Baseline Hardening: The Best Defense Against Advanced Persistent Threats

What business should do to protect against APTs

• By Brad Thies
• Jun 25, 2018

According to a number of sources, Reaper, a hacking group linked to North Korea, has now become sophisticated enough to be labeled an advanced persistent threat (APT) — a type of cyber threat with the capability and intent to get ongoing, long-term access to a system. With its recent exploitation of a zero-day vulnerability present in Adobe Flash Player, the group demonstrated the ability to infiltrate high-value corporations. Past targets include companies in Japan, the Middle East, and Vietnam, and the group is mainly focused on industry verticals such as manufacturing, aerospace, chemicals, and electronics.

The attack on Adobe represents a high level of sophistication; this is not your everyday smash-and-grab cyberattack. An APT that is able to exploit a zero-day vulnerability is more like an "Ocean’s 11"-style heist: It takes long-term planning and continuous stealth.

Because APTs take more time for hackers to put in place, they tend to target high-value organizations with a lot of data, such as cloud service providers. In the case of the Equifax job, hackers were looking to augment a database they already had. APTs will also go after valuable intellectual property or even military strategies. While there are some loosely affiliated hacker collectives, such as Anonymous, that are capable of APT attacks, most of these groups are state-sponsored; governments are well-suited to provide the ongoing resources required by the hacker for yearslong operations.

The Best Defense

The first thing a business should do to protect itself against APTs is make sure its system meets up-to-date industry security standards — this process is called a baseline hardening initiative. The speed at which applications and servers are deployed and the sheer volume of system builds make it impossible to produce safe, resilient systems unless there are baseline security standards every step of the way. The Center for Internet Security (CIS) has effective benchmarks that should be considered in any environment, as they can sometimes prevent significant damage from APTs.

The first step in baseline hardening is defining the standards you will use (such as the CIS benchmarks) and measuring your current environment against them. Then, commit to an immutable infrastructure (one in which you are not just making small tweaks to the same servers over time) so your standards are automatically rebuilt with every change made. That will help you avoid “configuration drift.”

Immutable infrastructures take time to build, so while this process is underway, you should make sure to segment your network, which will limit an attacker's mobility within your system and limit the damage.

Expect an Attack

Those first lines of defense are critically important, but it is equally important for large corporations to be realistic. Assume you will get hacked, and assume you will be breached. The best thing you can do is develop an action plan for when it happens.

Each person on your team should have a specific job when responding to a breach. Assign people responsibility for handling interactions with the security, legal, and forensic teams, as well as outside law enforcement, including the FBI and federal regulators. Have other parties get in touch with any cybersecurity partners you use to develop a plan moving forward. Have your PR team organize media communications. In broad strokes, the NIST framework is an excellent method to follow when creating a cybersecurity response plan: identify, protect, detect, respond, and recover.

In a crisis, it is important to have a core group of experts running the show. This is where a business needs to lean on its IT staff. There are many tools available to help your developers create a secure environment, so turn your DevOps team into a DevSecOps team. This transformation will maintain consistent security while improving processes and enabling a higher velocity of system changes. A thorough security strategy will also include a security operations center that can monitor for suspicious network activity.

Protecting your company from APTs takes a big commitment. Hackers will exploit any vulnerability you give them, so cutting corners does you no good. You will need to have the tools, people, and processes in place that allow you to take action if — or when — the time comes.