Dissecting an APT attack
New APT cases crop up monthly these days. What can we learn from them?
An advanced persistent threat (APT) attack is a little like a bed bug infestation: If you have one, you can sanitize everything and put protective measures in place, but there's a good chance they'll be back. New APT cases crop up monthly these days. What can we learn from them, and how can we protect ourselves?
Advanced persistent threats could be a misnomer, argues Ron Gula, co-founder and CEO at Tenable Network Security, a Columbia, Md.-based provider of network monitoring. “When APT was first bought out, I pooh-poohed it,” he says. “I said it was no different than The Cuckoo's Egg.” In that book, Cliff Stoll, an astronomer turned systems manager at Lawrence Berkeley National Laboratory, tracked a hacker who penetrated the lab's system via a telephone modem connection in 1986.
Intelligent, persistent intruders have been lodging themselves in victims' networks for years, experts acknowledge. These days, though, their motives are more focused. They are after the target's data – which they can use for political or financial gain – and their techniques are methodological.
They move from reconnaissance (looking for weaknesses) through initial compromise, establishing a foothold, and then privilege escalation. They move laterally through the network, gaining access to more systems, and establish backdoors to ensure that they can get back in later on. At various points along this process, they will steal data from under the administrator's nose.
Attackers can stay in a network for a long time. Twenty years after Stoll stalked his attacker (who turned out to be at a university in Bremen, West Germany), Mandiant (purchased for more than $1 billion by FireEye in December 2013) began stalking another intruder through multiple networks around the world. Seven years later, the New York-based cybersecurity firm published its APT1 report, describing the activities of what it believed was the Chinese People's Liberation Army's Unit 61398. It revealed that the group stayed inside a target's network for a year on average – and sometimes for more than three years.
The attacks typically use targeted spear-phishing emails with malware to gain a foothold in the system, says Mandiant senior consultant John Foscue. “It's 75 percent phishing emails and 25 percent people going to a bad website," he says. "Or someone forgot about a server sitting under a desk somewhere that hasn't been patched in five years.”