3/18/2015 09:35 AM
Liviu Arsene
Partner Perspectives

The Anatomy of Advanced Persistent Threats

The only way to keep intruders away is to use multiple security mechanisms.

We’ve all heard the acronym APT (advanced persistent threat) for the past couple of years, especially coupled with high profile cyberattacks such as the ones on Sony and Anthem. However, security experts agree that advanced persistent threats are getting more sophisticated with each reported incident.

In 2006, there was only a single reported APT attack; by 2014, the number spiked to over 50 known, documented incidents, according to APTnotes.

A lot has changed from that first reported incident in 2006, when U.S. Air Force Colonel Greg Rattray was cited using the expression “advanced persistent threats” to refer to data-exfiltration Trojans. Nowadays, it has become common practice for cybercriminals to orchestrate covert targeted attacks on government or private institutions, motivated either by a form of activism or good old-fashioned government espionage.

Step-by-Step Approach

Obviously, the first stage of any attack is target acquisition. Depending on the motive behind the attack, the victim could either be a Fortune 500 company or anyone with some information deemed of interest to the attacker(s).

The next step involves footprinting the target to create a blueprint of its IT systems and search for exploitable vulnerabilities to penetrate all defenses. Depending on the target, this process might take some time, as large organizations tend to invest a lot more in security and set up multiple layers of defense. Knowledge is power, and the more insight a cybercriminal gains into a targeted network, the higher the chances of successful covert penetration and malware deployment.

After collecting sufficient information, attackers will usually procure some core malware sample and re-engineer it to suit their purpose. However, for an APT to be successful, it shouldn’t reuse old code, as known code can be spotted by security solutions.

Next, the attackers phish a company employee and try to get him or her to open a malicious attachment or click a crafted URL in the hopes of delivering their payload by exploiting a zero-day vulnerability in a common browser or application such as Adobe, Java, or Microsoft Office.

From that point, it’s a matter of capturing admin privileges or domain credentials and exploring the network from inside to determine high-profile assets and set up permanent (hence the term “persistent”) backdoor users for data exfiltration.

After they have sufficiently expanded their access, attackers typically take a final step that involves covering their tracks to make sure no alarms will go off during a security audit. If all goes according to plan and their actions are not detected, the attackers could use the already established backdoors whenever they choose to covertly access the network again. After all, why would they stop peeking into a network when they’re confident they can’t be detected?

The Rising Threat

If it hasn’t already become clear that APTs are a significant threat, then pick up a newspaper and read about recent cyberattacks that have caused millions, if not hundreds of millions, of dollars in losses. So far, we have been fortunate that most attacks have focused on either gaining sensitive documents or credentials.

The same APT lifecycle could succeed on a nuclear power plant or water treatment and distribution plant. It might have serious consequences that go beyond just the financial. Considering that some new attacks have been reported to be government-sponsored and aimed at collecting intelligence from other nations, there’s bound to be some collateral damage in the form of disrupted power grids or network communications.

With the rise of interconnected devices and the Internet of Things, the possibilities for new attack vectors are endless, as these smart devices are not yet properly regulated either by legislation or by security best practices. It’s estimated that IoT growth will peak in 2015, with enterprise segments gaining momentum and accounting for 46% of device shipments this year.

If these estimates hold, APTs will likely take advantage of vulnerabilities found in technology standards and exploit them to penetrate enterprise networks. Of course, all this is based on the assumption that IT security standards will not see improvements over time and will continue to allow IoT devices to be unmanaged when connected to company networks.

Mitigation

In terms of IoT, attempts are being made at passing laws and regulations to police the massive number of smart devices that hit the market with poor security or privacy mechanisms. The Federal Trade Commission has already issued a new report calling for strong data security and breach notification legislation. There are also sector-specific laws such as HIPAA, which already provides privacy protection for the healthcare system.

Coming up with a single bulletproof solution to protect against APTs is like hoping that one airbag in your car will save all its passengers in a crash. The only way to keep away any intruder is to use multiple security mechanisms, ranging from network traffic introspection to event and log management and endpoint security solutions.

Of course, none of these will guarantee 100% protection, but they will increase the cost of attack and make it harder for burglars to engage in footprinting. Constantly cycling security mechanisms at random intervals will also confuse attackers, as they’ll have to go back to network assessment from scratch. This buys a company valuable time to investigate any anomaly that might have occurred when cybercriminals were assessing the state of the network.
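As an added illustration of the event and log management layer described above (example code written for this page, not Bitdefender’s or the author’s), the following script correlates constructed log lines for two of the lifecycle signals the article mentions: a newly created account being granted a privileged group within a short window (a candidate “backdoor user”), and a bulk outbound transfer outside business hours (candidate exfiltration). The log format, group names, thresholds and business-hours window are all assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not taken from any real system).
# Assumed format: <ISO timestamp> <host> <EVENT> key=value ...
SAMPLE_LOGS = [
    "2015-03-18T01:02:10 dc01 USER_CREATED user=svc_backup by=jsmith",
    "2015-03-18T01:02:35 dc01 GROUP_ADD user=svc_backup group=DomainAdmins by=jsmith",
    "2015-03-18T02:15:00 fw01 OUTBOUND src=10.0.5.12 dst=203.0.113.9 bytes=734003200",
    "2015-03-18T09:00:00 dc01 USER_CREATED user=intern7 by=hr_admin",
    "2015-03-18T10:30:00 fw01 OUTBOUND src=10.0.5.40 dst=198.51.100.4 bytes=20480",
    "2015-03-18T11:00:00 dc01 GROUP_ADD user=intern7 group=Staff by=hr_admin",
]

# Assumed tuning values; a real deployment would derive these from its own baseline.
PRIVILEGED_GROUPS = {"DomainAdmins", "EnterpriseAdmins"}
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024      # 100 MiB
BUSINESS_HOURS = range(7, 20)                 # 07:00 through 19:59
PRIV_WINDOW = timedelta(hours=1)              # create -> privileged add within 1 h

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def detect(lines):
    """Return a list of alerts found by correlating the given log lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])          # correlation needs time order
    alerts = []
    created = {}                                # user -> creation timestamp

    for e in events:
        if e["event"] == "USER_CREATED":
            created[e["user"]] = e["ts"]
        elif e["event"] == "GROUP_ADD" and e["group"] in PRIVILEGED_GROUPS:
            # A brand-new account landing in an admin group is the pattern the
            # article calls a persistent backdoor user; flag it for review.
            t0 = created.get(e["user"])
            if t0 is not None and e["ts"] - t0 <= PRIV_WINDOW:
                alerts.append({"rule": "new_privileged_account", "user": e["user"],
                               "by": e["by"], "ts": e["ts"]})
        elif e["event"] == "OUTBOUND":
            # Large egress at an unusual hour is a cheap first signal of exfiltration.
            nbytes = int(e["bytes"])
            if nbytes >= LARGE_TRANSFER_BYTES and e["ts"].hour not in BUSINESS_HOURS:
                alerts.append({"rule": "offhours_bulk_egress", "src": e["src"],
                               "dst": e["dst"], "bytes": nbytes, "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Neither rule is conclusive on its own; the value is in having the directory-service and firewall layers feed the same correlation so that an analyst sees the privileged-account creation and the off-hours transfer together rather than as two unrelated events.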

Conclusion

APTs will stay in the spotlight, as they have proven highly successful at making a serious mess at Fortune 500 companies. Considering that new U.S. regulations demand that companies work closely with government agencies and report any network or data breaches within 30 days, 2015 will probably be the year with the highest count of advanced persistent threats.

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ...