3/18/2015 09:35 AM
Liviu Arsene

The Anatomy of Advanced Persistent Threats

The only way to keep intruders away is to use multiple security mechanisms.

We’ve all heard the acronym APT (advanced persistent threat) for the past couple of years, especially coupled with high profile cyberattacks such as the ones on Sony and Anthem. However, security experts agree that advanced persistent threats are getting more sophisticated with each reported incident.

In 2006, there was only a single reported APT attack; by 2014, the number spiked to over 50 known, documented incidents, according to APTnotes.

A lot has changed from that first reported incident in 2006, when U.S. Air Force Colonel Greg Rattray was cited as using the expression “advanced persistent threats” to refer to data-exfiltration Trojans. Nowadays, it has become common practice for cybercriminals to orchestrate covert targeted attacks on government or private institutions, motivated either by a form of activism or by good old-fashioned government espionage.

Step-by-Step Approach

Obviously, the first stage of any attack is target acquisition. Depending on the motive behind the attack, the victim could either be a Fortune 500 company or anyone with some information deemed of interest to the attacker(s).

The next step involves footprinting the target to create a blueprint of its IT systems and search for exploitable vulnerabilities to penetrate all defenses. Depending on the target, this process might take some time, as large organizations tend to invest a lot more in security and set up multiple layers of defense. Knowledge is power, and the more insight a cybercriminal gains into a targeted network, the higher the chances of successful covert penetration and malware deployment.

After collecting sufficient information, attackers will usually procure some core malware sample and re-engineer it to suit their purpose. However, for an APT to be successful, it shouldn’t use old code, as it can be spotted by security solutions.

Next, the attackers phish a company employee and try to get him or her to open a malicious attachment or click a crafted URL, in the hope of delivering their payload by exploiting a zero-day vulnerability in a common browser or application such as Adobe products, Java, or Microsoft Office.

From that point, it’s a matter of capturing admin privileges or domain credentials and exploring the network from inside to determine high-profile assets and set up permanent (hence the term “persistent”) backdoor users for data exfiltration.

After they have sufficiently expanded their access, attackers typically take a final step that involves covering their tracks to make sure no alarms will go off during a security audit. If all goes according to plan and their actions are not detected, the attackers could use the already established backdoors whenever they choose to covertly access the network again. After all, why would they stop peeking into a network when they’re confident they can’t be detected?

The Rising Threat

If it hasn’t already become clear that APTs are a significant threat, then pick up a newspaper and read about recent cyberattacks that have caused millions, if not hundreds of millions, of dollars in losses. So far, we have been fortunate that most attacks have focused on either gaining sensitive documents or credentials.

The same APT lifecycle could succeed on a nuclear power plant or water treatment and distribution plant. It might have serious consequences that go beyond just the financial. Considering that some new attacks have been reported to be government-sponsored and aimed at collecting intelligence from other nations, there’s bound to be some collateral damage in the form of disrupted power grids or network communications.

With the rise of interconnected devices and the Internet of Things, the possibilities for new attack vectors are endless, as these smart devices are not yet properly regulated either by legislation or by security best practices. IoT growth is estimated to peak in 2015, and the enterprise segment is expected to gain momentum and account for 46% of device shipments this year.

If these estimates hold, APTs will likely take advantage of vulnerabilities found in technology standards and exploit them to penetrate enterprise networks. Of course, all this is based on the assumption that IT security standards will not see improvements over time and will continue to allow IoT devices to be unmanaged when connected to company networks.

Mitigation

In terms of IoT, attempts are being made at passing laws and regulations to police the massive number of smart devices that hit the market with poor security or privacy mechanisms. The Federal Trade Commission has already issued a new report calling for strong data security and breach notification legislation. There are also sector-specific laws such as HIPAA, which already provides privacy protection for the healthcare system.

Coming up with a single bulletproof solution to protect against APTs is like hoping that one airbag on your car will save all its passengers in a crash. The only way to keep away any intruder is to use multiple security mechanisms that range from introspection of network traffic to events and log management and endpoint security solutions.

Of course, none of these will guarantee 100% protection, but they will increase the cost of attack and make it harder for burglars to engage in footprinting. Constantly cycling security mechanisms at random intervals will also confuse attackers, as they’ll have to go back to network assessment from scratch. This buys a company valuable time to investigate any anomaly that might have occurred when cybercriminals were assessing the state of the network.
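The "events and log management" layer mentioned above is where the individual stages of the lifecycle described earlier (a phished document spawning a shell, a freshly created account promoted to an administrative group, an audit log being cleared) can be tied together into one higher-confidence alert rather than several low-severity ones. The following script is an added example, not code from the article or from Bitdefender; its log format, event names, group names and every sample log line are constructed for the demonstration, and a real deployment would map them onto the event IDs of whatever log source it ingests.

```python
"""Added example: correlating lifecycle-stage events from constructed log lines.

Each rule alone is weak evidence; the escalate() step flags an actor that
appears in two or more distinct stages, which is the multi-signal view the
article argues for.  Nothing here is taken from a real product or log source.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <host> <EVENT> key=value ..."
SAMPLE_LOGS = """\
2015-03-18T09:01:10 ws-14 MAIL_ATTACHMENT_OPENED user=jdoe file=invoice.pdf
2015-03-18T09:01:42 ws-14 PROCESS_START user=jdoe parent=reader.exe child=powershell.exe
2015-03-18T09:05:03 ws-14 LOGON user=admin-svc src=ws-14 type=explicit_creds
2015-03-18T09:07:30 dc-01 ACCOUNT_CREATED user=backup_svc by=admin-svc
2015-03-18T09:07:41 dc-01 GROUP_ADD user=backup_svc group=Administrators by=admin-svc
2015-03-18T09:30:12 ws-14 LOG_CLEARED channel=Security by=admin-svc
2015-03-18T11:00:00 dc-01 ACCOUNT_CREATED user=new_hire by=hr-admin
2015-03-18T11:00:20 dc-01 GROUP_ADD user=new_hire group=Users by=hr-admin
"""

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}      # assumed names
DOC_READERS = {"reader.exe", "winword.exe", "excel.exe"}      # assumed names
SHELLS = {"powershell.exe", "cmd.exe"}                        # assumed names
WINDOW = timedelta(minutes=15)   # how far apart two linked events may be


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    attrs: dict


def parse_line(line: str) -> Event:
    """Parse one constructed-format log line into an Event."""
    ts, host, kind, *pairs = line.split()
    attrs = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts), host, kind, attrs)


def parse_logs(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def correlate(events: list) -> list:
    """Return (stage, actor, detail) alerts in chronological order."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    for i, e in enumerate(events):
        # Candidate follow-up events inside the correlation window.
        later = [x for x in events[i + 1:] if x.ts - e.ts <= WINDOW]

        # Stage: phishing document spawning a shell on the same host.
        if e.kind == "MAIL_ATTACHMENT_OPENED":
            for x in later:
                if (x.kind == "PROCESS_START" and x.host == e.host
                        and x.attrs.get("parent") in DOC_READERS
                        and x.attrs.get("child") in SHELLS):
                    alerts.append(("initial_access", x.attrs["user"],
                                   f"{e.attrs['file']} spawned {x.attrs['child']} on {e.host}"))

        # Stage: a new account promoted to a privileged group soon after creation
        # (the "permanent backdoor user" the article describes).
        if e.kind == "ACCOUNT_CREATED":
            for x in later:
                if (x.kind == "GROUP_ADD" and x.attrs.get("user") == e.attrs["user"]
                        and x.attrs.get("group") in PRIVILEGED_GROUPS):
                    alerts.append(("persistence", x.attrs["by"],
                                   f"{e.attrs['user']} created and added to {x.attrs['group']}"))

        # Stage: audit log wiped (covering tracks).
        if e.kind == "LOG_CLEARED":
            alerts.append(("cover_tracks", e.attrs["by"],
                           f"{e.attrs['channel']} log cleared on {e.host}"))
    return alerts


def escalate(alerts: list, min_stages: int = 2) -> dict:
    """Actors seen in >= min_stages distinct lifecycle stages, with those stages."""
    stages_by_actor = {}
    for stage, actor, _ in alerts:
        stages_by_actor.setdefault(actor, set()).add(stage)
    return {a: sorted(s) for a, s in stages_by_actor.items() if len(s) >= min_stages}


if __name__ == "__main__":
    found = correlate(parse_logs(SAMPLE_LOGS))
    for stage, actor, detail in found:
        print(f"[{stage}] actor={actor}: {detail}")
    print("escalated:", escalate(found))
```

In the sample, the benign `new_hire` account (added only to `Users`) produces no alert, while `admin-svc` is escalated because it appears in both the persistence and the cover-tracks stages. The phished user `jdoe` stays at one stage; a fuller implementation would also pivot on host and logon session so the initial-access alert on `ws-14` is linked to the later activity from the same machine.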

Conclusion

APTs will stay in the spotlight, as they have proven highly successful at making a serious mess at Fortune 500 companies. Considering that new U.S. regulations demand companies work closely with government agencies and report any network or data breaches within 30 days, 2015 will probably be the year with the highest count of advanced persistent threats. 

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ...