Red alert! Beware of insiders bearing APTs

Big enterprises worry about APTs -- and employees who may be using them to engage in corporate espionage. These measures can help you catch the perps

Red alert! Beware of insiders bearing APTs
Thinkstock

We live in a global society. While your country’s economy may be stagnating or barely growing, someone else’s economy is probably booming. It’s no wonder your company is reaching across international borders to establish new business ties and revenue sources.

That’s all well and good. But you should also know that I’ve consulted for a number of companies that found themselves under an APT (advanced persistent threat) attack, only to learn it originated with foreign employees of the same company. I’ve even consulted with a few clients that discovered they had foreign spies working in their domestic operations. The risk is small, but it exists.

Even if no such skullduggery has occurred, most companies worry about it. After all, it’s common knowledge that Chinese APT attacks have been underway for years.

A true spy story

My absolute favorite APT story is about a company that had suffered its third APT attack in two years. No matter what the company did, the APT came right back.

The third time around, we decided to do what is now standard operating procedure. We brought new laptops and a new wireless hub, then held our defense meetings in an executive conference room. The goal was to decide when we would reset all passwords in the environment, including those for service accounts and administrators. We decided to call the big day, which would be a month away, the “picnic event” to avoid mentioning APT or password resets.

For the picnic event, employees would arrive to work and find signs saying all their passwords had been reset. We even planned to make every administrator re-apply for and provide the reason they needed admin credentials. We created a draft of the form they would be required to fill out and return to us on the day of the event.

The next day, I arrived at the conference room early, only to have the project leader tell me, “We have our first picnic event forms submitted!” I was confused. We hadn’t even completed our draft forms. There was more work to do, and in any case the picnic event was a month out. But he handed me two forms filled out by foreign employees asking for admin credentials. In the box asking for the reason they needed admin credentials, it said: “Because our passwords were reset during the picnic event.”

It turns out our foreign friends had been listening, for a long time, to the videoconferencing system in every conference room in the company. We were able to catch the spies was because their translator must have missed the part where we said the picnic event was the following month. They had re-created our form, filled it out, and submitted it too early.

The form was identical to our draft except for a mistake in formatting that proved they’d re-created the form rather than stolen our offline files. Everyone who entered the room that day was aghast when we told them we had our first two submissions—and explained that the conferencing systems had been completely compromised.

How to defend against insider APT threats

How do you protect yourself from employees who are deploying APTs on behalf of a shadowy entity? Basically, go with the same actions you’d take to prevent and detect against any insider threat. Here’s a quick rundown.

Least privilege. First and foremost, live and practice least-privilege permissions. If a person isn’t supposed to have a permission or belong to a group, make sure they don’t have it. Have the least number of permanent members to elevated accounts as possible—get as as near to zero as you can. Put it another way: Delegate the least amount of permissions and privileges as necessary for the job. If elevated privileges are needed, have admins check them out on a time- and location-constrained basis. And automatically change the password when they’re checked back in.

Security domain Isolation. You can’t hack what you can’t reach. Place your most valuable data and resources in high-security zones. Use available tools and features to create security domains that isolate employees to give them access to what they need to do their jobs and no more. Use the dumbest, fastest devices first (like routers and VLANs) and move to smarter and slower devices and features (firewalls, IPsec, IDS). This will give you maximum performance while securely isolating.

Look for anomalous behavior. Despite such restrictions, your “employees” may have all the legitimate access they need to steal data and spy. Look for suspicious activity, including unusual connections between computers, big data downloads, or odd times or places of activity. To do this effectively, you first need to define what is usual, then put a system in place for detecting deviations from baseline behaviors.

Use honeypots. Create a handful of fake systems (databases, web servers, email servers, CEO workstations) and place them near the real assets. After you screen out false-positive connections (antivirus signature updates, patching updates, and so on), any unexpected connections should be investigated. No matter how good the internal attackers, they have to explore. When they touch your honeypot, you can nab them.

Look at it this way: Employees that hack your assets are APTs, whether you think of them that way. If you prepare for internal APT threats, you’ll be guarding against all insider threats, and that can only help your defense-in-depth strategy.

NEW! Download the Fall 2018 issue of Security Smart