The problem of dealing with targeted attacks

Strategies for mitigating advanced persistent threats are woefully lacking, explains Nick Black, technical director at Trend Micro.

By Nick Black, published April 17, 2013


Targeted attacks or APT-style threats have been gaining much publicity since the watershed year of 2010, when the world first heard about the Stuxnet virus and the Operation Aurora breach of Google by Chinese hackers. Awareness of such threats among security professionals is now pretty high, but unfortunately strategies for mitigating them are in many cases woefully inadequate.

The main problem is that organisations are still too outward focused, unaware that they may already have been hit by a silent, persistent and laser-focused attack. What many people don’t appreciate is that Advanced Persistent Threats (APTs) often do not really contain particularly sophisticated malware – instead it is the social engineering techniques used to make that first all-important incursion which can really be called ‘advanced’.

Individual targets

Cyber criminals today will typically target an individual in an organisation, using information gleaned from social networks and elsewhere to craft an email that appears more convincing. The target is often a senior ranking member of the firm, because there is more publicly available information about such people. Attacks can also begin in the physical world. For example, in the US, cyber gangs left ‘parking tickets’ – on which were printed URLs – on selected car windscreens.

Those recipients who subsequently entered the URLs at their PC, in the hope of paying the fine or complaining about it, would have their machine infiltrated by malware. When the attackers combine a physical-world presence with online attacks they may gain the trust of even the most guarded manager. The malware in question is usually a zero-day threat, i.e. one which has the best chance of evading traditional defences, but it is certainly far from remarkable or sophisticated. Once inside, the bad guys will move laterally in the organisation, jumping from machine to machine in search of an admin password and ultimately the server where the key data resides. It’s all very quiet and carried out over long periods of time in order to stay under the radar.

The biggest mistake IT teams make is viewing the perimeter as an impenetrable wall which, if they focus all their efforts on it, will keep out the bad stuff and ensure the internal network is safe from harm. They certainly need to keep investing in perimeter defences and end-user education, but must nowadays view this layer as porous, because if an attacker spends enough time and money they will eventually get in. The perimeter is a noise filter of sorts, but in reality multiple layers of defence are needed, including around core servers.

Virtual patching is also essential: shielding known vulnerabilities at the network layer is an important step because it will raise an alert when an attacker tries to exploit a known vulnerability in the organisation. Also important are tools to analyse network traffic and sandbox any suspect threats. If there is zero-day malware unique to that attack, then custom defences will need to be crafted to deal with it. In the past your defences didn’t have to be spectacular, just better than the next guy’s, the rationale being that attackers always go for the lowest-hanging fruit. That logic has been turned on its head by cyber gangs laser-focused on your organisation alone.
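The quiet, drawn-out lateral movement described above is exactly what a burst-oriented alert misses, so one of the internal monitoring layers should look at account fan-out over a long window. The following is an added example, not code from the article or from Trend Micro; the authentication events and host names are constructed, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (timestamp, account, destination
# host): one service account hops to a new machine every few days, while the
# other accounts show ordinary single-host activity.
EVENTS = [
    ("2013-03-01 09:12", "svc_backup", "WS-017"),
    ("2013-03-01 09:30", "jsmith", "WS-017"),
    ("2013-03-04 22:41", "svc_backup", "WS-042"),
    ("2013-03-08 23:05", "svc_backup", "FS-01"),
    ("2013-03-12 01:17", "svc_backup", "DB-02"),
    ("2013-03-15 02:10", "svc_backup", "DC-01"),
    ("2013-03-16 08:55", "jsmith", "WS-017"),
    ("2013-03-20 11:00", "mchen", "WS-003"),
    ("2013-03-20 11:05", "mchen", "FS-01"),
]

def parse(events):
    """Turn the textual timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), user, host)
            for ts, user, host in events]

def flag_fanout(events, window_days, min_hosts):
    """Return {account: sorted hosts} for every account that authenticated to
    at least `min_hosts` distinct hosts inside any sliding window of
    `window_days` days. A long window catches slow machine-to-machine hopping
    that never trips a per-day threshold."""
    by_user = defaultdict(list)
    for ts, user, host in parse(events):
        by_user[user].append((ts, host))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            end = start + timedelta(days=window_days)
            hosts = {h for ts, h in rows[i:] if ts < end}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    # The same data, under a short burst rule and a long low-and-slow rule.
    print("24h burst rule  :", flag_fanout(EVENTS, window_days=1, min_hosts=4))
    print("30-day slow rule:", flag_fanout(EVENTS, window_days=30, min_hosts=4))
```

The one-day rule reports nothing, while the thirty-day rule flags svc_backup touching five hosts, which is the pattern worth reviewing against that account's expected behaviour.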

What is an APT?

Advanced persistent threat (APT) is commonly used to refer to cyber threats that utilise a variety of intelligence-gathering techniques to access sensitive information. Recognised attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as a lone hacker, are not usually referred to as an APT, as they rarely have the resources to be both advanced and persistent, even if they are intent on gaining access to, or attacking, a specific target.
