APTs Require Enhanced Cyberdefense

Author: Uday Ali Pabrai, CISSP, CMMC PA, CMMC PI, CMMC RP, HITRUST CCSFP, Security+
Date Published: 24 May 2021

Advanced persistent threats (APTs) are introduced by adversaries that possess sophisticated levels of expertise and significant resources, which allow them to achieve their objectives by using multiple attack vectors (e.g., cyber, physical and deception). The adversary may be an individual, group, organization or government that conducts, or has the intent to conduct, detrimental activities against organizations and individuals.

These threats are global, but their impact is local, and every organization, regardless of industry, should examine its strategic options for mitigating this business risk.

The old adage "trust, but verify" has given way to the zero trust security model, which assumes that the adversary is already inside the organization's defenses. It is worth examining some of the options for reducing APT risk.

Core Components of Enhanced Cyberdefense

The US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172 emphasizes that its enhanced security requirements support a multidimensional, defense-in-depth protection strategy built on 3 mutually reinforcing core components:1

  1. Penetration-resistant architecture (PRA)
  2. Damage-limiting operations (DLO)
  3. Cyberresiliency and survivability (CRS)

This cyberstrategy recognizes that despite an organization's best efforts to implement protective measures, APTs may find ways to compromise or breach boundary defenses and deploy malicious code within a defender's system. When this happens, the organization must be able to use safeguards and countermeasures to detect, outmaneuver, confuse, deceive, mislead and impede the adversary, that is, to remove the adversary's tactical advantage and protect the organization's critical programs and high value assets (HVAs).

Attack vectors such as cyberattacks, physical attacks and deception pose threats to business operations and require organizations to rethink their cyberdefense approaches. Two standards offer valuable guidance for establishing a credible cyberdefense: the Cybersecurity Maturity Model Certification (CMMC) established by the US Department of Defense (DoD) and NIST SP 800-172.2, 3 The higher CMMC maturity levels are designed specifically with APTs in mind. Future cyberdefense strategy should be shaped by the CMMC and NIST SP 800-172.

Addressing APTs

Organizations should focus on enhancing their security requirements to mitigate APT risk. NIST has established an excellent reference for enhanced security requirements, NIST SP 800-172. Enhanced security requirements represent methods for protecting sensitive information, including personally identifiable information (PII), personal data (PD), Controlled Unclassified Information (CUI) or any other information the organization regards as high value.

Examples of enhanced security requirements that organizations need to integrate into their cyberdefense strategy include:

  • Applying a threat-centric approach to the specification of security requirements
  • Employing system and security architectures that support logical and physical isolation using system and network segmentation techniques, virtual machines and containers
  • Implementing dual authorization controls for the most critical or sensitive operations
  • Limiting persistent storage to isolated enclaves or domains
  • Implementing a comply-to-connect approach for systems and networks
  • Extending configuration management requirements by establishing authoritative sources for addressing changes to systems and system components
  • Periodically refreshing or upgrading organizational systems and system components to a known state, or developing new systems or components
  • Employing a security operations center (SOC) with advanced analytics to support continuous monitoring and protection of organizational systems
  • Using deception to confuse and mislead adversaries regarding the information they use for decision-making, the value and authenticity of the information they attempt to exfiltrate, or the environment in which they are operating
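As an added illustration of the dual authorization item above (example code written for this page, not code from the article, NIST SP 800-172 or the CMMC model), the following Python sketch enforces two-person control over a sensitive operation. The role table, operation names, request identifiers, approval lifetime and HMAC key are hypothetical; in a real deployment the roles would come from the identity provider and each approval would be a signed token rather than an HMAC under a shared secret. The point of the example is the checks that make dual authorization meaningful rather than ceremonial: both approvers must be distinct principals, each must hold a role permitted for that operation, approvals are bound to one specific request so they cannot be replayed against another, they expire, and they are integrity-protected so a tampered approval is rejected outright.

```python
"""Two-person (dual authorization) control for a critical operation.

Added example for this page; not code from the article, NIST SP 800-172 or CMMC.
All roles, operations, request IDs and the key below are hypothetical.
"""
from dataclasses import dataclass
import hashlib
import hmac
import json
import time

# Hypothetical role assignments; in practice these come from the identity provider.
ROLE_OF = {
    "alice": "security-admin",
    "bob": "security-admin",
    "carol": "change-manager",
    "dave": "developer",
}

# Hypothetical policy: which roles may approve each critical operation.
REQUIRED_ROLES = {
    "disable-audit-logging": {"security-admin", "change-manager"},
    "rotate-kms-root-key": {"security-admin"},
}

APPROVAL_TTL_SECONDS = 900  # an approval older than 15 minutes is ignored

# Constructed key for integrity-protecting approvals. A real system would use
# per-approver signatures (IdP-issued or hardware-backed), not a shared secret.
APPROVAL_KEY = b"example-key-do-not-use"


@dataclass(frozen=True)
class Approval:
    principal: str
    operation: str
    request_id: str
    issued_at: float
    tag: str  # HMAC over the other four fields


def _tag(principal, operation, request_id, issued_at):
    # Canonical JSON encoding so the same fields always produce the same MAC input.
    msg = json.dumps([principal, operation, request_id, issued_at],
                     separators=(",", ":")).encode()
    return hmac.new(APPROVAL_KEY, msg, hashlib.sha256).hexdigest()


def approve(principal, operation, request_id, now=None):
    """Issue an approval bound to one operation and one request identifier."""
    now = time.time() if now is None else now
    return Approval(principal, operation, request_id, now,
                    _tag(principal, operation, request_id, now))


def authorize(operation, request_id, approvals, now=None):
    """Return (ok, reason). ok is True only when two distinct, authorized,
    fresh, untampered approvals for exactly this operation and request exist."""
    now = time.time() if now is None else now
    allowed_roles = REQUIRED_ROLES.get(operation)
    if allowed_roles is None:
        return False, f"unknown operation {operation!r}"

    valid = {}  # keyed by principal, so one person cannot count twice
    for a in approvals:
        expected = _tag(a.principal, a.operation, a.request_id, a.issued_at)
        if not hmac.compare_digest(a.tag, expected):
            return False, f"tampered approval from {a.principal}"  # fail closed
        if a.operation != operation or a.request_id != request_id:
            continue  # approval for a different operation or request: no replay
        if now - a.issued_at > APPROVAL_TTL_SECONDS:
            continue  # stale approval
        if ROLE_OF.get(a.principal) not in allowed_roles:
            return False, f"{a.principal} is not authorized to approve {operation}"
        valid[a.principal] = a

    if len(valid) < 2:
        return False, f"need 2 distinct approvers, have {len(valid)}"
    return True, "authorized by " + ", ".join(sorted(valid))


if __name__ == "__main__":
    t0 = time.time()
    a1 = approve("alice", "disable-audit-logging", "req-1", now=t0)
    a2 = approve("bob", "disable-audit-logging", "req-1", now=t0)
    print(authorize("disable-audit-logging", "req-1", [a1, a2], now=t0 + 10))
    print(authorize("disable-audit-logging", "req-1", [a1, a1], now=t0 + 10))
    print(authorize("disable-audit-logging", "req-2", [a1, a2], now=t0 + 10))
```

Note that an approval from an unauthorized role and a tampered approval both cause the whole decision to fail rather than being silently skipped; either one indicates a policy or integrity problem that should surface to the SOC, not be papered over by a second, valid approver.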

The DoD's CMMC Model

The CMMC establishes requirements for cyberresilience by mitigating the risk posed by APTs to sensitive and confidential information and assets. The model measures cybersecurity maturity using 5 levels and aligns a set of processes and practices with the type and sensitivity of the information to be protected and the associated range of threats. CMMC Maturity Levels 4 and 5 are designed specifically with APTs as the focus of the security requirements that must be met. CMMC certification is a requirement for the DoD Defense Industrial Base (DIB) of more than 300,000 suppliers. Those suppliers specifically at risk from APTs will be required to meet CMMC Maturity Level 4 or 5.

The CMMC model is an excellent reference for every cybersecurity professional at the senior leadership level to study and understand for its applicability to reducing cyberrisk. Organizations should consider pursuing CMMC certification to establish a credible, evidence-based defense.

Conclusion

Forward-thinking organizations will focus on the 3 components described here. The first is an architecture that uses technology and procedures to limit the opportunities for adversaries to compromise an organizational system and achieve a persistent presence in it. The second key component is designing systems that give mission and business functions the capability to prepare for, withstand, recover from and adapt to compromises of cyberresources, so as to maximize mission or business operations. Finally, the third element is the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyberresources.

Assume the adversary is already inside your network. Every organization must reimagine its cyberdefense to reduce business risk.

To learn more about enhancing cyberdefense against APTs, watch Pabrai discuss his article in this video interview.

Endnotes

1 National Institute of Standards and Technology, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, USA, February 2021
2 Office of the Under Secretary of Defense for Acquisition and Sustainment, Cybersecurity Maturity Model Certification; CMMC Model, USA, 2020
3 Ibid.

Uday Ali Pabrai, CISSP, CMMC PA, CMMC RP, HITRUST CCSFP, MSEE, Security+

Is the chief executive of ecfirst, an Inc. 500 business. His career was launched at the US Department of Energy's nuclear research facility, Fermi National Accelerator Laboratory, in Chicago, Illinois, USA. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms. Pabrai is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. Pabrai can be reached at Pabrai@ecfirst.com.