
Business Report

Prepare for the "Advanced Persistent Threat"

Security experts say companies need new tactics to fight the next wave of cyberattacks.

A recent string of cyberattacks against large companies, government contractors, financial institutions, and even security providers themselves has highlighted a new type of heist: the advanced persistent threat, or APT.

This spring, these ambitious attacks have hit organizations that have valuable data and the resources to defend it well, including Google, Citigroup, and the International Monetary Fund. A recent APT-style attack on RSA, which provides security technology to some of the biggest banks, alarmed RSA’s high-profile clients and appears to have led to an intrusion at Lockheed Martin, an RSA customer.

Unlike recent website takeovers by brazen “hacktivists” or massive thefts of credit card data, APTs are elaborate and sustained con jobs that are difficult to detect. The term was coined by government organizations accustomed to fighting online espionage, says Tom Cross, manager of the IBM X-Force Advanced Research security team, but these kinds of attacks are now becoming common enough to be discussed in corporate boardrooms. In a March survey of 563 IT security specialists by nCircle, a security technology company, 16 percent of the respondents listed APTs as their biggest security concern in 2011. That made it the second-most-worried-about security issue; 26 percent of respondents said their top priority was complying with security-related regulations.

RSA did not respond to Technology Review’s requests for interviews, but Uri Rivner, the company’s head of consumer identity protection, described some details of the attack in a company blog. First, one employee, who had limited administrative access to internal files, fell for a phishing scam and opened a spreadsheet labeled “2011 Recruitment plan.xls.” Rivner said the file exploited a zero-day (previously unknown) security hole in Adobe Flash software. The hackers then installed a remote administration tool and breached multiple employees’ accounts before extracting information over FTP, or file transfer protocol. According to Rivner and Cross, the breach had many of the hallmarks of advanced persistent threats: repeated attempts to find a weak human link, a zero-day opening, sophisticated malware, and strategic methods to avoid detection while extracting data. APTs may lie dormant for months before finding a strategic moment to extract information.

“The first thing that these people do is collect info about their target,” Cross says. “We put a lot of information about ourselves—both our personal and work life—on the Internet, so it’s easy to do research and develop a profile of an organization.”

That’s one reason why many security experts urge companies to assume they are going to be targeted. “That’s the reality,” says Catherine Lotrionte, executive director at the Institute for Law, Science and Global Security at Georgetown University. As a result, she advises companies: “Make sure you have the best intrusion detection in place.”

When RSA was attacked, it was using the services of a company called NetWitness to detect unusual activity across its networks. NetWitness was in fact “instrumental” in detecting the intrusion, says Eddie Schwartz, who was that company’s chief security officer and has held the same title at RSA since it recently acquired NetWitness. Schwartz declined to reveal details of how the company detected the intrusion. However, he says that overall, the idea of securing networks by trying to “build a gigantic wall that nobody can climb over” is outdated. Training all employees to better detect phishing won’t significantly help, he says, essentially because there will always be someone who will fall for a scam.

IBM’s Cross disagrees; he thinks more companies should try training employees to be more alert for phishing or other signs of cyberattacks. “The goal is not to stop everything; the goal is to detect something,” he says. “If you educate these people and show them that there is a real threat, they become your front line.”

