James Arlen, Chief Information Security Officer, AivenBlog

Managing advanced persistent threats: Knowledge, Prevention and Defense

By James Arlen, Chief Information Security Officer, Aiven

Organizations across the globe have found themselves in the crosshairs of advanced persistent threat (APT) attacks, a form of cyberattack that stays dormant in networks for extended periods of time while extracting as much data and information as possible before it’s detected.

While many of these high-profile attacks are targeted toward large entities and governments, including SolarWinds and Microsoft Exchange, any company could be at risk. Given the longevity of this type of cyberattack, the incidence rate of APTs hasn’t really increased for large companies, but smaller businesses are being increasingly impacted. However, there are proactive steps organizations can take to protect themselves and their networks.

Why data privacy should be your company’s top priority

How companies can keep cybercriminals at bay

Understanding APTs and the current environment

APT attacks generally work by being simultaneously technically elegant and remarkably simple. The attacks generally use novel techniques or undisclosed vulnerabilities (zero-day exploits) to gain access to a system or set of systems and subsequently, and quite cleverly, install themselves in the places you are least likely to look.

The best analogy is one of the most common pests: the standard house mouse. If you catch a mouse in your house, you have only begun to understand the extent of the problem — you don’t have just one mouse — you have an entire village of them. And much like the analogy, the only way to remove an APT from your systems is an unbelievably thorough search in all of the places where you absolutely would not expect to find a problem. APTs hide in printers and keyboards and IoT devices on your networks — things you might forget even have a network connection.

In a world where a 32-bit processor with Wi-Fi capability is available in quantity of one for less than $2, you can hide malicious code anywhere. It is often said that the easiest way to remove an APT is to simply destroy all of the computer equipment you have, everything electronic, and start over. This is not entirely practical, but it does allude to the reality that you’re going to have to quite suddenly know a whole lot more about your systems than you did in the past.

Prevention is a company’s best defense

Fortunately or not, the best defense against these kinds of attacks is to do the basics well. The security industry has a strong preference for “the better mousetrap,” and this is a fundamentally flawed approach. You don’t want a way to fix the problem — you never want to have the problem in the first place. This means spending less money on vendor pitches to purchase blinky lights and shiny things to solve your problems and much more emphasis on good operational practices and hygiene.

Security isn’t something special, it’s just operations done well. This means spending money on great staff who want to do the right thing and not attempt to cut corners or squeeze costs. Your information and the ability to process it is your organization’s greatest asset. It’s probably not on your balance sheet but you’d be hard-pressed to justify the existence of your organization without it. If you had some other large fixed asset, a manufacturing plant or a fleet of vehicles, and you treated it with the common disdain and cost-cutting approach we see in the IT industry, you’d be talking to the Board about fiduciary duty pretty fast. Take care of your information systems and the people that operate them and you will be a less attractive target.

Defending APTs can be painful, but it can be done

In the mid-2000s, we coined a term in the world of critical infrastructure cybersecurity: The Cyber Black Start. The concept is lifted directly from the engineering of a large power grid. Sometimes, to restabilize the grid, like after the 2003 Blackout in the North East USA and Canada, you have to turn everything off and then back on again. What we’re describing is the information technology equivalent.

If you’ve fallen victim to an APT attack, you need to act immediately. Shut it all down and start bringing systems back up in order of precedence, ensuring that each is clean before you add it back to the network. This will be expensive and painful, but it will work. Playing an endless game of whack a mole is going to be more expensive and painful in the long run.

As you’re doing this Cyber Black Start work, you’ll discover things that are not actually necessary to your core operations and you can safely never re-start those systems. Reducing complexity will provide fewer places for the malicious actor to hide. And call in an expert. There are plenty of organizations in the cybersecurity field that do this kind of work all day every day. Use their expertise. And then do all of the things that will ensure it doesn’t happen again.

Given the ongoing prevalence of APT attacks, including several high-profile breaches in 2021 alone, it’s understandable that companies are on edge about their own vulnerabilities. To prevent APT attacks, companies simply need to practice basic digital hygiene. Don’t click on links. Run endpoint protection with up-to-date configurations. Monitor your networks for bad behavior. Keep networks segregated. Pay attention when your staff tells you that “something is acting weird.” Best practices work; it’s just that most organizations don’t actually follow best practices. That’s all you need to do; the mice will choose your neighbor’s house because they didn’t bother to caulk around their door frames.

Aiven offers a rich set of tools to help organizations operate their data infrastructure. Aiven provides a premium level of security on all accounts, regardless of size.