Simply Security - News, Views, and Opinions from Trend Micro

Recognizing traces of an advanced persistent threat

Posted on October 22nd, 2012 in Cybercrime by Simply Security

Where a regular data breach might be compared to a mugging, an APT has more in common with the efforts of a playground bully dedicated to making classmates miserable in any way possible.

The term advanced persistent threats (APTs) gets thrown around frequently, with some experts dismissing it as a cybersecurity marketing buzzword and others warning that such attacks present a danger above and beyond what many may have seen.

Recently, though, many analysts have renewed calls for caution, noting that, while APTs may take less technically sophisticated approaches than certain attacks, they can also be harder to detect and ultimately more damaging than other approaches. An InfoWorld column by Roger Grimes warned of the unique danger of APTs and offered five signs that suggest such an attack may have occurred, while other security commentators have sought to draw attention to the phenomenon in the past several months.

APTs: Emphasis on persistent
Despite the name, APTs do not necessarily rely on particularly “advanced” methods, but rather stand out due to their dedication to finding the most effective method of infiltrating a specific target. Such attacks carefully assess their target and often use an array of physical and digital attack vectors to enter an organization’s IT infrastructure and establish a foothold, according to the National Institute of Standards and Technology definition. The goal of such a threat is to disrupt an organization’s operations, steal its information or undermine its mission.

“The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives,” according to the NIST definition.

In other words, the attack is sustained persistently in a way that fundamentally challenges a specific organization. Where a regular data breach might be compared to a mugging, an APT has more in common with the efforts of a playground bully dedicated to making classmates miserable in any way possible. APTs can be psychological, technological and altogether unpredictable in their methods.

"The difficult thing about APTs is that they exploit employee knowledge gaps, process weaknesses, and technology vulnerabilities in random combinations," Jon Oltsik, Enterprise Strategy Group senior principal analyst, told InformationWeek. "Patient, well-resourced, and highly skilled adversaries take their time to figure out where we are most vulnerable and then use this knowledge as a weapon against us. You could do 99 things right, and the bad guys will find and leverage the one thing you do wrong."

Detecting APTs
According to InfoWorld’s Grimes, APT engineers leave different signs of an attack than ordinary hackers because they tend to approach a company through gradual infiltration rather than blunt force. As a result, they can be hard to spot. CSO Online has noted that more than 90 percent of APT intrusions are not discovered by the victims directly, but rather through third-party notifications. By looking for unexpected patterns or volume of activity in legitimate processes, however, it may be possible to identify an APT, Grimes said.

He pointed to increases in restricted access log-ons late at night, unexpected information flows and unexpected data bundles as three likely signs of an APT attack. Attackers often begin by targeting an authentication database to steal credentials and reuse them, and, since cybercriminals reside in all parts of the world, they may be active at unusual times.

When preparing to move data, APT attackers are likely to bundle it somewhere on a server, a pattern data security professionals might be able to spot by looking for data in unusual places or compression formats, Grimes said. The best indicator, he noted, is the occurrence of unexpected data transfers. He recommended monitoring baseline traffic to help spot aberrations and advocated for monitoring data flows to or from unexpected locations – watching for email logins from a foreign country, for instance.
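As an added example (not code from the article or from Grimes's column), the following script applies three of the signs described above, off-hours logons by restricted-access accounts, logins from an unexpected country, and outbound transfers above a learned baseline, to a few constructed log lines. The log format, the privileged-account list, the expected-country set and the 22:00 to 06:00 off-hours window are all assumptions made for the example.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not from the article): timestamp event user country bytes
SAMPLE_LOG = """\
2012-10-22T09:15:00 logon admin US 0
2012-10-22T02:40:00 logon admin US 0
2012-10-22T10:05:00 logon jdoe US 0
2012-10-22T11:30:00 logon jdoe RU 0
2012-10-22T12:00:00 egress fileserver US 120000
2012-10-22T03:10:00 egress fileserver US 9500000
""".splitlines()

# Constructed baseline: daily outbound volumes (bytes) observed in prior weeks
EGRESS_HISTORY = [100000, 130000, 90000, 150000, 110000, 120000, 140000]
EXPECTED_COUNTRIES = {"US"}   # assumption: where staff normally log in from
PRIVILEGED_USERS = {"admin"}  # assumption: accounts with restricted access
OFF_HOURS = (22, 6)           # assumption: 22:00-06:00 local is outside business hours

def parse_event(line):
    ts, event, user, country, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": user, "country": country, "bytes": int(nbytes)}

def is_off_hours(ts, window=OFF_HOURS):
    start, end = window  # window wraps past midnight
    return ts.hour >= start or ts.hour < end

def baseline_threshold(history, k=3.0):
    """Upper bound for a normal transfer: baseline mean plus k standard deviations."""
    return mean(history) + k * pstdev(history)

def find_apt_indicators(lines, egress_history):
    """Return (indicator, user, detail) tuples for events matching the article's signs."""
    threshold = baseline_threshold(egress_history)
    findings = []
    for ev in map(parse_event, lines):
        if ev["event"] == "logon":
            if ev["user"] in PRIVILEGED_USERS and is_off_hours(ev["ts"]):
                findings.append(("off_hours_privileged_logon", ev["user"], ev["ts"].isoformat()))
            if ev["country"] not in EXPECTED_COUNTRIES:
                findings.append(("unexpected_country_logon", ev["user"], ev["country"]))
        elif ev["event"] == "egress" and ev["bytes"] > threshold:
            findings.append(("egress_above_baseline", ev["user"], ev["bytes"]))
    return findings

if __name__ == "__main__":
    for finding in find_apt_indicators(SAMPLE_LOG, EGRESS_HISTORY):
        print(finding)
```

The baseline here is a simple mean-plus-three-deviations bound; in practice it should be computed per host and per time of day so that a routine nightly backup does not trip the same alert as an exfiltration bundle.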

Widespread backdoor Trojans are another telltale sign of an APT attack, Grimes said, since they enable access to a compromised machine even if a victim’s login credentials change. Such Trojans generally accompany social engineering schemes, which is why an uptick in targeted spear phishing attempts can also be an indicator of an APT attack. If multiple executives are being tricked into opening dangerous attachments, it may be a sign to check for other symptoms of an APT attack, Grimes warned.

A final indicator Grimes identified is the presence of pass-the-hash hacking tools, which help cybercriminals more efficiently crack massive sets of stolen passwords. Hackers often forget to delete such tools, and their presence is strong evidence that an attack may have occurred.

Dealing with an APT attack requires a more fine-tuned awareness than many other security issues because the hackers in question are generally more dedicated to their purpose and more clever in their approaches. According to InformationWeek, the organizations that best handle APTs prepare for incidents by educating employees, limiting access to valuable data and developing response plans.
