The ABCs of APT

Advanced persistent threats are difficult to detect and nearly impossible to stop.

May 18, 2013

There has been a lot of news recently about advanced persistent threats (APT) affecting many organizations, both public and private. They can create serious issues for financial institutions.

Most current articles on APTs, however, focus on the “what” and few talk in depth about the “how,” as in how they do what they do—and how to protect your credit union.

What are they?

An APT isn’t a single piece of malware or a single attacker. The term describes a class of intrusion: targeted, patient, and run by a well-resourced group that is willing to build custom tooling and stay inside a network for months. There is no single developer behind these attacks and no single source.

Such intrusions are difficult to detect and, once established, very hard to stop with conventional tools.

The malware involved isn’t always active. It can remain dormant and undetected until it is triggered or reaches a scheduled check-in time, and it can live in applications, databases, browsers, and just about anywhere else on a system.

Signature-based intrusion detection and prevention systems typically don’t catch these attacks, which attackers use to gain access to sensitive systems, private data, credentials, intellectual property, and more.

APT attacks are hard to detect and stop because the traditional prevention model doesn’t fit them. That model works from the past: information security experts take previously seen attacks and extract “fingerprints” (signatures) from them.

Those signatures go into a database, and as traffic enters and exits your network, anything that matches a known pattern raises an alert or is blocked.

The problem is that APT tooling is built or repacked for each target and can be changed on demand, so there is usually no prior signature to match. A signature can only describe an attack that someone has already seen and analyzed, and the pattern of behavior varies from one campaign to the next.

Therefore, we have to rely on behavior-based monitoring (found in many edge-based security systems, such as firewalls) for protection.

The further problem is that APT malware encrypts its command-and-control traffic, usually over the same ports as ordinary web browsing, so edge devices that inspect content see nothing they can match. What remains visible is the behavior around the encrypted session: which internal host talks to which destination, how often, and how regularly.
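As an added example (not code from the original article or its author), the following Python script shows the gap described above: a content signature derived from an earlier plaintext sample catches one connection and is blind to the encrypted implant, while a behavior check that uses connection metadata alone, looking for suspiciously regular check-in intervals, flags the beaconing host. The host names, addresses, the signature, the flow records and the 0.15 regularity threshold are all constructed assumptions.

```python
"""Signature matching versus behaviour-based detection over constructed
flow records. Added example; the signature, hosts, addresses and
thresholds below are assumptions, not data from the article."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed signature for a hypothetical earlier, plaintext implant.
SIGNATURE = re.compile(rb"GET /cmd\?id=\d+ HTTP/1\.1")

# Stand-in for TLS ciphertext: opaque bytes with nothing a signature can match.
TLS_BLOB = b"\x16\x03\x03\x00\x2a" + bytes(range(20, 62))

# Constructed flow records: (seconds since start, source host, destination,
# destination port, first payload bytes seen).
FLOWS = [
    # ws-12: ordinary browsing, varied destinations, irregular timing.
    (0,    "ws-12", "203.0.113.10", 80,  b"GET /index.html HTTP/1.1"),
    (37,   "ws-12", "203.0.113.11", 80,  b"GET /news HTTP/1.1"),
    (95,   "ws-12", "203.0.113.12", 443, TLS_BLOB),
    # ws-12: one connection by the old plaintext implant; the signature catches it.
    (120,  "ws-12", "198.51.100.5", 80,  b"GET /cmd?id=7 HTTP/1.1"),
    # ws-34: the repacked implant now talks TLS to a new server, every ~60 s.
    (0,    "ws-34", "198.51.100.9", 443, TLS_BLOB),
    (61,   "ws-34", "198.51.100.9", 443, TLS_BLOB),
    (119,  "ws-34", "198.51.100.9", 443, TLS_BLOB),
    (181,  "ws-34", "198.51.100.9", 443, TLS_BLOB),
    (240,  "ws-34", "198.51.100.9", 443, TLS_BLOB),
    (299,  "ws-34", "198.51.100.9", 443, TLS_BLOB),
    # ws-34: a legitimate TLS site visited repeatedly, but at human intervals.
    (5,    "ws-34", "203.0.113.20", 443, TLS_BLOB),
    (20,   "ws-34", "203.0.113.20", 443, TLS_BLOB),
    (200,  "ws-34", "203.0.113.20", 443, TLS_BLOB),
    (230,  "ws-34", "203.0.113.20", 443, TLS_BLOB),
    (900,  "ws-34", "203.0.113.20", 443, TLS_BLOB),
    (1500, "ws-34", "203.0.113.20", 443, TLS_BLOB),
]


def signature_hits(flows):
    """Content inspection as a signature IDS does it: (src, dst) pairs whose
    payload contains a known pattern. Encrypted payloads can never match."""
    return sorted({(src, dst) for _, src, dst, _, payload in flows
                   if SIGNATURE.search(payload)})


def beacon_candidates(flows, min_conns=5, max_cv=0.15):
    """Behaviour check that never looks at payload: group flows by (src, dst)
    and flag pairs whose inter-connection gaps are nearly constant, i.e. the
    coefficient of variation (stdev / mean) is below max_cv. Timer-driven
    check-ins are regular; people are not."""
    by_pair = defaultdict(list)
    for t, src, dst, _, _ in flows:
        by_pair[(src, dst)].append(t)
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few observations to call the pair periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    print("signature hits:", signature_hits(FLOWS))
    print("beacon candidates:", beacon_candidates(FLOWS))
```

Running the file prints both results: the signature finds only the old plaintext implant on ws-12, and the timing check finds ws-34 talking to 198.51.100.9 every minute while ignoring the same host’s irregular visits to a legitimate site. In practice the same check runs over firewall or flow logs, and legitimate timer-driven traffic (software updaters, mail clients polling) is handled with an allow-list of known destinations rather than by loosening the threshold.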

Credit unions and other financial institutions are among the most coveted targets because they store a lot of confidential consumer information that can be used for identity theft.

APTs can capture credentials and other login information, granting access to systems or authorizing transactions such as automated clearinghouse and wire transfers. They also capture intellectual property, and they could be used to systematically take an entire network offline.

Hackers take advantage of the traditional perimeter or edge-based security most companies rely on. APTs can be installed inside the network through any number of methods that bypass the firewall and intrusion detection and prevention systems, such as a user visiting a malicious or compromised website or installing downloaded software.

What can we do?

We’re not helpless. There are several things financial institutions can do to ensure as much protection as possible:

  1. Take a different approach to information security; one that doesn’t assume that your edge security alone will protect you.
  2. Ensure that you have access to tools that create visibility well beyond your traditional scope.
  3. Ensure that your critical systems are managed and monitored by experts.

Doing these things won’t stop you from being attacked, but it will significantly decrease the odds of an attack succeeding and going unnoticed.

We need to dispel the notion that the edge of our network is where the bad guys are stopped. Organizations need tools that see what happens inside the network as well as at its edge.

Anti-virus software is the first small step in the process. It’s important to ensure that your anti-virus software is installed and up-to-date with frequent updates.

From a prevention standpoint, the best thing you can do is keep your systems patched. Patching matters because once a vulnerability has been fixed on a system, that vulnerability can no longer be exploited on it.

But patching must be timely, which is difficult for many community financial institutions. Hackers will often exploit a new vulnerability before system administrators have applied the patch.

Financial institutions also need complete visibility into their network, going far beyond the traditional uptime monitoring of days long gone by.

Availability monitoring is just the first step. Performance monitoring, change-control monitoring, and security monitoring data should all be collected and correlated to create a complete view of your network at all times.

Then behavior not normally seen on your network can be captured and brought to your attention. These anomalies should be analyzed by information security, networking, and systems experts to determine whether something bad is happening, such as an APT attack.

Many large financial institutions have the resources to have properly trained experts on staff, but small and medium-sized credit unions will almost always need to outsource this expertise.

Visibility is important because it allows you to create baselines so you know what behavior is normal and what isn’t.

Every system on your network can and should act as your “eyes and ears,” reporting unusual events. Correlating those events across systems is what turns isolated oddities into a picture of something behaving strangely that you can react to.

A monitoring system designed for full visibility across the network does the same thing at scale. Once it has identified the abnormal behavior, the APT attack, it can more easily identify the source, the destination, and what is being done.
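As an added example, not from the article or its author, the Python below builds a baseline from historical flow and logon records, scores one day’s events from three sources (network flows, the authentication log, the process log) against that baseline, and only raises a host for review when several different kinds of anomaly coincide on it. The hosts, users, addresses, file paths and the three anomaly rules are constructed assumptions.

```python
"""Baselines from historical records plus cross-source correlation, over
constructed events. Added example; the hosts, users, addresses, paths and
the three anomaly rules are assumptions, not data from the article."""
from collections import defaultdict

# Constructed history ("what normal looks like"), e.g. the previous 30 days.
HISTORY_FLOWS = [            # (host, external destination it talked to)
    ("ws-07", "203.0.113.10"), ("ws-07", "203.0.113.11"),
    ("fs-01", "203.0.113.10"),
]
HISTORY_LOGONS = [           # (user, host the user logged on to)
    ("alice", "ws-07"), ("svc-backup", "fs-01"),
]

# Constructed events from one day, from three different sources
# (flow records, authentication log, process/service log).
TODAY_EVENTS = [
    {"time": "09:02", "type": "flow",    "host": "ws-07", "dst": "203.0.113.10"},
    {"time": "09:05", "type": "logon",   "host": "ws-07", "user": "alice"},
    {"time": "02:10", "type": "logon",   "host": "fs-01", "user": "alice"},
    {"time": "02:12", "type": "process", "host": "fs-01",
     "path": "C:\\Users\\Public\\updater.exe"},
    {"time": "02:13", "type": "flow",    "host": "fs-01", "dst": "198.51.100.9"},
    {"time": "11:40", "type": "flow",    "host": "ws-07", "dst": "203.0.113.50"},
]

# Directories that legitimately installed software does not run from (assumption).
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\windows\\temp\\")


def build_baseline(flows, logons):
    """Baseline = the set of destinations each host normally talks to and
    the set of hosts each user normally logs on to."""
    dests, logon_hosts = defaultdict(set), defaultdict(set)
    for host, dst in flows:
        dests[host].add(dst)
    for user, host in logons:
        logon_hosts[user].add(host)
    return {"dests": dests, "logon_hosts": logon_hosts}


def score_event(event, baseline):
    """Return the anomaly tags one event earns against the baseline.
    Unknown hosts or users simply have an empty baseline, so anything
    they do is new."""
    tags = []
    kind = event["type"]
    if kind == "flow" and event["dst"] not in baseline["dests"][event["host"]]:
        tags.append("new_external_dest")
    if kind == "logon" and event["host"] not in baseline["logon_hosts"][event["user"]]:
        tags.append("unusual_logon_host")
    if kind == "process" and event["path"].lower().startswith(USER_WRITABLE_PREFIXES):
        tags.append("exec_from_user_writable")
    return tags


def correlate(events, baseline, min_types=2):
    """Correlate per host: one odd event is noise, but several different
    kinds of odd event on the same host in the same day deserve an analyst.
    Returns {host: sorted anomaly types} for hosts at or above min_types."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]].update(score_event(event, baseline))
    return {host: sorted(tags) for host, tags in sorted(per_host.items())
            if len(tags) >= min_types}


if __name__ == "__main__":
    baseline = build_baseline(HISTORY_FLOWS, HISTORY_LOGONS)
    for host, tags in correlate(TODAY_EVENTS, baseline).items():
        print(f"review {host}: {', '.join(tags)}")
```

With this data, ws-07 earns a single “new destination” tag for a lunchtime web visit and is left alone, while fs-01 collects an unusual logon at 02:10, an executable launched from a user-writable folder, and a connection to a never-before-seen address, and is raised for review. That is the correlation the article calls for: none of the three sources alone is convincing, but together they describe one host behaving strangely.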

Then the experts can stop the behavior quickly before any major damage or theft occurs.

KEVIN PRINCE is chief technology officer for Compushare Inc., a CUNA Strategic Services alliance provider.
