Even when an organisation becomes aware of a vulnerability, it can remain at risk of an APT attack as it takes time for software vendors to develop, distribute or apply a patch. Where a security patch is available, any required quality assurance tests to ensure that the functionality of systems will not be adversely affected by a patch will extend the period of exposure.
While their very nature suggests that APTs will continue to pose a serious threat to organisations for the foreseeable future, there are steps that can be taken to minimise and mitigate the risks that APTs pose.
Basic steps for combating APT
Monitoring and detection are critical tasks in the ongoing battle against APTs. Real-time automated monitoring of networks and hosts can help organisations identify threats at the earliest possible stage. Early detection also gives an organisation the best possible chance of taking action against the threat while keeping negative fallout to a minimum.
Analysis and response form another key step in defending organisations against APTs. By analysing network traffic and activities, organisations can better understand how and where threats are affecting them. Properly correlated alerts can also be created, customised to an organisation's specific risks and systems.
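The correlation the article refers to can be made concrete. The following is an added example, not code from the article or from KPMG: it takes a handful of constructed log lines from three independent sources (an IDS, an authentication log and a web proxy), groups them per host into short time windows, and raises a single alert only when two or more sources report on the same host within one window. The log format, the 15-minute window and the two-source threshold are assumptions chosen for the illustration; a real deployment would tune them to the organisation's own telemetry and risks.

```python
"""Correlate low-confidence events from several sources into one host-level alert.

Added example for illustration; the log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry).
# Format: "<source> <ISO timestamp> host=<name> <free-form detail>"
SAMPLE_LOGS = [
    "ids 2024-03-01T09:00:10 host=ws-17 sig=beacon_dns_txt dst=203.0.113.5",
    "auth 2024-03-01T09:03:42 host=ws-17 event=logon_failure user=svc_backup",
    "auth 2024-03-01T09:03:50 host=ws-17 event=logon_success user=svc_backup",
    "proxy 2024-03-01T09:05:01 host=ws-17 bytes_out=48000000 dst=203.0.113.5",
    "ids 2024-03-01T11:30:00 host=ws-22 sig=beacon_dns_txt dst=203.0.113.5",
    "proxy 2024-03-01T14:45:00 host=ws-22 bytes_out=120000 dst=198.51.100.7",
]

WINDOW = timedelta(minutes=15)  # events this close together count as one episode
MIN_SOURCES = 2                 # independent sources needed before an alert is raised


def parse_line(line):
    """Split one log line into source, timestamp, host and the remaining detail."""
    source, ts, host_field, *rest = line.split()
    return {
        "source": source,
        "ts": datetime.fromisoformat(ts),
        "host": host_field.split("=", 1)[1],
        "detail": " ".join(rest),
    }


def _maybe_alert(host, episode, min_sources, alerts):
    """Emit an alert for an episode if enough distinct sources contributed to it."""
    sources = sorted({e["source"] for e in episode})
    if len(sources) >= min_sources:
        alerts.append({
            "host": host,
            "start": episode[0]["ts"],
            "end": episode[-1]["ts"],
            "sources": sources,
            "events": [e["detail"] for e in episode],
        })


def correlate(lines, window=WINDOW, min_sources=MIN_SOURCES):
    """Group events per host into time windows and return the alerts that clear the threshold.

    A single IDS signature or a single odd proxy transfer on its own stays below the
    threshold; the same host producing both within one window is escalated.
    """
    by_host = defaultdict(list)
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, events in by_host.items():
        episode = []
        for ev in events:
            # Start a new episode once the window measured from the first event is exceeded.
            if episode and ev["ts"] - episode[0]["ts"] > window:
                _maybe_alert(host, episode, min_sources, alerts)
                episode = []
            episode.append(ev)
        _maybe_alert(host, episode, min_sources, alerts)
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"ALERT {a['host']} {a['start']}..{a['end']} sources={a['sources']}")
        for detail in a["events"]:
            print("   ", detail)
```

Run as a script it prints one alert for ws-17, where the IDS, authentication and proxy sources all fire within five minutes, and nothing for ws-22, whose two single-source events are hours apart. Lowering `min_sources` to 1 shows the noise that the correlation step is there to suppress.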
Following identification of a threat, a swift response comprising investigation, analysis and remediation is essential. These activities generally require experienced professionals with a highly sophisticated understanding of both the organisational and threat environments.
Finally, post-incident reporting and forensic investigation play an important role. Forensic investigations can help identify, recover and preserve evidence from an APT attack for analysis.
For example, network data can be captured, retrieved and stored to understand the events and activities leading up to and following an infection. Disk imaging can also be performed on hosts to support these investigations.
Ultimately, the intelligence gathered through such forensic activities can be used to enhance the organisation's cyber defences against future attacks.
Dealing with APT is a complex matter. Only by employing constant vigilance, deploying appropriate tools and maintaining a team of skilled professionals with a clear understanding of the APT ecosystem will an organisation have a chance of defending itself against, and responding to, such external threats.
Victor Keong, is partner, performance & technology at KPMG in Singapore. The views expressed are his own.