What are APTs? Does conventional antivirus help protect the information of companies and organizations?

APTs, as the name suggests, are "Advanced Persistent Threats": attacks directed specifically at a business or public administration, with a clear objective. Their purpose is to obtain all the sensitive information of a company, organization or government, persistently, and they do not stop until they achieve it.

Such an attack can mean the end of an organization, or it can even seriously compromise a country's integrity and the security of its citizens.

A study by ISACA and Trend Micro revealed that 94% of APTs are threats to national security and economic stability, and that 1 out of 5 organizations might have been attacked by this kind of threat.


APTs are often customized and targeted, built by hackers paid to do the most damage and to break through the conventional antivirus barriers currently on the market.

The way they typically gain access to the most significant information is the following:

First, they usually look for a vulnerable environment or computer; normally these are temporary staff's devices, or users without interesting documents whose machines nevertheless have internal doors to more significant devices.

They reach these devices by emailing the users, or by planting malware on a website the victim is likely to visit. Once inside, they create network backdoors and tunnels that allow stealthy access to the infrastructure, and wait to find or crack the administrator password to acquire administrator privileges over the victim's computer. Then they collect information on the surrounding infrastructure and expand control to other workstations, servers and infrastructure elements, exfiltrating data from the victim's network. These steps may last for months or years without the victim knowing it is being attacked.

The most popular APT is Stuxnet, a computer worm discovered in 2010 that spied on and reprogrammed industrial systems, targeting the computer hardware of Iran's nuclear program. NetTraveler was malware that exploited a vulnerability found in Microsoft software to extract information from Word, Excel and PowerPoint files stored at oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.

Last but not least, the Google Aurora attack, disclosed in January 2010, and an attack in 2011 on RSA, a security, compliance and risk management provider, showed that these threats are not confined to government entities…

How can these attacks be stopped if the most popular antivirus technologies are vulnerable to them?

  • Use IP reputation systems that examine destination address information for malicious indicators, such as known malicious IPs and recently registered domains
  • A firewall for all users
  • Train employees about potentially dangerous emails, viruses and threats, use of the internet, etc.
  • URL classification that examines embedded web links to determine whether they point to known malicious destinations, or to destinations with poor reputation
  • Use an IRM system; it lets you protect files in cloud-based storage (Dropbox, Gmail, etc.) and on users' own devices, keeping control of the access to and use of confidential files
  • Do not give administrator permissions to users unless strictly necessary
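As an added illustration of the IP reputation and URL classification checks listed above (example code written for this page, not part of the original article), the following Python scores each link in a constructed email against a hypothetical indicator list and a hypothetical registration-date lookup; the domains, IPs and dates are all made up:

```python
import re
from datetime import date
from ipaddress import ip_address
from urllib.parse import urlparse
# Constructed indicator data (RFC 5737 / .example values, not real IoCs).
KNOWN_MALICIOUS_IPS = {"198.51.100.23"}
KNOWN_MALICIOUS_DOMAINS = {"bad-invoice-portal.example"}
REGISTRATION_DATES = {  # hypothetical WHOIS/RDAP lookup: domain -> creation date
    "bad-invoice-portal.example": date(2023, 1, 10),
    "fresh-payroll-update.example": date(2024, 5, 28),
    "intranet.example": date(2009, 3, 2),
}
NEW_DOMAIN_DAYS = 30  # domains younger than this are treated as suspicious
TODAY = date(2024, 6, 10)  # fixed reference date so the run is reproducible
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def registrable_domain(host):
    # Naive last-two-labels rule; real deployments use the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_link(url, today=TODAY):
    """Return the reasons a link is suspicious; an empty list means no finding."""
    host = urlparse(url).hostname or ""
    try:                                 # does the link point at a bare IP literal?
        ip = str(ip_address(host))
    except ValueError:
        ip = None
    if ip is not None:
        return ["known malicious IP" if ip in KNOWN_MALICIOUS_IPS
                else "bare IP literal instead of a hostname"]
    domain, reasons = registrable_domain(host), []
    if domain in KNOWN_MALICIOUS_DOMAINS:
        reasons.append("known malicious domain")
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        reasons.append("no registration record")
    elif (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append(f"domain registered {(today - registered).days} days ago")
    return reasons

def scan_message(body, today=TODAY):
    """Map every URL in an email body to its list of suspicion reasons."""
    urls = [u.rstrip(".,;:") for u in URL_RE.findall(body)]
    return {u: classify_link(u, today) for u in urls}

SAMPLE_EMAIL = (  # constructed phishing-style message
    "Review the invoice at http://bad-invoice-portal.example/inv/2231 and confirm "
    "payroll at https://fresh-payroll-update.example/login. Policy: "
    "https://intranet.example/policy. Mirror: http://198.51.100.23/inv"
)
```

Running `scan_message(SAMPLE_EMAIL)` flags the known-bad domain, the 13-day-old domain and the bare IP, and leaves the long-registered intranet link clean; in practice the lookups would be replaced by a threat-intelligence feed and a real WHOIS/RDAP client.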