How visibility can help combat APTs and return power to the defenders

An advanced persistent threat (APT) was once the weapon of choice for nation-state attackers. APTs were used to steal sensitive government information or, in the case of Stuxnet, carry out even more extreme operations. That malware was used to sabotage Iran's nuclear program.

APTs proved extremely effective at infiltrating their targets and going undetected for extended periods of time, increasing their appeal to hackers who targeted businesses. Now APTs are every organization’s problem. Target, Sony and JP Morgan Chase are just a few of the companies that have been crippled by an APT in recent years.

To combat APTs, security professionals need visibility into what the adversary is doing, said Justin Lachesky, cyber intelligence analyst at Lockheed Martin.

“In order to know the enemy, you need to see how they operate. If you can’t see what they’re doing, you can’t stop them,” Lachesky said during a webinar Lockheed Martin and Cybereason held on the four secrets of combating APTs.

Companies also need visibility into their entire IT environment. Organizations may think they have enough insight into certain activities, but many companies don't realize the perspective that's needed to face today's threats, said Lachesky, who used email as an example.

“Everyone has some level of email visibility. You can see some basic information. But do you have deeper visibility into headers, content and attachments? And can you see those things in a meaningful and useful way?” Lachesky said.

Even if a company has perfect email visibility that’s only one of the many vectors that hackers can use. Companies also need insight into the other methods hacker can use to infiltrate an enterprise, he said.

“You need visibility into how the attackers are using different technologies to carry out attacks,” Lachesky  said.

This is where endpoint visibility comes in, said Cybereason CTO Yonatan Striem-Amit. Monitoring all endpoint activity is vital since attackers carry out their actions on those machines, he said. While network visibility is important, Striem-Amit cautioned that only looking at what’s happening on a network may not reveal an attack.

As mature as network visibility products are, “ there are still some inherent limitations in purely network-centric visibility,” he said.

For instance, if malware has infected a company, hackers will use legitimate tools to take control of an endpoint and the network for lateral movement. These techniques would be nearly invisible on the network layer, he said.

Ultimately, visibility serves as a foundation security teams can use to better understand adversaries and improve their company’s overall security, Lachesky said.

“Visibility shapes what kind of security you have,” he said.

Fred O'Connor
About the Author

Fred O'Connor

Fred is a Senior Content Writer at Cybereason who writes a variety of content including blogs, case studies, ebooks and white papers to help position Cybereason as the market leader in endpoint security products.