Identifying APTs Through Healthy Network Testing

Author: Timothy Neuman, CISA, CIA
Date Published: 11 May 2020

Cybersecurity threats are often perceived as obviously and immediately disruptive to an organization’s operations. But more subtle threats can be equally debilitating. Advanced persistent threats (APTs) are cybersecurity threats designed to hide inside, but not disrupt, the host network and relay information back to their creators. Unlike phishing, APTs are highly sophisticated and subtle, capable not only of acquiring discrete data but also of penetrating proprietary and copyrighted software. The successful creation of APTs requires extensive knowledge of cybersecurity protocols, procedures and routines. The APT label is only given to long-term infiltrations that usually remain undiscovered until their mission is complete, that is, until all the captured information has been transmitted to the APT owner or enterprise operations have been completely disrupted.1

To build a proactive defense against APTs, the internal auditor must aid network administrators in conveying the following critical message to business managers: Internally testing a working network and causing temporary reduction of performance and possible temporary disruption of employee resources may be necessary to avoid larger disruptions.

Benefits of Reduced Productivity

Although management generally objects to activities that reduce the organization’s productivity, sometimes the benefits are worth the costs. For example, scheduled fire drills cause productivity to drop to nothing, but the cost is negligible when compared to the possible loss of life during an actual fire.

Network administrators routinely back up entire networks and, when necessary, restore single files at the request of data owners. These normal procedures help protect the data held within the computer network. However, when was the last time a single drive was completely reformatted to see if only the known files were installed or if unauthorized access had been granted to the entire drive? When was the last time the network administrator required every employee to turn off their computer for several minutes during the workday? Since network administrators are often rewarded for keeping the computer systems available and working, they have no incentive to change the availability of the networks or to request approval for work stoppages during business hours. Their success in these areas means management cannot compare the benefits of temporary stoppages against the costs of a major loss of data.

APTs are built to withstand the normal low-volume tests and planned disaster or other restoration processes. Even properly planned and executed standardized audit testing can be completed without incident.

Working in collaboration with the network administrator, the internal auditor can provide management with more effective proactive measures. When conducting unusual tests, there are some suggestions to keep in mind.

Mandatory Live Testing

There are several steps that provide a safe testing environment.

Step 1
The careful shutdown of a healthy network begins by understanding the resources utilized by the known applications that execute on each network segment. Using the Cybersecurity: Based on the NIST Cybersecurity Framework CSF Audit Program,2 the internal auditor can evaluate the established security controls. Network administrators can use the results to update network policies and procedures. Then, management can understand the importance of controls established within the network.

Step 2
Useful network logging systems should be utilized. Network administrators use various logging techniques to monitor the network’s performance, and internal auditors use specific automated data analytical tools that emphasize data protection. The resulting teamwork can provide an efficient and effective foundation for detecting unauthorized system information changes.

Step 3
The live test can now be conducted. Because the network administrators and auditors determine the timing and the testing methodology (not the situation or management requirements), the servers, network equipment and segmented network resources can be specifically tested for hidden APTs. This is not a recommendation that department managers and employees be kept uninformed; the key to the live test is that management does not control any part of the process development.

Step 4
Adopt a policy to repeat these scenario types on a continuing basis. Since APTs have not changed their overall strategy of seeking information and disrupting daily operations, the internal auditor does not need to significantly change testing methodologies. While the network administration team will spend more resources on each test, the general control risk and internal auditing skills developed by each testing process will increase the efficiency and effectiveness of the internal auditors.
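As an added illustration of Steps 2 and 3 (it is not code from the article or from ISACA), the following script checks what a network did around an auditor-controlled stoppage: it flags outbound connections made while workstations were ordered off or to destinations outside the approved list, and it diffs a service inventory taken before a drive was reformatted against the one observed after the restore. Host names, destinations, log lines and hashes are all constructed for the example.

```python
# Added example, not from the article: audit checks around a planned, auditor-controlled stoppage.
from datetime import datetime
# Approved outbound destinations per host, as agreed by the auditor and the network administrator.
APPROVED = {
    "ws-101": {("update.corp.test", 443), ("mail.corp.test", 993)},
    "ws-102": {("update.corp.test", 443)},
}
# Planned stoppage: every workstation was ordered off between these times (constructed window).
STOPPAGE_START = datetime(2020, 5, 11, 12, 2)
STOPPAGE_END = datetime(2020, 5, 11, 12, 10)
# Constructed connection log: "<ISO time> <host> <process> <destination>:<port>"
CONNECTION_LOG = """\
2020-05-11T12:01:04 ws-101 outlook.exe mail.corp.test:993
2020-05-11T12:03:30 ws-101 svchost.exe update.corp.test:443
2020-05-11T12:05:12 ws-102 updater.exe cdn.unknown.test:8443
"""
# Service inventory on ws-102 (name -> binary hash) before reformat and after restore; hashes are placeholders.
INVENTORY_BEFORE = {"Spooler": "h1", "WinDefend": "h2"}
INVENTORY_AFTER = {"Spooler": "h1", "WinDefend": "h9", "SyncHelper": "h7"}

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, host, proc, dest = line.split()
        name, port = dest.rsplit(":", 1)
        rows.append((datetime.fromisoformat(ts), host, proc, name, int(port)))
    return rows

def connection_findings(rows, start, end, approved):
    """Flag traffic from hosts that should have been off, and traffic to unapproved destinations."""
    findings = []
    for ts, host, proc, name, port in rows:
        reasons = []
        if start <= ts <= end:
            reasons.append("activity during planned stoppage")
        if (name, port) not in approved.get(host, set()):
            reasons.append("unapproved destination")
        if reasons:
            findings.append((host, proc, f"{name}:{port}", reasons))
    return findings

def inventory_changes(before, after):
    # Services that appeared, vanished or changed hash across the reformat and restore.
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "changed": sorted(s for s in set(after) & set(before) if after[s] != before[s])}

def run_audit():
    return (connection_findings(parse_log(CONNECTION_LOG), STOPPAGE_START, STOPPAGE_END, APPROVED),
            inventory_changes(INVENTORY_BEFORE, INVENTORY_AFTER))
```

Each finding is a lead for the auditor and administrator to follow up together; a connection from a host that was supposed to be off is exactly the kind of resource an APT must regain after a healthy disruption.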

Conclusion

APTs live inside externally connected networks. Internal auditors and network administrators can work as a team to perform healthy network disruptions during normal business hours. Forcing an APT to reinfect or regain required network resources—under the control and awareness of a cybersecurity auditor—can be an effective strategy for controlling the effects of an APT.

Editor’s Note

This article is excerpted from an article that appeared in the ISACA® Journal. Read Timothy Neuman’s full article, “Healthy Network Testing to Identify APTs,” in vol. 1, 2020, of the ISACA Journal.

Timothy Neuman, CISA, CIA
Has more than 20 years of information systems auditing and consulting experience. As a senior local county governmental auditor and South University (Savannah, Georgia, USA) adjunct professor, he utilizes the latest information system tools to evaluate, analyze and instruct the citizens of the Savannah area.

Endnotes

1 Rouse, M.; “Advanced Persistent Threat (APT),” TechTarget, July 2018
2 ISACA, Cybersecurity: Based on the NIST Cybersecurity Framework Audit Program, USA, 2016