When APTs Attack

February 5, 2014 by Patrick Clawson

Countless organizations have fallen prey to cyber attacks - from high profile retailers to enterprises and government agencies. Some attacks have been high profile, like last year's Adobe attack that compromised tens of millions of customer accounts, leading other sites, including Facebook, to force users who may have been compromised to reset their passwords. Others went under the radar, lacking the fantastic numbers to merit a full-scale media exposé.

Like enterprises, government agencies are of course at risk for this sort of attack and exposure too – some would argue they are targeted more frequently. In 2013, the U.S. Department of Energy (DOE) was attacked through an unpatched server and the personally identifying information of its employees was compromised – and that's just one example.

Over the next year, we will certainly see more of these stories. The unfortunate reality is the cyber security landscape is not the same as it once was. No longer are we protecting against a piece of malicious code – we are defending against persistent adversaries. Every company, large or small, and every government agency, community or national, has information that could be of value to a hacker – and if they decide to go after it, chances are good they will find a way to get it.

This is an attack method known as "advanced persistent threats," or APTs, which strategically target those in possession of valuable data or access to that data, and relentlessly attempt to steal it. Frustratingly few victims ever discover the true identity of their attacker. The attacks tend to be professionally organized, sometimes by nation-states, and are highly focused on gaining complete control of networks in order to access the data they are interested in. Though every targeted attack is different, they do tend to follow predictable patterns, and knowing those patterns is crucial for your defense against them.

Predictable Pattern of APTs

First is the discovery portion of the attack. If it were a traditional robbery, you might call this "casing the joint." It might be in the form of a targeted phishing email or a widely broadcast piece of spam – or even striking up conversations with government employees via social media. The idea is to get a picture of the defenses the target is employing and gain initial access to the system.

Next, the adversary moves to stage two: distribute. In this step, the payload is delivered. This payload is typically custom-made for the particular government agency it's targeting, and is designed to be stealthy, stable and at times, sophisticated. The easiest distribution method is through third party applications, like Adobe or Flash, as vulnerabilities in those third party applications so often are left unpatched. They also might be delivered via malicious USBs, if the attacker has physical access, via SQL injection, or any number of other methods.

In stage three, the payload is exploited, or triggered, within the system so that the malware can execute. In some cases, the malware will be self-executing – for example, if executed from a malicious webpage. Other times, it might require a user to open an attachment or malicious link. Oftentimes, attackers will scale their attack, starting at easy-to-exploit (and easy to fix!) vulnerabilities, and scaling up to less common, harder to execute vulnerabilities until they find an opening that gives them the access and control they're looking for.

After access and control of a machine has been gained, the attacker moves on to stage four, where they escalate the attack to additional machines, often with lateral moves, across the network and gain complete control of the system. The payload will connect back to the attacker, often piggybacking legitimate or trusted communications, and will verify that the desired degree of control has been reached without detection.

With control of the system, the attacker will begin to execute their larger mission. Whether they set out to steal data or use the system to leapfrog to a secondary system, such as that of your partner, client, customer or even another government agency, the attacker will now be able to achieve their original end goal without interference.

By the time the attack reaches this final stage, it could have been going on for hours, days or even months. The exact attack payloads, the timeline and the goals change with every attacker and every attack. But the attackers who execute an APT methodology are persistent – hence the name – and if they can get in, they will.

Employ a Targeted Defense

The persistent nature of these adversaries is discouraging to say the least. But that doesn't mean the cause is hopeless. There are a number of steps that government agencies and companies alike can take to reduce risk and minimize the chances that an attacker can be successful.

First, and most importantly, is user education. Your users must know their role in the process and how to recognize common attack methods, including spear phishing, malicious links and malware-infested websites. Make sure that they understand what actions to take if they suspect their machine may have been compromised or they have been the target of such an attack.

Second, work to reduce your exploitable surface area. This starts with patching – particularly third party applications. Ensure your endpoints are managed and secured, preferably with multiple security technologies such as anti-malware, firewalls, anti-phishing and others. And make sure you are running the latest versions of software and operating systems. You could also employ application whitelisting to ensure that only known, safe applications are allowed to execute on the machine.

Finally, watch for attacks. If you're not looking for it, an attack can easily masquerade as legitimate activity. But a watchful IT department can catch suspicious activity before it has a chance to do significant damage. Monitor assets and ensure that activities are logged and analyzed. Watch to ensure users are not added to groups where they do not belong, and look for large or unusual data transfers.
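As an added illustration of the two checks just named (this is example code, not from the article or from Lumension), a small Python pass over a constructed log that flags additions to privileged groups by unapproved actors and transfers far above a user's own baseline; the log format, group names, approved admins and thresholds are all assumed policy values.

```python
import shlex
import statistics
from collections import defaultdict

# Constructed sample log, not from the article: one event per line in an
# assumed simplified "timestamp actor ACTION key=value ..." format.
SAMPLE_LOG = """\
2014-02-03T08:02:11 svc-backup GROUP_ADD user=jdoe group="Domain Admins"
2014-02-03T08:15:40 jdoe XFER dst=10.0.0.5 bytes=120000
2014-02-03T09:01:02 jdoe XFER dst=10.0.0.5 bytes=135000
2014-02-03T09:30:00 jdoe XFER dst=10.0.0.5 bytes=110000
2014-02-03T10:00:00 hr-admin GROUP_ADD user=asmith group="HR Staff"
2014-02-03T22:47:19 jdoe XFER dst=203.0.113.7 bytes=4800000000
"""

# Assumed policy values: which groups are sensitive, who may change them,
# and what counts as a "large or unusual" transfer.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
APPROVED_GROUP_ADMINS = {"hr-admin", "it-admin"}
XFER_SPIKE_FACTOR = 10          # flag a transfer > 10x the user's median so far
XFER_ABSOLUTE_BYTES = 1 << 30   # ...or anything over 1 GiB regardless of history

def parse_event(line):
    """Split one log line into a dict; shlex keeps quoted group names intact."""
    ts, actor, action, *kv = shlex.split(line)
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": ts, "actor": actor, "action": action, **fields}

def analyze(log_text):
    """Return (rule, timestamp, detail) alerts for the two checks the article names."""
    alerts = []
    history = defaultdict(list)  # transfer sizes seen so far, per actor (the baseline)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["action"] == "GROUP_ADD":
            if ev["group"] in PRIVILEGED_GROUPS and ev["actor"] not in APPROVED_GROUP_ADMINS:
                alerts.append(("privileged-group-add", ev["ts"],
                               f'{ev["actor"]} added {ev["user"]} to {ev["group"]}'))
        elif ev["action"] == "XFER":
            size = int(ev["bytes"])
            prior = history[ev["actor"]]
            baseline = statistics.median(prior) if prior else None
            spike = baseline is not None and size > XFER_SPIKE_FACTOR * baseline
            if spike or size > XFER_ABSOLUTE_BYTES:
                alerts.append(("unusual-transfer", ev["ts"],
                               f'{ev["actor"]} sent {size} bytes to {ev["dst"]} '
                               f'(baseline median {baseline})'))
            prior.append(size)
    return alerts

if __name__ == "__main__":
    for rule, ts, detail in analyze(SAMPLE_LOG):
        print(f"[{rule}] {ts} {detail}")
```

On the sample log the pass raises two alerts: the unapproved service account adding a user to Domain Admins, and that same user's late-night multi-gigabyte transfer to an external address, which is many times their daytime baseline.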

Targeted threats are common, but it's surprising how effective basic steps can be at preventing them from affecting your agency. While it's easy to claim that time and budget constraints will limit defense capabilities and practices, the time and budget necessary to clean up after a successful attack is far greater.

Patrick Clawson serves as Chairman and CEO of Lumension, where he is responsible for leading the company's overall strategic direction to drive revenue growth and profitability as well as overseeing the day-to-day operations.

Patrick J. Clawson brings more than 20 years of software industry experience and has a successful track record of running high tech companies. He has extensive experience in both domestic and international sales, marketing, and operations with companies in the information security sector. He is a frequent speaker, publication contributor, and blogger on information security. He may be reached at