A Lockheed Martin employee working on a server in the NextGen Cyber Innovation and Technology (NCITE) Center in Gaithersburg. (Fran Dries)
For years the IT community has been building walls and digging moats to keep out an especially damaging form of cyber attack: the advanced persistent threat, or APT. Now the emphasis has changed. Rather than focus on outside invaders, security experts have set their sights on internal vulnerability.
“It is critical to have people standing on the wall, but someone is always going to slip through, so you do have to have your defense in place beyond that wall,” said Greg Kushto, director of security practice for IT solutions provider Force 3.
Internal APT attacks come in two flavors: angry or disloyal employees may initiate an attack, or a successful external breach may take over a computer and launch an assault from the inside. Either way, IT experts say the growing APT peril represents not just a threat from outside, but also a menace from within.
An APT gives an attacker access to the victim’s network. The bad actor can remain there stealing high-value data undetected, often breaking in through fake email attachments, links to bogus websites and other forms of social engineering.
In a 2013 study on APT awareness, the industry association ISACA found that one in five security professionals reported experiencing an APT attack, while 63 percent said it is just a matter of time before their systems are targeted. Arbor Networks Inc.’s research found a 36 percent increase in APTs in its most recent survey.
While firewalls and other barriers have helped check the phenomenon, experts say it has become increasingly clear that more and better external defenses are not enough. “While at Treasury we developed an effective insider-threat program that married technology with human eyeballs looking at the problem,” said Michael Madon.
A former deputy assistant secretary for intelligence community integration at the Department of the Treasury, and now vice president at RedOwl Analytics, Madon is skeptical of the IT community’s efforts to stop APTs thus far. “As with all programs, challenges remain due to the dynamic aspect of human behavior,” he said.
Automation has been helpful. Digital defenders can be programmed to respond instantly to a range of attacks. When it comes to insider threats, however, IT leaders increasingly believe that human intervention is needed.
One key to watchfulness is behavioral tracking, said Greg Boison, a Lockheed Martin program manager and director of cyber and homeland security. “You know who is in your enterprise, and you have a tremendous amount of data about those people: travel systems, HR systems, computer systems,” he said. “So what behaviors are happening that should cause you to focus on certain persons of interest?”
The travel scenario offers a concise metaphor for insider defense. Most agencies keep a running tally of employees on the road, “so now you tell the computer the likely actions of that person,” Kushto said. “Then you see if he is logging in from the wrong state, see if he is accessing payroll. A lot of times that person on the road has got an APT in their system, and you will know because now they are trying to get into a place where that person never goes.”
Defenders have an edge here. When attacks come from outside, security teams may not recognize the patterns. An insider threat, on the other hand, may flag itself by breaking with long-established norms.
“You watch the throughput on your system,” Boison said. “Everything has related events. When do you see something happening, and how does that relate to what you have seen for years?”
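The travel scenario Kushto describes and the baseline comparison Boison describes, as an added example that is not code from the article or from any company quoted in it: a per-user baseline of normal login states and resources, a travel-system feed of where each person is expected to be, and a check run over constructed log events. All user names, states, dates and resource names are constructed.

```python
# Constructed per-user baseline: where each person normally logs in from
# and what they normally touch. In practice this is learned from months
# of logs, not typed in by hand.
BASELINE = {
    "alice": {"states": {"MD"}, "resources": {"eng-wiki", "git"}},
    "bob": {"states": {"VA"}, "resources": {"crm"}},
}

# Constructed travel-system feed: (user, state, first day, last day).
# Dates are ISO strings, so plain string comparison orders them correctly.
TRAVEL = [("alice", "TX", "2014-03-10", "2014-03-14")]

# Constructed log events: (user, day, kind, value).
EVENTS = [
    ("alice", "2014-03-11", "login", "TX"),       # matches itinerary
    ("alice", "2014-03-11", "access", "git"),     # normal resource
    ("alice", "2014-03-12", "login", "NV"),       # wrong state
    ("alice", "2014-03-12", "access", "payroll"), # never goes there
    ("bob", "2014-03-12", "login", "VA"),         # normal
]


def expected_states(user, day):
    """Baseline states plus any state the travel system says the user is in."""
    states = set(BASELINE.get(user, {}).get("states", set()))
    for traveler, state, start, end in TRAVEL:
        if traveler == user and start <= day <= end:
            states.add(state)
    return states


def score_event(user, day, kind, value):
    """Return a reason string if the event breaks the user's norms, else None."""
    base = BASELINE.get(user)
    if base is None:
        return "no baseline for user"
    if kind == "login" and value not in expected_states(user, day):
        return f"login from {value} not in baseline or travel itinerary"
    if kind == "access" and value not in base["resources"]:
        return f"access to {value} outside baseline"
    return None


def find_anomalies(events):
    """Events that break with the user's norms, as (user, day, reason)."""
    return [(u, d, r) for u, d, k, v in events if (r := score_event(u, d, k, v))]


def persons_of_interest(events, threshold=2):
    """Users with at least `threshold` anomalies: the ones worth human eyeballs."""
    counts = {}
    for user, _, _ in find_anomalies(events):
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

The 11 March Texas login is accepted only because the travel feed vouches for it; the next day's Nevada login and payroll access each break a norm, and together they push alice over the threshold.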
Confronting the inside APT is a labor-intensive job any way you slice it, Madon said. New employees have to be screened as potential security risks. At an organizational level, managers must ensure sensitive data is classified properly, limiting access to those who need it.
Ultimately, though, it’s the painstaking work of behavioral tracking that will most likely carry the day. That means having those “eyeballs”: the hands-on human effort to define normal behavior and track aberrant moves.
“This is the one that can really do the most good, the one that can best prevent damage before it is done,” Madon said. “Somehow you have to separate the signal from the noise.”