Threat Intelligence

What We Learned from APTs in the Current Year

October 30, 2013

Early this year we witnessed major IT firms suffering from data breaches of one kind or another, and they have come out in the open about the breaches as well. A couple of examples are Apple and Twitter. It is going to be costly if enterprises keep playing by the old book of rules: develop and deliver. The threat landscape has changed remarkably, especially with the cloud being the most sought-after form of technology these days. Security threats have evolved markedly from botnets and spyware to advanced malware and APTs. Firms such as Mozilla, Google, Facebook, and many others have realized this simple fact and started bounty programs to detect and prevent security breaches. Attacks have been engineered to steal trade secrets, insider information, authentication credentials, and other personal information from the targeted enterprises.

Gone are the days when an enterprise could be secured by a network-centric approach based on perimeter security. APTs have arrived, and it is all about data now! Hardly ever do we see data-centric security approaches these days. In my previous two articles here, I explained APTs and how to crack their maze. Today, I am going to find out what we can learn from these APT-based attacks and what alternative approaches an enterprise needs to follow to combat them more effectively.

Who Is Attacking Us?

Gone are the days when the cybercriminal was the only kind of attacker the security desk had to fight. These days we have various kinds of attackers other than cybercriminals: hacktivists, governments, individuals, fame-seekers, etc. Hacktivists are the ones who initiate a cyber-war to voice their opinions. Governments, on the other hand, are interested in finding out trade secrets for economic reasons, or even the defense secrets of a particular nation. Fame-seekers are the ones who hack with no monetary motive (and no particular target either) and launch cyber-attacks indiscriminately so they can later boast on social networking sites about their so-called "achievement."

Do You Trust Your Partners?

APTs these days are so sophisticated that, instead of attacking their target directly, they sometimes route the attack via a partner organization in order to find an easier entry point into an organization with strict perimeter security. For example, a multinational company, XYZ Inc., is partnered with a vendor, PQR LLC, for certain tasks. As a partner, PQR LLC would have privileged access to the premises of XYZ Inc. It is easier for an attacker to route the attack via PQR LLC and gain that additional privilege in the early stages of the attack than to attack XYZ Inc. directly.

What Percentage of the Population Do You Cover?

It is an obsolete idea that hackers target "only" nuclear bases. Nowadays the attacks are wide-ranging, and what matters is how much of the world's population uses your products. Why? The reasoning is simple: more people, more victims, and higher profit.

Where Is Your Weakest Link?

Many researchers have repeated the line, "The organization's security is as strong as its weakest link." In most cases where data breaches happened, compromising just one system was enough to get inside the premises, leverage its access levels, and cause considerable damage to the infrastructure. The weakest link can be any of the BYODs, unrestricted access from a home PC, or even a misconfigured Wi-Fi access point.

Did You Check Your Environments Thoroughly?

Most enterprises shy away from regularly scanning and assessing the security of their production environments for fear of disrupting their customer-facing services. Several attacks this year embedded themselves on the servers and then exfiltrated information through them! Checking the production environment as well as the staging environments is critical, so that if any anomalous behavior is found, it can be investigated immediately.

Did You Think of the Bishop's Trap?

Every organization actively safeguards all its servers, its perimeter, and its network, so the attackers evolved targeted attacks like spear phishing into the bishop's trap attack, where they initiate an APT by finding exploitable vulnerabilities on the enterprise's own website. Employees tend to visit their employer's website; that is when they fall into the bishop's trap laid by the attackers.

Are You Aware of the Kill Chain?

The kill chain is nothing but the sequence of events following an APT infection. Enterprise managers may spend a fortune securing the most critical infrastructure while sometimes neglecting the lower-valued assets. In most cases an initial APT infection starts with low-valued assets and then follows a sequence of interactions and actions leading to the critical infrastructure. This shows that APTs are slow and take time to complete the kill chain as designed by the attacker.

These are a few lessons learned from real-world APTs this year. In the following section, let us examine alternative approaches to safeguarding the infrastructure from these kinds of attacks. I agree that we cannot plug all the loopholes existing in the enterprise. But we can reduce the attack surface, making it difficult for an APT to embed itself before causing any infection.

As we have seen in the previous articles on APTs here, the main goal of an APT attack is to exfiltrate data. Traditional concepts such as network IPS, firewalls, and web gateways are weak against APTs because APTs do not target the infrastructure itself, but the data residing within it. Traditional data security models rely on signature-based detection, which is weak against newer attacks whose signatures are not yet present. Even keeping the current settings for signature matching leads to a lot of false positives, which forces security admins to loosen the settings so that legitimate data coming in is not flagged as a false positive. This provides an open door for attacks with new, unknown signatures to go undetected and cause an initial infection. Experts suggest that an effective data-centric security model should consist of multiple layers of implementation. These layers should cover the various aspects surrounding the data, such as the OS, drive volumes, databases, applications, and user endpoints. The security blueprint must also have encryption key management policies, multilevel access controls, and automation built in around the data.


An organization moving to the cloud must look into these key aspects to prevent data theft and to retain maximum control over the data residing in the cloud, so that it can take immediate action in the event of an emergency. These key principles will not interfere with any business operations; in fact, they will provide an increased level of security for the data. It is high time that enterprises give equal importance to end-user security and data security in the current threat landscape to minimize any data breach.


Karthik is a cyber security researcher at Infosec Institute and works for the Cyber Security and Privacy Foundation (a non-profit organization) as a researcher in India. He has a deep interest in information security as a whole, and is particularly interested in VA/PT and in serving the cause of national security.