Tim Wilson
Study: Nation-States Are Primary Drivers Behind APTs

Most enterprises still ineffective in defending themselves from sophisticated attacks, Fortinet report says

Advanced persistent threats are generally created by nation-states and are most frequently used for cyberespionage, according to a new study published Tuesday.

According to FortiGuard Labs' report -- "Threats on the Horizon: The Rise of the Advanced Persistent Threat" -- the APT has become a tool of the trade for government-sponsored intelligence gathering.

"There are only a few groups globally that have the capability, skills, funding and infrastructure to launch an APT," the report states. China, Israel, Russia, and the United States are the most capable, but it is likely that other countries are also at least researching the tactic, if not creating APTs yet, Fortinet says.

While early analysis of APTs -- and even the definition of the term -- touched on a wide range of perpetrators and scenarios for sophisticated attacks, it is now apparent that the level of skill and resources required to create an APT severely limits the number of attackers who could potentially launch them, says Richard Henderson, security strategist at FortiGuard Labs and one of the authors of the report.

"What we're seeing is that these attacks are being used primarily for cyberespionage at the state level," Henderson says. "Nation-states are using them mostly these days as a means of collecting intelligence."

What defines today's APT is its level of sophistication and ability to stay hidden for long periods of time, enabling the attacker to use it as an ongoing tap into the information systems of rival governments or foreign businesses, Henderson says. While early examples, such as Stuxnet, may have been tools of sabotage, today's APTs are more likely to lie quietly and collect data.

"APTs don't have a typical attack pattern," the report says. "Once malware is in place on a target computer, it can lay dormant for months or years at a time. This becomes especially concerning when thinking about APTs from a national infrastructure standpoint. It's very possible that a site, such as a major city power grid, is compromised right now and the malware is just waiting for someone to press a button."

While APTs are, by definition, sophisticated and multilayered, they virtually always begin with a simple compromise, such as a phishing attack or website infection, Henderson observes. Companies reported more than 142 million unsuccessful hacking attempts in the first half of 2013 alone, according to the report; users were tricked into trying to visit a potentially malicious website more than 3.14 billion times.

Yet most enterprises still don't do a very good job of protecting themselves from this type of first-level attack, Henderson says.

"One of the things that surprised me most in the report is how poor companies are in teaching employees how to recognize the signs of an attack," Henderson states. "It is still fairly easy for any attacker to find out who you are and send you a convincing fake message from your boss' boss, telling you to go to a link or access a malicious site."
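The "fake message from your boss' boss" Henderson describes usually arrives with a familiar display name on an unfamiliar address. The check below is an added example, not code from the article or from Fortinet: it parses a From: header, normalizes the display name, and flags a match against a directory of frequently impersonated internal people when the sending address is outside the organisation's domains. The directory, domains and sample headers are constructed for illustration.

```python
"""Display-name impersonation check for inbound mail (added example).

Flags messages whose From: display name matches a known internal executive
while the actual address lives in an external domain. Names, domains and
headers below are constructed; they are not from the article.
"""
from email.utils import parseaddr
import unicodedata

INTERNAL_DOMAINS = {"example.com"}           # constructed: the org's own mail domains
EXECUTIVE_NAMES = {"Jane Doe", "Pat Smith"}  # constructed: display names worth protecting

# Constructed sample From: header values (without the "From:" field name)
SAMPLE_FROM_HEADERS = [
    '"Jane Doe" <jane.doe@example.com>',              # genuine internal sender
    '"Jane Doe" <jane.doe@example-mail.co>',          # lookalike external domain
    '"JANE  DOE" <ceo.office@webmail.example.net>',   # case/whitespace variant, external
    "Pat Smith <pat@example.com>",                    # genuine, unquoted display name
    "Newsletter <news@vendor.example.org>",           # external but no impersonation
]


def normalize_name(name):
    """Casefold, strip accents and collapse whitespace so 'JANE  DOÉ' == 'jane doe'."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def check_from_header(from_value, internal_domains=INTERNAL_DOMAINS, names=EXECUTIVE_NAMES):
    """Return a verdict dict for one From: header value."""
    display, addr = parseaddr(from_value)
    domain = addr.rpartition("@")[2].lower()
    protected = {normalize_name(n) for n in names}
    if normalize_name(display) in protected and domain not in internal_domains:
        return {
            "verdict": "suspicious",
            "reason": "display name matches a protected internal name but address is external",
            "display": display,
            "addr": addr,
        }
    return {"verdict": "ok", "display": display, "addr": addr}


def triage(from_values):
    """Run the check over many header values; returns one verdict per input, in order."""
    return [check_from_header(v) for v in from_values]


if __name__ == "__main__":
    for result in triage(SAMPLE_FROM_HEADERS):
        print(result["verdict"], result["display"], result["addr"])
```

The check only looks at the header the recipient sees; pairing it with SPF/DKIM/DMARC results on the envelope sender catches the case where the attacker forges the internal address itself rather than a lookalike.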

And email is not the only means of infection, Henderson observes. "Watering holes, drive-by downloads, PDF infections -- these are infections that can happen without any action by the user."

Preventing this sort of user-level infection is the first step in defending against APTs, Henderson says, but IT organizations need to step up their games as well. "Companies still aren't making patching a priority," he notes. "They are worried about interrupting business continuity, but they are waiting too long to make their updates."

The recent Citadel infection at NBC.com exploited a vulnerability that had been disclosed just two weeks before, Henderson observes. "In that case, a zero-day wasn't needed," he notes. "The attackers got the advantage just by moving faster than the defenders on a known vulnerability."

The best defense against APTs is to know where your sensitive data is kept and how it moves in and out of the network, Henderson advises. "Encryption is a good first step, but you should know where your data is being moved to, and watch the data leaving your network. A sympathetic insider can do a lot of damage."
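Henderson's advice to "watch the data leaving your network" reduces, in practice, to aggregating outbound flows and alerting on destinations and volumes that do not fit. The script below is an added example, not code from the article or from Fortinet: it parses constructed flow records (timestamp, source, destination, port, bytes out), sums bytes per internal-host/external-destination pair, and reports pairs that either reach an unapproved destination or exceed a volume threshold. The network ranges, allowlist, threshold and log lines are all constructed assumptions.

```python
"""Egress monitoring over constructed flow records (added example).

Aggregates outbound bytes per (internal source, external destination) and
flags unapproved destinations and unusually large transfers. All sample
data, ranges and thresholds are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed sample flow log: timestamp src dst dst_port bytes_out
SAMPLE_FLOWS = """\
2013-08-06T09:01:12Z 10.1.4.22 203.0.113.10 443 18240
2013-08-06T09:01:40Z 10.1.4.22 203.0.113.10 443 21000
2013-08-06T09:02:05Z 10.1.4.31 198.51.100.7 443 1500
2013-08-06T09:03:11Z 10.1.4.22 198.51.100.99 443 524288000
2013-08-06T09:04:00Z 10.1.4.40 192.0.2.55 80 9000
2013-08-06T09:05:30Z 10.1.4.22 10.1.9.5 445 8000000
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # constructed internal range
APPROVED_EGRESS = {"203.0.113.10", "198.51.100.7"}          # constructed allowlist
VOLUME_THRESHOLD_BYTES = 100 * 1024 * 1024                  # 100 MiB per src/dst pair


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def summarize_egress(lines):
    """Sum outbound bytes per (internal src, external dst); internal-to-internal flows are skipped."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)


def find_egress_anomalies(lines, threshold=VOLUME_THRESHOLD_BYTES, approved=APPROVED_EGRESS):
    """Return findings for pairs that hit an unapproved destination or exceed the volume threshold."""
    findings = []
    for (src, dst), total in sorted(summarize_egress(lines).items()):
        reasons = []
        if dst not in approved:
            reasons.append("unapproved destination")
        if total >= threshold:
            reasons.append(f"volume {total} bytes >= {threshold}")
        if reasons:
            findings.append({"src": src, "dst": dst, "bytes": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_egress_anomalies(SAMPLE_FLOWS.splitlines()):
        print(finding)
```

A fixed byte threshold is the simplest baseline; in production the comparison is usually against each host's own historical outbound volume, since a backup server and a workstation have very different normal egress.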

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
