The term advanced persistent threat (APT) has been used frequently over the last 18 months, triggered initially by the attack on Google, then refreshed by intrusions into other high-profile companies, including RSA and Lockheed Martin.
These attacks proved that no company is immune, even with cutting-edge security measures in place. But while organizations should understand how APTs work, it is important for them to also remember that they face constant attacks that are not APT-related, mostly by mass malware. With an understanding of both of these attack methods, organizations can more effectively harden their systems and reduce their susceptibility to all attacks, avoiding costly data breaches.
APT refers to a special class of attack, typically by a person or group that has the technical skills to overcome state-of-the-art computer defenses and sufficient monetary resources to continue an attack as long as necessary to achieve the desired goal: gaining access to the private information of a company or organization.
APT-style attackers are capable of using sophisticated methods to breach the target’s network, but as we’ve seen, they often do not have to resort to high-tech methods of intrusion. This happens when their reconnaissance work indicates that the target is vulnerable to a simple, well-known attack, or when they were able to purchase access from a third party such as a botnet vendor.
Nevertheless they are capable of developing or purchasing zero-day vulnerabilities, for which there is no fix available, if a well-defended target makes it necessary. The level of sophistication in this attack phase depends on the anticipated ability of the target’s infrastructure to withstand the available exploits.
APTs usually start their attacks targeting specific individuals inside the organization and often use social engineering techniques, convincing a misled, but otherwise innocent accomplice, to activate an exploit inside the company network. Attackers send emails to a few targets that were identified during the reconnaissance phase. The emails are well-written about a subject that is of interest to the recipient, potentially sent using the name of a known contact. Usually an email attachment carries the exploit code and will trigger a vulnerability when opening the attachment to gain control over the machine.
Well-designed exploits are able to install a customized control program without the target noticing anything different in the operation of the machine.
The installed control program is another piece of varying sophistication adapted to the security technology in place on the target’s machine. Typically, the program will know how to evade common anti-virus solutions by using encoding techniques that make its binary structure unknown. It will have ways to ensure that it will survive a system reboot by registering a restart routine, and will have robust ways of communicating with its command-and-control center. This will happen many times using the encrypted HTTPS protocol, which provides both privacy and stealth to the attacker.
Once the malicious code is safely installed on the machine, the intruder can then use the new control capabilities to decrypt passwords for the local users and investigate the surrounding accessible machines in the network. At this point, the hacker wants to grow laterally, infecting as many machines as possible, gathering more usernames and passwords, and establishing as many footholds in as many departments as possible to gain access to the targeted information. The degree of stealth used in these activities depends again on the results of prior knowledge about the internal monitoring processes and can be quite low, as many companies do not apply the same level of scrutiny on internal network traffic as on external traffic.
But before rushing to implement the latest technology to address APTs, organizations should realize that most attacks are not the result of APTs, but are due to a whole different class of attacker. We are talking about the mass-malware installer that indiscriminately attempts to exploit any machine connected to the internet. This attacker is interested in commanding a large network of machines (a botnet) and using it to generate money. There is an underground market for machines to be used for sending spam, launching DDoS attacks and perpetrating pay-per-install schemes that can be quite lucrative.
Defense against both APTs and mass malware has to be engaged on multiple levels. Machines themselves have to be hardened to withstand simple mass-malware attacks, as a side effect forcing even APT attacks to bring their best game. Hardening means running on the latest patch levels and configuring the operating systems own defenses as tightly as possible.
This type of protection is becoming more important than ever, as we are faced with an increasingly mobile business user base, which frequently leaves the corporate network and so cannot depend on network security alone anymore. Conversely, network security will have to deploy new monitoring devices that are aware of external malware controller centers, and are capable of baselining existing network traffic and alerting malware attributed deviations.