Persistent Threats

A layered approach to security

A layered approach to network security is the most reliable way of ensuring peace of mind against Advanced Persistent Threat (APT) forms of cyberattacks because no modern company can afford the surefire method of protection: cutting the cord that connects computers to the internet and moving that company back in time.

But, the APT threat isn’t a new problem for the CISO or System Administrator today. It’s actually a 60-year-old problem.

The first infector was conceived, but never written, in 1949 by John von Neumann in his lectures at the University of Illinois about the “Theory and Organization of Complicated Automata” in which he discussed how a computer program could be designed to reproduce itself.

In 1971, arguably the first in the wild ‘virus’ was created called “Creeper,” an experimental program written by Bob Thomas which used the program to infect computers running a specific operating system. A short while later, the Reaper program was written to delete the Creeper file. Hence, the first antivirus was born.

In 1984, Fred Cohen from the University of Southern California wrote an article titled “Computer Viruses - Theory and Experiments” and demonstrated that there is no algorithm that can perfectly detect all possible viruses and their variants.

Interestingly enough, only one year later in 1985, what could be viewed as the first antivirus company was founded in order to ‘protect’ computers by attempting to detect viruses. In 1986, Clifford Stoll, author of The Cuckoo’s Egg, may have had the first publicly known encounter with an APT while investigating a $0.75 accounting discrepancy.

Nearly 30 years later the multi-billion antivirus industry has not been able to solve the problem. The situation has worsened; there is more malware in the wild than ever before and infection rates are soaring, mostly driven by cyber-crime.

Understanding the Anti-virus Problem

The problem with anti-virus software lies within the fine line that divides “proof” and “resistant.”

A water-resistant wristwatch may be resistant to water, but it is not waterproof. This “resistance” is usually qualified up to certain depth. Take that watch down a little too far, and it will be ruined.

Padlocks, perhaps more aptly, are tamper-resistant but not tamper-proof. One could try lock-picking, a pocket-sized crowbar, or a host of other measures to separate hasp from staple without success. However, hit it with a 40-pound sledgehammer and it will shatter.

Traditional antivirus measures do not make computers infection proof, only infection resistant, and then still only resistant to ‘known-bad’ files. This is due to reliance on blacklisting technology (virus signature databases) to recognize and remove malicious files. This means that someone, somewhere has to be patient zero though statistics show that there generally have to be hundreds, if not thousands, of patient zeroes before the infection is recognized, a signature created and a database update rolled out.

But, what if just one “patient zero” had code specifically written and targeted to just them? Would that code be detected? What if that code was so ingeniously created by highly skilled programming gurus that it was completely unrecognizable against the backdrop of the millions of other files on the network? Would it be detected?

The knee-jerk reaction to blacklisting is a full 180-degree tilt to whitelisting. Only known good files are allowed to exist on the network. This raises questions— is it possible to whitelist every file on a network? Is it possible to maintain that list? How does one know which files to whitelist? What about new, never-beforeseen files? Whitelisting is then perhaps better described as a process, part of the solution, not a solution in and of itself.

Enter the Advanced Persistent Threat

An APT is not an object, it is a process. It is the counter-process to the process of IT security with the goal of placing a “super- Trojan” on the desktop computer or using the desktop as a staging post en route to the server, eavesdropping on your network traffic and extracting valuable data such as Intellectual Property, customer’s data, M&A information, business or product strategies, political or social affiliations or any other sensitive material.

How APTs Survive and Thrive

The process behind an APT could come from the pages of an Ian Fleming or John le Carré novel. It starts with profiling the target.

Rather than target a mass audience, APTs zero in on specific individuals in an organization, who if engineered or workstation compromised, can be used to advance the goals of the attack. This requires more patience and persistence than an undifferentiated email blast.

Using the example of email, the cause of approximately 80 percent of compromises, when sending out an APT, attackers go to great lengths to make the subject line and message appear plausible. This is done through a variety of methods including the use of externally available, public information tools and resources such as LinkedIn, Facebook, Twitter, Google+, YouTube, Monster and other resources where the organization may be advertising for IT staff thereby disclosing the hardware and software skills being sought after.

The organization’s business partners, suppliers and customers will also be thoroughly researched and noted. An APT is not a one-shot attempt.

