Advanced persistent threats (APTs) are more dangerous than ever, says a researcher at Intel-owned security firm...
A study of the March 2013 shutdown of South Korean computer networks at several major broadcasters and banks provided insights into how attackers avoid detection.
“Although APTs tend to re-use malware code and techniques, the advanced encryption and obfuscation methods are different for every attack,” said Ryan Sherstobitoff, senior security researcher at McAfee.
“They obfuscate very heavily to evade detection,” Sherstobitoff told attendees of the McAfee Focus 2013 customer and partner conference in Las Vegas.
But the discovery of an encryption key enabled researchers to link a series of attacks against South Korean targets over a four-year period, culminating in the March 2013 attack.
“Preparation over a long period of time is what enabled the attacker to shut down thousands of computers on a single day,” said Sherstobitoff.
The attacker also went to great lengths to set up two fictitious hacktivist groups to evade identification and create the impression that the various attacks over the four-year period were unrelated.
Read more about APTs
- How context-aware security can improve enterprise APT detection
- Opinion: The APT1 aftermath and information sharing
- Privileged accounts key to most APT attacks, says Cyber-Ark
- AT&T takes APTs seriously
- Conducting APT detection when Elirks, other backdoors hide traffic
- Half of UK networks vulnerable to APTs
- APTs: Are they really a concern for all businesses?
- Hardening the network against targeted APT attacks
Anatomy of an attack
The malware used against commercial and military targets was introduced into the target networks through compromising bulletin board software used by legitimate sites.
“The attacker compromised websites known to be visited by people in the target network; a technique known as water-holing and commonly used in by APT-style attackers,” said Sherstobitoff.
Once the malware was installed on the target network, it searched directories for keywords like “secret” and reported back to command and control servers using encrypted internet relay chat (IRC) channels.
Armed with a snapshot of directories on the target network, the attacker was able to copy only selected files, never generating large volumes of traffic that would trigger alerts.
Although chiefly aimed at military networks in South Korea and documents relating to joint US exercises, the same attack methods are used against commercial organisations, said Sherstobitoff.
Research also indicates that cybercrime and espionage campaigns sponsored by nation states are increasing in number and sophistication.
Sharing threat information
To make the indicators of compromise (IOCs) found in the South Korean research more widely available, McAfee turned to the OpenIOC format for disseminating threat information.
“OpenIOC provides an open source XML-based framework for sharing threat intelligence,” said James Walter, senior manager of security research at McAfee.
By using OpenIOC, he said, organisations using security products that consume that data can automate defence activities based on that data.
Security products from multiple suppliers are designed to consume OpenIOC data, including McAfee’s host intrusion prevention system and network security platform, said Walter.
Counter APT measures
At a separate news conference, Phil Ferraro, chief information security officer of the Sands hotel group, said leading-edge technologies capable of learning and taking action are vital in defending against APTs.
A former US federal government CISO, Ferraro said APTs demand that organisations have the capacity to keep up to speed with the latest attack methods and detection evasion capabilities.
“No one is immune from APTs because they go after all industries,” he said. “Tapping into threat intelligence is crucial to learn how attackers are likely to come at you.”
According to Malcolm Harkins, chief privacy officer at Intel, it is important to know what attackers are likely to target and how they are likely to attempt to access it.
“The ‘what’ and ‘how’ are more important than the ‘who’ because they can be used to formulate defence strategies,” he said.
Budget, technologies and partners
Ferraro said the most effective way for information security professionals to get budget for the technology they need is to tell the board how such an attack could impact the business.
“Tell the board how a breach could cause damage to the reputation of the brand and adversely affect share value,” he said.
But Harkins said dealing with APTs is not a simple as plugging in a network appliance, isolating networks or conducting awareness training.
“There is no silver bullet; it requires an integrated set of overlapping technologies that can learn, correlate information across the organisation, identify indicators of compromise and take action,” he said.
Ferraro said organisations also need to look at the security practices of their partners. “Attackers typically go after the weakest point, which may be a business partner,” he said.
Dangers of consumerisation
Consumerisation is another typical area of vulnerability, he said, as employees increasingly use their own devices for work purposes and organisations open up bring your own device (BYOD) programmes.
“I have always ensured that I have a mobile device management system in place that provides an encrypted container to separate personal from business activities on the device,” Ferraro said.
This approach, said Ferraro, enables employees to use the device as they please, but the business retains the capability to set stringent access requirements and wipe corporate data if necessary.