The Changing Face Of Advanced Persistent Threats

APTs and targeted attacks are becoming more mainstream. Is your enterprise ready?

Critical Infrastructure In The Crosshairs

With its initial targeting of Iran's nuclear research facilities, the Stuxnet virus focused world attention on the dangers of a cyber attack on critical infrastructure. So far, however, damaging attacks on infrastructure are rare. In August 2012, attackers corrupted the hard drives on 30,000 computers at Mideast oil conglomerate Saudi Aramco in an attempt to hinder oil production. Several times in the last three years, attackers have compromised South Korean servers and, after initiating denial-of-service attacks or data exfiltration, deleted data on the systems. While such data wiping is destructive, it falls short of the seriousness of a Stuxnet-type attack, says Symantec's O'Murchu.

"It is easy to write a Trojan to wipe a hard drive -- it's an easy way for people to make noise -- and that activity could continue in the future," he says. "More targeted attacks like what we saw with Stuxnet are unlikely, however, unless something political is going on, like a war." Still, energy utilities and industrial control systems are so vulnerable and slow to plug the flaws in their systems that attackers will likely test their capabilities against them, says Kaspersky's Baumgartner. Already, researchers have pointed out serious vulnerabilities in these systems -- and the Shodan Internet port-scanning database has revealed how often those systems are connected to the Internet.

"Because critical infrastructure around the world is widely thought to be lagging a decade behind in security practices, there seems to be much more future risk there," Baumgartner says. "The [industrial control system] space is currently a strong attraction for some of the same attackers finding new motivations and some new attackers altogether."

Industrial control systems often can't be easily fixed, says Andrew Ginter, VP for Waterfall Security Solutions, a maker of unidirectional gateways for industrial networks. While business networks must adapt to aggressive change, utility and industrial-control networks are focused on stability, and that's a problem in responding to attacks. "How do you manage a reliability-critical network for a multibillion asset?" Ginter says. "You focus on engineering change control; every change is a threat to safety, so the first question that people ask on a network like that is, 'How likely is it that this change will kill an employee?'"

Faster, Stealthier Exploitation

Expect attackers to be stealthier and better prepared, and for them to focus on improving their automation and analysis capabilities, so they can monitor network traffic and build a better model of network weaknesses to find the valuable information in the network, says Vann Abernethy, senior product manager for DDoS mitigation firm NSFocus. "If you are a cyber defender, the guy who is attacking you probably knows more about your defenses than you do," Abernethy says.

The groups behind targeted attacks will be faster to turn vulnerabilities -- whether zero-day flaws or just unpatched software issues -- into live exploits. Researchers at security consultancy and testing firm NSS Labs, for example, detected attacks on the recent Android "master key" vulnerability (CVE-2013-4787) within days of the public report of the software flaw, says Frank Artes, the firm's research VP. The company has also seen growing innovation in exfiltrating data. For instance, some new exploits put stolen data in the padding used to fill out the packets in common communications protocols.

"We have seen extreme advances in getting exfiltrated data out," Artes says. "We are seeing really talented stuff. Complete violations of the RFCs, but at the same rate, brilliant."

While security firms often talk about an arms race between attackers and defenders, APTs sometimes give the attackers an edge, making targeted attacks hard to detect and even harder to stop. However, attribution of attackers will become more reliable as companies and nations gather more intelligence on the actors and agencies involved, says CrowdStrike's Alperovitch.

"They say you have to be 100% right all the time on defense, and the attackers only have to be right once," he says. "But for attribution, it's the reverse." He adds that a focus on fallible human adversaries, rather than just the technologies they create, will eventually give defenders a leg up.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5