
Business Report

Prepare for the "Advanced Persistent Threat"

Security experts say companies need new tactics to fight the next wave of cyberattacks.

A recent string of cyberattacks against large companies, government contractors, financial institutions, and even security providers themselves has highlighted a new type of heist: the advanced persistent threat, or APT.

This spring, these ambitious attacks have hit organizations that have valuable data and the resources to defend it well, including Google, Citigroup, and the International Monetary Fund. A recent APT-style attack on RSA, which provides security technology to some of the biggest banks, alarmed RSA’s high-profile clients and appears to have led to an intrusion at Lockheed Martin, an RSA customer.

Unlike recent website takeovers by brazen “hacktivists” or massive thefts of credit card data, APTs are elaborate and sustained con jobs that are difficult to detect. The term was coined by government organizations accustomed to fighting online espionage, says Tom Cross, manager of the IBM X-Force Advanced Research security team, but these kinds of attacks are now becoming common enough to be discussed in corporate boardrooms. In a March survey of 563 IT security specialists by nCircle, a security technology company, 16 percent of the respondents listed APTs as their biggest security concern in 2011. That made it the second-most-worried-about security issue; 26 percent of respondents said their top priority was complying with security-related regulations.

RSA did not respond to Technology Review’s requests for interviews, but Uri Rivner, the company’s head of consumer identity protection, described some details of the attack in a company blog. First, one employee, who had limited administrative access to internal files, fell for a phishing scam and opened a spreadsheet labeled “2011 Recruitment plan.xls.” Rivner said the file exploited a zero-day (previously unknown) security hole in Adobe Flash software. The hackers then installed a remote administration tool and breached multiple employees’ accounts before extracting information over FTP, or file transfer protocol. According to Rivner and Cross, the breach had many of the hallmarks of advanced persistent threats: repeated attempts to find a weak human link, a zero-day opening, sophisticated malware, and strategic methods to avoid detection while extracting data. APTs may lie dormant for months before finding a strategic moment to extract information.

“The first thing that these people do is collect info about their target,” Cross says. “We put a lot of information about ourselves—both our personal and work life—on the Internet, so it’s easy to do research and develop a profile of an organization.”

That’s one reason why many security experts urge companies to assume they are going to be targeted. “That’s the reality,” says Catherine Lotrionte, executive director at the Institute for Law, Science and Global Security at Georgetown University. As a result, she advises companies: “Make sure you have the best intrusion detection in place.”

When RSA was attacked, it was using the services of a company called NetWitness to detect unusual activity across its networks. NetWitness was in fact “instrumental” in detecting the intrusion, says Eddie Schwartz, who was that company’s chief security officer and has held the same title at RSA since it recently acquired NetWitness. Schwartz declined to reveal details of how the company detected the intrusion. However, he says that overall, the idea of securing networks by trying to “build a gigantic wall that nobody can climb over” is outdated. Training all employees to better detect phishing won’t significantly help, he says, essentially because there will always be someone who will fall for a scam.

IBM’s Cross disagrees; he thinks more companies should try training employees to be more alert for phishing or other signs of cyberattacks. “The goal is not to stop everything; the goal is to detect something,” he says. “If you educate these people and show them that there is a real threat, they become your front line.”
