Cyber House of Horrors: Advanced Persistent Threats

As a rule, hackers are a lazy crowd. Given a choice between a well-protected target and an easy one, they’ll attack the easy one every time. Similarly, they would much rather download a hacking tool off the Dark Web than code one themselves.

Rules, however, are made to be broken – as any hacker would be the first to tell you. Sometimes attackers are far from lazy.

In particular, government-sponsored cyberattack forces and organized crime-driven attacks tend to be well-funded, professionally staffed, and on the cutting edge of technical prowess. Such attackers only go after especially valuable prizes: banking infrastructure or cyberespionage targets, to name the most obvious examples.

The good news: such threats are few and far between. Yet while these threats may be rare, they make up for their infrequency with their appallingly competent abilities. Of all our cyber horrors, these are among the most frightening.

Understanding the Advanced Persistent Threat

The cybersecurity community calls such threats Advanced Persistent Threats, or APTs. They use advanced technology and techniques, often inventing new attack methods for each carefully selected target.

APTs aren’t fishing expeditions the way common phishing or ransomware attacks are, looking for one gullible or vulnerable victim in a sea of more savvy users. On the contrary, these actors typically single out a particular victim, and then build the attack around its weaknesses over time.

In fact, time is another essential characteristic of the APT. This attacker’s technique is one of stealth and patience, rather than the smash-and-grab common among less sophisticated hacks.

APTs generally take a careful, step-by-step approach. First, they introduce malware to an organization, often by a spear phishing attack – but even for air-gapped systems (sensitive systems kept off the network), APTs have more sophisticated techniques, including compromised USB flash drives and other off-network tricks.

Once the malware is present, it moves around the network, looking for further vulnerabilities as it tries to find its way to more valuable targets within the organization.

At some point it ‘phones home’ – in other words, the malware establishes a command and control link back to the attacker, giving the attacker the ability to control or even update the malware.

Eventually the malware – either the original code or, more likely, new custom code the attacker has introduced over time – finds its way to the target system. At that point it’s time for exfiltration: stealing the money, secrets, or other high-value data. Shrewd APTs continue to adjust their malware to extend the infiltration, often for months or even years.

Anatomy of an APT

Among the most frightening APTs known to cybersecurity researchers is ProjectSauron. The threat actor behind ProjectSauron uses the latest cutting-edge techniques, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.

In other words, ProjectSauron is among the most sophisticated malware the cybersecurity community has ever seen. This malware lives entirely in server memory, leaving no trace for normal detection software to identify. It can even infect computers that aren’t connected to a network.

How to Deal with APTs

Your first line of defense: preventing the original infiltration. Good luck with that – if you’re a desirable target, the fact of the matter is your organization has already been compromised. You just may not know it yet.

If prevention won’t work, the next step is detection. Clearly, you can’t deal with a threat unless you can spot the tracks it leaves in your systems. There’s bad news here as well: APTs have been getting better at hiding. Malware files masquerade as benign ones – when there are files at all. Some APTs like ProjectSauron reside entirely in memory.
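One track that even fileless malware tends to leave is the ‘phone home’ traffic described above: a command-and-control link is typically polled at a fixed interval, and that regularity stands out in ordinary proxy or firewall logs. The following is an added example, not code from the original post or from any vendor mentioned here; it implements a simple beaconing heuristic over a constructed set of log lines (the IP addresses and hostnames are made up), flagging any source/destination pair that connects at least a minimum number of times at a near-constant interval.

```python
"""Spotting periodic 'phone home' traffic in outbound connection logs.

Added example (not part of the original post). The log format
('timestamp src_ip dst_host port'), the addresses and the hostnames
are all constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.5.21 contacts one host every ~600 seconds
# (a beaconing pattern), while 10.0.5.40 browses at irregular times.
SAMPLE_LOG = """\
2023-10-01T08:00:02Z 10.0.5.21 cdn-updates.example-badsite.test 443
2023-10-01T08:03:17Z 10.0.5.40 www.example.com 443
2023-10-01T08:10:01Z 10.0.5.21 cdn-updates.example-badsite.test 443
2023-10-01T08:11:45Z 10.0.5.40 news.example.org 443
2023-10-01T08:20:03Z 10.0.5.21 cdn-updates.example-badsite.test 443
2023-10-01T08:29:58Z 10.0.5.21 cdn-updates.example-badsite.test 443
2023-10-01T08:31:10Z 10.0.5.40 www.example.com 443
2023-10-01T08:40:00Z 10.0.5.21 cdn-updates.example-badsite.test 443
2023-10-01T08:41:33Z 10.0.5.40 www.example.com 443
2023-10-01T08:44:02Z 10.0.5.40 www.example.com 443
2023-10-01T08:50:02Z 10.0.5.21 cdn-updates.example-badsite.test 443
2023-10-01T09:25:09Z 10.0.5.40 www.example.com 443
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host) tuples from the log text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2]


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return {(src_ip, dst_host): mean_interval_seconds} for pairs that
    connect at least min_connections times and whose gaps between
    connections vary by less than max_jitter (std dev / mean)."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter < max_jitter:
            beacons[pair] = round(mean)
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: beacon every ~{interval}s")
```

The thresholds are deliberately loose; real command-and-control implants often add randomized sleep jitter, so in practice the `max_jitter` value is tuned per environment, and the output is a lead for an analyst rather than a verdict. Note that the heuristic only needs connection metadata, so it works even when the malware itself never touches disk.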

Once you find the malware (assuming you can), then you’ll want to eradicate it. If detection is a cat-and-mouse game with the attacker, then eradication is an all-out Spy-vs-Spy battle. The best APTs feature malware that continues to change itself while it spreads, effectively acting like an antibiotic-resistant disease.

Perhaps the most important countermeasure is mitigation. Realize that APT malware is likely in your organization, so do what you can to reduce the possible damage. Segmenting your network is an essential mitigation technique, especially application-level crypto-segmentation from a vendor like Certes Networks.

The Intellyx Take

The final step – one that many organizations don’t even consider – is counterattack. After all, when the two parties involved in an APT attack are government organizations, such tit-for-tat is simply part of the world we live in.

But even for enterprises, the best defense is often a good offense. The individuals behind an APT may be difficult to identify, but their organization is easier to uncover than a lone-wolf hacker, as there are only so many serious APTs out there.

Beware, however, of the fact that many counterattack measures may themselves be illegal. In many cases, working with law enforcement is a better option – but taking that route when the perpetrator is, say, a Russian organized crime group may be a fruitless exercise.

If you’re careful, however, there are legal counterattack measures that will at least slow down the attackers, typically by exposing them. APTs require a curtain of secrecy to operate. If you can pull back this curtain, sometimes you can force the cockroaches to scurry.

Join our Webinar, The Cyber House of Horrors: Securing the Expanding Enterprise Attack Surface, with Certes Networks on October 31, 8:00 PDT / 11:00 EDT / 15:00 GMT.

Copyright © Intellyx LLC. Certes Networks is an Intellyx client. Intellyx retains full editorial control over the content of this paper. Image source: Paul van de Velde.
