Protecting Employee Data is an Organization’s Legal Obligation or Is It?

In today’s world, countless organizations fall victim to data breaches that involve employee data. In 2014, I was engaged to lead the remediation efforts of a data breach for a Pennsylvania-based client. Hackers gained access to the company’s employee payroll information containing the salaries, social security numbers and other Personal Identifying Information (PII) through an insecure email system. It was crucial to develop and execute a corporate security strategy along with the tactical tasks of remediating the breach.

During 2013 and in 2014, infamous cyberattacks resulting in significant data breaches occurred against notable companies such as Target Corporation, Home Depot, JP Morgan Chase, along with many others.

The legal repercussions from those events set off an avalanche of employee and customer lawsuits. Many banks subsequently filed suits against the afflicted organizations citing negligence and other allegations. Organizations did not view protecting employee data was…

Understanding Advanced Persistent Threats

Just what the heck is this Advanced Persistent Threat (APT) that security professionals keep talking about? You may think it is some kind of cyber attack that keeps happening over and over again. That is one way of thinking about it, but why is it happening, and who in the hell is doing it? This article will try to explain the kind of cyber attack that affected Sony, Target, Home Depot and, most recently, Anthem. Other high-profile breaches have also occurred, and many more are ongoing and undetected. The What, Why and Who of APT will be discussed from a layman’s perspective, without getting too far into the weeds.

The What, Why and Who

An Advanced Persistent Threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The main purpose of an APT attack is to steal data rather than to cause damage. What makes it so advanced is the perpetrators’ ability to gain access to an internal network in stealth mode, remain undetected, and steal your crown-jewel information while you are none the wiser.

When the term Advanced Persistent Threat (APT) is used in the context of cyber threats (or cyber attacks), each component of the term is relevant:
  • Advanced: the attacker can evade detection and has the capability to gain and maintain access to well-protected networks and the sensitive information they contain. The attacker is generally adaptive and well resourced.
  • Persistent: the persistent nature of the threat makes it difficult to prevent access to your computer network and, once the threat actor has successfully gained access to your system, very difficult to remove.
  • Threat: the attacker has not only the intent but also the capability to gain access to sensitive information stored electronically.

An APT attack intends to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, infrastructure utilities, manufacturing and the financial industry. APTs are a well-resourced, highly capable and relentless class of hacker, increasingly referred to in the media, by IT security companies, victims, and law enforcement. Most hackers target indiscriminately and, instead of persisting with a particular target, shift their focus to more vulnerable targets. APTs, on the other hand, are not only well resourced and capable but persistent in their covert attempts to access sensitive information, such as intellectual property, negotiation strategies or political dynamite, from their chosen targets. The severe attacks are state-sponsored and/or carried out in conjunction with organized crime rings.

The sophistication of APT intrusion attempts varies and likely depends on the attacker’s objectives, the tools and techniques available to them, and the anticipated ability of their target both to detect and defend against an attack. The activity conducted by APTs is not necessarily sophisticated, but the attacker can upgrade their sophistication to gain or maintain access to computer systems of interest.

Who are these actors behind the APT attacks?
  • Nation-state actors such as China, Russia, and others
  • Organized criminal actors
  • Corporate espionage actors
  • Terrorists

Anatomy of an APT

In a simple attack, the intruder tries to get in and out as quickly as possible to avoid detection by the network’s intrusion detection system (IDS). Many highly sophisticated attacks do not necessarily penetrate the network from the outside; they infiltrate from within the organization. In an APT attack, the goal is not to get in, quickly grab what you can and get out, but to achieve chronic, ongoing access. To maintain access without discovery, the intruder must continuously rewrite code and employ sophisticated evasion techniques. Some APTs are so involved that they require a full-time administrator.
An APT attacker often uses spear phishing, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a back door.
The next step is to gather valid user credentials (especially official ones) and move laterally across the network, installing more back doors. The back doors allow the attacker to install bogus utilities and create a “ghost infrastructure” for distributing malware that remains hidden in plain sight.
The final step is the continual exfiltration of data over time, amounting to millions of vital records taken from an organization.
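Two of the steps just described, lateral movement on gathered credentials and the slow, continual exfiltration, leave traces in ordinary logs that a defender can look for. The script below is an added example, not part of the original article: it runs two simple detections over constructed sample data (a handful of authentication events and daily outbound-flow summaries, with documentation-range IPs as placeholders). The thresholds (more than 5 distinct hosts in 30 minutes; 50 MB or more per day on 5 or more days) are hypothetical starting points, not values from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# (timestamp, account, source host, target host)
AUTH_EVENTS = [
    ("2015-03-01T09:00:00", "svc_backup", "ws-17", "fs-01"),
    ("2015-03-01T09:02:00", "svc_backup", "ws-17", "fs-02"),
    ("2015-03-01T09:04:00", "svc_backup", "ws-17", "fs-03"),
    ("2015-03-01T09:05:00", "alice",      "ws-04", "fs-01"),
    ("2015-03-01T09:06:00", "svc_backup", "ws-17", "ws-03"),
    ("2015-03-01T09:08:00", "svc_backup", "ws-17", "ws-04"),
    ("2015-03-01T09:10:00", "svc_backup", "ws-17", "dc-01"),
    ("2015-03-01T09:12:00", "svc_backup", "ws-17", "hr-db"),
    ("2015-03-01T09:30:00", "alice",      "ws-04", "mail-01"),
    ("2015-03-01T10:15:00", "bob",        "ws-09", "fs-02"),
]

# Constructed sample daily outbound flow summaries (not real data):
# (date, source host, destination IP, bytes sent). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, used here as placeholders.
FLOWS = [
    ("2015-03-01", "ws-17", "203.0.113.9", 61_000_000),
    ("2015-03-02", "ws-17", "203.0.113.9", 58_000_000),
    ("2015-03-02", "ws-04", "198.51.100.7", 300_000_000),  # one-off burst
    ("2015-03-03", "ws-17", "203.0.113.9", 40_000_000),
    ("2015-03-03", "ws-17", "203.0.113.9", 22_000_000),  # same day, summed
    ("2015-03-04", "ws-17", "203.0.113.9", 55_000_000),
    ("2015-03-05", "ws-17", "203.0.113.9", 63_000_000),
    ("2015-03-06", "ws-17", "203.0.113.9", 59_000_000),
]


def lateral_movement(events, window=timedelta(minutes=30), max_hosts=5):
    """Flag accounts that authenticated to more than max_hosts distinct
    target hosts inside any sliding time window.
    Returns {account: number of distinct hosts reached}."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in events:
        by_account[account].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for account, items in by_account.items():
        items.sort()  # chronological, so every later event is >= start
        for i, (start, _) in enumerate(items):
            hosts = {dst for t, dst in items[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[account] = len(hosts)
                break
    return flagged


def slow_exfiltration(flows, min_days=5, min_bytes_per_day=50_000_000):
    """Flag (host, destination) pairs that sent at least min_bytes_per_day
    on at least min_days distinct days: a steady trickle, not one burst.
    Returns {(host, destination): sorted list of offending days}."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        daily[(src, dst)][day] += nbytes  # several flows per day add up
    flagged = {}
    for pair, per_day in daily.items():
        days = sorted(d for d, b in per_day.items() if b >= min_bytes_per_day)
        if len(days) >= min_days:
            flagged[pair] = days
    return flagged


def alerts(events=AUTH_EVENTS, flows=FLOWS):
    """Run both detections and return human-readable alert lines."""
    out = []
    for account, n in lateral_movement(events).items():
        out.append(f"lateral movement: {account} reached {n} hosts in 30 min")
    for (src, dst), days in slow_exfiltration(flows).items():
        out.append(f"slow exfiltration: {src} -> {dst} on {len(days)} days")
    return out


if __name__ == "__main__":
    for line in alerts():
        print(line)
```

On the sample data the service account that fans out to seven hosts in twelve minutes is flagged, while the two users with normal patterns are not; the one-off 300 MB transfer is ignored, but the workstation that trickles 50 MB or more to the same outside address on six consecutive days is reported. Real deployments would tune the thresholds per account type and baseline each host’s normal outbound volume.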

The following diagram illustrates the APT steps:

The historical timeline lists known breach events, tallied from 2004 to date. The information was obtained through extensive research, data mining and company disclosures, but much work is yet to be done. For example, missing from the tally are the early days of the Internet, dating back to 1998, when the earliest forms of APT were first reported. Then known as the “Moonlight Maze” attack, the events targeted the Pentagon, Congress, the National Aeronautics and Space Administration (NASA), the United States (US) Energy Department, research laboratories and private universities.

Future Trends of APT

Areas of concern in 2015 will be the continued escalation of breaches in the healthcare industry, a sector that lags in security, closely followed by the utility, education, entertainment and retail sectors. These industries have not fully grasped the security investments that are necessary to protect their assets. Many breaches in the healthcare sector are caused by poor security practices and by not hiring security staff with the skills that are vital.

Other problem areas are mobile devices, where many apps in use are not secure and neither encryption nor robust authentication methods are utilized. Add to that the push to bring your own device (BYOD) into organizations, which adds yet more vectors of infiltration. Mobile devices offer a suitable platform for APT actors to launch their attacks, since they virtually eliminate the perimeter firewall. These devices work inside and outside the organization and are difficult to control and track, often beyond the reach of the security infrastructure.

The cloud is another area of concern, as APT has morphed into many forms, arriving from nearly every country and territory in the world. Almost 200 unique families of APT malware have been discovered, and the number is escalating, with the United States the most frequently targeted country by far. The U.S. also had the broadest range of industry verticals singled out for attack, from aerospace to retail. A sharp increase in Web-based attacks was noted, which is likely associated with the increased use of social media and with users who are continuously connected to the Web. For example, a burst of Internet Explorer (IE) zero-days was used in “watering hole” attacks, in which hackers compromise a carefully selected website that their intended victims are known to visit.

The damage associated with these threats is devastating. A successful attack can dramatically impact financial performance, brand reputation, and customer loyalty. APTs can jeopardize the well-being of any company that deals with sensitive and valuable information.