Advanced Persistent Threats are out there. Beware.

October 31, 2014 6:46 am

It’s 9pm and Sarah, a systems administrator at a Fortune 1000 company, is working late again. But tonight is a bit different from her typical stay-late-to-catch-up routine. She has found an unusual process running on the network. After further investigation, she identifies that this unauthorized program is talking to hundreds of computers in the company. Some computers appear to be capturing keystrokes, while others appear to be sending data to a machine in China. She checks anti-virus, NIDS, and other security infrastructure – none have detected this activity. She calls the company’s security team and escalates to her manager. Company systems are clearly compromised and data exfiltration is underway.

Final data forensics reveal that the company was compromised for more than 24 months prior to Sarah’s discovery. The firm fell victim to a sophisticated attack known as an Advanced Persistent Threat, or “APT.” Despite what news headlines may indicate, these types of attacks are not just targeted at large retailers. Any company with sensitive financial information or intellectual property makes a perfect target.

Who is the threat?

Nation states are the primary developers and executors of APT code, although its use in organized crime is growing at a significant rate (what would Al Capone think?). “Commodity” actors, or hackers for hire, are also in the mix. APT “kits,” often originally developed by nation state employees, are widely available for sale on the black market.

How do APTs penetrate your environment?

We classify the ways APTs penetrate systems by the number of days between a vulnerability being discovered and it being exploited. For example, zero-day exploits take advantage of unknown vulnerabilities in software. The vendor has had zero days to patch the flaw because it was unknown. The vulnerability is essentially discovered on the same day as the APT, day zero. Half-day refers to exploits that take advantage of software vulnerabilities that are known to the vendor but haven’t been patched.

Are these attack strategies effective?

These actors spend significant resources researching popular and company-specific software, as well as supply chain solutions, looking for vulnerabilities that can be exploited for zero-day and half-day attacks. They then weaponize these vulnerabilities as a way to target your company, or sell them on the black market to the highest bidder. Unfortunately, security tools are not programmed to find these exposures – they simply don’t know about them. Attacks using these techniques go undetected for months, giving attackers ample time to fortify their access into your network.

Why are you selected as a target?

There are several reasons:

  • Intellectual property attack: You could have intellectual property that the bad guy is interested in.
  • Technology attack: You could have systems, infrastructure, scope or geographic reach that the bad guy needs in order to execute an infiltration.
  • Launch point: The bad guy could just want to use your network to attack other companies.

The post How Advanced Persistent Threats Happen: On Any Given Evening (Part 1) appeared first on Beyond Bandwidth.