An Advanced Persistent Threat Reality Check

  /     /     /  
Publicated : 22/11/2024   Category : security


An Advanced Persistent Threat Reality Check


Prevention is often futile, so how you manage the aftermath of discovering an intrusion can make all the difference in proper remediation



Most victims of targeted attacks that originate from so-called advanced persistent threat (APT) attackers have been under siege for so long by the time they discover it that forensics investigators cant even trace the original machine that was infected.
The majority of the 120 victim organizations that enlisted the help of Mandiant in the past 18 months were first hit by the targeted attack two years before, according to Kevin Mandia, founder and CEO of Mandiant, which today published its annual report on APT, MTrends: When Prevention Fails.
And theres the danger of making it harder to track or contain the perpetrators if the victim organization shares its malware sample with its antivirus company too soon. If youre good at this, you dont share with vendors, only with your industry brethren, Mandia says, like the defense industry typically does. Malware has a shelf life. If you share it [with too many parties], people take action and it changes the tools of the bad guy.
Thats because once a signature is released for a piece of malware, the bad guys quickly reinvent it with a new variant via the backdoors they typically place in the victim organization that keeps their foothold strong. All youve done by sharing is change the fingerprint and made the problem worse, Mandia says. Their response is just that fast, he says.
At one Fortune 50 company that Mandiant was working with in the wake of a targeted attack, around 100 people gathered one Sunday to remediate the network. But the companys antivirus vendor updated one piece of the malware, which then destroyed the remediation drill altogether, Mandia says. The attackers were responding to the AV update, he says.
Eddie Schwartz, chief security officer at NetWitness, concurs that you shouldnt hand off malware samples until your breach investigation is completed. Submitting to AV vendors early takes the control of the incident out of your hands because of how the APT operates, commonly activating secondary systems when primary ones are discovered, Schwartz says. And a virus definition update would wipe out the malware you were analyzing, thus requiring you start your investigation all over again.
Its not about preventing a targeted attack from the ATP adversary, which typically hails from various organized groups out of China who are hell-bent on snatching as much information as they can. Its more like a game of chess, where businesses and government agencies have to assume the ATP perpetrators are inside and focus on predicting, detecting, and responding to their moves, according to Mandiants report.
The biggest shift during the past year is the volume of these attacks and the wider scope of industries being targeted. Mandia says he believes these attacks mostly go under the radar screen; his firm sees only about 2 percent of them. In the past 18 months, 42 percent of these victims were commercial firms, with law firms surprisingly representing 10 percent of that sector. Law firms are getting absolutely hammered, he says, but no one knows for sure why.
Its possible these firms have become collateral damage from other hacks that resulted in access to the firms email addresses or other information, according to Mandia. We havent seen a pattern to explain it, he says.
And the initial attack vector for most of the cases Mandiant investigated were either email-borne or from improperly remediated cases where the attackers were still inside even though the victim had thought it had eradicated them.
We see a number of APT attacks in our work with customers, NetWitness Schwartz says. The volume of victims has gone up across the board, as well as the number of platform-independent vectors for exploitation, which is far more worrisome. The public hears about very few of the actual compromises of organizations.
And even more disconcerting is that victim organizations arent likely to be able to discern everything the victims stole or accessed by APT actors. We dont see them doing keyword searches, so we cant tell that they are searching for this or that, Mandia says. These attackers typically are cagier about what they are actually after: It appears they are rewarded by the volume of information they grab, he says.
A real APT never really damages anything. They tweak a log file here and there ... They are stealing stuff, but you still have your copy. You never see them taint it, he says.
Mandiant has witnessed APT attackers stealing PKI credentials and even hacking smartcard readers to grab credentials to various systems.
We have seen cybercriminals successfully bypass two-factor authentication in banking systems for years. Likewise, a common activity for Zeus is to steal any local PKI certs it finds, NetWitness Schwartz says. A great example [is] the Kneber Zeus botnet we reported on in 2010. There also have been multiple pieces of malware in the recent past that have been legitimately signed, which points to the theft and use of software certs: Stuxnet is a great example here.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ New threat discovered: Mobile phone ownership compromised. ◂
Discovered: 23/12/2024
Category: security

▸ Some DLP Products Vulnerable to Security Holes ◂
Discovered: 23/12/2024
Category: security

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
An Advanced Persistent Threat Reality Check