Advanced Persistent Threat

ClearPath Forward · 5 minutes read · Sep 14th, 2012

Advanced Persistent Threat (APT) is as much a part of the cyber security landscape as viruses, cross site scripting, and identity theft, yet the term is so vague that you might wonder if it applies to you. It does.

In this blog we’ll explain APT and offer some suggestions for combating it. As a starting point, we’ll say that APT is a “low and slow” cyber attack against servers containing valuable intellectual property.

Where is this valuable intellectual property? It could be just about anywhere, but in most cases it’s on back-end systems. Operation Aurora, an APT operation reported in the media in 2009, got a lot of attention because Google was attacked. But that’s just the tip of the iceberg. The targets included dozens of US companies. Similar attacks have targeted government and military computers and business enterprises throughout the world.

APT is characterized by unauthorized software resident on the target system, undetected for a long time, periodically sending information to servers operated by criminal enterprises or foreign governments. The recipients of some of this information use it to get their product to market before yours, at a lower cost, because they’ve skipped the research and development stage, thanks to your stolen intellectual property. Other recipients of the stolen information are more interested in energy grid plans or other information critical to national defense. That’s why some security experts suggest that the term APT should be reserved for state-sponsored cyber-espionage that supports military or economic warfare.

Each of the three words in the term provides more insight into APT.

It’s advanced because of the logistics supporting the attackers. They’re professionals, not hackers. They’re trained and systematic. And their job is to compromise government and commercial entities.

It’s persistent because the modus operandi is repeated theft, not a one-time grab-and-run. The clever hacker who manages to infiltrate a company and steal funds or credit card numbers to sell on the black market doesn’t particularly care if his exploit is detected after the fact. He’s made his profit and is on to another victim. In contrast, APT enterprises are careful to try to avoid detection, because after they’ve stolen the formula for one new drug, the source code for one new application, or the plans for one innovative engine, they want to lurk undetected so they can steal the next, and the next.

It’s a threat because the perpetrators have means and motive, and if they succeed it could mean significant financial loss for the victim.

What can you do about it? Here are a few suggestions for fighting APT:

  • Focus on defense in depth, not just the perimeter. A firewall is a good start, but persistent, well-funded, professional attackers will get through it or bypass it, and you need to protect your valuable mainframe data. At a minimum, protect your intellectual property files with ACRs (OS 2200) or Guard Files (MCP), not just read and write keys.
  • Educate your users about spear phishing attacks, because they can provide the information the criminals need to get their APT software onto your system. For example, if you have recently attended a business conference, APT attackers might send an email claiming to come from a conference speaker and containing a link to a ZIP file to download. Click the ZIP link, and ZAP—your PC is infected with software that will capture your ClearPath login credentials.
  • Admit that intrusions will happen and employ intrusion detection software and procedures. ClearPath software such as Unisys Operations Sentinel, FCI’s IDS 2200, and Locum RealTime Monitor can notify you of suspicious events.
  • Encrypt your intellectual property and guard the keys. Use MCP’s Crypto API and OS 2200’s Cipher API.
  • Make sure your intellectual property is protected as it moves from one location to another. ClearPath servers support robust TLS encryption. In addition, for a look at APT in the context of Unisys Stealth Solution for Network and the Unisys Stealth Solution for Secure Virtual Terminal (SSVT) device, see Richard Bryant’s blog, “Theft by hacking: Three of the Top Six Threats.”
  • Review your system and security logs regularly. Look for invalid login attempts, unexpected file accesses, unexpected new files, activity at odd hours, applications failing, large outgoing file transfers, and other anomalies that might be the result of APT processes at work.
  • Review your security policies regularly. Do all users have unique user-ids? Which users still have privileges they no longer need? Are new applications approved and guarded against unauthorized modification before they are installed? Is relevant log data preserved in case it’s needed in forensic investigations? These are just a few of the questions about security policies that need careful periodic review.
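As an added illustration of the log review recommended above (example code written for this edit, not from the original post or from Unisys): a small Python script that applies the post's checklist, repeated failed logins, activity at odd hours, and large outgoing transfers, to a constructed log. The log line format, the thresholds, and the user-ids and addresses are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not from any real ClearPath system); the line format
# "<ISO timestamp> <event> user=<id> key=value ..." is an assumption for this example.
SAMPLE_LOG = """\
2012-09-13T09:02:11 LOGIN_OK user=alice src=10.0.1.20
2012-09-13T09:05:42 LOGIN_FAIL user=alice src=10.0.1.20
2012-09-13T23:41:07 LOGIN_FAIL user=svc_batch src=203.0.113.9
2012-09-13T23:41:13 LOGIN_FAIL user=svc_batch src=203.0.113.9
2012-09-13T23:41:19 LOGIN_FAIL user=svc_batch src=203.0.113.9
2012-09-13T23:41:25 LOGIN_OK user=svc_batch src=203.0.113.9
2012-09-13T23:52:30 FILE_READ user=svc_batch file=ENGINE*PLANS/REV7
2012-09-14T00:10:05 XFER_OUT user=svc_batch dst=203.0.113.9 bytes=734003200
2012-09-14T10:15:00 XFER_OUT user=bob dst=10.0.2.5 bytes=20480
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+)(.*)$")
FAILED_LOGIN_THRESHOLD = 3            # failures per user-id before flagging (assumed)
OFF_HOURS = (22, 6)                   # 22:00 to 06:00 counts as "odd hours" (assumed)
LARGE_XFER_BYTES = 100 * 1024 * 1024  # outbound transfers >= 100 MiB are "large" (assumed)

def parse(log_text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, event, user, rest = m.groups()
            fields = dict(kv.split("=", 1) for kv in rest.split())
            events.append({"ts": datetime.fromisoformat(ts), "event": event, "user": user, **fields})
    return events

def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end

def find_anomalies(events):
    """Return (user, reason) pairs for the patterns the post says to look for."""
    findings = []
    fails = Counter(e["user"] for e in events if e["event"] == "LOGIN_FAIL")
    findings += [(u, f"{n} failed logins") for u, n in fails.items() if n >= FAILED_LOGIN_THRESHOLD]
    for e in events:
        if e["event"] in ("LOGIN_OK", "FILE_READ") and is_off_hours(e["ts"]):
            findings.append((e["user"], f"{e['event']} at {e['ts']:%H:%M} (odd hours)"))
        if e["event"] == "XFER_OUT" and int(e.get("bytes", 0)) >= LARGE_XFER_BYTES:
            findings.append((e["user"], f"large outbound transfer of {e['bytes']} bytes to {e['dst']}"))
    return findings
```

Calling `find_anomalies(parse(SAMPLE_LOG))` on the constructed log surfaces only the `svc_batch` activity: the burst of failed logins, the off-hours login and file read, and the large transfer to the same external address, which is the kind of chain the post describes.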

Your ClearPath servers hold the crown jewels of your enterprise, and that’s what makes them attractive targets. Keep them safe from Advanced Persistent Threat.

Tags: ClearPath Security