
News & Commentary

3/18/2015 09:35 AM
Liviu Arsene, Partner Perspectives

The Anatomy of Advanced Persistent Threats

The only way to keep intruders away is to use multiple security mechanisms.

We’ve all heard the acronym APT (advanced persistent threat) for the past couple of years, especially coupled with high profile cyberattacks such as the ones on Sony and Anthem. However, security experts agree that advanced persistent threats are getting more sophisticated with each reported incident.

In 2006, there was only a single reported APT attack; by 2014, the number spiked to over 50 known, documented incidents, according to APTnotes.

A lot has changed since that first reported incident in 2006, when U.S. Air Force Colonel Greg Rattray was cited as using the expression “advanced persistent threats” to refer to data-exfiltration Trojans. Nowadays, it has become common practice for cybercriminals to orchestrate covert targeted attacks on government or private institutions, motivated either by a form of activism or good old-fashioned government espionage.

Step-by-Step Approach

Obviously, the first stage of any attack is target acquisition. Depending on the motive behind the attack, the victim could either be a Fortune 500 company or anyone with some information deemed of interest to the attacker(s).

The next step involves footprinting the target to create a blueprint of its IT systems and search for exploitable vulnerabilities to penetrate all defenses. Depending on the target, this process might take some time, as large organizations tend to invest a lot more in security and set up multiple layers of defense. Knowledge is power, and the more insight a cybercriminal gains into a targeted network, the higher the chances of successful covert penetration and malware deployment.

After collecting sufficient information, attackers will usually procure some core malware sample and re-engineer it to suit their purpose. However, for an APT to be successful, it shouldn’t use old code, as it can be spotted by security solutions.

Next, the attackers phish a company employee and try to get him or her to open a malicious attachment or click a crafted URL in the hopes of delivering their payload by exploiting a zero-day vulnerability in a common browser or application such as Adobe, Java, or Microsoft Office.

From that point, it’s a matter of capturing admin privileges or domain credentials and exploring the network from inside to determine high-profile assets and set up permanent (hence the term “persistent”) backdoor users for data exfiltration.

After they have sufficiently expanded their access, attackers typically take a final step that involves covering their tracks to make sure no alarms will go off during a security audit. If all goes according to plan and their actions are not detected, the attackers could use the already established backdoors whenever they choose to covertly access the network again. After all, why would they stop peeking into a network when they’re confident they can’t be detected?

The Rising Threat

If it hasn’t already become clear that APTs are a significant threat, then pick up a newspaper and read about recent cyberattacks that have caused millions, if not hundreds of millions, of dollars in losses. So far, we have been fortunate that most attacks have focused on either gaining sensitive documents or credentials.

The same APT lifecycle could succeed on a nuclear power plant or water treatment and distribution plant. It might have serious consequences that go beyond just the financial. Considering that some new attacks have been reported to be government-sponsored and aimed at collecting intelligence from other nations, there’s bound to be some collateral damage in the form of disrupted power grids or network communications.

With the rise of interconnected devices and the Internet of Things, the possibilities for new attack vectors are endless, as these smart devices are not yet properly regulated either by legislation or security best practices. While it’s estimated that the growth of IoT will peak in 2015, enterprise segments will gain momentum and account for 46% of device shipments this year.

If these estimates hold, APTs will likely take advantage of vulnerabilities found in technology standards and exploit them to penetrate enterprise networks. Of course, all this is based on the assumption that IT security standards will not see improvements over time and will continue to allow IoT devices to be unmanaged when connected to company networks.

Mitigation

In terms of IoT, attempts are being made at passing laws and regulations to police the massive number of smart devices that hit the market with poor security or privacy mechanisms. The Federal Trade Commission has already issued a new report calling for strong data security and breach notification legislation. There are also sector-specific laws such as HIPAA, which already provides privacy protection for the healthcare system.

Coming up with a single bulletproof solution to protect against APTs is like hoping that one airbag on your car will save all its passengers in a crash. The only way to keep away any intruder is to use multiple security mechanisms that range from introspection of network traffic to events and log management and endpoint security solutions.

Of course, none of these will guarantee 100% protection, but they will increase the cost of attack and make it harder for burglars to engage in footprinting. Constantly cycling security mechanisms at random intervals will also confuse attackers, as they’ll have to go back to network assessment from scratch. This buys a company valuable time to investigate any anomaly that might have occurred when cybercriminals were assessing the state of the network.
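The events and log management the author recommends pays off when events from several sources are correlated against the lifecycle described above (phishing delivery, privilege escalation, backdoor users, covering tracks) rather than judged one at a time. The following is an added example, not code from the article or from Bitdefender; the log format, user names and rule patterns are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events from a mail gateway, a directory service and an
# endpoint agent; hypothetical key=value format chosen for this example only.
SAMPLE_LOGS = """\
2015-03-16T09:02:11 mailgw src=gateway user=jdoe action=attachment_opened file=invoice.docm
2015-03-16T09:04:40 endpoint host=WS-0412 user=jdoe action=process_spawn parent=WINWORD.EXE child=powershell.exe
2015-03-16T11:30:05 dirsvc host=DC01 user=jdoe action=group_add group=Domain_Admins
2015-03-16T23:51:19 dirsvc host=DC01 user=jdoe action=user_create target=svc_backup2
2015-03-17T00:02:03 endpoint host=DC01 user=jdoe action=audit_log_cleared
2015-03-16T10:15:00 dirsvc host=DC01 user=asmith action=group_add group=Helpdesk
"""

# Each lifecycle stage from the article, mapped to the event that evidences it.
STAGE_RULES = {
    "delivery": re.compile(r"action=attachment_opened"),
    "exploitation": re.compile(r"parent=WINWORD\.EXE child=powershell\.exe"),
    "privilege_escalation": re.compile(r"action=group_add group=Domain_Admins"),
    "persistence": re.compile(r"action=user_create"),
    "covering_tracks": re.compile(r"action=audit_log_cleared"),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<rest>.*)$")
USER_RE = re.compile(r"\buser=(\S+)")

def stages_by_user(log_text):
    """Return {user: {stage: [timestamps]}} for events matching a stage rule."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        user_m = USER_RE.search(m["rest"])
        if not user_m:
            continue
        for stage, rule in STAGE_RULES.items():
            if rule.search(m["rest"]):
                hits[user_m.group(1)][stage].append(m["ts"])
    return hits

def suspicious_users(log_text, min_stages=3):
    """Users whose activity spans at least min_stages distinct lifecycle stages.
    One stage alone (e.g. a single group change) is routine; several in sequence are not.
    Stages are returned in order of first occurrence (ISO timestamps sort lexically)."""
    result = {}
    for user, stages in stages_by_user(log_text).items():
        if len(stages) >= min_stages:
            result[user] = sorted(stages, key=lambda s: min(stages[s]))
    return result

if __name__ == "__main__":
    for user, chain in suspicious_users(SAMPLE_LOGS).items():
        print(f"ALERT {user}: {' -> '.join(chain)}")
```

The helpdesk group change by asmith matches no stage and never reaches the alert, which is the point: the threshold keys on breadth across stages, not on any single noisy event.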

Conclusion

APTs will stay in the spotlight, as they have proven highly successful at making a serious mess at Fortune 500 companies. Considering that new U.S. regulations demand companies work closely with government agencies and report any network or data breaches within 30 days, 2015 will probably be the year with the highest count of advanced persistent threats. 

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ...