This article is the last in our series on the threat APTs pose (you can find part 1 here and part 2 here) and focuses on the practical steps organizations can take to guard against APT attacks. Given the sophisticated, patient nature of APTs and the varied methods they use to compromise their targets, no single solution can prevent APT attacks. However, companies that take a comprehensive approach to their security posture and maintain a strong understanding of their own data and network can mitigate the threats posed by these entities.

Specifically, strengthening compliance with cybersecurity laws and industry regulations, maintaining multiple layers of network security, and educating employees on APT attacks can help organizations defend against APT intrusions. Further, organizations with updated data inventories, a strong understanding of their data management policies, and a definite baseline of ordinary network activity can place themselves in the best position to identify APT activity before it is too late.

1. Strengthen Compliance with Cybersecurity Laws and Industry Regulations

Many industry-specific regulations, such as the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach Bliley Act (“GLBA”), and state laws require technical, physical, and administrative safeguards to ensure the security and privacy of confidential information. Compliance with these laws is critical both to prevent security incidents and to reduce exposure to legal and regulatory action when incidents do arise.

At their core, these laws require that organizations enact organizational policies and security procedures commensurate with their data’s sensitivity. Organizations like the National Institute of Standards and Technology (“NIST”) provide useful guidance in the form of best practice network security frameworks that include a comprehensive set of practices to help safeguard an organization. Similarly, non-legal compliance standards such as the Payment Card Industry Data Security Standard (“PCI DSS”) and the American Institute of Certified Public Accountants’ (“AICPA”) SOC 2 requirements provide standards for a number of cybersecurity practices organizations can consult for guidance. Among other things, these guides recommend that organizations maintain multiple layers of network security, often referred to as “defense in depth.”

2. Take a Layered Approach to Network Security

Guidance from organizations like NIST and the AICPA recommend that organizations maintain multiple layers of network security, often referred to as “defense in depth.” This practice involves deploying a number of specialized security controls throughout an organization that are designed to protect the network from every angle of attack. Given the number of attack vectors used by APTs, this practice ensures that each attack method is addressed with an appropriate security control. Though these methods alone may not prevent an APT attack, a layered security approach creates an environment of maximum resistance for the APT and provides a layer of support for other organizational security practices

Specifically, organizations should control access to their networks by deploying next-generation firewalls, intrusion detection systems, and email filtering solutions.  Organizations should also require two-factor authentication to access the network. Further, maintaining strict access controls and segregating sensitive data from the rest of the network can help limit a threat actor’s movement in the event of compromise. Organizations should also undergo routine penetration testing to identify potential weaknesses to address with tightened controls.

3. Train Your Employees to Spot Spear-Phishing

Perhaps surprisingly, an organization’s employees may be the best line of defense against APTs. As mentioned in our previous article, 91 percent of targeted attacks involve the use of spear-phishing emails to initially compromise an organization’s network. With this in mind, preventing APT attacks requires an educated workforce trained to identify spear-phishing emails and flag these messages for review and deletion by IT personnel.

Although many organizations already train their employees to recognize phishing emails, this training often does not suffice for users to regularly distinguish spear-phishing attacks from ordinary phishing attempts. Run-of-the-mill phishing emails often have clear giveaways like spelling and grammar errors, odd greetings, or unusually direct requests for sensitive information. In comparison, spear phishing emails often refer to the intended target directly by name and include attachments that appear to be legitimate documents ordinarily used by the organization. These emails may even appear to come from a targeted employee’s superior to create a sense of criticality and time-sensitivity. The increased sophistication of a spear phishing attack makes it harder for an ordinary user to recognize it, especially without training. Educating employees on the nature of spear-phishing, and training them on how to spot these messages in the wild, can help users think twice before opening an email that could lead to a devastating breach.

4. Know Your Enemy

As mentioned in our previous article, understanding what APTs want and how they operate is key to addressing these threats. Besides staying on top of annual cybersecurity threat trends, organizations can educate themselves and their employees on common attack methods used by APTs.

MITRE, the organization behind the widely-used Common Vulnerabilities and Exposures Database, maintains a comprehensive knowledgebase known as “ATT&CK” that logs attack methods and techniques used by APTs and ordinary threat actors alike. Attack methods are organized by the stage in MITRE’s ATT&CK framework during which they are used, which can help organizations identify the progress of discovered APT activity. ATT&CK even includes a log of recommended security improvements organized by the attack methods they are designed to mitigate. This database provides an excellent resource for cybersecurity professionals to learn the methods used by APTs and to structure their security programs safeguard against these attacks.

5. Know Your Organization

As careful as APTs may be, their activity creates ripples within the network that trained organizations can detect. For example, common signals of APT activity include: (1) multiple off-hours login attempts from users with elevated access privileges; (2) unexpected or unusual data transfers between internal systems or an external location; (3) storage of large data repositories in locations or formats not used by the organization; (4) presence or increase of spear-phishing emails. With these in mind, organizations with a concrete understanding of their data and ordinary network activity are in the best position to identify APT activity.

Performing a data inventory—often the first step toward compliance with cybersecurity laws—also provides organizations with a useful tool against APT attacks. Data inventories provide a complete view of all the data the organization owns and how this data is stored. Using this tool to identify what data is likely at risk can help an organization understand how best to configure its security policies to protect its critical assets. Similarly, creating a data flow map can help an organizations identify unusual behavior, in that it creates a baseline for how the organization’s data moves across its network in the ordinary course of business.

Information from the data inventory and data flow map can help to create data governance and data transfer policies that regulate storage and movement of corporate data both within and outside the network. With these procedures in place, cybersecurity professionals understand what kind of data their organization owns, where this data moves, and how this data is stored and regulated. Armed with this knowledge, IT personnel may be able to identify network activity or data movement that appears ordinary from a purely technical standpoint, but is out of compliance with the organizations’ stated data management policies.

Although APTs take great pains to cover their tracks, their activity often generates anomalous network and security event logs that leave clues that an APT is operating within a network. However, identifying these logs as relating to APT behavior requires an organization to understand its baseline network activity and traffic patterns. To this end, organizations should closely monitor user activity, network traffic, and security event logs and use log analytics and other methods to develop a picture of their organization’s ordinary level of activity. This baseline serves as a point of comparison that, when combined with regular log review and analysis, can help organizations to identify unusual traffic as originating from an APT.

Conclusion

Although no “silver bullet” solution to preventing APT attacks exists, organizations can still take concrete actions to safeguard their critical assets from APTs and proactively identify APT activity before it spreads throughout their network. Taking these steps often provides other organizational benefits and efficiencies in addition to easing the burden of compliance with  increasingly stringent cybersecurity laws and industry regulations.

For more information regarding this article, please contact Matthew Loffredo.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.