Highly Targeted Attacks and the Weakest Links
Here at Trend Micro, we have seen all kinds of cybercrime and digital threats. For the first-ever Cybersecurity Awareness Day in Singapore, one of my colleagues, Richard Sheng, has taken time out to explain what so-called “Advanced Persistent Threats” (a.k.a. APT) are. Singapore is one of the first Asian countries to come up with a strong cybersecurity agenda. As such, advanced persistent threats have captured the interest of its security practitioners.
How Advanced Persistent Threats Typically Work
The term “advanced persistent threats” perhaps helps people grasp how sophisticated an attack can be when it is staged by a group that intends to, and is capable of, targeting a specific organization. Attacks under this umbrella term usually take longer to plan and execute, and use a wider variety of tools, than typical malware attacks, which are relatively uncontrolled and do not discriminate in terms of target.
Staging an attack classified as an advanced persistent threat involves detailed reconnaissance to gather information and to identify weaknesses in a particular target’s systems and infrastructure. To do this, attackers may rely on publicly available information, including data found on the target’s website or in its social networking accounts. This gives them a better idea of who in the company they should target as the attack’s point of entry. The information they gather includes employees’ names and personal details (e.g., email addresses, social networking profiles, etc.) as well as the company’s IT policies, preferred OS, applications, software, and network structure.
Next, the attackers obtain access to the target’s systems through ingenious social engineering ploys. At this point the malware, the actual attack tool, is executed. It then carries out its malicious payload, such as information theft or denial of service (DoS), without being found out. Covering their tracks matters a great deal, because the attackers must stay under the radar until they get what they want (e.g., stolen data, an installed backdoor). The malware they use must also be able to communicate with them, both to receive instructions and to transmit the information or intelligence it collects.
Do Advanced Persistent Threats Really Depart from the Typical Attack Model?
From a security practitioner’s viewpoint, using the term “advanced persistent threats” to describe what we prefer to call “highly targeted attacks” does not help our cause to empower organizations to protect themselves against these threats.
In most cases, highly targeted attacks are indeed persistent, in that they intentionally stay undetected while successfully executing their intended payload, but they are hardly as advanced as the term “advanced persistent threats” suggests. As my colleague Paul Ferguson puts it, “Most of the targeted attacks that work are indeed persistent yet still build upon the usual weak link—the social engineering ploy where a human gets duped.” Take the following as examples:
- Google presented its findings at a security conference last year regarding the Aurora/HYDRAQ attack, revealing that “a Google employee received a link from a person they trusted and instantly clicked on it, sending them to a malicious website, which downloaded malware.”
- RSA revealed in a blog entry that the attackers in the breach suffered by the company sent two different phishing emails to employees, with the subject heading “2011 Recruitment Plan.”
What You Can Do to Prevent, Detect and Clean These Threats
- User Awareness on Security Best Practices and Policies – Create memorable and effective campaigns in-house that instill proper behavior in employees with regard to security.
- Multilayered Protection – Employ a firewall, vulnerability assessment tools/devices, endpoint protection, data loss prevention solutions (since information is often the targeted asset), and network scanning/monitoring (since the attack tool needs to communicate with its owner), ideally with support.
- Patch Management – Stay informed about malware that exploits vulnerabilities, and keep all OSs and applications updated with the latest versions and patches.
- Data Backup – Always back up sensitive information. Administrators are also encouraged to use backup and restore features, or any solution that can restore a compromised machine to a known-good state when needed.
- Malware Infection Remediation – Use a solid security product that cleans up malware traces and reverses system modifications.
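The network-monitoring recommendation above rests on the point made earlier in the post: the attack tool has to call home, and a backdoor that polls its owner on a timer leaves a regular rhythm in proxy or firewall logs that human browsing does not. The following is an added example, not code from the original TrendLabs post, that scores each (client, destination) pair by how regular its inter-request intervals are. The log format (`epoch client_ip dest_host bytes`), the hostnames and the log lines themselves are constructed for illustration; the thresholds are assumptions to be tuned per environment.

```python
"""Flag beacon-like periodic connections in a simplified proxy log.

Added example; the format and sample lines are constructed, not taken
from any real product. A pair of hosts is "beacon-like" when it has
enough requests and the gaps between them barely vary, which is what a
timer-driven callback looks like and what human browsing does not.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts update.example-cdn.test roughly
# every 300 s with small jitter (timer-driven), while its visits to
# news.example.test are irregular, as a person clicking around would be.
SAMPLE_LOG = """\
1300000000 10.0.0.5 update.example-cdn.test 512
1300000012 10.0.0.5 news.example.test 20480
1300000301 10.0.0.5 update.example-cdn.test 498
1300000457 10.0.0.5 news.example.test 15230
1300000599 10.0.0.5 update.example-cdn.test 530
1300000900 10.0.0.5 update.example-cdn.test 505
1300001150 10.0.0.5 news.example.test 30200
1300001199 10.0.0.5 update.example-cdn.test 517
1300001503 10.0.0.5 update.example-cdn.test 501
1300002000 10.0.0.5 news.example.test 18000
1300002345 10.0.0.5 news.example.test 22100
"""


def parse_log(text):
    """Yield (timestamp, client, host, bytes); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_beacons(records, min_hits=5, max_cv=0.1):
    """Return {(client, host): (mean_gap, cv)} for regular-looking pairs.

    cv is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive requests. A fixed sleep interval gives a cv
    near zero; human activity gives a much larger one. min_hits avoids
    judging a pair on one or two coincidental gaps.
    """
    times = defaultdict(list)
    for ts, client, host, _size in records:
        times[(client, host)].append(ts)

    suspicious = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspicious[key] = (avg, cv)
    return suspicious


if __name__ == "__main__":
    for (client, host), (avg, cv) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: every ~{avg:.0f}s, cv={cv:.3f}")
```

On the sample, only the `update.example-cdn.test` pair is reported (gaps of about 300 s, cv below 0.01); the news site, with gaps from 345 s to 850 s, is not. In practice the same scoring is run over a day or more of logs, the destination is then checked against reputation data and the client is pulled for host-side inspection, since a regular interval alone also describes legitimate software updaters.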
Thanks to my colleague Edgardo Diaz, Jr. for additional inputs on the above.
Post from: TrendLabs | Malware Blog – by Trend Micro