Risk
2/4/2010
11:11 AM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Anatomy Of A Modern Hack

In a just released report, IT security firm MANDIANT painfully breaks down the anatomy of the sophisticated threats targeting businesses and western governments. The company says the study is based on seven years of front-lines breach investigation for the public and private sector. It's worth a look.

In a just released report, IT security firm MANDIANT painfully breaks down the anatomy of the sophisticated threats targeting businesses and western governments. The company says the study is based on seven years of front-lines breach investigation for the public and private sector. It's worth a look.MANDIANT uses the newly vogue term Advanced Persistent Threat (APT) to describe the attacks detailed in the report. The company defines APT as an "orchestrated deployment of sophisticated and perpetual attacks that have systematically compromised computer networks in the public and private sector for years."

Sounds like scary stuff, and it is. According to MANDIANT, these attacks are broken down into seven phases. Paraphrased here: Phase 1, Reconnaissance: Attackers will watch and take notes on who in an organization they need to target, from administrative assistants to executives. Much of this information is gleaned from public Web sites.

Phase 2, The Initial Breach: They will use spear-phishing attacks to send those identified targets an attachment with an exploit that can be used to hijack the target's system. Any personal information the attacker knows about the source will be used to entice the target user to open the attachment.

Phase 3, Get a Network Backdoor: MANDIANT says the attackers will do what they can to get network administrative credentials. And they will also implant malware (that they centrally control) designed to avoid detection. These will be used to gain further access to more of the victim company's infrastructure.

Phase 4, Grab User Credentials: These credentials are used to log-on to end point systems, and siphon data. MANDIANT said the typical victim organization it studied has 40 systems compromised: some had more than 150. Phase 5, install attack utilities: Now the network is being peppered with backdoors, tools to grab passwords, steal emails, and footprint the network. Phase 6, Data Ex-filtration: Continuing to move about the infected network and increasing access rights to more sensitive systems, the attackers are now compressing stolen data - imagine anything from financial data, marketing plans, research and development information - and transferring that information to an external server under the attackers control. Phase 7, Maintain Persistence: The rest is a cat and mouse game: as the organization cleans and updates systems, the attackers establish additional footholds.

MANDIANT's report, M-Trends, gives a fascinating view into the modern attack that enterprises and government agencies face, including detailed, blind case studies. In fact, if you are a small business doing business with big business and the government - you may as well be a target, too.

Anyone interested in IT security should give it a read(registration required). If you are a security manager trying to convince your management how real and sophisticated IT threats are today: the case studies in the report are gold.

APT style attacks are blamed to be behind so-called Operation Aurora. At the time the news broke, I didn't see anything new in the Google attack. I still don't see anything "new" in MANDIANT's report. What we do have are highly-motivated, well trained and funded adversaries using social engineering, attack tools, software flaws, and low-and-slow attack strategies that we've been grappling with for more than a decade now.

But if it takes a flashy new acronym to get peoples' attention focused on the threats we face: APT it is.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-2356
Published: 2014-07-30
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.

Best of the Web
Dark Reading Radio