by Michael Werneburg
Threat actors in the cybersecurity arena are becoming more mature, adopting business techniques such as revenue targets and outsourcing. They are armed with a superb arsenal of tools and techniques. This document describes a problem that has been growing in prevalence and severity over the past decade, and has been implicated in some terrible breaches – such as the Wellpoint breach, in which tens of millions of health and financial records were compromised – even that of the company’s CEO. This is the “advanced persistent threat”.
The purpose of this article is to document an analysis and response to APT in the form of a case study. In this case, a small-to-medium enterprise adopted a stance on information security that will allow it to eventually obtain maximum utility at a cost that is appropriate and sustainable, while minimizing impact on operations from cybersecurity measures.
The work described in this document was conducted in early 2015 at a software provider in the Canadian wealth management industry. The firm has just over forty personnel, and is in possession of extensive financial data shared by client firms in the course of the provision of a function that supports the compliance efforts by those clients.
The firm is constrained in its expenditure on information risks due to the strategic focus of its spending on growing a business during a time of unparalleled opportunity that would not persist. The analysis depicted in this article fell to the internal audit function.
In the past, organizations pursued a conventional strategy of a network perimeter plus a “zone defense” that affords additional protection for certain regions of the network. This strategy recognizes that we have vastly greater assets to defend than resources to defend them (as measured in dollars) and therefore cannot defend everything a) equally or b) absolutely.
Firewalls exist in virtually every corporate environment. These allow only a small number of hosts within the network (so-called bastion hosts, such as email and web servers) to be accessible from (parts of) the Internet, on limited ports. Other points of access are similarly controlled: virtual private network (VPN) access is based on strong authentication and encryption; wireless network access is “guest” only, and does not connect to the trusted network that houses our servers and the desk-side (PC/laptop).
Organizations typically segregate the network into defense zones. The zones are based on the common criticality of the assets contained. Priority is place on those assets which, if compromised, would do the most damage to the firm and/or its clients. This typically depends on the sensitivity of the data they contain or the degree to which revenues rely on their uninterrupted function. In descending order of criticality, the firm’s assets are deemed to be:
Organizations have pursued a strategy based on apportioning different access entitlements to different users grouped by their roles. Some are common to all groups of users:
Some are specific to classes of users:
Typically, organizations have basic defenses in place on the desk-side:
Attacks from [advanced persistent threats] are growing in scope, increasing in frequency and, improving in effectiveness – to establish an insider base camp and cover tracks. [Conventional] strategies are not well-suited to mitigating prolonged and determined attackers leveraging a growing collection of stealthy techniques. The traditional perimeter and prevention response to threats is no longer realistic. Organizational resources need to shift the focus instead onto – Detection, Containment, Eradication and Recovery.
The APT killchainafter Nigel Willson
The strategy proposed above recognizes some difficult facts:
Though this sequence is typically accomplished using long-standing techniques and tools, the added dimension is the specificity of the individuals attacked – sophisticated, frequently personalized, emails are written for those privileged users with attractive set of asset entitlements across the enterprise. Compromising the desk-side computer of a privileged user such as an executive, systems administrator, or HR specialist exploits the weaknesses inherent in a policy-based strategy. These are:
The following section outlines some of the ramifications of the gap in the traditional security stance (part one, above), and this new threat.
Initially missing from the activities described in Part 1 was the active engagement of personnel in anti-phishing training. Our stance did not include monitoring incoming or outgoing web traffic, nor did we apply preventative anti-spam/anti-malware/anti-phishing technology on the email server. Instead, we were relying on passive desk-side anti-virus/anti-malware software – which rely on pattern/fingerprinting technology that is not likely to catch APT software tools.
To counter this, we conducted some training, then ran a test involving a typical spear-phishing email. In our initial test, we had less than a 2.5% rate of response to the bad email. More importantly, we also caused multiple people to run around the office warning everyone not to click; within 12 minutes of the first email being sent, IT had issued a warning. All of this was unscripted; the people who reacted didn’t know the test was coming. We had a friendly chat with those who did click.
The company does not monitor communications (e.g. transfer of data) outbound from zones to each other, or to the Internet. This allows exfiltration of data.
Traditional perimeter defense does not include monitoring for atypical traffic within zones (e.g. between end-points). This allows potential lateral movement by an intruder, the use of network snooping tools, and the spread of undetected malware.
Organizations rarely do periodic searches for known-vulnerable software on end-points, and frequently have no policy mandating upgrades or elimination of software known to have vulnerabilities that allow the desk-side system to be compromised.
Similarly, periodic searches for sensitive data on end-points are required to enforce the policy against such inappropriate storage.
The default (permissive) stance of PC configuration allows users (and therefor intruders) to run any software that resides on the system. Whitelisting, backed up by alerting and active monitoring, is a widely-cited measure that would strengthen our stance enormously.
