Risk
2/4/2010
11:11 AM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Anatomy Of A Modern Hack

In a just released report, IT security firm MANDIANT painfully breaks down the anatomy of the sophisticated threats targeting businesses and western governments. The company says the study is based on seven years of front-lines breach investigation for the public and private sector. It's worth a look.

In a just released report, IT security firm MANDIANT painfully breaks down the anatomy of the sophisticated threats targeting businesses and western governments. The company says the study is based on seven years of front-lines breach investigation for the public and private sector. It's worth a look.MANDIANT uses the newly vogue term Advanced Persistent Threat (APT) to describe the attacks detailed in the report. The company defines APT as an "orchestrated deployment of sophisticated and perpetual attacks that have systematically compromised computer networks in the public and private sector for years."

Sounds like scary stuff, and it is. According to MANDIANT, these attacks are broken down into seven phases. Paraphrased here: Phase 1, Reconnaissance: Attackers will watch and take notes on who in an organization they need to target, from administrative assistants to executives. Much of this information is gleaned from public Web sites.

Phase 2, The Initial Breach: They will use spear-phishing attacks to send those identified targets an attachment with an exploit that can be used to hijack the target's system. Any personal information the attacker knows about the source will be used to entice the target user to open the attachment.

Phase 3, Get a Network Backdoor: MANDIANT says the attackers will do what they can to get network administrative credentials. And they will also implant malware (that they centrally control) designed to avoid detection. These will be used to gain further access to more of the victim company's infrastructure.

Phase 4, Grab User Credentials: These credentials are used to log-on to end point systems, and siphon data. MANDIANT said the typical victim organization it studied has 40 systems compromised: some had more than 150. Phase 5, install attack utilities: Now the network is being peppered with backdoors, tools to grab passwords, steal emails, and footprint the network. Phase 6, Data Ex-filtration: Continuing to move about the infected network and increasing access rights to more sensitive systems, the attackers are now compressing stolen data - imagine anything from financial data, marketing plans, research and development information - and transferring that information to an external server under the attackers control. Phase 7, Maintain Persistence: The rest is a cat and mouse game: as the organization cleans and updates systems, the attackers establish additional footholds.

MANDIANT's report, M-Trends, gives a fascinating view into the modern attack that enterprises and government agencies face, including detailed, blind case studies. In fact, if you are a small business doing business with big business and the government - you may as well be a target, too.

Anyone interested in IT security should give it a read(registration required). If you are a security manager trying to convince your management how real and sophisticated IT threats are today: the case studies in the report are gold.

APT style attacks are blamed to be behind so-called Operation Aurora. At the time the news broke, I didn't see anything new in the Google attack. I still don't see anything "new" in MANDIANT's report. What we do have are highly-motivated, well trained and funded adversaries using social engineering, attack tools, software flaws, and low-and-slow attack strategies that we've been grappling with for more than a decade now.

But if it takes a flashy new acronym to get peoples' attention focused on the threats we face: APT it is.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio