Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/27/2011
04:32 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

An Advanced Persistent Threat Reality Check

Prevention is often futile, so how you manage the aftermath of discovering an intrusion can make all the difference in proper remediation

Most victims of targeted attacks that originate from so-called advanced persistent threat (APT) attackers have been under siege for so long by the time they discover it that forensics investigators can't even trace the original machine that was infected.

The majority of the 120 victim organizations that enlisted the help of Mandiant in the past 18 months were first hit by the targeted attack two years before, according to Kevin Mandia, founder and CEO of Mandiant, which today published its annual report on APT, "MTrends: When Prevention Fails."

And there's the danger of making it harder to track or contain the perpetrators if the victim organization shares its malware sample with its antivirus company too soon. "If you're good at this, you don't share with vendors, only with your industry brethren," Mandia says, like the defense industry typically does. "Malware has a shelf life. If you share it [with too many parties], people take action and it changes the tools of the bad guy."

That's because once a signature is released for a piece of malware, the bad guys quickly reinvent it with a new variant via the backdoors they typically place in the victim organization that keeps their foothold strong. "All you've done by sharing is change the fingerprint and made the problem worse," Mandia says. Their response is just that fast, he says.

At one Fortune 50 company that Mandiant was working with in the wake of a targeted attack, around 100 people gathered one Sunday to remediate the network. But the company's antivirus vendor updated one piece of the malware, which then "destroyed" the remediation drill altogether, Mandia says. "The attackers were responding to the AV update," he says.

Eddie Schwartz, chief security officer at NetWitness, concurs that you shouldn't hand off malware samples until your breach investigation is completed. "Submitting to AV vendors early takes the control of the incident out of your hands because of how the APT operates, commonly activating secondary systems when primary ones are discovered," Schwartz says. And a virus definition update would wipe out the malware you were analyzing, thus requiring you start your investigation all over again.

It's not about preventing a targeted attack from the ATP adversary, which typically hails from various organized groups out of China who are hell-bent on snatching as much information as they can. It's more like a game of chess, where businesses and government agencies have to assume the ATP perpetrators are inside and focus on predicting, detecting, and responding to their moves, according to Mandiant's report.

The biggest shift during the past year is the volume of these attacks and the wider scope of industries being targeted. Mandia says he believes these attacks mostly go under the radar screen; his firm sees only about 2 percent of them. In the past 18 months, 42 percent of these victims were commercial firms, with law firms surprisingly representing 10 percent of that sector. "Law firms are getting absolutely hammered," he says, but no one knows for sure why.

It's possible these firms have become collateral damage from other hacks that resulted in access to the firm's email addresses or other information, according to Mandia. "We haven't seen a pattern" to explain it, he says.

And the initial attack vector for most of the cases Mandiant investigated were either email-borne or from improperly remediated cases where the attackers were still inside even though the victim had thought it had eradicated them.

"We see a number of APT attacks in our work with customers," NetWitness' Schwartz says. "The volume of victims has gone up across the board, as well as the number of platform-independent vectors for exploitation, which is far more worrisome. The public hears about very few of the actual compromises of organizations."

And even more disconcerting is that victim organizations aren't likely to be able to discern everything the victims stole or accessed by APT actors. "We don't see them doing keyword searches, so we can't tell that they are searching for this or that," Mandia says. These attackers typically are cagier about what they are actually after: It appears they are rewarded by the volume of information they grab, he says.

"A real APT never really damages anything. They tweak a log file here and there ... They are stealing stuff, but you still have your copy. You never see them taint it," he says.

Mandiant has witnessed APT attackers stealing PKI credentials and even hacking smartcard readers to grab credentials to various systems.

"We have seen cybercriminals successfully bypass two-factor authentication in banking systems for years. Likewise, a common activity for Zeus is to steal any local PKI certs it finds," NetWitness' Schwartz says. "A great example [is] the Kneber Zeus botnet we reported on in 2010. There also have been multiple pieces of malware in the recent past that have been legitimately signed, which points to the theft and use of software certs: Stuxnet is a great example here."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36388
PUBLISHED: 2021-06-17
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
CVE-2020-36389
PUBLISHED: 2021-06-17
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
CVE-2021-32575
PUBLISHED: 2021-06-17
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.
CVE-2021-33557
PUBLISHED: 2021-06-17
An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.
CVE-2021-23396
PUBLISHED: 2021-06-17
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.