Advanced Persistent Threats not so advanced anymore, researchers find

Researchers learned that specialized skills are no longer needed to carry out APTs.

The classic Advanced Persistent Threat (APT) – a moniker traditionally given to months- or years-long cyber attacks against specifically targeted organizations – is not so advanced anymore, according to researchers with Imperva.

In a Tuesday report, aptly titled “The Non-Advanced Persistent Threat,” Imperva experts explored how compromising sensitive and confidential data in recent APTs is more efficient and streamlined, as opposed to elaborate, sophisticated and lengthy.

In the study, Imperva researchers focused on how attackers can rather seamlessly escalate privileges in organizations and steal the data from file servers, Microsoft SharePoint, or database servers, all without using zero-day vulnerabilities and other advanced exploits.

Attackers also use techniques such as poisoning the well, a tactic that involves introducing content to a shared folder that forces traffic to a compromised machine, or by being patient and taking advantage of employee mistakes.

“This [report] demonstrates the breadth of the insider threat problem,” Barry Shteiman, director of security strategy with Imperva, told SCMagazine.com on Tuesday. “[An] example that comes to mind is data governance, where users may hold excessive rights to access data.”

The researchers studied attacks against entities using Microsoft NT LAN Manager (NTLM) authentication protocols – which are in decline, but still widely used – to demonstrate how straightforward it is to create lateral movement within an organization's data center, and escalate privileges, Shteiman said.

“NTLM is not as widely used as it used to be; however, many applications still use NTLM as the default authentication protocol,” Shteiman said. “NTLM has been on the decline for a long while, mostly because of the security flaws [that attackers exploit].”

Some of those flaws are fairly serious, such as a technique known as pass the hash, an attack that enables authentication to a server without knowing the plaintext password, and a technique known as NTLM Relay, an attack that permits access to resources without the need for valid credentials.

But before attackers go about exploiting the flaws, they gather information via spear phishing emails, according to the report, which explains that the NTLM exploits are then used to establish a backdoor in organizations and help gain access to coveted data.

Part of the solution involves shifting away from NTLM, Shteiman said.

“Microsoft and other vendors have switched to 'Kerberos' and other techniques that have better authentication, and, in some cases, incorporate encryption,” Shteiman said. “That is generally a good idea, but not flawless. As NTLM is phased out, hackers are moving to analyze the current authentication methods and keep finding flaws in those – hence why we encourage monitoring data access regardless of the protocol used.”
