Countering Advanced Persistent Threats A Strategic Approach to a Growing Danger

Booz Allen Hamilton's strategic approach to the growing danger of cyber threats known as Advanced Persistent Threats (APTs).

It was an insidious cyber attack—and no one knew it had even taken place. At a defense contracting company, several key employees received what appeared to be a routine e-mail from their boss, asking them to review an internal document that was attached. Although the document was genuine, the e-mail was not—it hid a sophisticated malware attack known to come from an advanced persistent threat.

Once the employees opened the attachment, they unwittingly unleashed havoc upon their organization. A malicious computer program (malware) installed itself on the company’s network, in the core of the system, and began sending the attackers a wealth of proprietary information, including the company’s bidding strategies and other competitive secrets. Because the attack was surreptitious, no one suspected anything was amiss—not until nearly a year later when company IT officials, investigating a slowdown in the network, discovered that the system was being clogged by enormous data downloads to a foreign site at odd, nonbusiness hours.
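As an added illustration (not code from the Booz Allen paper), the off-hours bulk transfer that finally exposed the intrusion in this anecdote is the kind of signal a simple baseline check over outbound flow records can surface months earlier; the internal address ranges, business hours and thresholds below are assumptions, and the flow records are constructed.

```python
"""Flag hosts whose off-hours outbound volume to external addresses dwarfs
their business-hours baseline (added example; assumptions marked inline)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed: the organisation's own internal ranges and working hours.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)       # 08:00-17:59 on weekdays
OFFHOURS_RATIO = 5.0                # off-hours bytes must exceed 5x baseline
MIN_OFFHOURS_BYTES = 100 * 2**20    # and at least 100 MiB, to skip noise

# Constructed flow records: "timestamp,src,dst,bytes_out" (2012-03-05 is a Monday).
FLOWS = """\
2012-03-05T10:15:00,10.1.2.7,203.0.113.45,1200000
2012-03-05T14:40:00,10.1.2.7,203.0.113.45,800000
2012-03-06T02:10:00,10.1.2.7,203.0.113.45,900000000
2012-03-07T03:05:00,10.1.2.7,203.0.113.45,950000000
2012-03-05T11:00:00,10.1.2.9,10.1.5.20,5000000000
2012-03-06T01:30:00,10.1.2.9,198.51.100.10,2000000
2012-03-05T23:15:00,10.1.2.11,198.51.100.10,300000000
2012-03-05T12:00:00,10.1.2.11,198.51.100.10,400000000
"""

def parse_flows(text):
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split(",")
        yield datetime.fromisoformat(ts), src, ip_address(dst), int(nbytes)

def offhours_exfil_suspects(text, ratio=OFFHOURS_RATIO, min_bytes=MIN_OFFHOURS_BYTES):
    """Return {src: (business_hours_bytes, offhours_bytes)} for suspicious hosts."""
    biz, off = defaultdict(int), defaultdict(int)
    for ts, src, dst, nbytes in parse_flows(text):
        if any(dst in net for net in INTERNAL_NETS):   # internal transfer, not exfil
            continue
        working = ts.weekday() < 5 and ts.hour in BUSINESS_HOURS
        (biz if working else off)[src] += nbytes
    suspects = {}
    for src, off_bytes in off.items():
        biz_bytes = biz.get(src, 0)
        if off_bytes >= min_bytes and off_bytes > ratio * max(biz_bytes, 1):
            suspects[src] = (biz_bytes, off_bytes)
    return suspects

if __name__ == "__main__":
    for host, (b, o) in offhours_exfil_suspects(FLOWS).items():
        print(f"{host}: {o / 2**20:.0f} MiB off-hours vs {b / 2**20:.1f} MiB in business hours")
```

Only 10.1.2.7 is reported: 10.1.2.9's large transfer is internal, and 10.1.2.11's night-time volume is in line with its daytime baseline.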

What makes Advanced Persistent Threats (APTs) so effective is that, unlike traditional attacks on known system vulnerabilities, they can breach computer networks from the outside—and the inside—with sophisticated technological attacks that common defenses simply do not recognize. The malware is introduced into the system and bypasses even the most technologically advanced perimeter and network defenses. Once the programs connect to a victim’s workstation, they quickly establish command-and-control channels that give the attackers further, and in some cases deeper, access to the organization’s entire network. They typically use unknown malicious code, and are often so well hidden that they can operate undetected—and with impunity—for long periods of time.

The danger continues to grow. Advanced Persistent Threats have compromised computer networks in virtually every government agency and department, and have invaded the systems of nearly every major defense contractor. The threats come from a variety of sources, including criminal groups, hackers, terrorists, and even nation states, whose motives range from industrial espionage, to stealing intellectual capital, to theft of military secrets. These attacks threaten the nation’s economy as well as national security.

While cyber attackers have long tried to gain access to computer networks as an insider and as an external threat, during the last several years they have become highly adept at tricking employees into inadvertently opening access without really knowing they are doing so. Adversaries often do a remarkable amount of computer surveillance on an organization, learning who the key players are, which documents they would typically send, and who they would send them to. The attackers then carefully design their fraudulent e-mails to appear real in every way.

This new level of sophistication has led to an explosion of APTs, one that many organizations are ill-prepared to counter. Faced with such a daunting challenge, some organizations may rely on technological solutions alone. In reality, these attacks require a coordinated, organization-wide approach that is strategic and tactical.

Such an approach has four primary components:

Find the Advanced Persistent Threats—Triage and Stop the Bleeding

An organization’s first goal is to identify the threats that are already on its networks. The next step is to determine precisely how the system is being compromised, and what should be done to mitigate the attacks. All of this must be accomplished with stealth—if adversaries become aware of detection attempts, they can evade or even retaliate against them.

Identifying the “Crown Jewels”

These are the organization’s most critical assets, functions, and services—ones that must remain secure and available even if a threat has invaded the network, and merit the primary security investment. This task is often fraught with difficulty. One challenge is to determine how protecting—or failing to protect—these crown jewels will affect the organization’s legal and fiduciary responsibilities. In addition, it is rarely easy to get stakeholders to agree on exactly what the crown jewels are. And key stakeholders must be persuaded to back network security measures, especially if it means changing business processes and personnel.

Assess the Current Security Posture—Vulnerability Determination and Benchmarking

This is an enterprise-wide assessment of the extent to which current network security measures are able to meet the organization’s goals. The initial task is to determine precisely how the attackers were able to invade the network, and what their full impact was. Organizations then evaluate how well current measures can protect the crown jewels, so they can begin to develop the range of options available to mitigate the risk. A key goal is to identify all of the technical and policy issues that must be addressed in a risk-management plan.

Develop a Formal Risk-Management Plan—Operating Model Design and Strategic Planning

Organizations must take specific countermeasures against advanced persistent threats. At the same time, they must also develop a plan to protect the crown jewels even after an attack is in the network. This often means significantly limiting internal access to certain areas of the network. The challenge lies in how to do that while still enabling an organization to maintain normal business operations.

Traditional security measures seek to protect all infrastructure and data. But as threats become increasingly sophisticated, that is not always possible—both from an operational and an investment standpoint. A risk-management plan considers the trade-offs, and creates an operating model that enables organizations to make the best choices now—and to quickly adapt their strategies as conditions change.

A Culture of Cybersecurity

Any successful approach to APTs must be integrated into the entire organization and its culture. Particular attention should be paid to five areas:

• Policy and Governance. This provides the unity of purpose necessary to leverage resources, reduce conflict and duplication of effort, and work toward long-term cybersecurity goals.

• Leadership and Culture. Because APTs attack a network from within, everyone in an organization must be security-minded.

• Technology and Standards. Threats must be met with advanced technology, as well as with standards that ensure no part of an organization is more vulnerable than another.

• Management and Budgeting. Resources and budgets must be closely aligned with priorities.

• Planning and Operations. Organizations must build effective cybersecurity operations that systematically assess and respond to threats, and quickly recover from any attacks.

As adversaries develop increasingly sophisticated APTs, organizations must become equally sophisticated in countering them. The risk is substantial, but it can be mitigated—if organizations take a holistic approach.

About Booz Allen Hamilton

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for nearly a century. Today, Booz Allen is a leading provider of management and technology consulting services to the US government in defense, intelligence, and civil markets, and to major corporations, institutions, and not-for-profit organizations. In the commercial sector, the firm focuses on leveraging its existing expertise for clients in the financial services, healthcare, and energy markets, and to international clients in the Middle East. Booz Allen offers clients deep functional knowledge spanning strategy and organization, engineering and operations, technology, and analytics—which it combines with specialized expertise in clients’ mission and domain areas to help solve their toughest problems.

The firm’s management consulting heritage is the basis for its unique collaborative culture and operating model, enabling Booz Allen to anticipate needs and opportunities, rapidly deploy talent and resources, and deliver enduring results. By combining a consultant’s problem-solving orientation with deep technical knowledge and strong execution, Booz Allen helps clients achieve success in their most critical missions—as evidenced by the firm’s many client relationships that span decades. Booz Allen helps shape thinking and prepare for future developments in areas of national importance, including cybersecurity, homeland security, healthcare, and information technology.

Booz Allen is headquartered in McLean, Virginia, employs approximately 25,000 people, and had revenue of $5.86 billion for the 12 months ended March 31, 2012. For over a decade, Booz Allen’s high standing as a business and an employer has been recognized by dozens of organizations and publications, including Fortune, Working Mother, G.I. Jobs, and DiversityInc. More information is available at www.boozallen.com. (NYSE: BAH)

Author: Ed Kanerva, Vice President, [email protected]

Contacts: Thomas Chandler, [email protected]; Anthony Harris, Senior [email protected]; Mark Eckert, Senior [email protected]

www.boozallen.com ©2013 Booz Allen Hamilton Inc.

04.093.13A