Attacks/Breaches
1/27/2010
02:56 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Anatomy Of A Targeted, Persistent Attack

New report provides an inside look at real attacks that infiltrated, camped out, and stole intellectual property and proprietary information -- and their links to China

A new report published today sheds light on the steps ultra-sophisticated attackers take to gain a foothold inside governments and company networks and remain entrenched in order to steal intellectual property and other data. The bad news is these attacks -- including the recent ones on Google, Adobe, and other companies -- almost always are successful and undetectable until it's too late.

The so-called advanced persistent threat (APT) attack model and case studies outlined in the report from forensics firm Mandiant are based on real-world attacks Mandiant has probed during the past seven years in the government and private industries. Though the report describes the brand of attack that hit Google, Adobe, and 20 to 30 other organizations, Mandiant wouldn't comment on whether its forensics experts are involved in the so-called Aurora attack that allegedly came out of China.

Most of the APT attack cases that Mandiant has worked on for the past few years have had ties to China: "The vast majority of APT activity observed by MANDIANT has been linked to China," the report says. And existing security tools are no match for these attacks -- only 24 percent of the malware used in the attacks Mandiant has investigated were detected by security software, the report says.

"The fact that there is more activity around this [threat] in the past two to three weeks is good. Hopefully, this continues and gets people talking about being aware of it," says Michael Malin, executive vice president at Mandiant. "The APT is a reality; it's out there ... it's not just a government or defense issue. We're seeing it at the commercial level, as well."

As a matter of fact, Mandiant has worked with 10 percent of Fortune 100 companies on APT attacks in their organizations, according to Malin. "And we've responded to computer security incidents at 20 percent of Fortune 100 [companies]," including APT and payment card attacks.

It's not that these attacks are anything new. A published report in the Christian Science Monitor this week revealed a wave of APT attacks that occurred in 2008 against the oil industry, including Marathon Oil, ExxonMobil, and ConocoPhillips, all of which didn't realize the extent of the damage until 2009, when the FBI told them "proprietary" data had been siphoned from their computers. It's more that regulatory -- business pressures are now forcing companies like Google to own up to their victimization, security experts say.

Mandiant's Malin says APT attacks are waged by teams of hackers who go after different levels of the infrastructure: "They are going after the network level, or the host-based level," he says. "There's a lot of coordination."

And sometimes the teams don't even know the other is already inside the victim's network. Even so, they typically are working for the same cause, usually espionage, he says. And once they are in, they don't need to hack through again; they set up camp with a longer-term presence that allows them to move about the company freely and typically undetected.

"From a security point of view, there's no magic bullet" to these attacks, says Alan Shimel, CEO of The CISO Group. "Nothing is going to make you immune."

The most effective way to shut down such an attack, however, is to uncover and block the command and control (C&C) conduit between the compromised systems and the attackers, says Gunter Ollmann, vice president of research for Damballa. "Then they have to go to their backup systems and reinfect the host," Ollmann says. "The Achilles' heel is their C&C. They require interactive access to the systems to control them and to target and extricate information ... by detecting and denying that, you've muted the attack."

APT attacks typically have a correlation between political or business activity or events, Mandiant's Malin says. And they often are waged as a campaign for a specific type of information or intelligence. For example, in one series of attacks on local, state, and federal agencies that Mandiant worked on, which was featured in the report, the attackers were after counter-terrorism intelligence.

Malware used in APT attacks is basically hidden in plain sight, in a low-profile, camouflaged manner. Mandiant says the average file size is a relatively diminutive 121.85 kilobytes, and that only 10 percent of any of these backdoor programs were "packed," a technique that can be easily spotted. But more advanced attackers do pack their malware in. Among the most common file names for the malware: svchost.exe, iexplore.exe, iprinp.dll, and winzf32.dll -- all of which wouldn't raise any red flags and could easily be overlooked. Most of these attackers evade anomaly detection by using outbound HTTP connections, as well as process injection.

Mandiant's report also drew some connections between these attacks and China: The attackers mostly work during daytime hours in China, which is nighttime in the U.S., the report says. "APT-associated activity typically occurs on any given weeknight except for foreign and major U.S. holidays," the report says. "This indicates the attackers know when new information may be available for exfiltration." Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3154
Published: 2014-04-17
DistUpgrade/DistUpgradeViewKDE.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 does not properly create temporary files, which allows local users to obtain the XAUTHORITY file conte...

CVE-2013-2143
Published: 2014-04-17
The users controller in Katello 1.5.0-14 and earlier, and Red Hat Satellite, does not check authorization for the update_roles action, which allows remote authenticated users to gain privileges by setting a user account to an administrator account.

CVE-2014-0036
Published: 2014-04-17
The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVE-2014-0054
Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External ...

CVE-2014-0071
Published: 2014-04-17
PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Best of the Web