Don’t Be a Target – Anticipate and Monitor for APT Activity

Our security predictions for 2012 forecast that the class of targeted attacks known as APTs – advanced persistent threats – would trickle down and begin to affect smaller organizations.

And while it might not make the headlines like the recent story about the data breach at Coca-Cola in 2009 that is still affecting the company three years later, a successful attack can be devastating regardless of the size of the organization or the motive for the attack.

Historically, APT attacks have been created by sophisticated hackers using advanced attack techniques and blended threat malware, but it is only a matter of time before “normal” malware criminals learn from these sophisticated hacks and the evolution of the APT speeds up, making organizations of every size a target.

So let’s revisit this prediction and figure out how to make your organization the smallest target possible with the tools you already have at your disposal.

What’s in an Acronym: APT?

  • Advanced – APTs use the most advanced malware and attack techniques available. By the nature of the name, they often leverage techniques such as encrypted communication channels, kernel-level rootkits, and sophisticated evasion capabilities to get past a network’s defenses. More importantly, they often leverage zero-day vulnerabilities – flaws which software vendors haven’t yet discovered or fixed – to gain access to our systems. In short, APTs are Q-level, James Bond malware.
  • Persistent – This malware is designed to stick around. It carefully hides its communications, using techniques like steganography. It “lives” in a victim’s network for as long as possible, often cleaning up after itself (deleting logs, using strong encryption, and only reporting back to its controller in small, obfuscated bursts of communication).
  • Threat – APTs are extremely blended threats, much like botnets, and very targeted. APT attackers are groups of highly skilled, motivated, and financially backed attackers with very specific targets and goals in mind. Typically, these often nation-state-sponsored attackers have targeted Fortune 500 companies, government-related infrastructure, or the industrial sector – and we anticipate this broadening to organizations of all sizes.

No network security provider can block every APT attack, no matter what they claim. According to Gartner, an estimated $60 billion is invested by corporations and governments in network security systems, yet hackers are still finding ways to sneak past them. By definition, APTs often leverage new techniques, which may not even have a defense yet. However, there are defense strategies that can significantly mitigate the chance of an advanced and persistent infection. WatchGuard supports a variety of reporting and monitoring functions that provide smart and strategic defense against these blended threats.

We’ve outlined a variety of best practices for mitigating risk and monitoring unusual activity across a network that may better detect or stop the next APT, including:

  • Multiple layers of security controls – WatchGuard “defense-in-depth”

A multi-layered approach to network security is the best protection. When combined, firewalls, intrusion prevention services, proactive anti-virus (AV) solutions, anti-spam and anti-phishing protection, and cloud-based reputation defenses maximize the chance that one or more security controls will catch part of an APT attack.

  • Signature-less malware protection – WatchGuard Proactive Malware Detection

Similar to zero-day attacks, APTs often use malware that AV vendors have not yet seen, so no signature exists for it. The only way to catch this kind of APT is to use proactive, non-signature techniques. WatchGuard partners with best-in-class anti-malware and anti-virus service providers such as Kaspersky and AVG Technologies, which both have the capability to detect malware without signatures. Our partners specialize in code emulation, behavior analysis, and sandboxing to determine what a file does and whether it may be malware. These techniques can often catch malicious files without having reactive signatures for them.

  • An evolving defense framework – WatchGuard XTM (eXtensible Threat Management)

APTs are just further proof that hackers and attacks on the Internet are constantly evolving, so naturally, the only way to really protect against evolving threats is to have a defensive platform that can change along with them. WatchGuard’s strategic XTM hardware and platform design lend themselves to a modular framework that makes it easy to add new security layers to WatchGuard appliances – as new technologies are released, we integrate them into the platform and so protect better against APTs. This allows WatchGuard to incorporate new defense technologies, such as cloud reputation and the use of heuristics to detect malware, much more quickly than other network security providers.

  • Better manageability through visibility – WatchGuard Firebox System Manager (FSM) and HostWatch

Often, security practitioners focus on prevention and forget about discovery and response. Real-time visibility tools such as HostWatch and FSM help quickly identify anomalies or problems in a network and find malware through dedicated monitors, network traffic reports, and administrator views of which external sites were approved or denied. Some network security companies require the purchase of additional reporting tools or appliances in order to have this important insight into a network. WatchGuard believes that customers should not have to pay for the proof (reporting) that indicates a system is providing internal network protection. Visibility tools like FSM and HostWatch are key for APT defense, and these WatchGuard tools come free with the WatchGuard XTM appliance.

  • Enforcing Standards – Protocol Anomaly Detection (PAD)

For the most common and important Internet services, such as Web traffic (HTTP), e-mail traffic (SMTP), domain name traffic (DNS), and file transfers (FTP), WatchGuard deploys proxies, or deep application-layer content inspection services. Among other things, these proxy services include our Protocol Anomaly Detection (PAD) feature, which can tell the difference between bad and good traffic by enforcing the RFC (Request for Comments) standards for that particular service. For instance, the SMTP RFC states that the maximum line length for an email is 1000 bytes; our proxies enforce that standard, and by extension protect you from any attacks (like buffer overflows) that try to leverage overly long email lines… and that’s just one example. These are “signature-less” protections that can even block zero-day attacks, if they break protocol standards.
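As an added illustration of the PAD idea (hypothetical example code, not WatchGuard’s implementation), here is a small checker that enforces the RFC 5321 line-length and CRLF rules on a captured SMTP client stream and reports each violation; the sample session is constructed.

```python
# Hypothetical SMTP protocol-anomaly checker (example code, not WatchGuard's PAD).
# Limits are the RFC 5321 ones: command lines <= 512 octets and text lines
# <= 1000 octets, each counted including the terminating CRLF.
MAX_COMMAND_LINE = 512
MAX_TEXT_LINE = 1000
SMTP_COMMANDS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP",
                 b"QUIT", b"VRFY", b"EXPN", b"HELP", b"STARTTLS", b"AUTH"}


def check_smtp_stream(raw: bytes) -> list:
    """Return human-readable anomalies for a client-to-server SMTP byte stream.

    Lines before DATA are treated as commands; lines after DATA up to the
    lone '.' terminator are treated as message text.
    """
    lines = raw.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # stream ended with LF; drop the empty tail
    anomalies, in_data = [], False
    for number, line in enumerate(lines, start=1):
        octets = len(line) + 1  # add back the LF we split on
        if not line.endswith(b"\r"):
            anomalies.append(f"line {number}: bare LF, RFC 5321 requires CRLF")
        body = line.rstrip(b"\r")
        if in_data:
            if octets > MAX_TEXT_LINE:
                anomalies.append(f"line {number}: text line {octets} octets > {MAX_TEXT_LINE}")
            if body == b".":
                in_data = False  # end of the DATA section
            continue
        if octets > MAX_COMMAND_LINE:
            anomalies.append(f"line {number}: command line {octets} octets > {MAX_COMMAND_LINE}")
        verb = body.split(b" ", 1)[0].upper()
        if verb not in SMTP_COMMANDS:
            anomalies.append(f"line {number}: unknown command {verb!r}")
        if any(c < 32 or c > 126 for c in body):
            anomalies.append(f"line {number}: non-printable or non-ASCII byte in command")
        if verb == b"DATA":
            in_data = True
    return anomalies


# Constructed sample session: an unknown verb on a bare-LF line, then an
# overlong (1200-byte) line inside DATA; both break the RFC and get flagged.
SAMPLE_SESSION = b"".join([
    b"EHLO client.example\r\n", b"MAIL FROM:<sender@example.com>\r\n",
    b"RCPT TO:<recipient@example.org>\r\n", b"XFOO payload\n", b"DATA\r\n",
    b"Subject: test\r\n", b"\r\n", b"A" * 1200 + b"\r\n", b".\r\n", b"QUIT\r\n",
])
```

Running `check_smtp_stream(SAMPLE_SESSION)` returns three findings: the bare LF and the unknown verb on line 4, and the 1202-octet text line on line 8.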

  • Reputation Services – WatchGuard Reputation Enabled Defense (RED)

WatchGuard RED is a cloud-based reputation authority that aggregates many sources of security intelligence to provide our appliances with a dynamic, real-time view of the Internet threat landscape. It proactively monitors and stores the IPs and URLs of known sources of malware, drive-by download sites, and phishing and spam email. It gets its intelligence by aggregating many known lists of malware distributors and mixing that with real-time feedback from the thousands of appliances we have protecting customers’ sites. This real-time feedback gives RED a very accurate and dynamic view of the quickly changing threat landscape.

Because APTs are continually evolving and getting more elusive by the day, no network security solution will be able to anticipate or block every attack. Our advice: always assume that a network is already breached, and then build a security vault using the tools and services noted here. We strongly suggest using more than just preventative tools – strong visibility tools will help recognize threats and ensure that IT administrators are taking all necessary action to help mitigate them. — Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

7 Responses to “Don’t Be a Target – Anticipate and Monitor for APT Activity”

  1. I’ll right away take hold of your RSS feed as I can’t find your e-mail subscription hyperlink or newsletter service. Do you have any? Please let me know so that I could subscribe. Thanks.

  2. Hi there, yeah this post is really pleasant and I have learned a lot of things from it concerning blogging.

  3. Quality articles or reviews are the crucial thing for being a focus for the visitors who visit the site, and that’s what this web page is providing.


  1. What is UTM Security and is it Right for my Business? « Moving Security Forward - November 16, 2012

    […] the need for comprehensive network security solutions is evident. Our own Corey Nachreiner recently blogged on just this topic, but to […]

  2. Virtualized Security Capabilities You’ll Need for Ultimate Protection | The Smart Firewall - April 23, 2013

    […] virtualization security solution needs to defend against botnets, Advanced Persistent Threats (APTs), and other attacks, while keeping your organization in control when using Web 2.0 applications. The […]

  3. Profiling Modern Hackers: Hacktivists, Criminals, and Cyber Spies. Oh My! | WatchGuard Security Center - May 30, 2013

    […] Unlike the other hackers’ tools, state-sponsored attackers create very customized and advanced attack code. Their attacks often incorporate previously undiscovered software vulnerabilities, called zero day, which have no fix or patch. They often leverage the most advanced attack and evasion techniques into their attack, using kernel level rootkits, steganography, and encryption to make it very difficult for you to discover their malware. They have even been known to carry out multiple attacks to reach their ultimate target. For instance, they might attack a software company to steal a legitimate digital certificate, and then use that certificate to sign the code for their malware, making it seem like it comes from a sanctioned provider. These advanced attacks are what coined the new industry term, advanced persistent threat (APT). […]

  4. Dissecting the Hacker – Three Profiles You Need to Know | The Smart Firewall - June 4, 2013

    […] Unlike the other hackers’ tools, state-sponsored attackers create very customized and advanced attack code. Their attacks often incorporate previously undiscovered software vulnerabilities, called zero-day, which have no fix or patch. They often employ the most advanced attack and evasion techniques like using kernel level rootkits, steganography, and encryption to make it very difficult for you to discover their malware. They have even been known to carry out multiple attacks to reach their ultimate target. These advanced attacks are what coined the new industry term, advanced persistent threat (APT). […]
