Incident Response, TDR

Advanced Persistent Threats not so advanced anymore, researchers find


The classic Advanced Persistent Threat (APT) – a moniker traditionally given to months or years-long cyber attacks against specifically targeted organizations – is not so advanced anymore, according to researchers with Imperva.

In a Tuesday report, aptly titled “The Non-Advanced Persistent Threat,” Imperva experts explored how compromising sensitive and confidential data in recent APTs is more efficient and streamlined, as opposed to elaborate, sophisticated and lengthy.

In the study, Imperva researchers focused on how attackers can rather seamlessly escalate privileges in organizations and steal the data from file servers, Microsoft SharePoint, or database servers, all without using zero-day vulnerabilities and other advanced exploits.

Attackers also use techniques such as poisoning the well, a tactic that involves introducing content to a shared folder that forces traffic to a compromised machine, or by being patient and taking advantage of employee mistakes.

“This [report] demonstrates the breadth of the insider threat problem,” Barry Shteiman, director of security strategy with Imperva, told on Tuesday. “[An] example that comes to mind is data governance, where users may hold excessive rights to access data.”

The researchers studied attacks against entities using Microsoft NT LAN Manager (NTLM) authentication protocols – which are in decline, but still widely used – to demonstrate how straightforward it is to create lateral movement within an organization's data center, and escalate privileges, Shteiman said.

“NTLM is not as widely used as it used to be; however, many applications still use NTLM as the default authentication protocol,” Shteiman said. “NTLM is on the decline for a long while, mostly because of the security flaws [that attackers exploit].

Some of those flaws are fairly serious, such as a technique known as pass the hash, an attack that enables authentication to a server without knowing the plaintext password, and a technique known as NTLM Relay, an attack that permits access to resources without the need for valid credentials.

But before attackers go about exploiting the flaws, they gather information via spear phishing emails, according to the report, which explains that the NTLM exploits are then used to establish a backdoor in organizations and help gain access to coveted data.

Part of the solution involves shifting away from NTLM, Shteiman said.

“Microsoft and other vendors have switched to 'Kerberos' and other techniques that have better authentication, and, in some cases, incorporate encryption,” Shteiman said. “That is generally a good idea, but not flawless. As NTLM is phased out, hackers are moving to analyze the current authentication methods and keep finding flaws in those – hence why we encourage monitoring data access regardless of the protocol used.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.