Myth vs. Reality -- Testing Security Controls Against APTs

By Dor Sarig

Why are advanced persistent threats a concern for large and mid-size enterprises? And how can they defend against them?

Formerly the concern of only mammoth-size enterprises and government bodies, advanced persistent threats (APTs) are now also a source of alarm for mid-size companies, which are targeted precisely because they have fewer cyber security resources. And while the stereotypical APT is launched for political or intelligence gains, APT groups have been confirmed to act out of financial motives as well, targeting smaller businesses that move large sums of money online while lacking the security prowess of larger companies.

Cyber Speculations Confirmed

In fact, a recent UN report revealed what many have suspected for a long time—that sophisticated cyber attacks serve sanction-choked nation states as a source of cash, obtained through ransomware attacks, illicit banking transactions, and fraudulent ATM withdrawals. In North Korea’s case, it’s been reported that $2 billion obtained from such attacks have funded its weapons program.

Other well-known APT groups have been traced to threat actors in Russia, China and Iran, with recent APTs including the likes of a Silence APT strain targeting banks worldwide, Chinese APT TA428 - Operation LagTime IT and APT27 Group Attacks on MySQL Servers. (Cymulate customers can log in to check if they are vulnerable to these Immediate Threats.)


The Good News and the Bad

The good news is that dwell time has dropped from 416 days in 2011 to 78 days in 2018, meaning that organizations have become better at detecting breaches faster. This is not completely surprising given the immense rate of innovation seen over that period of time in the realm of cyber security technologies, including emerging spaces such as EDR and MDR, SOAR, deception honeypots, and attack simulation tools.

As called out by Cisco VP, Ashley Arbuckle, these figures also drive home a shift in cyber security strategy, whereby detection and response capabilities are being developed to complement preventive tools, as organizations realize they cannot block a sizable portion of threats. However, by utilizing behavior analysis, machine learning and other tools—they may be able to detect and contain threats more quickly.

The bad news? Breakout time is accelerating, meaning the interval is shortening between initial system compromise and the start of lateral movement inside the network. And indeed, unlike low-grade opportunistic attacks, lateral movement is a key attribute of advanced persistent threats that seek to move from ‘patient zero’ to servers and segments of interest that harbor an organization’s crown jewels.

So what are security teams to do? Outbudgeted by state-sponsored APT groups and highly-skilled criminal gangs, do they stand a chance? The myths busted below address this very question.


Myth #1 – Security testing against advanced persistent threats is impossible

Since different organizations have different architectures, be they critical infrastructure, banking or technology, and because APTs target multiple stages of the kill chain with numerous methods of operation involved, the assumption is that there is no way to test against a full-blown, sophisticated cyber attack.

In reality, security testing across the cyber kill chain reduces your chances of experiencing an APT, and improves your ability to recover from a breach when one does occur, thanks to continually optimized defenses. Plus, by methodically utilizing frameworks such as the MITRE ATT&CK matrix, security teams can ensure they are testing against all the techniques mapped to these attacks, thereby covering all their bases.


Myth #2 - No one security testing tool can improve your APT-related security posture

Given their multi-step, highly targeted and complex nature, APTs seem impossible to test against. Security teams assume they have to test many different security controls, and that there is therefore no one security tool to help in APT-related security risk assessments.

The reality is that some automated security testing tools allow you to test your security controls exhaustively using a one-stop-shop approach. This means incident response teams can test their security controls vector-by-vector, starting from attack delivery, through system compromise to lateral movement and beyond—challenging all their security controls in the cyber kill chain. Or, they can run a full-blown advanced persistent threat simulation all at once, in a single go.


Myth #3 – Creating an APT testing plan is a major undertaking

The notion is that since there are so many controls to test and subsequently remediate, there is no simple way to plan and execute such tests. In fact, a recent SANS Institute poll found that 59% of respondents see “Lack of systematic approach to defining testing (e.g., lack of testing plan)” as their #1 barrier to assessing control effectiveness.

In reality, building your APT test plan doesn’t have to be a major undertaking. You can start your test plan based on your top concerns. Are there certain APT groups relevant to your industry whose modus operandi you want to defend against? Alternatively, you can leverage MITRE ATT&CK techniques, create a template with those techniques to run automated penetration testing, and methodically cover the entire matrix. By saving simulation templates, you can simply and easily repeat those same sets of tests at any time, or regularly by scheduling them in advance.


Myth #4 – Security effectiveness testing requires advanced skills

If you are testing security controls against the most sophisticated threat actors, wouldn’t you need your own top talent to perform equivalent security risk assessments? With the global shortage in cyber security skills, this would indeed be a challenge.

Fortunately, thanks to extensive automation in security testing tools, a full-vector advanced persistent threat simulation can be launched with just a few clicks of a button. Plus, at the end of each cyber threat assessment, many tools provide comprehensive remediation and mitigation steps to help SOC professionals fine-tune their security controls, taking the guesswork out of corrective measures.


Myth #5 – There is no objective, quantifiable way to assess APT preparedness

How can you assess your security posture over time in a metrics-based, vendor-agnostic way? According to the same SANS poll, 67% of IT and security professionals require quantifiable, objective metrics in order to improve the effectiveness of their security controls. In fact, security managers and executives alike seek metrics that will help them not only assess security performance over time, but also prioritize remediation efforts and benchmark against others in their industry.

Security testing vendors have picked up the gauntlet, providing KPI metrics based on industry-recognized frameworks that include NIST, Microsoft DREAD, CVSS 3.0 and MITRE—providing the transparency that teams need to assess and improve their cyber attack preparedness.
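The ATT&CK-based template approach from Myth #3 and the objective metrics from Myth #5 can be combined into a small scoring step. The following is an added example, not code from the original post or from any vendor's product: it assumes a test template is simply a set of real ATT&CK technique IDs grouped by tactic in kill-chain order, and it scores a constructed set of simulation results into per-tactic prevention, detection and coverage rates, a single KPI, and an ordered remediation list.

```python
"""Score one kill-chain simulation run against an ATT&CK-based test template."""

# Constructed template (assumed format): ATT&CK technique IDs per tactic,
# listed in kill-chain order. The IDs are real ATT&CK identifiers.
TEMPLATE = {
    "initial-access":    ["T1566"],  # Phishing
    "execution":         ["T1059"],  # Command and Scripting Interpreter
    "credential-access": ["T1003"],  # OS Credential Dumping
    "lateral-movement":  ["T1021"],  # Remote Services
    "exfiltration":      ["T1041"],  # Exfiltration Over C2 Channel
    "impact":            ["T1486"],  # Data Encrypted for Impact
}

# Constructed results of one run: was each test blocked, and was it detected?
# T1486 is deliberately absent to model a test that did not execute.
RESULTS = {
    "T1566": {"blocked": True,  "detected": True},
    "T1059": {"blocked": False, "detected": True},
    "T1003": {"blocked": False, "detected": False},
    "T1021": {"blocked": False, "detected": False},
    "T1041": {"blocked": True,  "detected": False},
}

def score_run(template, results):
    """Return per-tactic metrics and a prioritized list of gaps.

    A 'silent success' (neither blocked nor detected) outranks an untested
    technique; among silent successes, deeper kill-chain stages come first,
    since those are where breakout and lateral movement already happened.
    """
    metrics, gaps = {}, []
    order = list(template)
    for tactic, techniques in template.items():
        ran = [t for t in techniques if t in results]
        metrics[tactic] = {
            "coverage":   len(ran) / len(techniques),
            "prevention": sum(results[t]["blocked"] for t in ran) / len(ran) if ran else 0.0,
            "detection":  sum(results[t]["detected"] for t in ran) / len(ran) if ran else 0.0,
        }
        for t in techniques:
            r = results.get(t)
            if r is None:
                gaps.append((tactic, t, "not tested"))
            elif not r["blocked"] and not r["detected"]:
                gaps.append((tactic, t, "silent success"))
    gaps.sort(key=lambda g: (g[2] != "silent success", -order.index(g[0])))
    return metrics, gaps

def overall_score(metrics):
    """Single KPI on a 0-100 scale: mean of all per-tactic prevention and detection rates."""
    rates = [m["prevention"] for m in metrics.values()] + [m["detection"] for m in metrics.values()]
    return round(100 * sum(rates) / len(rates), 1)
```

Saving the template and re-running this scoring on each scheduled simulation gives a trend line per tactic rather than a one-off pass/fail, which is the kind of repeatable, vendor-neutral metric the poll respondents were asking for.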

Ready to see how your controls measure up to a true-to-life APT? Start a free trial, learn more by downloading the white paper “Are You APT-Ready: Your Four Step Action Plan”, check out the Full Kill Chain APT brochure, or watch the video interview below to see how breach and attack simulation can help you continuously uncover and improve your real-time security posture.

https://cymulate.com/resources/collateral/are-you-apt-ready-the-role-of-attack-simulations-ismg-interview/
