Pointers on Not Being an APT Statistic (or How I Learned to Love Bug)

Horatiu Bandoiu

August 07, 2014


Several weeks ago we started a series dedicated to APTs (Advanced Persistent Threats) and possible ways to mitigate them. In the first post we strove to define and “contain” the APT as a category of threats, because the term is abused: today almost every sophisticated attack is presented as an APT, the supreme evil.

Working from that definition, two aspects remain:

#1:  Advanced: APTs are sophisticated, beyond the reach even of organized crime networks (“we are sorry, no botnets or banking trojans allowed”).

#2:  Persistent: as we have seen and described, we are talking about organized attackers with myriad resources, the most important being time and patience, until they reach their objective. A modern characteristic is that, with few exceptions, they prefer the “low and slow” approach, doing “the job” as silently as possible.

The thesis we don’t agree with is that APTs can slip past any antimalware technology. As a matter of fact, the majority of their components were flagged as suspicious files before being investigated and having detection added.

In the second part of our series we made a brave effort to enumerate the seemingly endless “silver-bullet” anti-APT technologies (products, services and stories), some of them promising 100% protection, a claim we see from time to time in the information security field. Our objective was to view them through a critical eye and see where they could fail or be tricked. The bad news is that they can.

A first and important statement we must make is that we are not promising a silver-bullet technology against APTs. It is hard to imagine such a technology, knowing that the attackers focus on evading detection technologies, cautiously profiling the victim and trying to find and avoid every alarm. Instead, we appeal to common sense, a clear view of what must be protected, and intelligence in protecting it.

We don’t believe there is a magic response to APTs. Analyzing a series of them, we have seen that although they follow the same process, they differ in penetration payload, reconnaissance techniques, communication channels and exfiltration methods. Some APTs skip some of these phases, especially reconnaissance and exfiltration, and just deliver a payload and a command and control system.

Our first recommendation is to prepare your defenses after a serious and realistic analysis of the most precious assets that can be compromised in such a sophisticated breach. This follows a basic principle: you must know what to protect in order to prioritize the defenses.


Once you understand the specific assets you must protect, given your field of activity, look at other APT attacks that have happened lately and consider appropriate defenses.

A. Suppose that what you want to protect is a set of files. Then you can use:


  •  Strong encryption; how strong depends on the sector. You may have seen that several agencies are capable of decrypting relatively weak encryption (we have a saying that if the NSA can read it, the Russians and the Chinese can read it too). Encryption also only helps if the keys are not reachable from the same compromised endpoint that holds the files: an attacker who has taken over a user’s session reads the data exactly as that user does.

  •  Data chunking technologies: a nice and innovative approach that relies on the fact that distributed information is harder to access and exfiltrate. However, the strength or weakness may lie in the chunking/dechunking algorithms and in who has access to them.

  •  Securing and isolating environments in a layered defense strategy. The more fences (strong or weak), the greater and more prolonged the attacker’s effort.

  •  Virtualization: for highly sensitive data that you fear could be intercepted or disclosed, you can keep the data centralized in the datacenter and provide access only from secured virtual desktops with tightly controlled access, over strongly encrypted connections. The weakest links, however, are the points of connection; antimalware specialized for virtual environments and for endpoint protection is a strong ally in protecting those entry points.
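To make the chunking caveat concrete, here is an added illustration in Python (not Bitdefender code, and not a description of any vendor’s product): a naive chunking that cuts a record into consecutive pieces, next to an XOR-based split in which no share reveals anything on its own. The sample record and the keyword search are constructed for the example.

```python
import os
from typing import List


def naive_chunk(data: bytes, n: int) -> List[bytes]:
    """Cut data into n consecutive pieces. Each piece is still plaintext:
    whoever obtains one piece reads that part of the record."""
    if n < 1:
        raise ValueError("need at least one chunk")
    size = -(-len(data) // n)  # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(n)]


def naive_dechunk(chunks: List[bytes]) -> bytes:
    return b"".join(chunks)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_split(data: bytes, n: int) -> List[bytes]:
    """Split data into n shares. n-1 shares are fresh random bytes and the
    last is data XOR all of them, so any n-1 shares together are still
    uniformly random: nothing leaks until every share is combined."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [os.urandom(len(data)) for _ in range(n - 1)]
    last = data
    for s in shares:
        last = _xor(last, s)
    shares.append(last)
    return shares


def xor_join(shares: List[bytes]) -> bytes:
    """Recombine shares; with a share missing the result is random garbage."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = _xor(out, s)
    return out


def pieces_containing(pieces: List[bytes], keyword: bytes) -> List[int]:
    """Indexes of pieces in which an attacker holding only that piece would
    find the keyword (a crude model of what a single stolen chunk leaks)."""
    return [i for i, p in enumerate(pieces) if keyword in p]


# Constructed sample record for the demonstration; not real data.
RECORD = b"ACCOUNT=1234567890;OWNER=Jane Doe;BALANCE=1000000"

if __name__ == "__main__":
    chunks = naive_chunk(RECORD, 3)
    print("naive: chunks leaking OWNER ->", pieces_containing(chunks, b"OWNER"))
    shares = xor_split(RECORD, 3)
    print("xor:   shares leaking OWNER ->", pieces_containing(shares, b"OWNER"))
    print("all shares recombine:", xor_join(shares) == RECORD)
    print("two shares recombine:", xor_join(shares[:2]) == RECORD)
```

XOR splitting is all-or-nothing: it adds no availability (lose one share and the data is gone; a k-of-n scheme such as Shamir’s secret sharing is needed for that), and, exactly as the bullet above warns, the dechunking routine and whoever is allowed to call it become the real target. The shares only earn their keep if they sit behind different access controls and are recombined only inside the protected environment.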

People and Processes:

  •  In the case of file access, strong access control is most important, accompanied by complementary controls such as personnel screening, control over privileged accounts, change management, security awareness, and segregation of duties so that people can access only the parts of the information they need.


B. In the case of control systems (SCADA, information systems, automation controls, etc.) the defenses are different:


  •  Advanced authentication and authorization, with strong validation of the users who can access systems (biometrics, for example), and overlapping controls such as multi-step authentication and identity and privilege management.

  •  Secure, encrypted connections for remote commands to those systems; again, the strength of the encryption is a concern.

  •  Layered, SAS-like systems implemented as workflows that require authentication and authorization for important controls: several persons or roles must each perform a specific step in a sequence before an important or sensitive system can be acted upon.

  •  Intrusion detection and antimalware to ensure the reliability of remote endpoints.

  •  Virtualization: secured virtual desktops can be used for control-system manipulation; when idle, these machines, and the machines hosting the actual control system, can be turned off to minimize the attack surface.
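As an added illustration of the multi-role workflow idea (not code from Bitdefender or from any control-system vendor), the following Python sketch models a sensitive command that is released only after an operator, an engineer and a supervisor, each authenticated and each a different person, have completed their step in the required order. The roles, user names and command text are assumed for the example; in a real deployment the `authenticated` flag would come from the strong authentication the list above calls for.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """An identity acting on the workflow. `authenticated` stands in for the
    result of the strong (multi-step, biometric, ...) authentication step,
    which this example does not implement itself."""
    user: str
    role: str
    authenticated: bool


@dataclass
class ControlWorkflow:
    """Ordered list of (role, action) steps guarding one sensitive command.
    Each step must be performed by an authenticated principal holding the
    expected role, in sequence, and no user may perform more than one step
    (segregation of duties). The command is released only when every step
    is complete."""
    command: str
    required_steps: List[Tuple[str, str]]
    completed: List[Tuple[str, str, str]] = field(default_factory=list)

    def is_complete(self) -> bool:
        return len(self.completed) == len(self.required_steps)

    def submit(self, who: Principal, action: str) -> str:
        """Record one step; return 'accepted' or a 'rejected: ...' reason."""
        if self.is_complete():
            return "rejected: workflow already complete"
        if not who.authenticated:
            return "rejected: principal is not authenticated"
        want_role, want_action = self.required_steps[len(self.completed)]
        if (who.role, action) != (want_role, want_action):
            return (f"rejected: step {len(self.completed) + 1} expects "
                    f"{want_role}:{want_action}, got {who.role}:{action}")
        if any(user == who.user for user, _, _ in self.completed):
            return "rejected: segregation of duties, user already acted"
        self.completed.append((who.user, who.role, action))
        return "accepted"

    def release(self) -> Optional[str]:
        """The command text, or None while any step is outstanding.
        Only this value should ever be forwarded to the control system."""
        return self.command if self.is_complete() else None


def demo() -> Optional[str]:
    """Walk a constructed valve-control approval through the workflow."""
    wf = ControlWorkflow(
        command="OPEN VALVE-17",  # assumed command name for the example
        required_steps=[("operator", "propose"),
                        ("engineer", "review"),
                        ("supervisor", "approve")],
    )
    alice = Principal("alice", "operator", True)
    bob = Principal("bob", "engineer", True)
    carol = Principal("carol", "supervisor", True)
    print(wf.submit(bob, "review"))      # out of order -> rejected
    print(wf.submit(alice, "propose"))   # accepted
    print(wf.submit(bob, "review"))      # accepted
    print(wf.submit(Principal("alice", "supervisor", True), "approve"))  # SoD
    print(wf.submit(carol, "approve"))   # accepted
    return wf.release()


if __name__ == "__main__":
    print("released:", demo())
```

The point of the design is that the release decision is taken by the workflow service, not on any operator’s desktop: a compromised endpoint can contribute at most one step. Every rejection should be logged and alerted on, since those are precisely the alarms a “low and slow” attacker is trying not to trip.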

People and processes:

  •  Again, strong access control is the name of the game.

  •  Strong physical security controls are frequently employed in this type of organization, accompanied by strong HR procedures to ensure that only authorized and trusted people get access; but these must be backed up by IT controls.


C. In the case of financial services targets, there are two generic threats:

  1.  Access to the banking systems, or access to transaction platforms from other institutions. Such attacks can fall under the APT category; they are normally fraudulent operations that occur once or over a very short period of time.

  2.  Databases of clients and transactions, whether at the financial institution, the transacting retailer, or the end user (the fruit hanging from highest to lowest).

Among the controls that could be applied, we outline:


  •  Database security controls: some are intrinsic to the database, others concern the control of access to it. An interesting approach would also be to use distributed databases and data chunking, if and where possible.

  •  Architectural controls, such as segmentation and intra-database controls (further segmentation of roles, including roles for applications, queries, etc.).

  •  A combination of network-level segregation technologies.

People and processes:

  •  Strong user management and management of privileged accounts.

  •  Restriction and control of the use of specific database utilities.

  •  Segregation of duties and roles.

  •  Integrity checks and other data validations.
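One way to implement the integrity-check bullet, as an added example in Python that is not Bitdefender’s code and is not tied to any particular database product: each transaction record carries an HMAC computed over its canonical form and the previous record’s tag, so silently editing, deleting or reordering a record breaks the chain from that point on. The key, the records and the field names are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List

EMPTY_TAG = bytes(32)  # chain start: a zero tag the size of a SHA-256 digest


def _canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic encoding of a record without its tag, so the same
    content always yields the same bytes regardless of key order."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_ledger(records: List[Dict[str, Any]], key: bytes) -> List[Dict[str, Any]]:
    """Return copies of the records, each carrying tag = HMAC(key, prev_tag || body)."""
    sealed = []
    prev = EMPTY_TAG
    for rec in records:
        tag = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        sealed.append({**rec, "tag": tag.hex()})
        prev = tag
    return sealed


def verify_ledger(sealed: List[Dict[str, Any]], key: bytes) -> int:
    """Index of the first record that fails verification, or -1 if the whole
    chain is intact. A deleted or reordered record shows up at the position
    where the chain no longer links to the previous tag."""
    prev = EMPTY_TAG
    for i, rec in enumerate(sealed):
        expected = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), str(rec.get("tag", ""))):
            return i
        prev = expected  # never parse the stored tag; use the recomputed one
    return -1


# Constructed key and transactions for the demonstration only. A real key
# must live outside the database (an HSM or a separate sealing service) so
# that a DBA role or a stolen database login cannot re-seal tampered rows.
KEY = b"example-only-key-do-not-reuse"
TRANSACTIONS = [
    {"id": 1, "from": "ACC-100", "to": "ACC-200", "amount": 250.00},
    {"id": 2, "from": "ACC-200", "to": "ACC-300", "amount": 1200.00},
    {"id": 3, "from": "ACC-300", "to": "ACC-100", "amount": 75.50},
]


def tampered_amount(sealed: List[Dict[str, Any]], index: int, new_amount: float):
    """Simulate an attacker editing one amount in place (tag left as is)."""
    copy = [dict(r) for r in sealed]
    copy[index]["amount"] = new_amount
    return copy


def deleted_record(sealed: List[Dict[str, Any]], index: int):
    """Simulate an attacker quietly dropping one row."""
    return [dict(r) for i, r in enumerate(sealed) if i != index]


if __name__ == "__main__":
    ledger = seal_ledger(TRANSACTIONS, KEY)
    print("intact        ->", verify_ledger(ledger, KEY))
    print("edited amount ->", verify_ledger(tampered_amount(ledger, 1, 12000.00), KEY))
    print("deleted row   ->", verify_ledger(deleted_record(ledger, 1), KEY))
```

The check only has teeth if the sealing key is held by a role that cannot also write to the table, which is the segregation of duties from the bullets above expressed in a key: whoever can both edit rows and recompute tags can forge a consistent chain.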

D. In the case of industrial designs, trade secrets and patent-pending files, we can use an approach similar to point A above. An additional option is to access and use these files only in a controlled virtual desktop environment, where the virtualization-specific security controls are mandatory.

Many other use cases fall under these scenarios. The common conclusion is that one can defend against APTs by using a combination of countermeasures.

Our summarized recommendation is to:

  •  Assess the risks associated with your most important assets;

  •  Learn from the APTs that have hit prominent organizations in your field of activity;

  •  Deploy countermeasures, but always remember that they must be a combination of people, processes and technologies.

To come back to Bitdefender: APTs can be detected with a combination of detection for the known and threat intelligence for the unknown, namely:

  •  Signatures for known threats, eliminating 95% of threats and leaving the focus on the remaining 5%;
  •  Advanced behavioral and heuristic analysis, which in our case flags most components of APTs as suspicious files;
  •  Intelligence: advanced, distributed threat intelligence in the cloud, parsing millions of samples and behaviors from users and sensors across the world to obtain a risk factor for each file and process;
  •  Real-time inspection, through a proprietary technology that allows rapid decisions, in most cases without any user intervention.

Yet even with all of these, we will never guarantee 100% security, least of all in the world of APTs.

Any organization may become an APT target. It is wise to be prepared and to spend wisely on technologies, but not to the detriment of implementing processes and educating people; and, at the end of the road, to be ready to accept some small, compartmentalized defeats, as long as the most important assets remain untouched.




Horatiu Bandoiu

Horatiu B has been in the field of information security for about 14 years, switching lanes between marketing, sales, consultancy and business development. An engineer by training, he thinks that a diagram says 10 times more than a speech, but sometimes you have to employ words in order to describe diagrams. Horatiu’s principal areas of interest are security management, practices, processes, buying behaviors and psychology.
