Gartner Advises On An APT Defence Strategy

Everyone blames security lapses on APTs. Gartner argues that the label is irrelevant and that practical action could avoid breaches

Adding more layers of defence will not necessarily improve protection from targeted threats, said Gartner in its latest report on advanced persistent threats (APTs). What is needed, the analysts said, is the evolution of better security controls.

The Gartner research considers the term “advanced persistent threat” overhyped and a distraction from the real problem: the vulnerabilities that the attackers are exploiting.

“Targeted attacks are penetrating standard levels of security controls, and causing significant business damage to enterprises that do not evolve their security controls,” said John Pescatore, vice president and distinguished analyst at Gartner. “For the average enterprise, four to eight percent of executables that pass through antivirus and other common defences are malicious. Enterprises need to focus on reducing vulnerabilities and increasing monitoring capabilities to deter, or more quickly react to, evolving threats.”

Military Heritage Source Of FUD

The term APT was originally a military term referring to a specific threat from another country or aggressive nation state. It has often been co-opted by security vendors to hype the source of an attack, Gartner claimed.

“The reality is that the most important issues are the vulnerabilities and the techniques used to exploit them, not the country that appears to be the source of the attack,” Pescatore said. “The major advance in new threats has been the level of tailoring and targeting – these are not noisy, mass attacks that are easily handled by simple, signature-dependent security approaches.”

For a threat to be persistent, it must be able to communicate across secured boundaries to a remote attacker or infrastructure. This means that hiding the exploit from detectors is part and parcel of persistence.

Gartner said that financial gain is usually the basic aim and defines three types of APT: denial of service to disrupt business operations; obtaining the use of a business product or service without paying for it; and information compromise by stealing, destroying or modifying business-critical information.

“Vendors tend to define ‘advanced’ evasions and threats based on the capabilities of their most recently-released product,” said Wade Williamson, security analyst at Palo Alto Networks, commenting on the report. “IT professionals, on the other hand, will often define ‘advanced’ based on the last threat that made it through their defences. Both of these definitions can be a bit self-serving rather than scientific.”

Williamson added that an evasion technique, advanced or otherwise, is a component of a persistent attack. Gartner, for its part, suggests three methods of dealing with APTs.

The Gartner report “Strategies for Dealing With Advanced Targeted Threats” contains several suggestions for understanding and tackling APTs.

Own the vulnerability; don’t blame the threat, Pescatore advised, adding that the curious teenager, the experimental hacker, the cybercriminal and the information warrior can all be stopped if the vulnerability is closed. The use of specialised threat detection, network forensics and situational awareness technologies can be very effective in quickly detecting and reacting to the first stages of an advanced targeted threat, but requires high levels of skilled resources to be effective.

In practical terms, the best way to reduce the risk of compromise is to invest in security in depth. This means more than hardware and software; it also encompasses staffing and operations support.

Pescatore said that staff must understand the difference between compliance and security. Due diligence, from a compliance perspective, means limiting the company’s liability to legal action; on its own, that will never live up to customers’ trust.

“A lean-forward approach to security is going beyond the due diligence level of the standard network security and vulnerability assessment controls, and using tools and processes to continuously look for active threats on the internal networks,” Pescatore said. “However, IT leaders must be prepared to invest in and staff lean-forward processes – and they must be prepared to take action if they find something.”

The report has been published in the run-up to a two-day Gartner event beginning September 19 in London: the Gartner Security & Risk Management Summit 2011.