Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/21/2011
06:25 PM
50%
50%

APT Or Not APT? Discovering Who Is Attacking The Network

Corporate networks face a variety of attacks every day, yet pinpointing the most serious attacks are no easy matter

Oil companies, Internet technology firms, defense contractors, and even computer-security firms have all been targeted by persistent adversaries bent on stealing intellectual property and sensitive business information.

Advanced persistent threats -- a term that's become much maligned since the media locked onto it -- describes attackers that are targeting specific companies and data, rather than searching for vulnerable targets of opportunity. Persistent attackers stole oil field exploration data from ExxonMobil, information on the Joint Strike Fighter from Lockheed Martin and Northrup Grumman, and sensitive data on SecurID tokens from RSA. For many in the industry, the question is no longer if they have been breached, but how deeply, says Richard Bejtlich, chief security officer of Mandiant.

"No one has been able to stop these guys, no one," he says. "They remain a problem for every company with valuable intellectual property."

Separating persistent threats from more opportunistic cybercrime-focused attacks is not easy, but can help inform defense, according to security experts. Block an opportunistic attack and the crisis is averted; block a persistent attacker and they will come back tomorrow, says Toralv Dirro, security strategist for McAfee's Labs in the Europe, Middle Eeast and Africa region.

"If someone is a victim of a targeted attack, there are patterns," Dirro says. "They should really follow up on identifying those patterns."

In many cases, the patterns are not clear. Even "advanced" attackers will only use, for example, the minimum force necessary to compromise a network. In some cases, attackers have rented botnets; in others, they've used standard cybercrime tools.

"It is never a case of, oh, they are using Poison Ivy, so it's APT -- everyone is using Poison Ivy," Mandiant's Bejtlich says. "It really comes down to a lot of analysis to figure out what is going on."

Attacks that link back to specific nations, especially China, could indicate the attack qualifies as an advanced persistent threat, but tracking the origin of attacks is notoriously unreliable. While the United States hosts the lion's share of command-and-control servers used for malicious attack -- both cybercrime and espionage -- most of the attacks are coming from China, says Bejtlich. The company tracks 12 Chinese groups responsible for much of the advanced persistent threat (APT) related attacks.

"The amount of activity you get from all the other people out there is swamped by the stuff coming out of China," he says.

Generally, however, there are some common components, say other security professionals. Advanced persistent threats typically are attacks that use an employee as a beachhead into the network, and then move laterally from computer to computer. Malicious programs that infiltrate a network are likely a sign that the attack is more than mere crimeware, says Anup Ghosh, CEO of browser security firm Invincea.

"They will move laterally, and that is a distinguishing feature," says Ghosh. "They will do internal recon of machines, where a typical banking Trojan will not."

Identifying the entry point -- where an attacker got into a company's network -- is a key aspect of identifying and responding to an advanced attack, says Sean Brady, director in RSA's identity and data protection group. Watching for the telltale signs of reconnaissance is almost impossible, because so much reconnaissance is done on social networks, Internet databases and other sources outside the control of company.

"Think about information that LinkedIn supplies," he says. "You can map a company just by information gained from LinkedIn, and that is not a knock against LinkedIn, that's just the information they provide as a social network."

Instead, companies should focus on employees, Brady says.

The attack against security giant RSA earlier this year, for example, started with two e-mail messages that appeared to carry an attached recruitment plan and ended by reportedly compromising the company's database of cryptographic seeds for its SecurID tokens. The targets of the e-mails were not executives but low-level employees, a tactic that shows that companies have to worry about protecting all potential entry points into their network, RSA stated in a report from an advanced threats working group that convened in July.

"The advanced threat is aimed at a specific targeted point of entry," says Brady."And targeting a specific individual, and the person is almost never the ultimate target."

Educating users and focusing on securing the end user can help both detect and mitigate persistent attacks. An industry confab held by RSA and TechAmerica created a roadmap for dealing with advanced persistent threats. Industry has to get used to a state of compromise, concluded the group in a report released in September. Because attacks have moved away from technology and moved to targeting people, companies that have a good awareness of the security situation will be able to counter advanced threats best.

"Remember, an advance threats always starts with an individual, with people," says Brady. "The best approach is to narrow the impact, and then work on a response plan to keep out the attacks."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.
CVE-2019-3758
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.