Keeping Advanced Persistent Threats At Bay

PCQ Bureau

The concept behind advanced persistent threats (APTs) isn't new. Cybercriminals have been relying on software to leverage attacks that steal data or disrupt systems since the dawn of the computer age. So what distinguishes modern APTs from previous malware? Their distinguishing factors are sophistication and stealth, along with diverse attack vectors, copious resources and relentless perseverance. While the nature and intention of APTs are as diverse as their creators, they share common components: they often rely on zero-day threats - undiscovered vulnerabilities for which there are no known fixes. To make an entrance, APTs execute in tandem with targeted social engineering campaigns and personalized spear-phishing attacks. Once an APT has penetrated an organization's defenses, it moves through the target's infrastructure to execute its mission.

Unlike other mass-distributed threats, APTs keep low profiles, sometimes lying dormant for months or even years. In light of their inherent stealth capabilities, APTs are difficult to pin down and just as challenging to attribute to any given attacker or location. Because APTs incorporate features designed to evade detection and security mechanisms, they have experienced a sharp uptick and are continuing an exponential upward trajectory. In the first half of 2013, companies reported 4.45 million blocked phishing e-mails, 142 million unsuccessful hacking attempts and 3.14 billion attempts to trick users into visiting a potentially malicious Web site. And those are just the ones that get caught!

Who is behind these attacks?

APTs require a high level of technical prowess and extensive resources for development and distribution, and have quickly become the tool of choice for nation states interested in cyber espionage and cyber warfare activities. The most notorious players featured in government reports include China, Russia, Syria, North Korea and Iran. More of a shock: the United States is also behind numerous cyberattacks. A New York Times report reveals the infamous APT Stuxnet was the brainchild of the U.S. Two other rogue attacks, dubbed Duqu and Flame, also share similar code and characteristics with Stuxnet, indicating they are likely sourced to the same creators. With backing from the world's most powerful nations, APTs are now routinely sourced to high-profile, widely publicized and increasingly destructive attacks against governments and multi-national corporations.

Staging an attack

First things first, though: the attacker needs a plan. A target is selected by determining whom the attackers wish to infiltrate and what they intend to steal. The APT operators conduct extensive background research on the victim, leveraging a medley of social media, search engines, employee activity, and public and online phone directories to concoct an effective social engineering attack. Once an attack strategy has been developed, it's a matter of execution. Attackers will make an initial entry, typically in the form of a phishing e-mail with an infected attachment that plants remote-operated malware on the victim's machine. That malware exploits vulnerabilities on victims' computers to gain deeper access into the network that houses privileged information.

Once the exploit gains a foothold, it spreads to compromise other computers and servers on the network. And as soon as the exploit has access to all facets of the network, exfiltrating sensitive data is easy. Target data can include personally identifying information such as passwords, e-mail accounts, names and addresses, as well as critical proprietary information such as intellectual property, blueprints and source code.

The operators behind the APT may choose to stick around on the target's network - even after the data is stolen and their mission is complete - to maintain surveillance on the victim's network and look for more valuable data.

To successfully execute complex attacks, cybercriminals rely on an array of tools, such as malware code coupled with social engineering exploits and phishing and spear-phishing attacks. As mentioned earlier, APTs almost always employ zero-day threats and other exploits to gain control of a victim's computer. To gain a stronger advantage, APT operators will recruit insiders to assist in the attack's execution. Stuxnet, for example, required sympathetic insiders to strategically place and utilize the USB drives that ultimately infected the networks of the targeted uranium enrichment plants. Attackers have also successfully forged SSL certificates to replicate legitimate sites and compromise visitors.

With their stealth and seemingly impenetrable technical sophistication, it's not surprising APTs are going after bigger targets these days. APTs have been behind numerous attacks on multi-national technology firms such as RSA (the security division of EMC), Google and Adobe, as well as U.S. and international governments and media firms. It's only a matter of time before APTs become the weapon of choice in attacks against critical infrastructure - water and sewage treatment plants, traffic light systems and the electrical grid - which is increasingly being placed online to reduce costs and accelerate efficiencies.

Myriad of security options

What options are there for organizations attempting to defend themselves against this treacherous wave of APTs? Despite the technical prowess and stealth of APTs, organizations still have myriad security options at their disposal:

- Organizations can forge security partnerships and alliances to create more defensive layers while establishing a broader foundation of security intelligence.

- Educating employees on best security practices around e-mail, Web and social media behavior is a necessary defense policy that will reduce the "weakest link" element so often exploited by APT operators.

- End users need to incorporate a mix of security solutions. Among the most salient are network segregation, Web filtering and reputation, intrusion prevention and application control mechanisms. Also important: whitelisting, blacklisting, cloud-based sandboxing, robust endpoint control/AV and data-loss prevention (DLP) technologies.

- Security-minded organizations must also consider proactive patching, role-based restrictions of administrative rights, network access control (NAC) and two-factor authentication.

- To reduce risk even further, USB drive restrictions should be added to the mix with limited access to cloud-based file-sharing.
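The list above pairs whitelisting with blacklisting without saying why both appear, and the difference matters most for the zero-day case the article keeps returning to. The following Python script is an added illustration, not code from PCQ Bureau or from any product the article mentions: it builds a hash-based application allowlist (deny by default) and a conventional blocklist (allow by default) over a few constructed sample "binaries", then runs a never-before-seen loader and a tampered copy of an approved tool through both. The file contents, names and hashes are constructed for the example; a real deployment would hash files on disk and source the allowlist from a signed build inventory.

```python
"""Hash-based application allowlisting versus blocklisting (added example).

Shows why an allowlist (deny unless known good) catches an unseen payload
that a blocklist (allow unless known bad) lets through.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample executables (stand-ins for files read from disk).
KNOWN_GOOD = {
    "updater.exe": b"MZ\x90\x00 approved updater build 1.4",
    "reporting.exe": b"MZ\x90\x00 approved reporting tool build 2.0",
}
KNOWN_BAD = {
    "dropper_v1.exe": b"MZ\x90\x00 previously seen dropper",
}
# A freshly compiled loader nobody has a signature for yet: the zero-day case.
UNSEEN_LOADER = b"MZ\x90\x00 freshly compiled loader"
# An approved binary with one byte changed, e.g. a trojanised update.
TAMPERED_UPDATER = KNOWN_GOOD["updater.exe"][:-1] + b"5"

ALLOWLIST = {sha256_hex(blob) for blob in KNOWN_GOOD.values()}
BLOCKLIST = {sha256_hex(blob) for blob in KNOWN_BAD.values()}


def allowlist_decision(data: bytes) -> str:
    """Deny by default: only an exact hash match may execute."""
    return "allow" if sha256_hex(data) in ALLOWLIST else "deny"


def blocklist_decision(data: bytes) -> str:
    """Allow by default: only a known-bad hash is stopped."""
    return "deny" if sha256_hex(data) in BLOCKLIST else "allow"


def compare(samples: dict) -> dict:
    """Map each sample name to (allowlist verdict, blocklist verdict)."""
    return {
        name: (allowlist_decision(blob), blocklist_decision(blob))
        for name, blob in samples.items()
    }


def demo_samples() -> dict:
    """The constructed set run through both policies in the demo."""
    return {
        "updater.exe": KNOWN_GOOD["updater.exe"],
        "dropper_v1.exe": KNOWN_BAD["dropper_v1.exe"],
        "unseen_loader.exe": UNSEEN_LOADER,
        "tampered_updater.exe": TAMPERED_UPDATER,
    }


if __name__ == "__main__":
    print(f"{'file':<22}{'allowlist':<12}{'blocklist'}")
    for name, (allow_v, block_v) in compare(demo_samples()).items():
        print(f"{name:<22}{allow_v:<12}{block_v}")
```

The output table makes the article's point concrete: the blocklist only stops the dropper it has already seen, while the allowlist stops both the unseen loader and the tampered updater, because the decision rests on what is known good rather than on what is known bad. The cost is operational: every legitimate update changes the hash and must be re-approved, which is why the article lists proactive patching and application control side by side.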

Although defensive strategies are becoming more nuanced and complex, APT operators remain a few steps ahead. There is no foolproof solution, but leveraging the right combination of education, partnerships and security strategies will significantly improve your organization's ability to keep APTs out.