| CYBERSECURITY Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. |
Advanced Persistent Threats
As cyber-criminals become more versed in common detection and aversion tactics such as anti-virus, cybersecurity awareness education, and basic encryption algorithms, those security monitoring mechanisms are losing their effectiveness in keeping the attackers at bay. Recent compromise attacks against organizations like SolarWinds, Microsoft 365, Microsoft Exchange, Accellion, and SonicWall show that attackers are patient and willing to use multiple methods to successfully execute their target[1]. Protecting against these advanced persistent threats (APTs) requires innovative and multi-tiered security to be baked into a network at every level of the Open Systems Interconnection (OSI) model, from physical to application[2].
Compromised? Me? Couldn’t Be!
| ADVANCED PERSISTENT THREAT An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors including, for example, cyber, physical, and deception. The advanced persistent threat pursues its objectives repeatedly over an extended period; adapts to defenders’ efforts to resist it; and is determined to maintain the level of interaction needed to execute its objectives. |
Software development has long depended on a hardened exterior network to protect more vulnerable coding practices. Nobody likes to be bested, the victim of a deliberate and targeted attack. Even less do teams like to admit the trade secrets of an organization were leaked through a vulnerability exploited on their own product[3]. Conversations leaving the table during forensic studies of successful ATP attacks focus on what can be done to detect these predators at their most vulnerable moment – after they have gained access to the network and before they execute the target[4].
Attacking the Attacker
The lifecycle of an APT attack includes a human element of discovery and security analysis after breach of the network, where the actor can create a customized attack methodology based on the security tools used, pattern of vulnerability remediation, and active security monitoring of the network[5]. During discovery, the most vulnerable state of the attacker, they simply perform reconnaissance of the target. The attackers are passively listening to traffic and patterns, but actively searching for software and associated vulnerabilities. In the noise of the normal network packet passing, their search goes unnoticed by standard security monitoring tools. Is it possible that hooks developed into software itself could create a monitoring mechanism for this surveillance?
Threat Modeling
Growth of a practice called DevSecOps, which combines development, security, and operations into an automated pipeline development standard shows promise in creating a standard that will harden software development and make software an active part of the layered defense package. While the concept behind DevSecOps is that security is baked into all development steps, a critical step in the DevSecOps workflow as circled features a security theory called threat modeling[6]. In threat modeling, lessons learned from successful APT attacks are analyzed for software development weaknesses.
Catching the Outlier
In an APT attack, the presence of the threat goes undetected due to quiet harvesting of data during what appear to be normal operations. Collection of security tool patterns, active directory or application user credentials, patching cycles, and routine jobs are some of what forensic teams have shown are the first indicators of compromise. Suppose, during an integrated prediction and adaptation step throughout the DevSecOps process, an application threat modeling addressed the capabilities of the application to detect users accessing the application and sending that data to a centralized logging or security orchestration, automation, and response (SOAR) platform? The data could then be correlated with pre-set parameters including normal hours of activity provided through behavior analysis, active directory, and other multi-factor authentication data points to create alerts of unusual application level activity[7].
Mind vs. Mind
Threat modeling involves research and human analysis to be successful, it is pitting brain against brain, mind vs. mind. The inclusion of threat modeling in DevSecOps creates an ability for the human analysis capabilities to go head to head against the attacker. Documenting details about software architecture, data and data transition diagrams, data tagging, and organizational risk help define the requirements and security framework required for a software application. The security operations team can assist with identifying potential threats and areas of weaknesses within the software through both threat landscape knowledge and application penetration testing. Identification of vulnerability or logging weaknesses create analysis of proactive monitoring or appropriate mitigation planning. With each iteration of released code, the question is asked – “Are we doing everything we can to mitigate and manage the threat of an APT?”
| What are we using in our application code that could be collected in APT reconnaissance? Can we detect unauthorized collection? |
The future of software development no longer requires only a business analyst to ensure the needs of the business are met, it needs analysis focus on security mechanisms. Through the integration of active threat modeling within the software development process, developers are involved in seeing software bugs or weaknesses as risks that can be exploited by APT actors[8]. Developers are challenged to observe the software weakness from the viewpoint of a dedicated and persistent human threat versus an accidental hiccup created by a bot. This puts the development software team in a position to offer a proactive countermeasure, anticipating and effectively blocking the threat.
[1] Cybersecurity & Infrastructure Security Agency (CISA). (2021). Current Activity. U.S Department of Homeland Security, US-CERT. https://us-cert.cisa.gov/ncas/current-activity
[2] Repetto, M., Carrega, A., & Rapuzzi, R. (2021). An architecture to manage security operations for digital service chains. Future Generation Computer Systems, 115, 251–266. https://doi.org/10.1016/j.future.2020.08.044
[3] Mann, Z. Á. (2020). Secure software placement and configuration. Future Generation Computer Systems, 110, 243–253. https://doi.org/10.1016/j.future.2020.03.064
[4] Adelaiye, O., Ajibola, A., & Faki, S. (2018). Evaluating advanced persistent threats mitigation effects: a review. International Journal of Information Security Science, 7(4), 159–171.
[5] Ajibola, A., Ujata, I., Adelaiye, O., & Rahman, N. A. (2019). Mitigating advanced persistent threats: a comparative evaluation review. International Journal of Information Security and Cybercrime, 8(2), 9-20.
[6] Open Web Application Security Project (OWASP). (n.d.). Application threat modeling. https://owasp.org/www-community/Application_Threat_Modeling
[7] Quintero-Bonilla, S., & Martín del Rey, A. (2020). A new proposal on the advanced persistent threat: a survey. Applied Sciences, 10(11), 1-22. https://doi.org/10.3390/app10113874
[8] Quintero-Bonilla, S., & Martín del Rey, A. (2020). A new proposal on the advanced persistent threat: a survey. Applied Sciences, 10(11), 1-22. https://doi.org/10.3390/app10113874