An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long time. APT attackers are data thieves and target high-value information. Unlike other attacks, where the intruder sneaks in and gets out as quickly as possible, an APT attacker remains inside the network and keeps ongoing access to data by building a ghost infrastructure. The intruder stays in the network without being detected and distributes malware that remains unidentified. In reality, the APT attacker is the technology version of Kevin Bacon from the movie Hollow Man.
In a world dominated by cloud technologies, specialized cloud APTs (Advanced Persistent Threats) like Mini Dionis use multiple droppers (phishing, voicemails) to deliver highly engineered exploits and threats to cloud users. These droppers use cloud-based storage to drop a payload, which may sit within a private or public cloud that an organization is connected to. Because the malicious traffic originates from genuine cloud services, it is difficult to detect, and nailing down the perpetrators becomes a hard task. The advent of these kinds of threats and malware only makes the job of IT security staff harder. They would need to employ the following techniques to stay ahead of the curve.
Keep cloud-based security technologies at the best "hardened" level (e.g. security groups and access control lists on the cloud), and clearly define inbound and outbound access rights.
Have specialized process watchers and endpoint protection suites installed on the instances, so that they give constant on-the-go remediation and alert the security team in case of a suspicious event or process. Have a specialized, recognized cyber security company watch your cloud instances through their SIEM, and create correlation rules that let you see an attack while it is still in progress. (This can be achieved if the company you hire to do this job uses the right technology along with very good cyber security engineers.)
Clearly define and classify information, and define controls around the instances based on their classification level. For example, if you classify one of the instances as confidential, you would want it to have the best possible controls in terms of authentication, authorization, encryption, etc. Getting the classification level of your instance or application right is a very important step.
Last but not least, make sure the team is always aware of the latest threat vectors, and that they participate in online trainings and conferences or follow security community discussions on cloud-based threat vectors from groups like Black Hat or DEF CON.
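As an added illustration of the correlation-rule recommendation above (this is example code, not anything from the original post or from a particular SIEM product), the following toy correlator flags the dropper-like sequence the post describes: a document-handling process fetches from a cloud-storage host and then spawns a new executable shortly afterwards. The log lines, the cloud-storage domain and the process names are all constructed placeholders.

```python
"""Toy SIEM correlation rule: document handler -> cloud storage fetch -> child process."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): "timestamp|host|type|process|key=value,..."
SAMPLE_LOG = """\
2015-09-01T10:00:01|ws-17|proc_start|outlook.exe|parent=explorer.exe
2015-09-01T10:00:40|ws-17|proc_start|winword.exe|parent=outlook.exe
2015-09-01T10:01:05|ws-17|net_conn|winword.exe|dst=files.example-cloud.test:443
2015-09-01T10:01:30|ws-17|proc_start|update.exe|parent=winword.exe
2015-09-01T11:15:00|ws-22|net_conn|chrome.exe|dst=files.example-cloud.test:443
2015-09-01T11:40:00|ws-22|proc_start|notepad.exe|parent=explorer.exe
"""

# Assumed (placeholder) cloud-storage hosts the organization legitimately uses.
CLOUD_STORAGE_HOSTS = {"files.example-cloud.test"}
# Assumed document/mail handlers that should not normally launch executables.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
WINDOW = timedelta(minutes=5)  # fetch-to-spawn window that triggers an alert


def parse(line):
    """Split one pipe-delimited event into a dict; detail becomes a key/value map."""
    ts, host, etype, proc, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": etype,
            "proc": proc, "detail": dict(kv.split("=", 1) for kv in detail.split(","))}


def correlate(log_text):
    """Return (host, parent, child) tuples where a document handler connected to
    cloud storage and then spawned a child process within WINDOW."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    recent_cloud = defaultdict(list)  # (host, process) -> times of cloud fetches
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "net_conn":
            dst_host = ev["detail"]["dst"].rsplit(":", 1)[0]
            if dst_host in CLOUD_STORAGE_HOSTS and ev["proc"] in DOCUMENT_HANDLERS:
                recent_cloud[(ev["host"], ev["proc"])].append(ev["ts"])
        elif ev["type"] == "proc_start":
            parent = ev["detail"].get("parent")
            fetches = recent_cloud.get((ev["host"], parent), [])
            if any(ev["ts"] - t <= WINDOW for t in fetches):
                alerts.append((ev["host"], parent, ev["proc"]))
    return alerts


if __name__ == "__main__":
    for host, parent, child in correlate(SAMPLE_LOG):
        print(f"ALERT {host}: {parent} fetched from cloud storage, then spawned {child}")
```

The browser download on ws-22 is deliberately not flagged, since the rule keys on the document-handler-to-child chain rather than on cloud-storage traffic alone, which is exactly the traffic the post says blends in with legitimate use.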
Do you have the ammunition to go to war with cloud-based APTs?