When APTs Attack
Countless organizations have fallen prey to cyber attacks - from high profile retailers to enterprises and government agencies. Some attacks have been high profile, like last year's Adobe attack that compromised tens of millions of customer accounts, leading to other sites, including Facebook, to force users who may have been compromised to reset their passwords. Others went under the radar, lacking the fantastic numbers to merit a full-scale media exposé.
Like enterprises, government agencies are of course at risk for this sort of attack and exposure too – some would argue they are targeted more frequently. In 2013, the U.S. Department of Energy (DOE) was attacked through an unpatched server and the personally identifying information of its employees was compromised and that's just one example.
What should you learn next?
Over the next year, we will certainly see more of these stories. The unfortunate reality is the cyber security landscape is not the same as it once was. No longer are we protecting against a piece of malicious code – we are defending against persistent adversaries. Every company, large or small, and every government agency, community or national, has information that could be of value to a hacker – and if they decide to go after it, chances are good they will find a way to get it.
This is an attack method known as "advanced persistent threats," or APTs, which strategically target those in possession of valuable data or access to that data, and relentlessly attempt to steal it. Frustratingly small numbers of victims ever discover the true identity of their hacker. The attacks tend to be professionally organized, sometimes by nation-states, and are highly focused on gaining complete control of networks in order to access the data they are interested in. Though every targeted attack is different, they do tend to follow predictable patterns, which is crucial for your defense against them.
Predictable Pattern of APTs
First is the discovery portion of the attack. If it were a traditional robbery, you might call this "casing the joint." It might be in the form of a targeted phishing email or a widely broadcast piece of spam – or even striking up conversations with government employees via social media. The idea is to get a picture of the defenses the target is employing and gain initial access to the system.
Next, the adversary moves to stage two: distribute. In this step, the payload is delivered. This payload is typically custom-made for the particular government agency it's targeting, and is designed to be stealthy, stable and at times, sophisticated. The easiest distribution method is through third party applications, like Adobe or Flash, as vulnerabilities in those third party applications so often are left unpatched. They also might be delivered via malicious USBs, if the attacker has physical access, via SQL injection, or any number of other methods.
In stage three, the payload is exploited, or triggered, within the system so that the malware can execute. In some cases, the malware will be self-executing – for example, if executed from a malicious webpage. Other times, it might require a user to open an attachment or malicious link. Often times, attackers will scale their attack, starting at easy-to-exploit (and easy to fix!) vulnerabilities, and scaling up to less common, harder to execute vulnerabilities until they find an opening that gives them the access and control they're looking for.
After access and control of a machine has been gained, the attacker moves on to stage four, where they escalate the attack to additional machines, often with lateral moves, across the network and gain complete control of the system. The payload will connect back to the attacker, often piggybacking legitimate or trusted communications, and will verify that the desired degree of control has been reached without detection.
With control of the system, the attacker will begin to execute their larger mission. Whether they set out to steal data or use the system to leapfrog to a secondary system, such as that of your partner, client, customer or even another government agency, the attacker will now be able to achieve their original end goal without interference.
By the time the attack reaches this final stage, it could have been going on for hours, days or even months. The exact attack payloads, the timeline and the goals change with every attacker and every attack. But the attackers who execute an APT methodology are persistent – hence the name – and if they can get in, they will.
Employ a Targeted Defense
The persistent nature of these adversaries is discouraging to say the least. But that doesn't mean the cause is hopeless. There are a number of steps that government agencies and companies alike can take to reduce risk and minimize the chances that an attacker can be successful.
First, and most importantly, is user education. Your users must know their role in the process and how to recognize common attack methods, including spear phishing, malicious links and malware-infested websites. Make sure that they understand what actions to take if they suspect their machine may have been compromised or they have been the target of such an attack.
Second, work to reduce your exploitable surface area. This starts with patching – particularly third party applications. Ensure your endpoints are managed and secured, preferably with multiple security technologies such as anti-malware, firewalls, anti-phishing and others. And, make sure you are running the latest versions of software and operating systems. You could also employ application whitelisting to ensure that only known, safe applications are allowed to execute on the machine.
Finally, watch for attacks. If you're not looking for it, an attack can easily masquerade as legitimate activity. But a watchful IT department can catch suspicious activity before it has a chance to do significant damage. Monitor assets and ensure that activities are logged and analyzed. Watch to ensure users are not added to groups where they do not belong, and look for large or unusual data transfers.
Targeted threats are common, but it's surprising how effective basic steps can be at preventing them from affecting your agency. While it's easy to claim that time and budget constraints will limit defense capabilities and practices, the time and budget necessary to clean up after a successful attack is far greater.
Patrick Clawson serves as Chairman and CEO of Lumension, where he is responsible for leading the company's overall strategic direction to drive revenue growth and profitability as well as overseeing the day-today operations.
In this Series
- When APTs Attack
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security