Persistent Threats

A layered approach to security

A layered approach to network security is the most reliable way of ensuring peace of mind against Advanced Persistent Threat (APT) forms of cyberattacks because no modern company can afford the surefire method of protection: cutting the cord that connects computers to the internet and moving that company back in time.

But, the APT threat isn’t a new problem for the CISO or System Administrator today. It’s actually a 60-year-old problem.

The first infector was conceived, but never written, in 1949 by John von Neumann in his lectures at the University of Illinois about the “Theory and Organization of Complicated Automata” in which he discussed how a computer program could be designed to reproduce itself.

In 1971, arguably the first in the wild ‘virus’ was created called “Creeper,” an experimental program written by Bob Thomas which used the program to infect computers running a specific operating system. A short while later, the Reaper program was written to delete the Creeper file. Hence, the first antivirus was born.

In 1984, Fred Cohen from the University of Southern California wrote an article titled “Computer Viruses - Theory and Experiments” and demonstrated that there is no algorithm that can perfectly detect all possible viruses and their variants.

Interestingly enough, only one year later in 1985, what could be viewed as the first antivirus company was founded in order to ‘protect’ computers by attempting to detect viruses. In 1986, Clifford Stoll, author of The Cuckoo’s Egg, may have had the first publicly known encounter with an APT while investigating a $0.75 accounting discrepancy.

Nearly 30 years later the multi-billion antivirus industry has not been able to solve the problem. The situation has worsened; there is more malware in the wild than ever before and infection rates are soaring, mostly driven by cyber-crime.

Understanding the Anti-virus Problem

The problem with anti-virus software lies within the fine line that divides “proof” and “resistant.”

A water-resistant wristwatch may be resistant to water, but it is not waterproof. This “resistance” is usually qualified up to certain depth. Take that watch down a little too far, and it will be ruined.

Padlocks, perhaps more aptly, are tamper-resistant but not tamper-proof. One could try lock-picking, a pocket-sized crowbar, or a host of other measures to separate hasp from staple without success. However, hit it with a 40-pound sledgehammer and it will shatter.

Traditional antivirus measures do not make computers infection proof, only infection resistant, and then still only resistant to ‘known-bad’ files. This is due to reliance on blacklisting technology (virus signature databases) to recognize and remove malicious files. This means that someone, somewhere has to be patient zero though statistics show that there generally have to be hundreds, if not thousands, of patient zeroes before the infection is recognized, a signature created and a database update rolled out.

But, what if just one “patient zero” had code specifically written and targeted to just them? Would that code be detected? What if that code was so ingeniously created by highly skilled programming gurus that it was completely unrecognizable against the backdrop of the millions of other files on the network? Would it be detected?

The knee-jerk reaction to blacklisting is a full 180-degree tilt to whitelisting. Only known good files are allowed to exist on the network. This raises questions— is it possible to whitelist every file on a network? Is it possible to maintain that list? How does one know which files to whitelist? What about new, never-beforeseen files? Whitelisting is then perhaps better described as a process, part of the solution, not a solution in and of itself.

Enter the Advanced Persistent Threat

An APT is not an object, it is a process. It is the counter-process to the process of IT security with the goal of placing a “super- Trojan” on the desktop computer or using the desktop as a staging post en route to the server, eavesdropping on your network traffic and extracting valuable data such as Intellectual Property, customer’s data, M&A information, business or product strategies, political or social affiliations or any other sensitive material.

How APTs Survive and Thrive

The process behind an APT could come from the pages of an Ian Fleming or John le Carré novel. It starts with profiling the target.

Rather than target a mass audience, APTs zero in on specific individuals in an organization, who if engineered or workstation compromised, can be used to advance the goals of the attack. This requires more patience and persistence than an undifferentiated email blast.

Using the example of email, the cause of approximately 80 percent of compromises, when sending out an APT, attackers go to great lengths to make the subject line and message appear plausible. This is done through a variety of methods including the use of externally available, public information tools and resources such as LinkedIn, Facebook, Twitter, Google+, YouTube, Monster and other resources where the organization may be advertising for IT staff thereby disclosing the hardware and software skills being sought after.

The organization’s business partners, suppliers and customers will also be thoroughly researched and noted. An APT is not a one-shot attempt.

Once this information has been gathered a phone call or two to the organization will probably take place (the HR department could be a likely recipient of these calls) to establish personnel movements. A call or two to the helpdesk may also take place to test the resilience of support staff to password reset requests.

During the above, the target will receive emails, perhaps from a ‘supplier’ under the context of an attached invoice, perhaps from a ‘customer’ under the context of a pricing enquiry perhaps even from a spoofed C-level executive’s email address requesting status updates. Unsuspecting users may open these attachments and, using a yet-to-be-discovered programming flaw, an exploit will be leveraged and a new ‘Unknown’ will enter the network.

Perhaps the intrusion may be of a more physical nature and a burglary will be staged. The organization may find that a number of items have been stolen overnight, what they will not realize is that although they may have lost some equipment they will also have gained a new “Unknown” piece of software brought in by the ‘burglars’ and injected from a USB memory stick.

APTs do not look for a home run at the outset. The main objective is to gain access into low priority areas the company fails to protect adequately: the endpoint. By being patient the hackers can gradually work their way into higher value segments of the network where important data resides.

Regardless of the method, the attack will not stop until proven fruitless; the agent will most likely invade the network. Mission accomplished.

A Seven-layer Approach to Re-evaluating Security

Short of cutting your internet connection entirely, there are other steps that can be taken to defend the network and recover in the event defenses are breached. Here are seven layers of a security checklist that every IT Administrator should have in place to defend against the ATP and/or recover from the attack.

  • Defend the pre-perimeter: Leverage the cloud and use mail filtering and antispam solutions to remove potentially infected emails or attachments before they ever get to your network. Also consider using secure DNS products which have a real-time database of spoofed and compromised servers.
  • Defend the perimeter: Conduct penetration testing regularly; have Intrusion Detection and Intrusion Prevention systems installed; regularly audit firewall and SIEM logs for anomalies.
  • Defend the transit: Log network events through a Security Information and Event Management system (SIEM); employ Network Access Control (NAC) and Network Intrusion Detection mechanisms to control who has access to the transit.
  • Defend the soft interior: Train and educate users on security protocols, have BYOD and VPN policies in place; have acceptable use policies backed by Clevel execs—visibly enforce these policies and ensure user training is concurrent with the latest threats.
  • Harden the soft interior: Deploy and maintain antivirus, firewalls, whitelisting and sandboxing/containerization technologies; keep software patching up to date. 
  • Encrypt everything sensitive: Have your data encrypted at multiple checkpoints, along multiple points in the network. Encrypted data is useless to the cyber attacker.
  • Backup, backup, backup, and then restore: Backup with three different methods—file backup to offsite storage for organizational recovery (disaster recovery), file backup to local storage for immediate volume recovery, and file backup to local storage for immediate file recovery. Fully test backups by restoring critical data and verifying the data’s integrity.

The advanced persistent threat isn’t going to go away. You need to understand how the APT survives and thrives, and how battling it begins with a multi-layered approach across your network.

This article originally appeared in the November 2015 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • XS4 Original+

    XS4 Original+

    The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability that enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. Compatible with the array of SALTO platform solutions including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution, and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE and NFC technology functionality. 3

  • ResponderLink


    Shooter Detection Systems (SDS), an company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3