John Bensalhia talks to Ian Thornton-Trump about the rise of the APT (Advanced Persistent Threat), and how organisations can best defend themselves
Advanced Persistent Threat (APT) is a relatively recent addition to the cybersecurity lexicon. It stands for a stealth computer network attack in which the attackers illegally gain access to a network and stay there for a long period without detection.
Ian Thornton-Trump, Head of Cyber Security for AmTrust International, says two forces are responsible for the recent rise in attacks of this kind.
“APT attackers developed in synchronisation with the expansive growth of the internet and a desire by countries to develop cyber capabilities to augment nation-state policy agenda and goals,” he says.
“It’s pretty evident the first cyber criminals and first cyber espionage capabilities emerged at relatively the same time. Computer network exploitation as a technique can be used to make money and gain an adversary’s secrets.”
Ian has 25 years of experience in IT security and information technology. He has worked for the Canadian Forces (CF) Military Intelligence Branch, the CF Military Police Reserves and the RCMP (where he served as a criminal intelligence analyst), and as a cybersecurity analyst/consultant for multi-national insurers, banks and regional providers.
Today, as head of cybersecurity for AmTrust International, a subsidiary of AmTrust Financial Services Inc (AFSI), Ian explores the emerging threats facing small, medium and enterprise businesses.
2018 saw a maturing of APT operations, an improvement of capabilities and a sharper focus on operational security. The Mueller indictment of FSB operatives laid this bare: the indictment detailed how FSB operatives had used “freshly” created bitcoin to purchase staging servers in Malaysia.
“This is a long way away from the blatant attacks such as website defacement and DDoS of years ago which originated from IP addresses associated with the host country. The tools and malware at the disposal of many APT actors are designed to be difficult to reverse engineer, aware of virtual environments, built for stealth and very persistent on compromised systems. Hard to find, nearly impossible to remove and extremely creative in their engineering.”
“It’s not to say all APT groups associated with the 30 some countries with cyber capability have become super elite; but I do believe the overall trend has been an improvement of capability and focus on operational security.”
“APT attacks that are not simple ransomware attacks are mitigated by rigorous application of standard security controls such as those found in NIST, CIS 20 or DSD 35 or any number of security frameworks like ISO 27001,” says Ian.
“What I think though, is if your threat model includes a probable attack by an APT actor, you need to get aggressive with the countermeasures such as detective controls like cyber threat intelligence, IPS/IDS, SIEM, and boundary egress filtering.”
“But, don’t stop with just those technical controls. For APT defence, you really need to build a heavily segmented network with internal honeypots to detect the lateral movement of the APT actor towards the most sensitive information they would be after. The ultimate APT defence, of course, is to not have that sensitive information on the internet in the first place; but that may not be a realistic option.”
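The segmentation-plus-honeypot defence Ian describes can be turned into a simple detection rule: any flow that touches an internal honeypot, or that crosses into the sensitive segment from a zone not permitted to reach it, is an alert. The following is an added illustration, not code from the interview or from AmTrust; the honeypot addresses, segment ranges and flow-log lines are all constructed placeholders.

```python
import ipaddress
from collections import namedtuple

# Constructed honeypot inventory: internal addresses that host no real service,
# so any connection to the listed ports is suspicious by definition (placeholders).
HONEYPOTS = {
    ipaddress.ip_address("10.20.5.50"): {445, 3389, 22},
    ipaddress.ip_address("10.30.7.77"): {1433},
}
# Constructed segmentation map: the "sensitive" segment holding the data an APT
# actor would be after, and the only zone allowed to initiate flows into it.
SENSITIVE_SEGMENT = ipaddress.ip_network("10.30.0.0/16")
ALLOWED_INTO_SENSITIVE = [ipaddress.ip_network("10.40.1.0/24")]  # e.g. jump hosts

Alert = namedtuple("Alert", "kind src dst dport")

def parse_flow(line):
    """Parse a constructed flow-log line of the form 'ts src dst dport proto'."""
    _ts, src, dst, dport, _proto = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def inspect_flow(src, dst, dport):
    """Return the list of alerts raised by one flow (empty when benign)."""
    alerts = []
    # 1. Canary hit: nothing legitimate ever talks to a honeypot.
    if dst in HONEYPOTS and dport in HONEYPOTS[dst]:
        alerts.append(Alert("honeypot_touch", src, dst, dport))
    # 2. Segmentation breach: a flow into the sensitive segment from a zone
    #    that is not allowed to initiate such connections.
    if (dst in SENSITIVE_SEGMENT and src not in SENSITIVE_SEGMENT
            and not any(src in net for net in ALLOWED_INTO_SENSITIVE)):
        alerts.append(Alert("segment_violation", src, dst, dport))
    return alerts

def detect_lateral_movement(lines):
    """Run every flow-log line through the two detection rules."""
    alerts = []
    for line in lines:
        src, dst, dport = parse_flow(line)
        alerts.extend(inspect_flow(src, dst, dport))
    return alerts

# Constructed sample flows: one permitted, one honeypot touch, one breach.
SAMPLE_LOG = [
    "1700000000 10.40.1.10 10.30.2.20 443 tcp",  # jump host -> sensitive: allowed
    "1700000001 10.10.3.15 10.20.5.50 445 tcp",  # workstation -> honeypot SMB
    "1700000002 10.10.3.15 10.30.2.20 445 tcp",  # workstation -> sensitive: violation
]

if __name__ == "__main__":
    for a in detect_lateral_movement(SAMPLE_LOG):
        print(f"ALERT {a.kind}: {a.src} -> {a.dst}:{a.dport}")
```

In practice the honeypot rule is the higher-fidelity signal, since it has no legitimate false-positive path; the segmentation rule depends on the allow-list being kept accurate.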
Ian sees the emergence of User Behaviour Entity Analysis (UBEA) – which applies AI and machine learning capabilities at the network and application level, combined with automated endpoint detection and remediation (EDR) technology – as the way forward.
“These technologies would have to augment an already robust organisational security posture.”
“The reality is APTs’ black budgets will be used to improve offensive cyber operation capabilities including the use of more prolific and dreaded 0-day attacks, attacks that vendors are not aware of so ‘there is no patch to fix the vulnerability’. APT actors may use AI platforms similar to DARPA’s Cyber Grand Challenge to develop a host of 0-day attacks.”
“It’s folly to think that AI will not be leveraged by both APT attackers and defenders in the years to come.”