Thales Blog

APTs And The Insider Threat

October 1, 2013

Advanced Persistent Threats (APTs) hardly need an introduction these days. First widely recognized as a threat vector of rising severity following the discovery of the Stuxnet worm in 2010, and brought into sharper focus by Mandiant's report on APT1 in February this year, APTs have firmly entered the security vernacular and have become a serious concern for enterprises, and rightly so.

Because these attacks are so targeted and often go undetected for long periods, this type of malicious activity has been blamed for a number of data breaches, with victims including some of the most prominent media organizations in the world; the New York Times is just one example.

You might ask why these attacks are so successful. What is it about them that lets them slip past the many IT security measures put in place by the organizations that fall victim?

The answer is trust mimicry. In the simplest terms, APTs focus on discovering and taking over the user accounts within an organization that give access to the most valuable data. Who might that be? The CEO, or an executive at a US government agency? They probably have access to a good deal of sensitive information, but would they necessarily have access to the servers hosting research and development documents? Probably not. And those who do have access to that kind of intellectual property are unlikely to have access to HR records or financial data. These different types of information are kept separate on computer systems for any number of operational and compliance reasons. There are, however, accounts that routinely have access across many different areas of the organization: IT and network administrators. By compromising an account of this kind, attackers hit the jackpot: they can launch a range of further attacks and move around undetected, masked as a legitimate user.

Last week you may have seen the results of research by ESG (conducted on Vormetric's behalf) into 'insider threats'. It reached some interesting conclusions about organizations' ability to defend themselves against insider threats, whether they stem from APTs or other vectors. Notably, more than half (54%) of the IT and security professionals surveyed believe that insider threats are harder to detect and prevent today than they were in 2011. That is not so surprising when you consider that APTs exploit legitimate accounts: the activity looks like ordinary administration, so there is an obvious challenge in defending against it, and it is easy to see how quickly you could end up in a false-positive nightmare.

The simplest and most effective way to mitigate this risk is to make sure that this kind of user simply cannot read any data they do not need, which is pretty much all of it. Administrators need to be able to move files around and make repairs and adjustments to systems, but they do not need to read the contents of the documents under their control. If you are interested in finding out more, take a look at this page on the Vormetric website, which explains in more detail how to manage users and their access controls.
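The previous paragraphs describe the control in principle: administrators keep the ability to move, copy and repair files but never receive cleartext, and because that is the rule, an administrator account asking for cleartext is an unambiguous signal rather than another false positive. The following is an added illustration written for this page, not Vormetric's or Thales's code. The `ProtectedStore` policy-enforcement point, the role names, data classes and file paths are all assumptions made to keep it self-contained, and the cipher is a standard-library-only stand-in (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) so that the example runs offline; production code would use AES-GCM or similar from a vetted library.

```python
"""Added example, not Vormetric's or Thales's code: a policy-enforcement point
that lets administrators move and copy files but never read their contents.
Cipher below is a stdlib-only illustration (HMAC-SHA256 keystream in counter
mode, encrypt-then-MAC); production code would use AES-GCM from a vetted
library. Role names, data classes and paths are constructed for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# "manage" = operations on ciphertext/metadata (move, copy, back up, restore);
# "read" = receive cleartext. Administrators are never granted "read".
ROLE_OPERATIONS = {"sysadmin": {"manage"}, "hr_analyst": {"read"}, "rd_engineer": {"read"}}
# Readers per data class, so HR and R&D stay separate silos even for readers.
DATA_CLASS_READERS = {"hr": {"hr_analyst"}, "rd": {"rd_engineer"}}


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate keystream and MAC keys derived from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(k_enc, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))  # ceil(length / 32) blocks
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before using the ciphertext; raise on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


@dataclass
class ProtectedStore:
    """Policy-enforcement point in front of the encrypted files."""
    key: bytes
    files: dict = field(default_factory=dict)  # path -> (data_class, blob)
    audit: list = field(default_factory=list)  # (account, role, op, path, result)

    def put(self, path: str, data_class: str, plaintext: bytes) -> None:
        self.files[path] = (data_class, encrypt(self.key, plaintext))

    def _decide(self, account: str, role: str, op: str, path: str) -> bool:
        data_class = self.files[path][0]
        allowed = op in ROLE_OPERATIONS.get(role, set())
        if op == "read":  # cleartext additionally requires the right silo
            allowed = allowed and role in DATA_CLASS_READERS.get(data_class, set())
        self.audit.append((account, role, op, path, "ALLOW" if allowed else "DENY"))
        return allowed

    def move(self, account: str, role: str, src: str, dst: str) -> None:
        """Ciphertext-level operation: the key is never touched."""
        if not self._decide(account, role, "manage", src):
            raise PermissionError(f"{account} may not manage {src}")
        self.files[dst] = self.files.pop(src)

    def backup(self, account: str, role: str, path: str) -> bytes:
        """Hands out the opaque blob, useless without the key."""
        if not self._decide(account, role, "manage", path):
            raise PermissionError(f"{account} may not manage {path}")
        return self.files[path][1]

    def read(self, account: str, role: str, path: str) -> bytes:
        if not self._decide(account, role, "read", path):
            raise PermissionError(f"{account} may not read {path}")
        return decrypt(self.key, self.files[path][1])

    def denied_reads(self, role: str) -> list:
        """Cleartext requests refused for a role: for admins, the baseline is zero."""
        return [e for e in self.audit if e[1:3] == (role, "read") and e[4] == "DENY"]


def demo() -> tuple:
    """Admin keeps full operational control yet never sees content."""
    store = ProtectedStore(key=os.urandom(32))
    store.put("/hr/salaries.csv", "hr", b"alice,120000\nbob,95000\n")
    store.put("/rd/design.docx", "rd", b"prototype specs")
    store.move("ops-admin", "sysadmin", "/rd/design.docx", "/rd/archive/design.docx")
    blob = store.backup("ops-admin", "sysadmin", "/hr/salaries.csv")
    try:  # a hijacked admin session asking for cleartext is refused and logged
        store.read("ops-admin", "sysadmin", "/hr/salaries.csv")
    except PermissionError:
        pass
    return store, blob, store.read("carol", "hr_analyst", "/hr/salaries.csv")
```

Calling `demo()` and printing `store.audit` shows the trail: the administrator's move and backup are allowed, its read is denied, and the HR analyst's read is allowed. Two design choices matter here. First, the read decision is made per data class as well as per role, so a compromised R&D engineer's account cannot read HR files any more than the administrator can, which preserves the silos the post describes. Second, what the administrator backs up is the ciphertext blob, so backup media and whoever handles them never hold cleartext either; and since the policy never grants a sysadmin "read", `denied_reads("sysadmin")` is a high-signal alert rather than a source of false positives.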