The Agonizing War of the IT Worlds: APTs versus Continuous Monitoring
Have you heard about the new blockbuster movies coming out?
They will be near you soon. Some of the titles are intriguing—
Crackshot, Crosswalk, ColdJava, GearShift, EasyNight, and Downtime. Downtime looks like a true horror story.
On second thought, this is the kind of family entertainment that could ruin your night out. These are malware titles that are used by APT41, or as the group calls themselves, Double Dragon.
APT and The War
APT is short for Advanced Persistent Threat and originates from China.
An APT does what the name boldly claims. It makes life miserable for corporations and government offices by dropping malware on a network and staying there.
It moves laterally within the network, drops back doors to remain there, and steals data and anything of value.
It stays there until remediation, or until the APT decides to back out of the network (if ever).
APT Resources and Information
The security monitoring website, www.fireeye.com, outlines how APT41 works and what malware and network tools it leverages to get inside a network.
The number beside the APT, 41, reveals that this APT is not the only black hat gang that has ridden into town on a desert trail.
Other APT names from other countries like Iran, North Korea, and Russia are Tailgator Team, DeputyDog, Calc Team, and Unit 61398 or Comment Crew.
The consequences of allowing them in your house cannot be dealt with by a nice and tidy last act in the span of a two-hour movie.
Fixing the damage may take several months.
The History of APT
The APT attackers are here now and will be in town for a while.
A showdown between APTs and cybersecurity is happening 24/7.
On one side of the fight, the ever-changing, nefarious gang called the Advanced Persistent Threat tries to hit the network infrastructure of a high-value target.
What defines a High-Value Target?
HVTs are big corporations with money, sensitive data, or government offices where infiltrating the network would create a political statement. Also, an HVT might be a single person or country targeted for espionage activities.
How do the bad guys attack?
They use the tools at their disposal, every one of them.
For instance, Double Dragon is a dual-threat cybercrime and espionage operation, according to FireEye’s analysis document.
The study shows that Double Dragon hits many industries, including the video game industry. Dragon uses PowerShell, changing group policy, blocking antivirus updates, spear phishing, key loggers, and rootkits, to name a few.
How To Win The War of APT
How can organizations beat the vast numbers of APTs from countries everywhere?
Enter the sheriff: cybersecurity professionals, and they have a counter-insurgent weapon.
That defense is continuous monitoring of the network or what the document NIST 800-137 refers to as Information Security Continuous Monitoring (ISCM).
Continuous monitoring is part of the risk management framework that tracks security issues, vulnerabilities, threats, patching, and perimeter defense monitoring using a list of controls or a checklist.
One of these is white hat penetration testing and scanning, designed to find holes in the network and in application code.
Network security professionals also do this by monitoring intrusion detection systems, security logs, and attack signatures.
Companies must also keep track of configuration management, software upgrades, operating system patches, access control list changes, firewall rules, and Active Directory role and permission modifications.
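To make that checklist concrete, here is an added example (not code from the original post or from NIST 800-137) of what one continuous-monitoring scan can look like: it compares a constructed baseline of firewall rules, Domain Admins membership and antivirus update state against the next snapshot, and it triages constructed event lines for two of the behaviours the post attributes to APT41, encoded PowerShell and group policy changes. The snapshot layout and the `key=value` log format are assumptions of this example, not any product's real output.

```python
import re

# Constructed baseline snapshot of controls the page lists (firewall rules,
# privileged AD group membership, antivirus update state); not a real environment.
BASELINE = {
    "firewall_rules": {"allow tcp 443 from any", "allow tcp 22 from 10.0.0.0/8"},
    "domain_admins": {"alice", "svc-backup"},
    "av_updates_enabled": True,
}
# Constructed snapshot taken by the next scan.
CURRENT = {
    "firewall_rules": BASELINE["firewall_rules"] | {"allow tcp 8088 from any"},
    "domain_admins": {"alice", "svc-backup", "bob"},
    "av_updates_enabled": False,
}
# Constructed event lines in this example's own key=value format.
EVENTS = [
    '2024-05-01T10:02:11 host=ws12 src=powershell user=bob cmd="powershell -enc SQBFAFgA"',
    '2024-05-01T10:05:40 host=dc01 src=gpo user=bob action=modified object="Default Domain Policy"',
    '2024-05-01T10:07:15 host=ws12 src=login user=alice result=success',
]
# Behaviours the page attributes to APT41: encoded PowerShell and group policy changes.
EVENT_RULES = {
    "encoded_powershell": re.compile(r'src=powershell .*cmd="[^"]*\s-(enc|encodedcommand)\b', re.I),
    "group_policy_change": re.compile(r"src=gpo .*action=modified", re.I),
}

def detect_drift(baseline, current):
    """Return (control, detail) findings for every change away from the baseline."""
    findings = []
    for rule in sorted(current["firewall_rules"] - baseline["firewall_rules"]):
        findings.append(("firewall", f"new rule: {rule}"))
    for user in sorted(current["domain_admins"] - baseline["domain_admins"]):
        findings.append(("active_directory", f"added to Domain Admins: {user}"))
    if baseline["av_updates_enabled"] and not current["av_updates_enabled"]:
        findings.append(("antivirus", "updates disabled since last scan"))
    return findings

def scan_events(lines):
    """Return (rule_name, user) for every event line matching a monitored behaviour."""
    hits = []
    for line in lines:
        user = re.search(r"user=(\S+)", line)
        for name, pattern in EVENT_RULES.items():
            if pattern.search(line):
                hits.append((name, user.group(1) if user else "unknown"))
    return hits

if __name__ == "__main__":
    for finding in detect_drift(BASELINE, CURRENT) + scan_events(EVENTS):
        print("ALERT", *finding)
```

In practice the baseline would be refreshed only through an approved change request, so every drift finding is either an undocumented change or a sign that someone is rearranging the defenses.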
There is a long line of infrastructure vehicles to keep on the information superhighway without wrecking one.
As travelers all know, one wreck can mean a sudden stop for several hours. No movement means no data arrival at the destination.
Continuous monitoring means no rest and no slack off for IT Security professionals scanning the network.
Johnny black hat’s work for the APT never rests.
How to Manage ISCM
All this reveals that continuous monitoring means hardware, money, and a robust workforce.
One of the best ways to handle this is Platform as a Service and all the other services offered by a cloud provider.
Cloud Service Providers have the responsibility of watching and examining any attempt to get into their networks.
Cloud providers work diligently – they don’t want a data breach from an APT.
The battle rages on, and more APTs form and maneuver their attack vectors into position for a strike.
No one is safe, not even the online video game industry and small businesses.
One advantage to have in this battle is an ally, an organization that deals with Advanced Persistent Threats and all their deployable zero-day weapons—like a cloud provider.
Chief content and technical writer
Rick Bretz possesses comprehensive experience in several subjects including video editing and production, radio/TV and journalism writing, videography, radio broadcasting, IT Management, Information Security and Assurance. He also works as a Senior Cyber Security Engineer for Vulnerability Management, Service/Infrastructure Operations and Platforms Support for the government. Mr. Bretz also is a documentation and technical writer for the Veteran Administration’s Continuous Readiness in Information Security Program. He also served in the US Army beginning in 1979, graduating from leadership schools and from Journalism, Broadcasting, Newspaper Editing and Public Affairs Supervisor courses. He retired from the Army with many writing and broadcasting awards to accept video production and management positions. He holds a BS degree in Information Technology with a Specialization in Security Assurance from Capella University and has a Security + Certification from CompTIA. Mr. Bretz also writes his own blog on topics that interest him that can be reached at pastparallelpaths.com.