The term “Advanced Persistent Threat” (APT) fills news pages on a regular basis. According to the ISACA APT Awareness Study, 93.6 per cent of respondents consider APTs to be a “very serious threat” to their companies.
However, many “APT” attacks do not really fall under the ‘advanced’ category in terms of the attackers’ sophistication. A very recent exploit combined with phishing or newly registered domains is rather a “low-cost APT”, for which we should probably introduce the new term “LCAPT” or just “LAPT” to distinguish it from genuine APTs.
Genuine APTs usually involve exclusive zero-day exploits, custom-made malware, complicated data exfiltration techniques that bypass corporate IDS/DLP, and a preliminary compromise of several of the victim’s trusted third parties. These attacks are extremely difficult or even impossible to detect. The cyber-mercenaries behind them are not [only] Chinese army officers or Russian teenagers, as many tend to think. They have legal, financial and banking industry experts, psychologists, and even ex-law enforcement officers among them. Business knowledge combined with advanced technical skills, and the ability to fool law enforcement agencies by knowing their working methodologies, make APTs a very serious and costly problem.
Taking a closer look at the APT lifecycle helps to understand how APTs usually start. The very first step is to select the right approach to the appropriate victims inside the targeted company. Hackers perform very thorough due diligence on their victims, carefully selecting those who have the necessary level of access to the data they are looking for. APTs differ from less sophisticated attacks by their very well prepared attack scenarios, which will work in 9 out of 10 cases.
Unfortunately, human psychology cannot be altered solely through security training and awareness; our basic instincts will always dominate our acquired skills. We were recently assisting a medium-sized insurance company that decided to outsource cybersecurity management to a third-party provider, cutting the majority of internal security jobs. Security people received a very well prepared [fake] email from the management about their future placement and dismissal compensation. Everyone, including senior security experts who have been in the industry for a dozen years, clicked on the included link.
Once the victims are properly selected and the attack scenario is ready, it is time to deliver a zero-day exploit to execute arbitrary code on the victim’s machine, install a backdoor and start invisible expansion to other machines in the local network. Unlike existing bug bounties, zero-day exploits can earn researchers potentially hundreds of thousands of dollars. Usually, zero-day development is outsourced to hacking teams specialized in exploit development. The most traded zero-days target vulnerabilities in client-side applications, such as browsers, Adobe Flash and Reader, or MS Office.
One of the most important points is how to deliver the exploit and compromise the victim in such a way that neither the victim nor the corporate security solutions notice anything. Sometimes hackers start loud DDoS attacks or simple large-scale phishing attacks with known attack signatures that flood the corporate SIEM with messages and attract all of the attention. Therefore, if you are admiring how well you have just blocked a large-scale intrusion into your network, be sure to check that it is not a smoke screen hiding an APT.
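The smoke-screen problem above is, at the console, a triage problem: a queue sorted by alert volume is exactly what the noise is built to fill. The following is an added example (not code from the original article) showing one way to handle it: collapse the known-signature flood into a single incident and escalate the rare alerts that fired while the flood was running. The alert lines, field names and signature names are constructed for the illustration and do not correspond to any particular SIEM or ruleset.

```python
from collections import Counter
from datetime import datetime

# Constructed sample alerts, not real SIEM output. One record per line:
#   <ISO 8601 timestamp> sig=<signature name> src=<ip> dst=<ip>
# The flood: 200 scan alerts in a little over three minutes, the known-
# signature noise the article describes. Buried in the middle of it: one
# outbound connection from a workstation to a host nobody has seen before.
FLOOD = [
    f"2015-06-01T10:{i // 60:02d}:{i % 60:02d}Z sig=ET_SCAN_Nmap_SYN "
    f"src=203.0.113.{(i % 50) + 1} dst=10.0.0.1"
    for i in range(200)
]
BEACON = "2015-06-01T10:01:37Z sig=TLS_to_new_domain src=10.0.5.23 dst=198.51.100.77"
# A low-volume alert well after the flood ended; nothing is hiding it.
LATER = "2015-06-01T11:30:00Z sig=ET_POLICY_Cloud_Upload src=10.0.5.9 dst=198.51.100.5"
SAMPLE_ALERTS = FLOOD[:100] + [BEACON] + FLOOD[100:] + [LATER]


def parse_alert(line):
    """Turn one text record into a dict with a datetime under 'ts'."""
    ts_text, *pairs = line.split()
    alert = dict(pair.split("=", 1) for pair in pairs)
    alert["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return alert


def triage(lines, flood_threshold=50, rare_threshold=3):
    """Split alerts into (flood_summary, escalate).

    flood_summary: {signature: count} for every signature that fired at
        least flood_threshold times. Each is one incident, not N tickets.
    escalate: the alerts whose signature fired fewer than rare_threshold
        times between the first and last flood alert. In a queue sorted by
        volume these sit under the noise, which is the attacker's aim.
    """
    alerts = [parse_alert(line) for line in lines]
    counts = Counter(a["sig"] for a in alerts)
    flood_sigs = {sig for sig, n in counts.items() if n >= flood_threshold}
    flood_times = [a["ts"] for a in alerts if a["sig"] in flood_sigs]
    escalate = []
    if flood_times:
        start, end = min(flood_times), max(flood_times)
        escalate = [
            a for a in alerts
            if counts[a["sig"]] < rare_threshold and start <= a["ts"] <= end
        ]
    return {sig: counts[sig] for sig in flood_sigs}, escalate


if __name__ == "__main__":
    flood, escalate = triage(SAMPLE_ALERTS)
    for sig, n in flood.items():
        print(f"flood: {sig} x{n} (one incident)")
    for a in escalate:
        print(f"escalate: {a['ts']:%H:%M:%S} {a['sig']} {a['src']} -> {a['dst']}")
```

Run as-is, the 200 scan alerts become one line and the single beacon to 198.51.100.77 is the only escalation; the later cloud-upload alert is outside the flood window and is left to normal handling. The thresholds are deliberately simple; in practice the "rare" test would be per source host and per day rather than a flat count.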
Usually, the exploit is delivered as an email attachment or as a link to a website. Email attachments are used less and less in APTs; hackers would rather send a legitimate URL which the victim will trust blindly and unquestioningly, such as a link to your own corporate website.
These days, companies have a great choice of advanced cybersecurity solutions to prevent, monitor and block network intrusions. According to the PricewaterhouseCoopers Global State of Information Security® Survey 2015, 49 per cent of respondents spend money on specialized solutions to prevent and block APTs. However, once a C-level manager has been blocked from his daily work by a false-positive intrusion alert, all of these solutions are often switched to silent monitoring mode. For the majority of top-level managers, current business needs are much more important than potential security risks that they may theoretically face in the future.
Sometimes attackers will not deliver their payload at the first click; they would rather first confirm that the victim is using the “right” browser and OS version, and then deliver the exploit with a second email and link.
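A “legitimate URL to your corporate website” can still hand the victim to the attacker if the site has a redirect that trusts its parameter. The article does not name the flaw; an open redirect is one common case, and the example below is added here for illustration rather than taken from the article or from High-Tech Bridge. The host name, the /login handler and the next= parameter are assumptions. It shows the vulnerable handler beside a hardened one and resolves a phishing link through both, including the bypasses (scheme-relative, triple-slash, backslash and userinfo@host forms) that a naive host check misses.

```python
from urllib.parse import parse_qs, urlparse

# Assumed corporate host for the example; the article names none.
CORPORATE_HOST = "www.example.com"


def redirect_vulnerable(next_param):
    """'Before': the login page sends the browser wherever next= says.

    A link such as https://www.example.com/login?next=//203.0.113.10/update
    shows the victim (and the mail gateway) the corporate domain, yet lands
    on the attacker's host, where the fingerprinting page or the exploit
    itself is served.
    """
    return next_param


def redirect_hardened(next_param):
    """'After': only local paths or absolute https URLs on our own host.

    Everything else collapses to the site root.
    """
    parsed = urlparse(next_param)
    if parsed.scheme or parsed.netloc:
        # Absolute URL. This branch also catches '//host/...', which parses
        # with an empty scheme but a netloc, and 'https://www.example.com@evil/',
        # whose netloc is the whole 'userinfo@host' string, not our host.
        if parsed.scheme == "https" and parsed.netloc.lower() == CORPORATE_HOST:
            return next_param
        return "/"
    # Relative target. urlparse leaves '///host' as a pure path, but browsers
    # collapse the extra slashes and treat it as '//host', so require exactly
    # one leading slash. Backslashes are normalised to '/' by browsers, so
    # '/\evil' would become '//evil'; forbid them too.
    if not next_param.startswith("/") or next_param.startswith("//") or "\\" in next_param:
        return "/"
    return next_param


def resolve_click(link, handler):
    """Simulate the server side of a click: pull next= out of the corporate
    link the victim received and apply the given redirect handler. Returns
    the location the browser would be sent to."""
    params = parse_qs(urlparse(link).query)
    return handler(params.get("next", ["/"])[0])


if __name__ == "__main__":
    # Constructed phishing link: corporate host in front, attacker host in next=.
    phish = "https://www.example.com/login?next=//203.0.113.10/update"
    print("vulnerable ->", resolve_click(phish, redirect_vulnerable))
    print("hardened   ->", resolve_click(phish, redirect_hardened))
```

The hardened version is an allow-list, not a block-list: it does not try to enumerate bad hosts, it names the one host that is acceptable and treats every parsing ambiguity as a reason to fall back to the root. Reflected XSS, subdomain takeover and similar flaws on a trusted domain give the attacker the same trusted-looking link, which is why the site itself belongs in the audit scope.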
A tiny vulnerability in your corporate website or one of its subdomains may ruin all the efforts you make to protect your company from APTs. Therefore, when planning your annual cybersecurity budget, do not forget regular website security audits; otherwise all other spending may suddenly become useless.
Ilia Kolochenko, High-Tech Bridge
High-Tech Bridge is on the Online Trust Alliance (OTA) Online Trust Honor Roll for demonstrating exceptional data protection, privacy and security in an effort to better protect its customers and brand.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.