Risk
2/4/2010
11:11 AM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Anatomy Of A Modern Hack

In a just released report, IT security firm MANDIANT painfully breaks down the anatomy of the sophisticated threats targeting businesses and western governments. The company says the study is based on seven years of front-lines breach investigation for the public and private sector. It's worth a look.

In a just released report, IT security firm MANDIANT painfully breaks down the anatomy of the sophisticated threats targeting businesses and western governments. The company says the study is based on seven years of front-lines breach investigation for the public and private sector. It's worth a look.MANDIANT uses the newly vogue term Advanced Persistent Threat (APT) to describe the attacks detailed in the report. The company defines APT as an "orchestrated deployment of sophisticated and perpetual attacks that have systematically compromised computer networks in the public and private sector for years."

Sounds like scary stuff, and it is. According to MANDIANT, these attacks are broken down into seven phases. Paraphrased here: Phase 1, Reconnaissance: Attackers will watch and take notes on who in an organization they need to target, from administrative assistants to executives. Much of this information is gleaned from public Web sites.

Phase 2, The Initial Breach: They will use spear-phishing attacks to send those identified targets an attachment with an exploit that can be used to hijack the target's system. Any personal information the attacker knows about the source will be used to entice the target user to open the attachment.

Phase 3, Get a Network Backdoor: MANDIANT says the attackers will do what they can to get network administrative credentials. And they will also implant malware (that they centrally control) designed to avoid detection. These will be used to gain further access to more of the victim company's infrastructure.

Phase 4, Grab User Credentials: These credentials are used to log-on to end point systems, and siphon data. MANDIANT said the typical victim organization it studied has 40 systems compromised: some had more than 150. Phase 5, install attack utilities: Now the network is being peppered with backdoors, tools to grab passwords, steal emails, and footprint the network. Phase 6, Data Ex-filtration: Continuing to move about the infected network and increasing access rights to more sensitive systems, the attackers are now compressing stolen data - imagine anything from financial data, marketing plans, research and development information - and transferring that information to an external server under the attackers control. Phase 7, Maintain Persistence: The rest is a cat and mouse game: as the organization cleans and updates systems, the attackers establish additional footholds.

MANDIANT's report, M-Trends, gives a fascinating view into the modern attack that enterprises and government agencies face, including detailed, blind case studies. In fact, if you are a small business doing business with big business and the government - you may as well be a target, too.

Anyone interested in IT security should give it a read(registration required). If you are a security manager trying to convince your management how real and sophisticated IT threats are today: the case studies in the report are gold.

APT style attacks are blamed to be behind so-called Operation Aurora. At the time the news broke, I didn't see anything new in the Google attack. I still don't see anything "new" in MANDIANT's report. What we do have are highly-motivated, well trained and funded adversaries using social engineering, attack tools, software flaws, and low-and-slow attack strategies that we've been grappling with for more than a decade now.

But if it takes a flashy new acronym to get peoples' attention focused on the threats we face: APT it is.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0235
Published: 2015-01-28
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVE-2015-1375
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.

CVE-2015-1376
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.

CVE-2015-1419
Published: 2015-01-28
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.

CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If youíre a security professional, youíve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.