Once this information has been gathered a phone call or two to the organization will probably take place (the HR department could be a likely recipient of these calls) to establish personnel movements. A call or two to the helpdesk may also take place to test the resilience of support staff to password reset requests.

During the above, the target will receive emails, perhaps from a ‘supplier’ under the context of an attached invoice, perhaps from a ‘customer’ under the context of a pricing enquiry perhaps even from a spoofed C-level executive’s email address requesting status updates. Unsuspecting users may open these attachments and, using a yet-to-be-discovered programming flaw, an exploit will be leveraged and a new ‘Unknown’ will enter the network.

Perhaps the intrusion may be of a more physical nature and a burglary will be staged. The organization may find that a number of items have been stolen overnight, what they will not realize is that although they may have lost some equipment they will also have gained a new “Unknown” piece of software brought in by the ‘burglars’ and injected from a USB memory stick.

APTs do not look for a home run at the outset. The main objective is to gain access into low priority areas the company fails to protect adequately: the endpoint. By being patient the hackers can gradually work their way into higher value segments of the network where important data resides.

Regardless of the method, the attack will not stop until proven fruitless; the agent will most likely invade the network. Mission accomplished.

A Seven-layer Approach to Re-evaluating Security

Short of cutting your internet connection entirely, there are other steps that can be taken to defend the network and recover in the event defenses are breached. Here are seven layers of a security checklist that every IT Administrator should have in place to defend against the ATP and/or recover from the attack.

  • Defend the pre-perimeter: Leverage the cloud and use mail filtering and antispam solutions to remove potentially infected emails or attachments before they ever get to your network. Also consider using secure DNS products which have a real-time database of spoofed and compromised servers.
  • Defend the perimeter: Conduct penetration testing regularly; have Intrusion Detection and Intrusion Prevention systems installed; regularly audit firewall and SIEM logs for anomalies.
  • Defend the transit: Log network events through a Security Information and Event Management system (SIEM); employ Network Access Control (NAC) and Network Intrusion Detection mechanisms to control who has access to the transit.
  • Defend the soft interior: Train and educate users on security protocols, have BYOD and VPN policies in place; have acceptable use policies backed by Clevel execs—visibly enforce these policies and ensure user training is concurrent with the latest threats.
  • Harden the soft interior: Deploy and maintain antivirus, firewalls, whitelisting and sandboxing/containerization technologies; keep software patching up to date. 
  • Encrypt everything sensitive: Have your data encrypted at multiple checkpoints, along multiple points in the network. Encrypted data is useless to the cyber attacker.
  • Backup, backup, backup, and then restore: Backup with three different methods—file backup to offsite storage for organizational recovery (disaster recovery), file backup to local storage for immediate volume recovery, and file backup to local storage for immediate file recovery. Fully test backups by restoring critical data and verifying the data’s integrity.

The advanced persistent threat isn’t going to go away. You need to understand how the APT survives and thrives, and how battling it begins with a multi-layered approach across your network.

This article originally appeared in the November 2015 issue of Security Today.


  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Making Safety and Security Intrinsic to School Design

    Public anxieties about school safety are escalating across the country. According to a 2023 Gallup report, 44% of parents fear for their child’s physical safety at school, a 10 percentage-point increase since 2019. Unfortunately, these fears are likely to increase if the incidence of school tragedies continues to mount. As a result, school leaders are now charged with two non-negotiable responsibilities. The first, as always, is to ensure kids have what they need to learn, grow, and thrive. Sadly, their second responsibility is to keep the children in their care safe from threats and physical danger. Read Now

  • The Power of a Layered Approach to Safety

    In a perfect world, every school would have an unlimited budget to help secure their schools. In reality, schools must prioritize what budget they have while navigating the complexities surrounding school security and lockdown. Read Now

  • How a Security System Can Enhance Arena Safety and the Fan Experience

    Ensuring guests have both a memorable experience and a safe one is no small feat for your physical security team. Stadiums, ballparks, arenas, and other large event venues are increasingly leveraging new technologies to transform the fan experience and maintain a high level of security. The goal is to preserve the integrity and excitement of the event while enhancing security and remaining “behind the scenes.” Read Now

Featured Cybersecurity


New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • ResponderLink


    Shooter Detection Systems (SDS), an company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3