Many organizations do not know they have been victimized, says Bryan Sartin, director of investigative response at Verizon Business. Nearly 90 percent of organizations only learn they have been infected when told by an outside security firm, law enforcement, or other source.
Called advanced persistent threats (APTs), these attacks have been aimed at organizations with particularly valuable intellectual property. But they are now being aimed at a wider variety of targets, says Jon Oltsik, a principal analyst at the Enterprise Strategy Group. One reason is that the attacks are becoming simpler to execute and use.
Many organizations focus on the perimeter when protecting against attacks, but looking for suspicious activity inside the network can be a good way to protect against APTs, says Christopher Ling, a senior vice president at Booz Allen.
Many APT attacks are initiated by first gaining access to an employee’s password, perhaps through trickery. As the next step, the attacker searches throughout the network for higher-level administrative passwords. Knowing how this scheme works can help security teams spot the attacks.
Monitoring logs for this type of scanning activity is another good way to detect an APT. Malicious activity on a network can almost always be detected in an organization’s event logs, says Sartin. The trouble is that there is so much data that it can be hard to know where to look. Security information and event management (SIEM) solutions can help, he notes. Such tools can be complex to use, however, and a company may need to contract with a service provider that has the expertise needed to make them effective.
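As an added illustration, not code from the article or from any of the sources quoted, the following Python script applies the two detection ideas above to a constructed batch of logon events: one check flags an account that reaches an unusual number of distinct hosts inside a short window (the attacker searching the network with a stolen password), and the other flags a workstation where an ordinary user is followed by a privileged account (the step up to administrative credentials). The log format, the host and account names, the list of privileged accounts and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events for illustration (not real logs). Fields:
# timestamp, account, source host, target host, outcome.
SAMPLE_LOGONS = """\
2024-03-01T09:00:12 jdoe WS-117 FILESRV-01 success
2024-03-01T09:01:40 jdoe WS-117 FILESRV-02 success
2024-03-01T09:02:05 jdoe WS-117 HR-DB-01 failure
2024-03-01T09:02:30 jdoe WS-117 HR-DB-01 success
2024-03-01T09:03:11 jdoe WS-117 DC-01 failure
2024-03-01T09:03:15 jdoe WS-117 DC-02 failure
2024-03-01T09:04:00 jdoe WS-117 BUILD-07 success
2024-03-01T09:05:22 svc_backup WS-117 DC-01 success
2024-03-01T10:15:00 asmith WS-042 FILESRV-01 success
2024-03-01T11:30:00 asmith WS-042 FILESRV-01 success
"""

# Assumed set of privileged accounts; in practice this comes from the directory.
ADMIN_ACCOUNTS = {"svc_backup", "administrator"}
WINDOW = timedelta(minutes=10)      # how long one burst of logons may span
MAX_DISTINCT_TARGETS = 4            # ordinary users rarely touch this many hosts so fast


def parse_logons(text):
    """Turn the whitespace-separated sample lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, target, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "source": source,
            "target": target,
            "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_lateral_movement(events, window=WINDOW, threshold=MAX_DISTINCT_TARGETS):
    """Flag accounts that reach many distinct hosts inside one sliding window.

    Failed logons count too: an attacker trying a stolen password across
    the network generates failures on the hosts where it does not work.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        best_count, best_start = 0, None
        start = 0
        for end in range(len(evs)):
            # Move the window start forward until the span is at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["target"] for e in evs[start:end + 1]}
            if len(targets) > best_count:
                best_count, best_start = len(targets), evs[start]["ts"]
        if best_count >= threshold:
            alerts.append({"account": account,
                           "distinct_targets": best_count,
                           "window_start": best_start})
    return alerts


def find_privilege_jumps(events, admin_accounts=ADMIN_ACCOUNTS):
    """Flag a workstation that first shows an ordinary user and later a
    privileged account: the 'user password, then admin password' progression."""
    ordinary_seen = defaultdict(set)   # source host -> ordinary accounts seen so far
    jumps = []
    for e in events:
        if e["account"] in admin_accounts:
            for user in sorted(ordinary_seen[e["source"]]):
                jumps.append((e["source"], user, e["account"]))
        else:
            ordinary_seen[e["source"]].add(e["account"])
    return jumps


if __name__ == "__main__":
    logons = parse_logons(SAMPLE_LOGONS)
    for alert in find_lateral_movement(logons):
        print("lateral movement:", alert)
    for src, user, admin in find_privilege_jumps(logons):
        print(f"privilege jump on {src}: {user} followed by {admin}")
```

On the sample data the first check singles out jdoe, who touches six different hosts in four minutes, and the second reports WS-117, where a backup service account logs on shortly after jdoe. Either pattern alone is a reasonable SIEM rule; together they describe the progression the article outlines, which is why a SIEM that correlates across both event sources is more useful than one that only counts failures.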
Another way to defeat APTs is to keep them from sending out the data they have harvested. Thus, a goal should be to see what’s “egressing the network,” says Sartin.
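The following Python script is an added example of what watching egress can look like in practice; it is not code from the article or from Verizon Business. It runs over constructed flow records (internal host, destination, port, bytes sent) and flags two things: hosts whose outbound volume is far above the median host, and large transfers to external destinations the organization does not recognize. The internal address range, the one sanctioned external destination and the thresholds are assumptions made for the example.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed flow records for illustration (not real telemetry). Fields:
# internal source host, destination IP, destination port, bytes sent out.
SAMPLE_FLOWS = """\
10.0.5.21 203.0.113.10 443 150000
10.0.5.21 203.0.113.10 443 120000
10.0.5.22 203.0.113.10 443 90000
10.0.5.23 198.51.100.77 443 80000
10.0.5.24 203.0.113.10 443 110000
10.0.5.30 192.0.2.45 22 1800000000
10.0.5.30 203.0.113.10 443 100000
10.0.5.31 10.0.9.5 445 5000000000
"""

# Assumptions for the example: the internal address space, and one external
# destination (say, a sanctioned SaaS provider) that is expected to see bulk traffic.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_DESTINATIONS = {"203.0.113.10"}
OUTLIER_FACTOR = 10                 # host sends more than 10x the median host's egress
LARGE_TRANSFER_BYTES = 500_000_000  # 500 MB or more to one unrecognized destination


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(addr, nets=INTERNAL_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def external_egress_by_host(flows):
    """Total bytes each internal host sent to destinations outside the network.
    Internal-to-internal transfers are not egress and are left out."""
    totals = defaultdict(int)
    for f in flows:
        if not is_internal(f["dst"]):
            totals[f["src"]] += f["bytes"]
    return dict(totals)


def find_volume_outliers(totals, factor=OUTLIER_FACTOR):
    """Hosts whose egress is far above the median host. The median is used
    rather than the mean so that one exfiltrating host cannot drag the
    baseline up and hide itself."""
    if not totals:
        return []
    baseline = statistics.median(totals.values())
    return sorted(h for h, b in totals.items() if b > factor * baseline)


def find_large_unknown_destinations(flows, known=KNOWN_DESTINATIONS,
                                    min_bytes=LARGE_TRANSFER_BYTES):
    """Large transfers to external destinations the organization does not recognize."""
    per_pair = defaultdict(int)
    for f in flows:
        if is_internal(f["dst"]) or f["dst"] in known:
            continue
        per_pair[(f["src"], f["dst"], f["port"])] += f["bytes"]
    return sorted((src, dst, port, b) for (src, dst, port), b in per_pair.items()
                  if b >= min_bytes)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    totals = external_egress_by_host(flows)
    print("egress outliers:", find_volume_outliers(totals))
    print("large transfers to unknown hosts:", find_large_unknown_destinations(flows))
```

With the sample flows, both checks land on 10.0.5.30, which pushes 1.8 GB over SSH to an address nobody has vetted, while the 5 GB internal file-share copy from 10.0.5.31 is ignored because it never leaves the network. Real deployments compare each host against its own history rather than against its peers on a single day, but the shape of the rule is the same.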