Vulnerabilities / Threats
9/14/2011
12:42 PM

Social Engineering Leads APT Attack Vectors

Combat advanced persistent threats with more adaptive user training and by acknowledging that networks today exist in a state of constant compromise, say experts.

The number-one advanced persistent threat (APT) attack vector is now not technology, but social engineering. Furthermore, security is no longer about trying to keep all intruders outside of the network perimeter, but rather acknowledging that security today involves living in a state of constant compromise.

Those are some key findings that came out of a summit held in Washington last week by RSA, the security division of EMC, together with TechAmerica, a technology trade association. The summit involved about 100 "C-level" managers--CIOs, CTOs, and a few CEOs--plus senior lawyers, all drawn from large, well-known businesses and government agencies, who gathered to discuss the best way to combat APTs.

"It wasn't some vendor-driven thing," said Eddie Schwartz, CSO of RSA, in an interview. Rather, he said, it was aimed at updating current approaches to security, in light of the types of advanced--and oftentimes, persistent and hard-to-detect--threats that have successfully exploited numerous organizations, including RSA.

One of the summit's major findings is that social engineering attacks are now the primary threat vector used to compromise businesses and government agencies. But as employees have become much more of a risk, what hasn't changed, said Schwartz, is "the degree to which anything had been done about it, or investments shifted, or program emphasis shifted, versus just spending money on perimeter security technologies."

Another interesting finding from the summit was that many businesses and government agencies said that while pursuing a "zero breach tolerance" approach was nice in theory, it's now unrealistic. "A more realistic [approach] would be accepting the fact that you live in a world of compromise, and understanding that you have to work in that world, and work in a mode of triage, instead of constantly trying to push back hordes at the gate," said Schwartz.

One driver for that more pragmatic worldview has been the emergence of targeted malware that is, in some cases, just hours old. Combating this type of APT can be incredibly difficult, because all it takes is one employee to open a seemingly innocuous--yet really malicious--attachment, and the business can be compromised.

Attackers' ability to hit big businesses and government agencies with never-before-seen malware implies that attackers often benefit from significant resources. "This increased agility on the part of attackers shows a very high level of resources available to them, where they can have people who are very responsive to the defenses of large organization ... and be able to work around those organizations on a case by case basis," said Schwartz. "So they're highly focused, and very agile to what the target is trying to do to defend itself."

What can be done to deal with these types of attacks? Given the threat posed by social engineering, Schwartz said that one of the more innovative--and adaptive--approaches described was wargaming, in which employees face real-world tests, such as their ability to avoid a spear-phishing attack. Fail the test, and they're called into a room to see, as a group, what the consequences of that attack would have been--both for them, and their employer.

Another strategy that could help organizations better resist APTs would be some form of information sharing, such as crowdsourcing attack data. "Today's attackers are better at real-time intelligence sharing than we, the targets, are. In other words, they're better at gathering open source intelligence about us, organizing the data, and collaborating with each other, than we are at defending ourselves," said Schwartz.

Unfortunately, sharing information between defenders faces numerous hurdles, including the need for indemnification against liability, some sort of underlying technical infrastructure, as well as the current lack of "a standard set of nouns, verbs, and adjectives" to describe security attacks, said Schwartz. "Really, there aren't these types of lexicons today for communicating at machine speed about these types of problems."


Comments
JuneSanchez (User Rank: Apprentice)
10/8/2011 | 8:16:06 PM
re: Social Engineering Leads APT Attack Vectors
Great article. After watching the social engineering experts from IOActive, Mike Ridpath (@ridpath) and Matias Brutti (@freedomcoder), talk on social engineering, I and a few others within my company are in the process of creating more adaptive user training.
