GUEST ARTICLE: Mitigating Advanced Persistent Threats

Noor Azwa Azreen Abd Aziz and Zahri Yunos | Oct. 11, 2012
CyberSecurity Malaysia: Understanding the APT exploitation lifecycle and the numerous challenges in addressing threats.

Initial intrusion into the network - Utilise several techniques to gain initial access. The most common form is social engineering combined with e-mail; e.g. spear phishing.

Establishing backdoor into the network - Establish footing in the system using malware and move laterally to install multiple backdoors.

Obtaining user credentials - Obtain domain controller credentials to allow operation within the network.

Installing various utilities - Utility programs install backdoors, dump passwords, obtain e-mail from servers and list running processes to steal targeted information.

Privilege escalation/Lateral movement/Data exfiltration - Exfiltrate data by compressing into smaller files and moving to a server in the APT's command and control infrastructure.

Maintaining persistence - When backdoors are discovered, the attacker continuously evolves its tooling to gain additional footing and maintain position.


There are numerous challenges in achieving the high level of vision and knowledge required in order to address the threat of a targeted attack. Some of these challenges include:

· Organisations usually have an extremely large database and information management environment. Trying to find a specific piece of information is like looking for a needle in a haystack: very difficult, if not impossible, to find among everything else around it.
· Attackers are skilled at hiding in plain sight.
· Anti-forensic techniques are being used more frequently.
· Complexity, diversity, and lack of standardisation are often a factor.

Possible questions that should be thought about regarding specific information security practices are as follows:
- How do we track what digital information is leaving our organisation and where that information is going?
- How do we know who is logging into our network, and from where?
- How do we control what software is running on our devices?
- How do we limit the information we voluntarily make available to a cyber adversary?
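The first two questions lend themselves to simple baseline-and-deviation checks. The following is an added illustration, not code from the article or from CyberSecurity Malaysia: it learns which networks each user normally logs in from, flags logins that fall outside that baseline, and flags large outbound transfers to hosts outside an assumed internal domain suffix. All log lines, addresses, hostnames and thresholds are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed samples (not from any real system). Login lines: "user src_ip".
BASELINE_LOGINS = """\
alice 10.1.4.22
alice 10.1.4.31
bob 10.1.7.9
"""
NEW_LOGINS = """\
alice 10.1.4.22
bob 203.0.113.45
carol 10.1.9.3
"""
# Outbound proxy lines: "src_ip dst_host bytes_out"; hosts use reserved placeholder names.
PROXY_LOG = """\
10.1.4.22 files.example.internal 540000000
10.1.7.9 drop.invalid 78000000
10.1.9.3 cdn.invalid 12000
"""

def build_baseline(log: str) -> dict:
    """Map each user to the set of /24 networks they have logged in from."""
    seen = defaultdict(set)
    for line in log.splitlines():
        user, ip = line.split()
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        seen[user].add(net)
    return seen

def new_login_sources(baseline: dict, log: str) -> list:
    """Flag logins from a /24 outside the user's baseline; unknown users are flagged too."""
    hits = []
    for line in log.splitlines():
        user, ip = line.split()
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if net not in baseline.get(user, set()):
            hits.append((user, ip, "new-user" if user not in baseline else "new-network"))
    return hits

def large_external_transfers(log: str, threshold: int = 50_000_000,
                             internal_suffix: str = ".example.internal") -> list:
    """Flag outbound transfers at or above threshold to hosts outside the internal suffix."""
    hits = []
    for line in log.splitlines():
        src, dst, size = line.split()
        if int(size) >= threshold and not dst.endswith(internal_suffix):
            hits.append((src, dst, int(size)))
    return hits
```

In practice the baseline would be built from weeks of authentication logs and the transfer threshold tuned per destination, but the shape of the check is the same.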

Incident response and handling

As attacks on information systems become more sophisticated and severe, it is important to develop a well-defined incident response capability. A dependable incident response program helps to quickly detect security incidents, minimise losses and destruction, identify weaknesses, and restore information technology operations rapidly.

There are four possible stages in incident response and handling as follows:

- Preparation - Being ready to respond before an incident actually occurs. This stage is extremely important because many of today's incidents are so complex and time consuming that preparation is a necessity, not a luxury. Some basic notions behind preparation are setting up a reasonable set of defences/controls based on the threat that presents itself, creating a set of procedures to deal with incidents as efficiently as possible, obtaining the resources and personnel necessary to deal with the problem, and establishing an infrastructure to support incident response activities.

- Detection and Analysis - Detection determines whether malicious code is present, whether files or directories have been altered, or whether other symptoms of an incident are present and, if they are, what the problem is and its magnitude. Detection is very important: without it there is no meaningful incident response, because detection is what triggers the response. Sometimes very small symptoms indicate that an incident is in progress, so analysing every anomaly that can be found is a very good measure.

- Containment, Eradication and Recovery - Containment limits the extent of an attack and thus the potential damage or loss. Containment-related activity should occur only if the indications observed during the second stage conclusively show that an incident is occurring. Eradication eliminates the cause of the incident, while recovery involves system and data recovery as well as providing back-up files.

- Post-Incident Activity - Reviewing and integrating information related to an incident that has occurred. This stage is extremely critical, in that it is hard to envision a successful incident response effort if it is omitted.


Cyber space is borderless and difficult to control, and it is seemingly vulnerable to criminal and terrorist attacks. It provides room for individuals with the necessary skill and capability to cause damage, even to a nation. Cyber attacks are far easier to launch than conventional military attacks.

The constantly increasing number of security incidents in Malaysia is indeed worrying, given the high and rapidly growing rate of Internet usage in the country. Technological threats such as cyber crime and cyber terrorism require immediate attention and critical analysis by nations worldwide. For example, there is still a need for improvement of cyber laws and regulations in the country.

At the same time, the competency level of the enforcement agencies must also be further improved to deal with the growing sophistication of cyber threats. Malaysia is committed to countering cyber crime and cyber terrorism by implementing and enhancing critical information infrastructure protection to ensure a trusted, secure and sustainable online environment. Cyber security requires both national and transnational mechanisms to deal with threats.