Desk-side operating systems are already patched by the vendor (Microsoft). But patching of the entire installed base of software residing on the desk-side would minimize the exposure (again, see Public Safety link).
This work cannot be done without adequate staffing, because it requires constant and laborious patching. The complexities of this problem include the endless multiplicity of installed software instances, issues with versions, problems with the availability of patches and upgrades, and secondary issues arising from the connections made possible by those installed software instances. User resistance to mandated changes only compounds the problem.
Administrator access must be removed from end-points for nearly all staff other than administrators. To allow this to happen, the company must adequately staff its desk-side support team to allow for modifications in a timely fashion, preferably through a centralized process taking advantage of tools provided by Microsoft (e.g. via Active Directory).
Without active monitoring of the LAN, an organization is at a disadvantage in detecting and incident in progress, let alone investigating. Moreover, automated prevention of illicit traffic – such as a massive export of stolen data – is not possible.
A company will have difficulty recovering from a breach in a smooth and timely fashion, unless personnel:
Internal initiatives and vendor solutions can help us with the detection and containment phase of this mission. Recognizing that this is a complex problem with little data to assist in making a decision, the decision process should:
Additionally, it was important to recognize the realities of institutional resistance to change.
To simplify the process, we set aside any attempt at modeling the effectiveness of individual solutions, and certainly did not attempt to compute an aggregate degree of certainty regarding that effectiveness. Instead, we pursued a 1/n heuristic, in which each solution components might be reasonably expected to be partially effective, and that in aggregate we could reasonably expect to meet our objectives.
We realized that the multiplicity of options we faced presented us with an opportunity. By selecting mutually unrelated solutions, we could drop in pieces that did one thing well without introducing dependencies on other solutions. This might take more support than an all-in-one solution (if one existed) but would be much easier to implement without a monolithic change to the users. It would also make for easier changes, later.
Here's our approach to simplifying the decision, acquisition, and implementation phase:
(This process is a mutilated form of the process espoused by Dave Thomas, co-authored of the Agile Manifesto, e.g. here.)
The fundamental process that follows is to look at the steps by which an "advanced persistent threat" attack takes place, and look at effective counter-measures to each of these steps.
Happily, expert information risk researcher Nigel Willson has already done this, and provided a superb matrix of solution types against those steps.
APT countermeasures – Reproduced after Nigel Willson
Focusing on the “detect” and “contain” verticals, we observed the areas where we wanted to beef up our capabilities (in red in the diagram that follows). It was then a matter of researching the tools that would allow us to do so in a cost effective fashion.
Ranging from the least to most expensive, some seven common solutions are listed (in the columns), with check marks indicating where that solution matched part or all of the need identified in the stage represented by each row.
APT countermeasures – Reproduced after Nigel Willson
In 2015, we approached the solutions in order of which we felt best met the security needs and had other business benefits.
Deciding on the training was a no-brainer. A phishing test was easy for us to arrange – this is a software firm.
We are now conducting a trial of secure password storage tools – 1Password and LastPass, two free plugins for web browsers that generate and store smart passwords.
We have also implemented the filtering web proxy, in the form of a service that blocks traffic to known-bad DNS domains (OpenDNS).
We have now implemented a cloud-based email server, which has adaptive anti-malware, anti-phishing, and blacklists. This is not strictly speaking "inexpensive", at a few dollars per user per month, but it as it includes the company's entire email service in the price, and data backups that allow swift post-incident recovery. It's a huge step up from self-hosted email, for several reasons:
With that solution in place, we decided that the separate filtering email proxy service in our solutions matrix was effectively redundant.
Still outstanding on our to-do list is the selection of a remote LAN monitoring service or a SIEM/HIDS/Whitelisting solution that we ourselves will monitor. The former is actually the more expensive of the two to acquire, but the latter requires the support of in-house staff, thereby making it the most expensive to deploy and sustain. Happily, prices in this space are coming down significantly, and there are vendors who will deal with relatively small firms. We’re currently waiting on a hire in our IT department to move forward with the SIEM/HIDS/Whitelisting solution. The expenses for the new measures amount to a figure in the low four figures annually, and even acquiring the final solution won’t bring us to five figures, once past the initial deployment expenses (and exclusive of the cost of man-hours in supporting the tool and responding).
This document describes a strategy for analyzing the advanced persistent threat area of information risk, and deciding upon countermeasures. It is designed as an illustrative example of a process that should be repeatable at other small-medium enterprises in possession of substantial data assets.
 Nigel Willson, http://bit.ly/1eK1FWx
 E.g. Canada’s department of Public Safety: http://bit.ly/1ZcuIqI
This is a peerless resource on the subject.
 SIEM: Security Incident &Event Management, a tool for catching and responding to unauthorized activity on the network in real time. HIDS: host-based intrusion detection. Whitelisting: allowing only explicitly permitted software to run on a desk-side system.