Best Practices for Mitigating Advanced Persistent Threats

12 September 2013 ID: G00256438
Analyst(s): Lawrence Pingree, Neil MacDonald, Peter Firstbrook


This document provides information security practitioners with strategic and tactical best practices to mitigate advanced targeted malware by leveraging both existing and emerging security technologies.


Key Challenges

  • A comprehensive strategy across network, edge, endpoint and data security positions organizations to hunt for new attacks and compromised systems, minimizing the risk posed by APTs.
  • Because people tend to be easier to target than systems, adversaries use social engineering and social networks to target sensitive roles or individuals within an organization who have knowledge of, use of or access to the targeted data.
  • Incident response must be improved to include capabilities such as in-house or third-party forensics and malware analysis, and to handle the additional visibility gained from the latest technologies deployed in your security control ecosystem.

Recommendations

  • Security program managers need to develop a strategy for dealing with advanced threats that leverages tactical best-practice technology configurations, emerging technologies and incident response processes, so that the most common advanced targeted attack scenarios are properly addressed and both detection and prevention capabilities improve.
  • Implement and improve SIEM capabilities to include integrations with DLP, NBA and user access patterns (IAM) to improve contextual awareness within the enterprise. The monitoring and analysis of the output of security controls are as important as the operation of the security controls themselves.
  • Acknowledge that not all threats can be prevented; therefore, the speed at which incidents are detected and responded to is also critical. Seek to identify currently compromised systems even when no malware has been detected by traditional security controls. Improve incident response processes through staff augmentation and/or education.

Many security practitioners see the term "advanced persistent threat" (APT) as primarily a marketing term but acknowledge that there are advanced threats that have bypassed their traditional security protection techniques and reside undetected on their systems. This research will enable security practitioners to understand some of the new threats they face and the best-practice steps they must take in order to reduce the risk of compromise against the advanced adversaries taking direct aim at their organizations.


Use a Strategic Security Approach to Implement Tactical Best-Practice Controls

Best-Practice Strategies

  • Use a comprehensive approach; no one single technology will stop advanced targeted attacks, even products specifically targeted at advanced forms of attack.
  • Review your existing technologies and utilize advanced features in the latest products or services to keep up with changes in the threat landscape. Also read "Five Styles of Advanced Threat Defense" for a framework to compare the styles of ATA-targeted defense technologies.
  • Acknowledge that technology alone won't stop ATAs; your strategy must include the search for compromised systems, improvements in your forensics and incident response capabilities, and rapid response. Review the best practices below, but do so with the mindset of unifying the security processes between each technology so that effective response to threats is possible and the detection and reduction of breach events is the more likely result.
  • C-level executives must recognize the need to staff appropriately to ensure you can operate the latest security technologies your organization deploys to protect itself. If necessary, engage third parties to manage or operate more mature security controls while you focus more on the strategic security processes and technologies.
  • Context-aware security controls (see "The Future of Information Security Is Context Aware and Adaptive") should be a key requirement when evaluating the next generation of security protection platforms (network, endpoint, edge and so on). For example, context-aware security controls may introduce orchestration and graduated response enforcement that can adapt when malfeasance is detected in external integrated controls.
  • Ongoing integration and sharing of security intelligence among your disparate security technologies and other external organizations should be a stated security program goal.

What Best Practices Must Be Adopted to Reduce the Threat of ATAs?

Keep Up to Date With the Threat Landscape

Best Practices
  • Review your IT security department's education budget and ensure you have allocated continuing education funds for security-specific initiatives, for both your security team and the wider organization, that address the latest techniques for reducing the delivery of advanced forms of malware (examples: how to avoid phishing attacks and how to analyze malware).
  • Create a role-centric security awareness program focusing on educating employees on the sensitive roles they hold so that these employees better understand how attackers are attempting to gain access to company data and how that data is likely to be used (examples: finance, accounts payables, human resources and business operations).
  • Invest in forensics and malware sandbox analysis capabilities, but realize that incident response workloads will increase; midsize and small organizations should consider outsourced incident response models to augment staff against resource constraints. For enterprises, the security team should ensure that education on malware analysis and incident response is a critical focus area, at least for members associated with these functions.
  • Consider extending your involvement with external information and security-related nonprofit organizations (see Note 1) and vertically aligned industry groups to enhance knowledge and collaboration of your security team and organization with others in aligned industries.
  • Establish relationships with government-sponsored security threat and information-sharing programs1 to boost collaboration and enhance the response characteristics of your incident response procedure or process (examples: the Financial Services Information Sharing and Analysis Center [FS-ISAC], Red Sky Alliance, the Forum for Incident Response and Security Teams [FIRST], InfraGard and the Computer Emergency Response Team/Computer Security Incident Response Team [CERT/CSIRT]).
  • Assign at least one security team member to regularly review news articles, publications and critical infrastructure protection alerts, compare this information with your current vulnerabilities and known risk profile, hunt for compromised systems and prioritize essential remediation efforts.
  • Subscribe to security intelligence services (see "How to Select a Security Threat Intelligence Service") that provide information on a regular basis to keep up with the latest malicious activities and event information as well as how vulnerabilities are being exploited.

Thwart Social Engineering Techniques Through Education

Best Practices
  • Review company policy to ensure that it has taken appropriate steps to prevent the inappropriate posting of internal information onto public social media sites. Your policy should extend the applicability of the data classification framework to data posted to external sites and include punitive language such as a termination clause.
  • Ensure that your end-user security awareness programs highlight that disclosure of current or active individual job role information onto the Internet is highly discouraged by the company (remain mindful of freedom of speech issues), and also highlight that this information is often used by attackers to identify employees to attack with targeted malware content and malicious URLs.
  • Augment your awareness campaigns to properly describe how attackers are actively using external data repositories to generally target employees through the use of social engineering techniques to gain their trust, and stress the importance of the suspicious mindset for all communications through email and via the Web.
  • Social engineering attacks will often target user credentials. Therefore, it is important that an organization monitor when there are variances in user authentication times; for example, users logging on at odd hours of the day or simultaneously at a different geolocation.
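The monitoring called for in the last bullet, as an added example that is not part of the original research note: it flags logons outside an assumed business window and consecutive logons by the same user whose geographic separation implies an impossible travel speed. The sample events, the 07:00 to 20:00 window and the 900 km/h threshold are constructed assumptions for illustration.

```python
"""Added example (not from the original research note): flag the two
authentication anomalies the text calls out, logons at odd hours and
logons from different geolocations too close together in time for the
same person to have travelled between them.  Sample events, the
working-hours window and the speed threshold are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample logon events: (user, timestamp, source country, latitude, longitude).
# Timestamps are treated as the user's local time so "odd hours" can be judged directly.
SAMPLE_EVENTS = [
    ("alice", "2013-09-12T09:02:11", "US", 40.71, -74.01),   # New York
    ("alice", "2013-09-12T09:40:53", "RO", 44.43, 26.10),    # Bucharest, 38 minutes later
    ("bob",   "2013-09-12T03:15:00", "US", 37.77, -122.42),  # 03:15 logon, outside business hours
    ("bob",   "2013-09-12T14:05:00", "US", 37.77, -122.42),
    ("carol", "2013-09-12T10:00:00", "DE", 52.52, 13.41),    # Berlin
    ("carol", "2013-09-12T18:30:00", "DE", 48.14, 11.58),    # Munich, 8.5 hours later: plausible
]

WORK_START_HOUR = 7              # assumed business window: 07:00 to 20:00 local time
WORK_END_HOUR = 20
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner cruising speed (assumption)
MIN_DISTANCE_KM = 100.0          # ignore geolocation jitter within one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_event(event):
    """Turn a raw tuple into (user, datetime, country, lat, lon)."""
    user, ts, country, lat, lon = event
    return user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), country, lat, lon


def find_odd_hour_logons(events, start=WORK_START_HOUR, end=WORK_END_HOUR):
    """Return (user, timestamp) for every logon outside the assumed business window."""
    hits = []
    for user, when, _country, _lat, _lon in map(parse_event, events):
        if not (start <= when.hour < end):
            hits.append((user, when.isoformat()))
    return hits


def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return one finding per consecutive logon pair (same user) whose implied
    travel speed exceeds max_speed_kmh.  Pairs closer than MIN_DISTANCE_KM are
    ignored; identical timestamps from distant places are reported as infinite speed."""
    by_user = defaultdict(list)
    for user, when, country, lat, lon in map(parse_event, events):
        by_user[user].append((when, country, lat, lon))

    findings = []
    for user, logons in by_user.items():
        logons.sort()  # chronological order per user
        for (t1, c1, lat1, lon1), (t2, c2, lat2, lon2) in zip(logons, logons[1:]):
            km = haversine_km(lat1, lon1, lat2, lon2)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            speed = float("inf") if hours == 0 else km / hours
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "first": (t1.isoformat(), c1),
                    "second": (t2.isoformat(), c2),
                    "distance_km": round(km),
                    "implied_speed_kmh": speed if speed == float("inf") else round(speed),
                })
    return findings


if __name__ == "__main__":
    for hit in find_odd_hour_logons(SAMPLE_EVENTS):
        print("odd-hour logon:", hit)
    for finding in find_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", finding)
```

In a SIEM, the same two checks would run as correlation rules over the authentication logs the VPN, directory and application layers already forward.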

Best Practices That Apply to All Technical Control Layers

  • Ensure you are using the latest offering and engine from your security platform protection provider. Standardize on a short turnaround for testing and deploying signature updates. Most platforms have evolved well beyond purely signature-based approaches for malware detection to include behavioral and anomaly detection capabilities.
  • Evaluate the context-aware security capabilities of your security platform provider. Security platforms must become context-aware (identity, application, content, location, geolocation and so on) in order to make better information security decisions regarding ATAs (see "The Future of Information Security Is Context Aware and Adaptive"). If your provider doesn't offer this or have it on its road map, consider switching vendors.
  • Use linkage into reputation services (see "Emerging Technology Analysis: Cloud-Based Reputation Services"). As with content, pure blacklist-based approaches for IP address filtering, URL filtering and email sender filtering no longer work. Next-generation security platforms incorporate cloud-based community context for determining the relative reputation of an entity, typically an IP address or URL. At a minimum, communications with IP addresses and URLs with low reputations should be logged, and some organizations will choose to block these entirely.
  • Enable the data loss prevention (DLP) capabilities of each platform. Most security policy enforcement points have embedded DLP capabilities to detect when sensitive data is being handled by each layer. Alternatively, these security platforms may integrate with enterprise content-aware DLP offerings for their patterns. Review and implement the DLP capabilities of the platform to ensure it is configured to detect, and use a workflow to approve or block, the release of sensitive data types such as credit card numbers, intellectual property and personally identifiable information as needed.
  • Integrate with security information and event management (SIEM). All of the security platforms in this research document create logs of activity and events. Consolidating this vital data into broader SIEM platforms increases the ability to correlate and report events in an integrated fashion, enabling more effective incident response prioritization.

Upgrade Your Perimeter and Network-Based Security

IPsec and SSL VPN Remote Access Connections

  • Review your VPN devices and ensure all users are required to utilize a risk-appropriate authentication method prior to authorization (see Gartner research titled "Good Authentication Choices for Workforce Remote Access").
  • Review your VPN device policy and ensure that users are only permitted to the internal environment that they specifically need to access and not to the entire organization.
  • Implement internal inspection devices, such as intrusion prevention system (IPS) and network behavior analysis (NBA) technologies between your VPN termination device and your internal network environment so that attacks or behaviors can be discovered or prevented within your remote access network infrastructure.
  • Consider technologies that allow for the termination and security inspection of Secure Sockets Layer (SSL) traffic so that attacks cannot be carried out inside an encrypted tunnel back to your internal applications or systems, hidden from your security inspection technologies.
  • Validate that monitoring controls are in place, that appropriate levels of logging are performed off-device on centralized log servers, and that security information management systems are deployed so that attacks can be detected or analyzed through additional analysis or correlation of incoming events.
  • Regularly review VPN events identified and ensure these are correlated in your SIEM technology and look for anomalous patterns of activity. Leverage vendor-supplied anomaly detection and alerting capabilities when technically feasible.
  • Where possible, reduce the use of direct network-level VPN access and shift to Web-enabled access or application-level VPNs.
  • For mobile devices, consider implementing a mobile device management technology to ensure basic consistency of security controls extended out to mobile devices and to ensure compliance with these policies before VPN access is granted.
Vendor Samples
  • Authentication technology vendors: RSA, The Security Division of EMC; ActivIdentity; CryptoCard; SafeNet; Symantec; Vasco; Nexus Technologies; PhoneFactor; SMS Passcode; and SecurEnvoy
  • SSL VPN vendors: Juniper Networks, Cisco Systems and Citrix
  • Mobile device management vendors: Sybase, Good Technology, AirWatch, MobileIron, MaaS360 and Tango (see "Magic Quadrant for Mobile Device Management Software")

Next-Generation Firewalls

Best Practices
  • Review and, if necessary, adjust your egress network firewall rules in order to ensure only business-critical services are permitted to both enter and leave the network; this includes the consideration of geographical filtering at the country level (GEO IP filtering).
  • Review and, if necessary, adjust your ingress network firewall rules in order to ensure only critical inbound services are permitted to enter the network; this also includes geographical blocking or filtering at the country level based on business need.
  • Consider the use of application awareness (a form of context awareness) provided in next-generation firewall (NGFW) functionality that leverages deep packet inspection techniques to permit valid (authorized) applications and deny everything else. To enable the NGFW functionality, you may need to perform a firewall refresh if you are using legacy firewalls that only provide filtering based on IP protocols, source and destination IP address, and port numbers.
  • Review and (if available) regularly implement new capabilities provided by the latest firewall technologies to incorporate new concepts that emerge such as today's dynamic threat feeds that are provided via hosted or cloud-based services to deliver malicious threat lists for instant blocking at the firewall (don't allow your firewall technology to stagnate).
  • Ensure proper zoning and segmentation is performed in your internal network environment (not just the demilitarized zone [DMZ]) and that proper firewall logging and inspection is performed between high- and low-security segments.
  • Ideally, implement an NGFW that converges firewall and IPS capabilities so that separate platforms are not needed.
  • Review and, if available, implement the latest firewall capabilities to perform advanced examination of executables and other content using either emulation and/or virtualization (sandbox) technologies either hosted in a cloud or on a separate appliance to identify targeted polymorphic malware through behavioral analysis.
Vendor Samples
  • NGFW vendors: Check Point Software Technologies, Palo Alto Networks, Fortinet and SonicWALL

Intrusion Prevention Devices

Best Practices
  • Review and, if necessary, adjust intrusion prevention security enforcement policies to block rather than just detect known attacks and attack signatures and selectively enable more signatures when possible. Decide acceptable trade-off between potential false positives and better ATA prevention or detection.
  • Review your IPS and ensure that the technology you are using has the latest botnet prevention technology to prevent botnet command and control network activity. Likewise, see if communications to other types of low-reputation IP addresses can be blocked or allowed and logged for further investigation.
  • Review your IPS's features and ensure it provides host and traffic anomaly detection (for example, by processing NetFlow data) and has capabilities to prevent, or at minimum detect and alert on, anomalous (statistically deviant) traffic exiting through your perimeter devices.
  • Review your current intrusion prevention implementation and, if available, implement blocking capabilities that include reputation-based or real-time block list threat feeds provided by your technology vendor.
  • Review and, if necessary, adjust protocol anomaly detection and prevention capabilities to ensure nonstandard communications are blocked while expected and authorized protocol communications are allowed through known standard ports; for example, permit HTTP on TCP port 80 but do not permit an FTP session through the standard HTTP port.
  • Review and ensure all critical and Internet traversal network segments are inspected with IPSs that are configured to block known high- and medium-high-fidelity signatures with low false positives as directed by your technology provider.
  • Make sure that network visibility extends into virtualized environments either by tapping internal virtual switch traffic out for external inspection or by virtualizing IPS capabilities and running directly within the virtualized environment.
  • Terminate encrypted sessions so that session content may be inspected.
  • Ideally, implement an NGFW that converges firewall and IPS capabilities so that separate platforms are not needed.
Vendor Samples
  • IPS vendors: McAfee (Intel), Sourcefire, Cisco, IBM, HP TippingPoint, Radware and Check Point Software Technologies

Web Application Security

Best Practices
  • Combine both static and dynamic code analysis in order to reduce vulnerabilities in Web applications.
  • Acknowledge that internal procedures and static code analysis are no longer enough to protect against common Web vulnerabilities and that Web application firewalls are an essential ingredient to the defense against advanced targeted Web attacks.
  • Prefer solutions that have comprehensive coverage and specific templates for protecting common Web front ends and content management systems used for your enterprise Web applications.
  • Prefer Web application firewalls that have the capability to share intelligence via reputation feeds, offer fraud detection services, and offer the capability to perform browser and endpoint security and spyware infection assessment.
  • Review your Web application firewall configuration and implement vendor-recommended prevention settings.
Vendor Samples
  • Application security testing vendors: IBM, HP, Veracode, WhiteHat Security, Cenzic, NT Objectives, Qualys
  • Web application firewall vendors: Imperva, F5, Bee Ware, Barracuda Networks, Citrix, DenyAll, Trustwave, Riverbed Technology
  • Web application firewall SaaS vendors: Incapsula, Akamai, CloudFlare, Qualys

Advanced Threat Protection Appliances

Best Practices
  • Evaluate and deploy a network-based advanced threat detection/prevention technology to reduce the potential impact of zero-day malware and other targeted attacks.
  • If already deployed, review your existing advanced threat detection/prevention technology and ensure that you take appropriate steps to employ any prevention capabilities it provides as directed by your technology vendor while considering any negative impacts to your environment's specific needs.
  • Review your advanced threat protection appliance deployment and ensure that all network connections to the Internet are inspected.
  • If network topology prohibits full network visibility, evaluate and prioritize placement of these types of capabilities to inspect public Internet connections and critical systems within the data center.
  • Properly employ your incident response processes around this new technology and execute the process when appropriate indications exist for a potential malware infection or command and control callback is detected.
  • Recognize that mobile devices such as laptops, ultrabooks, tablets and smartphones must be addressed with endpoint security controls and mobile device security technologies since the interception of their off-premises network traffic may not be practical.
Vendor Samples
  • Advanced threat protection appliance vendors: FireEye, Fidelis Security Systems, Damballa, RSA, Trend Micro, Lastline, Cyphort, AhnLab, Check Point Software Technologies, Palo Alto Networks, Sourcefire, Norman, McAfee

Focus Your Infrastructure Protection Strategy Toward Malicious Content

Email Content Security

Best Practices
  • To increase detection and prevention rates, Gartner suggests organizations use diversity in the source of antivirus engines that will scan email content; for example, using one antivirus engine at the email gateway and an alternative antivirus engine for your endpoint systems. Ideally, the email gateway would support the use of multiple engines.
  • Review and ensure your mobile device security includes monitoring of all email going to and from mobile devices.
  • Review your email security gateway or software and ensure you have set it to the highest threshold for malware and phishing detection and prevention.
  • Strip or quarantine all executable content from email attachments and ensure that all email content types and attachments are being evaluated for malware.
  • Review and consider secure email gateways that implement specific protection technology for both URL links and attachments with active content that cannot be blocked by policy (that is, PDF and doc file types).
  • For attachment-type attacks, consider content sandboxing (virtual environment emulation in code execution), also called virtual sandbox technology. This technology allows attachments to be tested within a virtualized or emulated simulation environment prior to delivery and subsequent execution on the destination endpoint system of the recipient.
  • For attachment-type attacks, also consider solutions that strip or neuter active content in commonly used document types.
  • For URL link attacks, consider solutions that rewrite suspect URLs so that they are proxied at the time of click.
  • Do not assume URL protection is redundant because of secure Web gateway technology; emails can be read and acted upon when devices are outside the perimeter or from other machines using Outlook Web Access.
Vendor Samples
  • Secure email gateway and service vendors: Cisco, Google, Websense, McAfee (Intel), Proofpoint, Symantec, Trustwave, Trend Micro, Spamina, Barracuda Networks, AppRiver and Zscaler

Web Content Security

Best Practices
  • Deploy a secure Web gateway or equivalent technology to filter and monitor inbound and outbound Internet communications and inspect content and keep it up to date with the latest version as soon as possible.
  • Review your URL filtering configuration and ensure that known proxy sites, hacking sites, phishing URLs and other malicious site categories within your Web filtering product or service are blocked.
  • Implement real-time block lists to block hosts that have already been determined to pose an existing threat and reputation feeds to block hosts that are suspect.
  • Review incumbent secure Web gateway (SWG) vendors' capabilities to ensure that the most advanced malware detection capability has been licensed. Be aware that it may be necessary to add security capability if the incumbent solution is designed primarily for productivity filtering or network optimization.
  • Review and utilize advanced security capabilities provided by the SWG beyond the capabilities of simple real-time block lists (see "Secure Web Gateway Malware Detection Techniques"). Many solutions do not turn on advanced techniques by default due to performance impact. Ensure that SWG solutions are sized to manage traffic adequately with all advanced detection methods turned on.
  • Review and implement, where possible, content sandboxing (virtual environment/emulation and code execution); virtual sandbox technology allows code to be tested within a virtualized simulated environment that allows malware to be evaluated for common malicious behavior prior to delivery and subsequent execution on the end system.
  • Ensure that mobile devices such as laptops, small office/home office (SOHO) devices, smartphones and tablets are also inspected by your secure Web gateway solution; this may require a cloud-based solution or use of VPN technology.
  • Ensure that SWG solutions are capable of detecting all malicious outbound protocols (that is, not just HTTP) for indicators of infection and provide suitable alerts as well as data to trace and remediate infected hosts.
  • Ensure that the SIRT or endpoint administrators have access to outbound reporting showing potentially infected machines or abnormal traffic patterns.
  • Use SWG DLP technology tactically in the absence of enterprise DLP to detect sensitive or secret data traversing the Web gateway.
Vendor Samples
  • Secure Web gateway and service vendors: Cisco, Blue Coat Systems, Websense, McAfee (Intel), Zscaler, Symantec, Spamina and Trend Micro

Uplift Your Endpoint Security Controls and Detection Stance

Best Practices
  • Remove administrative privileges on desktops to reduce the ability of malware infections to cause low-level system damage (see "Best Practices for Removing End-User Administrator Rights on Windows"). Where privileged access is needed, use privileged account activity management (PAAM) technologies to properly manage the on-demand escalation of privileges.
  • Implement a vulnerability assessment and remediation process with service-level agreements for the remediation of all endpoints. Review the effectiveness of remediation efforts across IT support teams on a quarterly basis with responsible parties and/or their management teams.
  • Extend your patch management processes to all common desktop elements, especially Internet-facing applications (for example, Adobe, Java, alternative browsers and so on) while prioritizing vulnerabilities that will commonly be used to deliver malware.
  • Review your existing endpoint antivirus products to ensure they are the latest version and uplift, if necessary, to include complete anti-malware protection, potentially unwanted program detection, and other malware detection and prevention capabilities.
  • Add host and server intrusion prevention capabilities to your endpoint systems handling sensitive data types and enable blocking of high-fidelity critical, high and medium attack signatures with low false-positive rates as suggested by your security technology provider.
  • For endpoints that routinely handle sensitive data, fixed function roles and users that have high security access credentials, consider deploying application control technology to limit application execution to known good applications (see "How to Successfully Deploy Application Control").
  • For lean-forward organizations, consider deploying application containment to isolate risky applications such as browsers and PDF viewers from the core endpoint system resources where these are the primary avenue of attack (see "Technology Overview for Virtualization and Containment Solutions for Advanced Targeted Attacks"). For lean-forward organizations, also consider deploying endpoint threat detection and response tools to detect indicators of compromise, and to accelerate and improve malware remediation and SIRT investigation.
  • Consider systematically resetting desktop and server workloads to high-assurance states as a way to proactively remove ATA footholds (see "Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Considerations" and "Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Concepts").
  • Implement network and system behavior analysis capabilities on your endpoint systems to detect potentially irregular or suspicious user and system behaviors.
  • Review and consider implementing application sandboxing or application control/whitelisting technology on endpoint systems (see "How to Successfully Deploy Application Control" and "Technology Overview for Virtualization and Containment Solutions for Advanced Targeted Attacks").
  • Review and consider implementing endpoint threat detection and response products to validate the security status of your endpoints.
  • Deploy network forensics capabilities in order to ensure your organization can review past network activities and utilize their findings during the triage process or for potential court cases.
Vendor Samples
  • File integrity monitoring products: Tripwire, IBM Tivoli, Qualys, McAfee (Intel), LogRhythm, nCircle, Guidance Software, AccessData and NetIQ
  • Endpoint threat detection and response vendors: Bit9, HBGary, RSA ECAT, Cyvera, AccessData and Mandiant
  • Network behavior analysis vendors: McAfee, Tenable Network Security, Arbor Networks, Lancope and Radware
  • Application control/whitelisting vendors: Bit9, McAfee, Lumension, Kaspersky, Microsoft, Viewfinity
  • Network forensics vendors: Solera Networks, Cybertap, Niksun, RSA, Endace, Fluke Networks, Netresec, WildPackets, Riverbed, NetAgent

Improve Your Automated Monitoring, Correlation and Analysis

Best Practices
  • Ensure you have implemented off-device, centralized logging facilities for all your security controls to prevent potential tampering with log data during a breach.
  • Form a security operations center or designate specific individuals to operate as a security operations center in order to properly monitor and respond as well as perform initial triage status for security events.
  • Implement a SIEM solution to enable centralized log analysis and complex correlation as well as automated anomaly alerting.
  • Review anomaly reports and alerts generated by your SIEM system to identify irregular behaviors in the environment.
  • When suspicious anomalies or alerts are received by the security operations center, invoke the incident response process.
Vendor Samples
  • Security information and event management vendors: IBM (Q1Labs), HP (ArcSight), McAfee, Splunk, LogRhythm, AlienVault, RSA

Improve Your Incident Response Capabilities

Best Practices
  • Define an incident response procedure that defines the roles of appropriate business and IT contacts throughout the organization and other departments needed to respond to security incidents, including human resources, public relations, legal and executive management.
  • Retain either internal or external resources for executing an incident response plan; specifically target resources with digital forensics and malware analysis knowledge.
  • Consider implementing a secure case management or incident response ticketing system separately from IT support systems so that security incidents will remain confidential within the incident response process and proper workflows as well as collaboration can exist between involved parties during execution of the incident response procedure.
  • Leverage endpoint forensics tools and endpoint threat detection and response technologies or services for incident response, favoring capabilities that specialize in cybersecurity incident response, including investigation assessment templates for identifying and analyzing common infection indicators such as service startup locations, driver hooks, kernel driver analysis, running process exploration, memory snapshots and other malware analysis techniques.
  • When possible, consider automating your incident response investigation triage efforts with integration between forensic analysis tools and other security monitoring software to more rapidly respond to potential suspicious security events when they occur.
Vendor Samples
  • Incident response forensic analysis vendors: Google GRR, Guidance Software, AccessData, Mandiant


1 Worldwide CERT Organizations —

Note 1
External Information and Security-Related Nonprofit Organizations

The following are external information and security-related nonprofit organizations:

  • International Information Systems Security Certification Consortium (ISC2)
  • Information Systems Security Association (ISSA)
  • Information Systems Audit and Control Association (ISACA)