Posted on Aug 3rd, 2021 by Dan Rheault

Advanced Persistent Threats (APTs) – The Captain Ahab of Infrastructure

In Melville’s Moby Dick Captain Ahab applies his “great natural intellect” to the destructive force of killing the great white whale aptly named Moby Dick – a known and terrifying entity by reputation, earned by destructive deeds. Similarly, APTs are some of the most sophisticated and destructive cyberattacks enacted by people with advanced skills and malicious intent. Whether like Ahab, driven by wrath (Ahab’s “faculties of reason were enslaved by passions” in part driven by his “general rage and hate felt by his whole race from Adam down.”(p200)) or by financial gain, the potential harm of APT’s can be ameliorated through automated segmentation - by automating security policy management that is built upon a deny by default allow by exception philosophy.

How APT’s Work

APTs are designed to avoid detection in order to enable effective reconnaissance with the goal of compromising specific targets for disruption and/or data extrication. APTs are often undertaken by groups that can coordinate and support one another such as hacking collectives or nation state actors. After compromising the network through initial ingress, attackers seek to escalate privileges of the compromised host, and use that higher permission to laterally traverse the network across segments. Avoiding detection provides the time for effective mapping of the network, identification of desired targets, and the ability to construct a data extrication plan or orchestrate changes on the network to impact processes (e.g. coordinated network disruption, embed malicious code in development environments).

Defined Response Limits the Harm of the Inevitable Breach

The reality is that every organization is capable of being breached, and when attackers target a specific company their ability to compromise an end user is an inevitability. Prevention from initial breach is difficult given human fallibility, but identification and defined response programs can prevent both privilege escalation and lateral movement. Defined response is commonplace today as demonstrated by the adoption of endpoint security solutions and SOAR playbooks, however its accuracy and consequent effectiveness can be enhanced through integration and automation.

Decrease Dwell Time with Segmentation

While alerting mechanisms can identify indicators of compromise, the most important metric to consider is dwell time. Hackers must figure out how to navigate the network to pivot – flat networks that are unsegmented enable attackers as there are few security controls in place. Segmented networks restrict what can talk to what, and how, and impede attackers as they must abide by network security controls. Organizations that want to complicate the network specifically for attackers to obligate multiple pivot points should look to deploy effective network segmentation practices. Beyond dwell time, segmentation offers many other benefits. Understanding existing access can also help direct vulnerability prioritization programs to identify contextually exposed vulnerable assets for remediation to reduce the attack vectors of an ATP.

The Benefits of Automation

Security Policy Management solutions streamline the deployment of network segmentation models and prevent unnecessary access, across a multi-vendor, multi-platform environment. They automate design changes and risk assessments, measure compliance, and orchestrate network changes end-to-end across the network and cloud if desired. They support audit and diagnosis of misconfigurations with full documentation. Security Policy Management further can integrate with vulnerability management providers to identify the policies that expose vulnerable assets for exploitation. They provide effective response to reduce pivoting capabilities via remote access vulnerabilities. Varying the network landscape for attackers while prioritizing known exploitable vulnerabilities by network segment creates a much more arduous task for attackers.

Beyond automation, as part of a successful segmentation strategy, and perhaps most importantly, deny by default and allow by exception – adopt a black and whitelist process. During Ahab’s fanatical mission for revenge his pride causes him to undervalue Moby Dick’s strength and thereby attack the unconquerable. Automate security policy management – become the unconquerable.

And if you want to make it really hard for attackers to conduct reconnaissance, prohibit Nmap from being installed on your network ;)

To learn more about how Tufin can help you simplify and manage segmentation, click here or request a demo.