Abnormal patterns across several periods, especially if they recur or are cyclic, can be a symptom of infection by an automated bot.

  • Risk scores: Risk scores are assigned to users and hosts based on factors such as the reputation of the geographical location, the frequency of access, or whether the user connects from the same IP address every time or from a different one.

4. Taking care of the Confidentiality, Integrity and Availability (CIA): It all comes down to preserving the confidentiality, integrity and availability of resources and assets of an organization. At various levels, resources can be vulnerable, but by following industry standards, regulations and best practices, one can minimize and reduce the impact of a targeted attack. We will discuss the following aspects of data protection for maintaining CIA:

  • Endpoint Protection: For example, encrypting data at endpoints minimizes the impact of a breach: a compromised device need not result in disclosure of critical information. Similarly, preventing unauthorized devices from connecting to internal networks drastically reduces the impact of persistent threats.

  • Network Protection: Every communication channel and transport medium that carries confidential information needs to be protected. Simple measures such as using secure transport channels (SSH instead of Telnet, HTTPS instead of HTTP, and IPsec tunnels for remote connectivity) go a long way when dealing with targeted attacks.

  • End User Education: This is perhaps the most important part of the defense strategy. End users are the weakest link in the defense, and once they are compromised, no matter how good the defensive technology we deploy, it is going to be useless.
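To make the baseline, anomaly and risk-score ideas from parts 1 to 4 above concrete, here is an added example; it is not part of the original post and not code from any NetIQ product. The script learns per-user baselines (known source IPs, active hours, daily volume) and per-host baselines (services seen) from two weeks of constructed activity, then scores a constructed test day: new source IPs, off-hours activity, unknown users, new services on a host and cleartext protocols (Telnet/HTTP, the ones part 4 says to replace) each add to a risk score, and a user's daily volume is checked against the baseline's mean and standard deviation. All log lines, host names, IP addresses (10.0.0.0/8 and TEST-NET 203.0.113.0/24) and score weights are assumptions for illustration.

```python
"""Baseline-and-score example for a small SIEM-style pipeline (constructed data only)."""
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Protocols the page recommends replacing (Telnet -> SSH, HTTP -> HTTPS); FTP added as an assumption.
CLEARTEXT = {"telnet", "http", "ftp"}


def parse_event(line):
    """Parse one constructed log line: '<iso-ts> <user> <src_ip> <dst_host> <dst_port> <proto>'."""
    ts, user, src_ip, dst_host, dst_port, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": src_ip,
            "dst_host": dst_host, "dst_port": int(dst_port), "proto": proto.lower()}


def build_baselines(events):
    """Learn per-user (source IPs, active hours, events per day) and per-host (services) profiles."""
    users = defaultdict(lambda: {"ips": set(), "hours": set(), "daily": Counter()})
    hosts = defaultdict(set)
    for e in events:
        u = users[e["user"]]
        u["ips"].add(e["src_ip"])
        u["hours"].add(e["ts"].hour)
        u["daily"][e["ts"].date()] += 1
        hosts[e["dst_host"]].add((e["dst_port"], e["proto"]))
    return {"users": dict(users), "hosts": dict(hosts)}


def score_event(e, baselines):
    """Return (risk_score, reasons) for one event; weights are illustrative assumptions."""
    reasons, score = [], 0
    u = baselines["users"].get(e["user"])
    if u is None:
        reasons.append("unknown user")
        score += 50
    else:
        if e["src_ip"] not in u["ips"]:
            reasons.append("new source IP")
            score += 40
        if e["ts"].hour not in u["hours"]:
            reasons.append("off-hours activity")
            score += 30
    if (e["dst_port"], e["proto"]) not in baselines["hosts"].get(e["dst_host"], set()):
        reasons.append("new service on host")
        score += 30
    if e["proto"] in CLEARTEXT:
        reasons.append(f"cleartext protocol {e['proto']}")
        score += 20
    return min(score, 100), reasons


def volume_anomaly(user, count, baselines):
    """True if a day's count exceeds mean + 3*stdev of the user's baseline days.
    The stdev is floored at 1.0 so a perfectly regular baseline (stdev 0) does not flag every deviation."""
    daily = list(baselines["users"][user]["daily"].values())
    mean = statistics.mean(daily)
    sd = statistics.pstdev(daily) if len(daily) > 1 else 0.0
    return count > mean + 3 * max(sd, 1.0)


def constructed_baseline_events(days=14):
    """Synthesize two weeks of routine activity for two users (constructed, not captured data)."""
    lines = []
    for d in range(days):
        day = (datetime(2024, 3, 1) + timedelta(days=d)).strftime("%Y-%m-%d")
        lines += [f"{day}T09:05:00 alice 10.0.0.5 fileserver 445 smb",
                  f"{day}T10:30:00 alice 10.0.0.5 intranet 443 https",
                  f"{day}T14:00:00 alice 10.0.0.5 fileserver 445 smb",
                  f"{day}T08:15:00 bob 10.0.0.7 jumphost 22 ssh",
                  f"{day}T17:45:00 bob 10.0.0.7 jumphost 22 ssh"]
    return [parse_event(line) for line in lines]


# Constructed test day: one normal event, one off-hours login from an outside IP,
# a Telnet session to a host that only ever saw SSH, and a user with no baseline at all.
TEST_DAY = """\
2024-03-15T09:05:00 alice 10.0.0.5 fileserver 445 smb
2024-03-15T02:10:00 alice 203.0.113.9 fileserver 445 smb
2024-03-15T10:00:00 bob 10.0.0.7 jumphost 23 telnet
2024-03-15T11:00:00 mallory 203.0.113.9 fileserver 445 smb
"""


def analyze(test_lines=TEST_DAY):
    """Score each test-day event and flag per-user volume; returns (scores, volume_flags)."""
    baselines = build_baselines(constructed_baseline_events())
    events = [parse_event(line) for line in test_lines.splitlines() if line.strip()]
    scored = {(e["user"], e["ts"].isoformat()): score_event(e, baselines) for e in events}
    per_user = Counter(e["user"] for e in events)
    volume = {u: volume_anomaly(u, n, baselines) for u, n in per_user.items()
              if u in baselines["users"]}
    return scored, volume


if __name__ == "__main__":
    scores, flags = analyze()
    for key, (score, reasons) in scores.items():
        print(key, score, reasons)
    print("volume anomalies:", flags)
```

Each reason is kept alongside the score so an analyst can see why an event was flagged rather than just that it was; in a real deployment the baseline window would be rolling, the weights tuned per environment, and the "unknown user" case routed to identity data rather than scored blindly.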

When we conclude the series, you will have the framework considerations for developing a comprehensive strategy against targeted attacks that best fits your organization’s needs. We will discuss how to deal with each scenario and provide guidance toward a solid defensive approach. Despite the complexity of targeted attacks, the strategy does not have to be complicated: adopting a firm security policy and sticking to fundamentals will significantly improve your overall security posture and the protection of your most vital information assets.

