It’s a well-known fact that nation states have almost unlimited cyber powers.
Nation states with unlimited military resources, technical know-how and political motivation gave rise to the infamous APT (“Advanced Persistent Threat”), meaning that an adversary with enough resources and motivation has the ability to hack anyone, regardless of their security mechanisms.
While both an APT campaign and a cybercriminal campaign pose significant threats, the underlying motive for the attacks greatly differ. APT campaigns are executed to collect information, to sabotage or perform other politically driven initiatives, whereas cybercriminals are often only after monetary gain. Given that APT has an almost mythical aura in the industry, many individuals assume that such powerful tool would not be directed towards an innocent commercial organization. APT hackers have proven that they can hack into proprietary air-gapped systems, so surely they can bypass any commercial security product. But if APT hackers do focus on SMBs, what can an SMB do to protect themselves?
On one hand we acknowledge the potential menacing threat and on other realize there’s nothing we can do about it. This realization justifies our inaction toward APT and is the reason we do not bother ourselves with it. Much like how we concern ourselves with protecting ourselves from a great white shark, simply because it can “devour” us, yet more people die from bee stings than by shark attacks. We turn a blind eye to the real threat simply because we have a more plausible scapegoat to focus on.
Although APT campaigns have been in strong force since the beginning of 2016, their main penetration vector was not through some highly secretive zero-day backdoor hardware manipulation. In reality, APT campaigns were distributed in many cases through old-fashioned email.
For example, in June, researchers from Palo Alto Networks discovered a targeted attack against an individual working for the Foreign Ministry of Uzbekistan in China. A spear-phishing email was sent to a diplomat bearing an infected word document carrying the well-known NetTraveler Trojan. Then, earlier this year, researchers from the same company identified a cyber-espionage campaign linked to an Iranian hacking group that focused on government and other high-value targets across the world that has been going on for the past nine years. The attacker managed to compromise a Gmail account used by Israeli officials and used it to send emails with malicious Word and PowerPoint files to an Israeli industrial organization. Additionally, similar malicious emails were sent to a US government official.
The list goes on and on. No matter how advance the malware used to target these organizations or individuals, it was still, in many cases, delivered by email. APTs work their down the supply chain to lower level employees, until the find a weak link and exploit it to then get to their intended target. Sophisticated cyber-crime campaigns have used the same method, as in the famous Target breach, that started when a less secure HVAC vendor was breached by a spear phishing email. This then allowed the hackers to utilize a maintenance link the vendor had as a backdoor to Target’s IT system, and, ultimately, their point of sale devices.
In our interconnected world, almost anyone can be used as a “bridge” to access more lucrative targets. But, if an organization maintains strict email security, it will most likely prevent most of the malware from coming in, regardless of the source, motivation and capabilities.
So, how can a SMB prepare for a possible APT attack? The same as it should prepare for its day-to-day threats. The bottom line is the same – take care of your basic security. Make sure the likely threats vectors, such as email, web etc., are covered (driven by cost effective calculation) and that the height of your protective fence is at least as high as your neighbors.