2015 saw a multitude of high-profile data breaches making headlines – from the massive compromises of healthcare vendors Anthem and Premera to hacktivism attacks like Ashley Madison and even major attacks targeting government agencies as was the case with OPM. While these breaches differ in methodology, motivation, and outcomes, the main lesson learned following many of these high-profile breaches is that enterprises are still not implementing effective solutions to actually detect threats or suspicious behavior. We keep witnessing a significant number of companies being compromised by advanced threats, but if we put the power and effort into actual detection and analysis – rather than fighting fires – we can be able to stop these breaches in their tracks.
So why do these incidents continue to happen at record pace? Unfortunately, security awareness and education are lacking to the point that many companies just don’t know when it’s happening to them. Furthermore, many are not practicing defense in depth. From a technological standpoint, most companies are still focused on applying protections at the network layer, often at the expense of deploying new endpoint technologies to bolster and complete defense. When you develop a defense in depth strategy, you need to examine the whole stack, from application to network to endpoint to user, but the endpoint aspect is still very much neglected from an IT security standpoint. And of course – for threats both advanced and otherwise – companies must ensure that they are practicing strong security hygiene and covering the basics of information security.
“APT” vs. Advanced Threats
In many cases, today’s attacks continue to succeed because they are becoming more advanced and developing techniques to circumvent traditional security measures. In my opinion, “APT” is a marketing term that is too commonly thrown around to make certain threats look fancy or highly sophisticated – like Heartbleed, for example. However, there are some real advanced threats that go beyond the typical APT hype; a major example being those capable of conducting intelligence gathering at a wide scale. Today, attackers can gather a lot more information about their victims and use that intelligence to make their attacks increasingly targeted and successful – this is an example of a truly advanced threat. Hackers can better understand the company and its employees through this advanced research, and therefore, they know how to target specific end users and fool them into falling for a scam. It’s not uncommon for today’s phishing emails to look legitimate – many no longer contain obvious red flags like problematic writing or typos throughout.
In my role as Principal Threat Researcher for Digital Guardian, my team works with customers to recognize and avoid sophisticated phishing attacks. Some of these attacks are so well-written and precise that it’s very easy for end users to be fooled. These attacks are more dangerous for a company now as a result.
We’ve seen many of these attacks targeting financial institutions, like banks and credit unions from around the world. Some of the latest attacks against banks are coming from emails that look like remittance advice. These emails are so targeted that they are often addressed to the specific bank manager, notifying them that remittance has arrived and asking the recipient to validate acceptance by opening a document. Then, when the document is opened, it looks real and asks to “enable macros.” Once that command is accepted, the hackers immediately get access to the corporate network.
Another characteristic of today’s more advanced threats is their stealth. More attacks are being seen using techniques to redact information from logs while on the host system. Additionally they can break log systems so no local information is available. They’ll also use encryption a lot – attackers often encrypt what they are exfiltrating and how they communicate. Doing so enables attackers to bypass firewalls and inspections on devices; if companies try to inspect for this activity, the attackers will usually detect it by checking the signatures on the encrypted sessions.
Attackers will also identify and target the networks of administrators within an organization. This way, once they find and compromise an admin who has access to the environment, they use that account information to get details on the company’s infrastructure while masking themselves as that user. They will use the same credentials and demonstrate the same activity/behavior to blend in, all the while stealthily stealing sensitive data.
While attacks are growing in their abilities to trick victims and evade detection, most attacks today still use off-the-shelf exploit kits, or those commonly sold on the black market/deep web. In the more advanced cases, these exploit kits are often modified or updated with new features to better mask their activity and avoid detection. A recent example of this can be seen with the Android.Bankosy Trojan, which was discovered in 2014 but was just updated to intercept voice calls to steal single use passcodes used for two-factor authentication (the very solution put in place at many banks to defend against account hijacking attacks). In fact, some of the biggest attacks going on today are a combination of a handful of updated exploit kits – Neutrino, Dridex and others born from original off-the-shelf kits. Most attackers today won’t develop their own new technologies or exploit kits, so to save time and efforts, they’ll use one that’s readily available and customize as needed.
Defending Against Increasingly Advanced Threats
These are highly common examples of targeted attacks being carried out today and how easy it can be for companies to fall victim. Of course, there are also common security mistakes that can make attacks more likely to succeed, such as:
- Not investing in the right areas of detection.
- Not having enough operational procedures or the right resources to back the proper level of detection. For example, if Sony Pictures had an operational team in place responsible for continuous monitoring, then they would have seen the massive amount of data leaving the corporate environment.
- Being flooded with too much information, while not being able to manage or have the right, qualified people to understand what they’re looking at.
- Not having a proper operational environment.
- Not understanding or not having visibility into their most critical assets. If there’s data you don’t have to monitor or protect, you can invest less time in securing those assets compared to the information that is critical to a company’s success and reputation. You should be investing your time guarding the crown jewels, and doing so properly.
Getting the security basics right remains critically important as well. In my opinion, there’s too much focus on zero-day when most of IT still can’t manage to control one-hundred-day vulnerabilities. Senior management is urged to invest in zero-day defenses, but the real trouble is in managing day-to-day operations. For example, companies struggle to enable patch management and update machines, which becomes part of operational security. Businesses then end up having IT security teams spend far too much time on things they shouldn’t, and it’s a quick path to being vulnerable as a company.
The best way to prevent advanced threats isn’t technology, but rather, end user education and training. Organizations should continuously and proactively train users to be aware of their environment – whether by identifying suspicious activity or detecting malicious links or emails. Traditionally, IT departments rely heavily on users notifying them of problems on their machines or when something bad is happening. The user is the biggest source of information for corporate IT security, acting as on-the-ground intelligence into what’s really going on in the environment.
From a technological standpoint, there are solutions that can add a lot of value to your advanced threat defenses. Endpoint security should be prioritized to properly detect and prevent advanced threats, since endpoints (and the users that operate them) are often the first target in an attack. Having visibility and control at the endpoint allows IT teams to detect potential attacks based on user and device behavior and new mechanics. Network devices are a good start, but there is only so much you can do without breaking workflows when analyzing some of the encryption support network technologies have.
Lastly, organizations should build better reporting and detection solutions – like a SIEM or a type of event aggregation solution that can correlate events and detect patterns that are not typical of normal operation. By looking for a change in traffic or if machines are behaving unusually, IT teams will be able to detect when an organization is being targeted before the damage is done.
While it can be easy to dismiss APTs as marketing hype, as security professionals we should remember that there are many examples of advanced threats operating in the wild – threats that require addressing with new methods in order to be secure in today's environment.