Persistent Threats

A layered approach to security

A layered approach to network security is the most reliable way of ensuring peace of mind against Advanced Persistent Threat (APT) forms of cyberattacks because no modern company can afford the surefire method of protection: cutting the cord that connects computers to the internet and moving that company back in time.

But, the APT threat isn’t a new problem for the CISO or System Administrator today. It’s actually a 60-year-old problem.

The first infector was conceived, but never written, in 1949 by John von Neumann in his lectures at the University of Illinois about the “Theory and Organization of Complicated Automata” in which he discussed how a computer program could be designed to reproduce itself.

In 1971, arguably the first in-the-wild ‘virus’ was created: “Creeper,” an experimental program written by Bob Thomas that infected computers running a specific operating system. A short while later, the Reaper program was written to delete the Creeper file; hence, the first antivirus was born.

In 1984, Fred Cohen from the University of Southern California wrote an article titled “Computer Viruses - Theory and Experiments” and demonstrated that there is no algorithm that can perfectly detect all possible viruses and their variants.

Interestingly enough, only one year later in 1985, what could be viewed as the first antivirus company was founded in order to ‘protect’ computers by attempting to detect viruses. In 1986, Clifford Stoll, author of The Cuckoo’s Egg, may have had the first publicly known encounter with an APT while investigating a $0.75 accounting discrepancy.

Nearly 30 years later, the multi-billion-dollar antivirus industry has not been able to solve the problem. The situation has worsened: there is more malware in the wild than ever before, and infection rates are soaring, mostly driven by cyber-crime.

Understanding the Anti-virus Problem

The problem with anti-virus software lies within the fine line that divides “proof” and “resistant.”

A water-resistant wristwatch may be resistant to water, but it is not waterproof. This “resistance” is usually qualified up to certain depth. Take that watch down a little too far, and it will be ruined.

Padlocks, perhaps more aptly, are tamper-resistant but not tamper-proof. One could try lock-picking, a pocket-sized crowbar, or a host of other measures to separate hasp from staple without success. However, hit it with a 40-pound sledgehammer and it will shatter.

Traditional antivirus measures do not make computers infection-proof, only infection-resistant, and then still only resistant to ‘known-bad’ files. This is due to reliance on blacklisting technology (virus signature databases) to recognize and remove malicious files. This means that someone, somewhere has to be patient zero, though statistics show that there generally have to be hundreds, if not thousands, of patient zeroes before the infection is recognized, a signature created and a database update rolled out.

But, what if just one “patient zero” had code specifically written and targeted to just them? Would that code be detected? What if that code was so ingeniously created by highly skilled programming gurus that it was completely unrecognizable against the backdrop of the millions of other files on the network? Would it be detected?

The knee-jerk reaction to blacklisting is a full 180-degree turn to whitelisting: only known-good files are allowed to exist on the network. This raises questions: is it possible to whitelist every file on a network? Is it possible to maintain that list? How does one know which files to whitelist? What about new, never-before-seen files? Whitelisting is then perhaps better described as a process, part of the solution, not a solution in and of itself.

Enter the Advanced Persistent Threat

An APT is not an object; it is a process. It is the counter-process to the process of IT security, with the goal of placing a “super-Trojan” on the desktop computer or using the desktop as a staging post en route to the server, eavesdropping on your network traffic and extracting valuable data such as intellectual property, customers’ data, M&A information, business or product strategies, political or social affiliations or any other sensitive material.

How APTs Survive and Thrive

The process behind an APT could come from the pages of an Ian Fleming or John le Carré novel. It starts with profiling the target.

Rather than target a mass audience, APTs zero in on specific individuals in an organization who, once socially engineered or their workstation compromised, can be used to advance the goals of the attack. This requires more patience and persistence than an undifferentiated email blast.

Take the example of email, the cause of approximately 80 percent of compromises. When launching an APT, attackers go to great lengths to make the subject line and message appear plausible. This is done through a variety of methods, including the use of externally available public information tools and resources such as LinkedIn, Facebook, Twitter, Google+, YouTube, Monster and other sites where the organization may be advertising for IT staff, thereby disclosing the hardware and software skills being sought.

The organization’s business partners, suppliers and customers will also be thoroughly researched and noted. An APT is not a one-shot attempt.

Once this information has been gathered a phone call or two to the organization will probably take place (the HR department could be a likely recipient of these calls) to establish personnel movements. A call or two to the helpdesk may also take place to test the resilience of support staff to password reset requests.

During the above, the target will receive emails, perhaps from a ‘supplier’ under the context of an attached invoice, perhaps from a ‘customer’ under the context of a pricing enquiry, perhaps even from a spoofed C-level executive’s email address requesting status updates. Unsuspecting users may open these attachments and, using a yet-to-be-discovered programming flaw, an exploit will be leveraged and a new ‘Unknown’ will enter the network.

Perhaps the intrusion may be of a more physical nature and a burglary will be staged. The organization may find that a number of items have been stolen overnight; what they will not realize is that, although they may have lost some equipment, they have also gained a new “Unknown” piece of software brought in by the ‘burglars’ and injected from a USB memory stick.

APTs do not look for a home run at the outset. The main objective is to gain access into the low-priority area the company fails to protect adequately: the endpoint. By being patient, the hackers can gradually work their way into higher-value segments of the network where important data resides.

Regardless of the method, the attack will not stop until proven fruitless; the agent will most likely invade the network. Mission accomplished.

A Seven-layer Approach to Re-evaluating Security

Short of cutting your internet connection entirely, there are other steps that can be taken to defend the network and recover in the event defenses are breached. Here are seven layers of a security checklist that every IT Administrator should have in place to defend against the APT and/or recover from the attack.

  • Defend the pre-perimeter: Leverage the cloud and use mail filtering and antispam solutions to remove potentially infected emails or attachments before they ever get to your network. Also consider using secure DNS products which have a real-time database of spoofed and compromised servers.
  • Defend the perimeter: Conduct penetration testing regularly; have Intrusion Detection and Intrusion Prevention systems installed; regularly audit firewall and SIEM logs for anomalies.
  • Defend the transit: Log network events through a Security Information and Event Management system (SIEM); employ Network Access Control (NAC) and Network Intrusion Detection mechanisms to control who has access to the transit.
  • Defend the soft interior: Train and educate users on security protocols; have BYOD and VPN policies in place; have acceptable use policies backed by C-level execs; visibly enforce these policies and ensure user training keeps pace with the latest threats.
  • Harden the soft interior: Deploy and maintain antivirus, firewalls, whitelisting and sandboxing/containerization technologies; keep software patching up to date.
  • Encrypt everything sensitive: Have your data encrypted at multiple checkpoints, along multiple points in the network. Encrypted data is useless to the cyber attacker.
  • Backup, backup, backup, and then restore: Back up with three different methods: file backup to offsite storage for organizational recovery (disaster recovery), file backup to local storage for immediate volume recovery, and file backup to local storage for immediate file recovery. Fully test backups by restoring critical data and verifying the data’s integrity.
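The pre-perimeter layer above is where the lures described earlier (a ‘supplier’ invoice attachment, a ‘customer’ pricing enquiry, a spoofed C-level executive address) can be held before they reach a user. The following is an added example of such a mail-filter rule, not code from the original article or from any vendor product; the organization domain, the executive directory and the sample messages are all constructed.

```python
import re
from email.utils import parseaddr

# Constructed sample data (not from the article): the organization's own
# domain and a directory of executives whose names a spoofed From: header
# might borrow.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Attachment names typical of the 'invoice' / 'pricing enquiry' lures,
# restricted to archive, script and macro-enabled types.
LURE_ATTACHMENT = re.compile(
    r"\b(invoice|pricing|quote)[^.]*\.(zip|exe|js|docm|xlsm)$", re.I)


def score_message(msg):
    """Return the list of reasons a message should be held for review.

    msg is a dict with optional keys: from, reply_to, subject,
    attachments (list of filenames).  An empty list means no finding.
    """
    reasons = []
    display, addr = parseaddr(msg.get("from", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    external = domain != ORG_DOMAIN

    # 1. Executive display-name spoofing: the name matches an executive,
    #    but the address is not that executive's real mailbox.
    real = EXECUTIVES.get(display.strip().lower())
    if real and addr != real:
        reasons.append(f"display name '{display}' impersonates {real} "
                       f"(actual sender {addr})")

    # 2. Reply-To diverts replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and reply.lower().rsplit("@", 1)[-1] != domain:
        reasons.append(f"reply-to domain differs from sender domain ({reply})")

    # 3. External sender carrying an invoice/pricing-style lure attachment.
    if external:
        for name in msg.get("attachments", []):
            if LURE_ATTACHMENT.search(name):
                reasons.append(f"external sender with lure attachment '{name}'")
    return reasons


if __name__ == "__main__":
    sample = {"from": "Jane Doe <jane.doe@mail-example.net>",
              "subject": "Status update?"}
    print(score_message(sample))
```

A message with a non-empty reason list would be quarantined at the mail gateway rather than delivered, which is the point of filtering before the perimeter.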

The advanced persistent threat isn’t going to go away. You need to understand how the APT survives and thrives, and how battling it begins with a multi-layered approach across your network.

This article originally appeared in the November 2015 issue of Security Today.

