Advanced persistent threats (APTs) are introduced by adversaries that possess sophisticated levels of expertise and significant resources, which allow them to achieve their objectives by using multiple attack vectors (e.g., cyberattacks, physical attacks, deception). The adversary may be an individual, group, organization or government that conducts, or has the intent to conduct, detrimental activities targeted at organizations and individuals.
The threats are global, the impact is local—and every organization, regardless of industry, should examine strategic options to mitigate this risk to business.
The old mantra “trust, but verify” has given way to the idea of a zero trust security model, which assumes the adversary is already inside the organization’s defenses. It is worthwhile to examine some options to reduce risk from APTs.
Core Components of Enhanced Cyberdefense
The US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 emphasizes that enhanced security requirements for a multidimensional, defense-in-depth (DiD) strategy, include 3 core components:1
- Penetration-resistant architecture (PRA)
- Damage-limiting operations (DLO)
- Cyber resiliency survivability (CRS)
DESPITE AN ORGANIZATION’S BEST EFFORTS TO IMPLEMENT PROTECTIVE MEASURES, APTS MAY FIND WAYS TO COMPROMISE OR BREACH BOUNDARY DEFENSES AND DEPLOY MALICIOUS CODE WITHIN A DEFENDER’S SYSTEM.
This cyberstrategy recognizes that despite an organization’s best efforts to implement protective measures, APTs may find ways to compromise or breach boundary defenses and deploy malicious code within a defender’s system. When this situation occurs, organizations must have access to safeguards and countermeasures to detect, outmaneuver, confuse, deceive, mislead and impede the adversary—that is, remove the adversary’s tactical advantage and protect the organization’s critical programs and High Value Assets (HVAs).
Attack vectors such as cyberattacks, physical attacks or deception pose threats to business operations and require organizations to rethink their cyberdefense approaches. There are 2 standards of valuable information that can impact the establishment of a credible cyberdefense, including the Certified Cybersecurity Maturity Model (CMMC) standard established by the US Department of Defense (DoD) and NIST SP 800-172.2, 3 Higher CMMC maturity levels are designed to specifically address APTs. Future cyberdefense strategy should be influenced by the CMMC and NIST SP 800-172.
Addressing the APT
Organizations should focus on enhancing their security requirements to mitigate APT risk. NIST has established an excellent reference for enhanced security requirements, NIST SP 800-172. Enhanced security requirements represent methods for protecting sensitive information, including personally identifiable information (PII), personal data (PD), Controlled Unclassified Information (CUI) or any other information regarded as high value by the organization.
Examples of enhanced security requirements that organizations need to integrate into their cyberdefense strategy include:
- Applying a threat-centric approach to security requirements specification
- Employing system and security architectures that support logical and physical isolation using system and network segmentation techniques, virtual machines and containers
- Implementing dual authorization controls for the most critical or sensitive operations
- Limiting persistent storage to isolated enclaves or domains
- Implementing a comply-to-connect approach for systems and networks
- Extending configuration management requirements by establishing authoritative sources for addressing changes to systems and system components
- Periodically refreshing or upgrading organizational systems and system components to a known state or developing new systems or components
- Employing a security operations center (SOC) with advanced analytics to support continuous monitoring and protection of organizational systems
- Using deception to confuse and mislead adversaries regarding the information they use for decision-making, the value and authenticity of the information they attempt to exfiltrate or the environment in which they are operating
The DoD’s CMMC Model
The CMMC establishes requirements for cyberresilience by mitigating risk posed by APTs to sensitive and confidential information and assets. This model measures cybersecurity maturity using 5 levels and aligns a set of processes and practices with the type and sensitivity of information to be protected and the associated range of threats. CMMC Maturity Levels 4 and 5 are specifically designed with APTs as the focus of security requirements that must be met. CMMC certification is a requirement for the DoD Defense Industrial Base (DIB) of more than 300,000 suppliers to the DoD. Those specific suppliers at risk from APTs will be required to meet CMMC Maturity Levels 4 or 5.
The CMMC model is an excellent reference for every cybersecurity professional at the senior leadership level to study and understand its applicability to reducing cyberrisk. Organizations should consider pursuing CMMC certification to establish a credible, evidence-based defense.
Conclusion
Forward-thinking organizations will focus on the 3 components described here. The first is an architecture that uses technology and procedures to limit the opportunities for adversaries to compromise an organizational system and to achieve a persistent presence in the system. The second key component is designing systems, missions and business functions to provide the capability to prepare for, withstand, recover from and adapt to compromises of cyberresources to maximize mission or business operations. Finally, the third component is the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use, or are enabled by, cyberresources.
Assume the adversary is already inside your network. Every organization must reimagine cyberdefense to mitigate business risk.
To learn more about improving cyberdefense to protect against APTs, watch Pabrai discuss his article in this video interview.
Endnotes
1 National Institute of Standards and Technology, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, USA, February 2021
2 Office of the Under Secretary of Defense for Acquisition and Sustainment—Cybersecurity Maturity Model Certification; CMMC Model, USA, 2020
3Ibid.
Uday Ali Pabrai, CISSP, CMMC PA, CMMC RP, HITRUST CCSFP, MSEE, Security+
Is the chief executive of ecfirst, an Inc. 500 business. His career was launched with the US Department of Energy’s nuclear research facility, Fermi National Accelerator Laboratory, in Chicago, Illinois, USA. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms. Pabrai is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. Pabrai can be reached at Pabrai@ecfirst.com.