Targeted, Skilled Attacks Shaped 2010 Threats

Published: 22/11/2024   Category: security




While high-profile breaches like that of Google and the Stuxnet worm served as a wake-up call for many organizations, attackers continue to mow through enterprise systems and networks.



Even with the intense investigations and research in the wake of targeted attacks against Google, Adobe, Intel, and more than 20 other U.S. firms, then later this year with the Stuxnet worm, little progress has been made in thwarting or decreasing highly targeted attacks, including so-called advanced persistent threat (APT) attacks.
The Operation Aurora attacks, which appeared to have originated out of China, as well as the Stuxnet worm, which was aimed at disrupting Iran's nuclear facilities by sabotaging its PLC equipment, were indeed game-changers this year. Google's public disclosure that it had been attacked and its intellectual property stolen was unprecedented in the emerging age of customer data breach disclosures. And Stuxnet appeared to be the work of a well-oiled machine made up of various players with different areas of expertise, from zero-days to the intricacies of PLCs.
But even with all of the forensics work undertaken in the wake of Aurora, Stuxnet, and other skilled targeted attacks, plus the attention and awareness they have raised, these attacks represent only a small fraction of attacks that go undetected every day, security experts say.
"My guess only is that we only have 10 to 15 percent visibility into what these bad guys are doing," says Kevin Mandia, CEO of Mandiant, a forensics firm that investigates APTs for mostly Fortune 100 and other large clients.
"Aurora was nothing. It didn't put a dent in these attacks. Everyone says it raised awareness, but with all we saw prior to [Aurora] and after, there's been no dent in the activity. They keep mowing through people's networks like a tank in a cornfield," Mandia says.
Plenty of misconceptions about APTs exist as well, including the theory that one group of attackers is typically behind this type of targeted intrusion. In fact, most APT victims have been infiltrated by multiple different attackers, most of whom aren't aware of the others, according to Mandiant. "We find multiple attack groups within an environment," says Christopher Glyer, a director at Mandiant.
In one case, Mandiant found eight different APT attacks from eight different groups going on in one victim's network. "There were eight concurrent ones in an environment. They don't appear to know about the other groups there [either]," Glyer says.
Aurora was revealed when Google decided to go public, and considered closing its doors in China and no longer censoring search results there, after the attack pilfered source code from the search giant. The Aurora attack on Google, Adobe, Intel, and others began with end users at the victim organizations being duped by convincing spear-phishing messages with poisoned attachments.
Stuxnet, meanwhile, is the first-known malware attack to target power plant and factory floor systems, and it also opened the door to a whole new level of attack that could execute the unthinkable: manipulating and sabotaging power plants and other critical infrastructure systems. It's technically not considered an APT, but it does come with some similar characteristics, such as special tactics and intelligence. Experts point to some nation-state link due to its many layers of expertise and the sophistication of the attack.
"Stuxnet was cool," Mandia says. "We got our hands on it immediately ... You don't place four zero-days in an attack without being well-funded," he says. "This was a real significant event."
Eddie Schwartz, chief security officer at NetWitness, says Stuxnet is an APT. "Many would certainly disagree with me, but I do consider Stuxnet an APT. It's not really an APT by the classic definition pushed by many security pundits, but it's definitely an advanced attack that required the use by the adversary of multiple tactics and intelligence sources, and it's specifically targeted, so it needs to be treated with the same sort of defensive approach and cyberdoctrine as an APT," he says.
Meanwhile, forensics experts say when companies come forward voluntarily and disclose that they've been victimized by these types of attacks, it can go a long way to help connect the dots with related attacks within other organizations, and possibly get investigators closer to the source. But voluntary disclosure, versus legally mandated disclosure, is rare, and most experts say it will remain the exception.
NetWitness' Schwartz says he wishes more organizations would go public with their APT experiences. "Then many victim organizations would have a lot more evidence, which could bring to light ... the true source and intent of the attackers," Schwartz says.
But sharing also requires some analysis to put it into perspective. "Even if organizations share that data, there has to be a trusted entity in the middle of all of that that has the technology and people to review that information," he says. "They can then come to some conclusions that they can pass down to organizations."
Google's revelations about Aurora basically exposed the dirty little secret that's been ongoing against federal agencies, defense contractors, and, in recent years, corporations. "When a new company gets compromised [by an APT], the joke is, 'Welcome to the club, and what took you so long to join?'" Mandiant's Glyer says. "One big shift was Google publicly talking about what happened to them, which was very good for the industry ... But I don't see a lot of other companies coming and talking about it even though they are being attacked all the time."
And you can't just patch to protect against an APT. Social engineering is a big weapon in the APT attacker's toolkit, Mandiant's Mandia notes. "It's tough to stop these guys. They don't always use exploits," he says. "To patch every system doesn't mean you won't be compromised by these guys if they are targeting you. Humans are exploiting their own networks via socially engineered attacks," he says.
Since September, Mandiant has seen 42 percent of APT victims come from commercial firms, including the cryptography and communications, automotive, space/satellite/imagery, mining, energy, law, investment banking, chemical, hospitality, technology, and media industries. Around 31 percent of the victims were defense contractors; 13 percent, nonprofits/think-tanks/nongovernment organizations; 7 percent, foreign governments; 5 percent, U.S. government agencies; and 2 percent, military.
Have a comment on this story? Please click Discuss below. If you'd like to contact Dark Reading's editors directly, send us a message.
