Hi community members,
I'm working as a Cloud Security Architect at a Tech Services Company with 10000+ employees.
I'm looking for a security solution to detect and prevent APT attacks.
Can anyone suggest a good and cost-effective solution? Please explain why you would choose this particular tool or solution.
Thank you!
APT attacks are tough. And as already mentioned, there is no single solution for it. To me, there are two areas that are important to consider protecting.
1) Attacks from outside to inside: An APT attack that is launched from outside and maybe focused, like a DDoS attack, on just denying your service. For this type of attack, you have DDoS solutions, intrusion detection systems, etc. These systems focus on patterns that signify unexpected behavior or traffic. To avoid it, firewalls, etc. can block IP addresses, and/or you can try to change your public IP address and deflect attacks to different websites.
2) Attacks from inside: These are attacks where malware has been installed on computers, servers, etc. within your organization and essentially opens a bridge to the outside. These are more difficult to protect against and to find, since malware can lie dormant for some time before it becomes active. Most relevant to prevent these attacks are malware/virus scanners on systems and on incoming and outgoing emails. Since a lot of this malware uses default protocols like HTTP and HTTPS, it is hard to detect among the other normal HTTP traffic. Protecting your laptops, phones, and servers inside also requires educating your users on what to do and what not to do.
Cost-effective solutions:
- I am sure there are cheap intrusion detection, firewall, etc. products out there that you can use. And if kept up to date, they might protect you for at least 80%. The same goes for internal virus scanners and malware scanners. Again, some open-source tools are quite useful.
However, in the case of an APT, you have to realize that this will normally be a targeted attack, which is planned, where a hacker or group has analyzed your security for some time and probably has found a way to attack. As such, open-source tools will normally not help you enough to be able to mitigate or resolve when such an attack occurs. This will require adaptive tools to recognize the attack and run countermeasures. In this case, more advanced/commercial software/systems will be necessary.
You will also need to consider that, besides the tool or software, you will need the resources and knowledge to be able to operate these tools/software. And then there is the maintenance and keeping the systems up to date, which is another requirement to stay ahead of an APT.
So being cost-effective depends on the budget, knowledge, and amount of threat.
The higher the threat, the higher the investment to be protected.
If budget and knowledge are constrained or sparse, I would recommend hosting your public services/websites with a cloud provider that has the necessary security already set up.
For protecting your office environment, I would recommend checking specialized service companies like Akamai, to have them analyze and advise you on a cost-effective solution to protect you. These types of companies are security-focused and keep their security systems up to date, and you as a customer informed. To me, if you are a small-sized company, these are the 2 most effective solutions.
If you are small enough and the threat and risk are not that high, then I would recommend building the expertise and starting with open-source, default protection tools. E.g. for home I have a standard open-source IDS deployed, which protects my home fairly well. But then my home has a low threat for APT types of attacks.
I hope this helps you.
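The answer above points out that malware calling home over HTTP/HTTPS is hard to pick out of normal web traffic. As an added illustration (not part of the answer), one property that still tends to give it away is timing: implants often check in at a near-fixed interval, while human browsing is bursty. The script below parses constructed proxy log lines, groups requests by (client, host) and flags pairs whose inter-request gaps have very low relative jitter; the log format, hosts, addresses and thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: "<timestamp> <client_ip> <host> <bytes>".
# 10.0.0.5 calls one host roughly every 60 s; 10.0.0.7 browses in bursts.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example-cdn.test 512
2024-03-01T09:00:57 10.0.0.5 updates.example-cdn.test 498
2024-03-01T09:02:01 10.0.0.5 updates.example-cdn.test 530
2024-03-01T09:02:59 10.0.0.5 updates.example-cdn.test 501
2024-03-01T09:04:00 10.0.0.5 updates.example-cdn.test 515
2024-03-01T09:00:03 10.0.0.7 news.example.test 20480
2024-03-01T09:00:04 10.0.0.7 news.example.test 1024
2024-03-01T09:15:40 10.0.0.7 news.example.test 30000
2024-03-01T09:16:02 10.0.0.7 news.example.test 2048
2024-03-01T10:05:00 10.0.0.7 news.example.test 19000
"""

def parse_log(text):
    """Return {(client, host): [timestamps]} from the simple log format above."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _size = line.split()
        sessions[(client, host)].append(datetime.fromisoformat(ts))
    return sessions

def find_beacons(text, min_requests=4, max_cv=0.2):
    """Flag (client, host) pairs whose request timing is suspiciously regular.

    cv = stdev / mean of the gaps between consecutive requests; a small
    value means near-constant intervals. Thresholds are illustrative only.
    """
    hits = []
    for (client, host), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits.append((client, host, round(mean(gaps)), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for client, host, period, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: ~{period}s period, jitter cv={cv}")
```

Real implants add randomised sleep, so a heuristic like this is a starting point for hunting, not a detection rule on its own.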
@Satish Singh,
Thank you for your question; it's one that requires deeper thought and understanding of the impacted environment.
Several things you can do: have an up-to-date IRP (Incident Response Plan). This plan includes all layers of your organization from top to bottom. It is a living document subject to review and change as needed, and everyone involved has a part to play and needs to understand what their part is should an incident happen.
Use products like dnstwist to review third-party-run domains that are close to your own domain name. Work with the ISPs/DNS authorities to remove bunk domains known to attack yours.
Make sure to have a proper email security application or gateway in place. I prefer products like Avanan or Proofpoint.
User education is key here. Make sure your user base understands what phishing emails are and how to handle/ report them.
If you need help on the security side of things, partner with an MSP and have access to a NOC or SOC 24/7 that can monitor for threats and respond on your behalf if needed.
Make sure to adopt a least-privilege model for user access to PCs, servers, etc. Give users access only to what they need to perform their work.
Split up your networks if possible. Avoid using a flat network where you're unable to lock down a network should malware get inside your network.
Use a strong EDR solution like SentinelOne.
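The answer above recommends dnstwist-style review of domains that look like your own. As an added example (not the answerer's code and not dnstwist itself), the script below re-implements the core idea in a simplified form: generate look-alike candidates for a domain by omission, repetition, transposition, homoglyph substitution and TLD swap, then cross-check them against a constructed list of domains observed elsewhere (the kind of data a passive-DNS or certificate-transparency feed would give you). The homoglyph table, TLD list and observed domains are illustrative assumptions.

```python
# Homoglyph swaps often seen in look-alike registrations (illustrative subset).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv"}

def lookalikes(domain):
    """Generate dnstwist-style permutations of a domain's first label.

    Returns {candidate: technique}: character omission, repetition,
    adjacent transposition, homoglyph substitution and TLD swap. The
    input domain itself is never included.
    """
    domain = domain.lower()
    label, _, tld = domain.partition(".")
    out = {}

    def add(candidate, how):
        full = f"{candidate}.{tld}"
        if full != domain and full not in out:
            out[full] = how

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")
        add(label[:i] + ch + label[i:], "repetition")
        if i + 1 < len(label) and ch != label[i + 1]:
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
        if ch in HOMOGLYPHS:
            add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "homoglyph")
    for alt in ("co", "com", "net", "org"):
        if alt != tld:
            out[f"{label}.{alt}"] = "tld-swap"
    return out

def review(domain, observed):
    """Cross-check look-alikes against domains observed elsewhere (e.g. a
    passive-DNS or certificate-transparency export) and return the matches
    as [(domain, technique)], sorted, for takedown/blocklist follow-up."""
    cands = lookalikes(domain)
    return sorted((d, cands[d]) for d in (x.lower() for x in observed) if d in cands)

# Constructed sample: domains "seen" in a newly-registered-domains feed.
OBSERVED = ["exarnple.com", "example.com", "news.example.test",
            "exmaple.com", "example.org"]

if __name__ == "__main__":
    print(len(lookalikes("example.com")), "candidates generated")
    for hit, how in review("example.com", OBSERVED):
        print(f"{hit:<20} {how}")
```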
When you are considering cost-effectiveness
Hardening perimeter defenses such as firewalls and antivirus is a pivot point of preventing APT malware from being installed on your computer systems.
Not sharing account details, recognizing phishing attempts at the first stage, safe web browsing at work.
For me, no clear-cut solution is effective... it's a mixture of solutions/tools you may use when you are tackling the aftermath... There are solutions like Trend Micro XDR which can trace back, but they are not so cost-effective.
APT attacks use cutting-edge technology and hacking methods to sneak into a company's system, so the best thing is prevention...
Hi, from my side, I have checked the Deceptive Bytes solution. My preliminary opinion is that the solution can prevent APT with high efficiency.
Hi @Satish Singh,
No single solution will 100% protect the environment.
You need multiple layers of security working together, all the time, in addition to constant network monitoring.
With that said, there are multiple ways to protect against advanced persistent threats.
Install a Firewall
Choosing a firewall is an essential first layer of defense against APT attacks.
Software firewalls, hardware firewalls, and cloud firewalls are the 3 most common types of firewalls used – any of which will help you prevent advanced persistent threats.
Enable a Web Application Firewall
A web application firewall is a useful tool for defeating APT attacks because it can detect and prevent attacks coming from web applications by inspecting HTTP traffic.
Install an Antivirus
Up-to-date antivirus programs can detect and prevent a wide range of malware, trojans, and viruses, which APT hackers will use to exploit your system.
Make sure that your antivirus can access real-time data and detect the newest threats, instead of only being able to recognize well-known malware.
Implement Intrusion Prevention Systems
Intrusion prevention systems (IPS) are an essential IT security service that monitors your network for any strange behavior or malicious code and alerts you if any is found.
This is a powerful tool for recognizing network compromises before they can be exploited.
Create a Sandboxing Environment
A sandbox is a secure, virtual environment that allows you to open and run untrusted programs or code without risking harm to your operating system.
If a file is found to be infected, you isolate it, remove it, and prevent future infections.
Install a VPN
Remote access risks, such as an insecure WiFi hotspot, present an easy opportunity for APT hackers to gain initial access to your company's network.
A virtual private network (VPN) provides an encrypted “tunnel” that you and your employees can use to access your network without cybercriminals snooping on your activity or gathering your data.
Enable Email Protection
Email is one of the most-used and most-effective forms of infiltration.
Advanced persistent threat protection relies on good software as much as it does on good end-user behavior.
Enable spam and malware protection for your email applications, and educate your employees on how to identify potentially malicious emails.