Defending Against an Attack

Just as an APT requires multiple attack layers to be successful, companies wishing to protect themselves
from falling prey to an APT must implement a defense strategy that incorporates multiple layers of
protection. It is critical to understand that no single network security feature will stop an APT.

Security Partnerships: Attackers don’t rest on their laurels and neither should an organization. It is
essential that organizations ensure they expend resources to keep IT staff as up-to-date as possible on
new threats and potential avenues of attack. Having a strong partnership with a security organization can
provide up-to-date information and threat intelligence as well as a clearly defined escalation path when an
incident is detected.

End User Education: Attackers target end users because they find the greatest chance of success focusing
their initial attacks there. Much like the maxim of the bank robber, the attacker “goes where the money
is.” Educating end users on proper use of social media to prevent confidential information from
becoming publicly available is one component. It’s also critical to ensure employees who have access to
sensitive information are specially trained to know how to deal with that data. Internal awareness
training and regular testing by IT staff can help mitigate an attack.

Network Segregation: If there is no reason for an employee to have network access to particular
resources that may contain sensitive data, then basic network segregation can help prevent lateral
movement inside the network. By placing resources on segments that cannot be reached from end
users, an organization can potentially prevent an attacker from moving beyond the initial foothold.

Web Filtering/IP Reputation: By using a solution that provides current IP reputation data and Web
filtering rules, an organization may be able to stop some attacks. For example, if the accounting team has
no reason to visit Websites or IP addresses on the other side of the globe, creating filtering rules that
prevent access to those sites can stymie certain attacks. By using an IP reputation service, an
organization may be able to stop an attacker that has launched attacks on other organizations using the
same network resources.

Whitelisting: Whitelisting can be used in multiple ways. For example, network whitelisting can be used
to only allow certain internal traffic to reach other network resources. This can prevent an attacker from
moving laterally inside a network. Network whitelists can also prevent a user from accessing any sites
online that are not explicitly approved. Application whitelisting can be used to allow only a set list of
applications to run on a computer, preventing all other software from running. This can prevent
an attacker from running new programs on the target’s computer.
Blacklisting: While a whitelist is a list of things that are explicitly allowed to execute or access resources,
a blacklist explicitly blocks items on the list from accessing resources, sites or applications deemed
unsafe.
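The network segregation, whitelisting and blacklisting points above can be made concrete with a small policy evaluator. This is an added example, not code from the article or the magazine; the segment ranges, host names and reputation entries are constructed for the accounting-team scenario described above. It shows why a default-deny allowlist stops a never-before-seen destination while a blacklist lets it through, and why segment-pair rules block movement toward servers an end user has no reason to reach.

```python
import ipaddress
from typing import Optional

# Constructed sample policy (illustrative addresses and names, not from the article).
SEGMENTS = {
    "accounting-users": ipaddress.ip_network("10.10.0.0/24"),
    "finance-servers": ipaddress.ip_network("10.20.0.0/24"),
    "hr-servers": ipaddress.ip_network("10.30.0.0/24"),
}
# Network whitelist: directional segment pairs that may talk; everything else is denied.
SEGMENT_ALLOW = {("accounting-users", "finance-servers")}
# Web whitelist for the accounting team, and an IP reputation blacklist.
APPROVED_HOSTS = {"erp.example.internal", "payroll-bank.example"}
BAD_REPUTATION_IPS = {ipaddress.ip_address("203.0.113.7")}


def segment_of(ip: str) -> Optional[str]:
    """Return the name of the segment containing ip, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def internal_allowed(src_ip: str, dst_ip: str) -> bool:
    """Segregation check: same segment, or an explicitly whitelisted pair, passes."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown addresses are denied by default
    return src == dst or (src, dst) in SEGMENT_ALLOW


def egress_decision(dest: str, mode: str) -> str:
    """Decide an outbound request to dest (hostname or IP) as 'allow' or 'deny'.

    mode is 'whitelist' (default deny, only approved hosts pass) or
    'blacklist' (default allow, only listed bad items are blocked).
    """
    try:
        if ipaddress.ip_address(dest) in BAD_REPUTATION_IPS:
            return "deny"       # reputation block applies under both models
    except ValueError:
        pass                    # dest is a hostname, not an IP address
    if mode == "whitelist":
        return "allow" if dest in APPROVED_HOSTS else "deny"
    return "allow"              # blacklist model: anything not listed passes
```

Note that the unknown address 198.51.100.23 is denied under the whitelist but allowed under the blacklist, which is the gap an attacker's fresh infrastructure slips through.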
Application Control: Employees are using Web services like Facebook, Twitter and Skype on a frequent
basis today. While many companies have embraced and allow use of these platforms, complete and

99 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide