In the F5 and Ponemon report, The Evolving Role of CISOs and their Importance to the Business, security leaders were asked to rank their top threats to their security ecosystem. The number one answer was advanced persistent threats (ranked 8.8 out of 10). We’ve already talked about why CISOs should manage the most likely damaging threats first. But that’s not to say that there aren’t other real monsters lurking out there.
Many in the industry say advanced persistent threat, or APT, but the term can refer to a specific group, the entire spectrum of advanced attack techniques, or even specific nation-state hackers. Here, we’re talking about the attackers themselves, not the general threat. As the acronym APT implies, they are technically skilled, advanced attackers who are willing to spend a lot of time trying to get you. What “getting you” means can vary, because advanced attackers don’t smash and grab like the usual cybercrooks. They aren’t going to jam ransomware or cryptomining malware on your systems (although they may disguise their attacks as smash and grab). Instead, they focus on big prizes: high-value data, espionage, sabotage. These professionals are either looking for a big payoff or are hired to do a job. Recently, we’ve seen more and more advanced attacks on supply chains such as IT and telecom service companies.[1] Medical facilities have also seen a fair bit of attention lately from advanced attackers.[2] Sometimes an organization is not even the final objective, just a step along the way.
Advanced attackers are known for their exotic and complex techniques, but they will only expend that time and effort if they’re truly necessary. (Even a sick wolf can kill a lamb.) If a basic phish, a known exploit, or a guessed default password will do the job, advanced attackers will use those first. Why expend extra effort or risk exposure of cutting-edge techniques if they don’t have to? This is why it’s important to secure yourself against the basics before worrying about advanced attacks.
One thing advanced attackers always do is their homework. They perform a lot of reconnaissance, both online and offline. As we’ve been saying from early on, reconnaissance is where attackers spend the most time. They collect data about your employees and organization on social media, scrutinize your entire visible Internet footprint, and delve into your partners and customers. One trick to learn which technologies are being used within an organization is to peruse the specific skill requirements in the organization’s job postings. For specifics on how this kind of recon is done, see our report on phishing and open source intelligence gathering. Naturally, advanced attackers will also uncover any and every workable vulnerability on your perimeter. They are likely to look long and hard at web applications, since those are ripe for attack and often full of vulnerabilities. With this information, they can profile individuals and systems for specific targeted attacks with a high likelihood of success.
Another common advanced tactic is the use of stealth. Advanced attackers will work hard not to trip alarms or set off intrusion detection systems. They will disguise and test their malware against all known virus scanners to ensure it isn’t detected. Once they break in, they’ll also work diligently to disable logging and alerting mechanisms to ensure no evidence of their actions remains. In some cases, they’ll even plant evidence to point the finger at someone else, covering their tracks or trying to frame another group.[3] Advanced attackers will also try to distract the security and IT teams with denial-of-service attacks while they’re pulling off their major moves against you.[4]
These attackers are experienced and trained, so naturally they use better tools than those used by your average script kiddie. Many of them have hand-rolled their attack kits and exploits, although some will also make use of commercial penetration test tools.[5] All that hard work spying on an organization pays off in the creation of made-to-order spear phishing emails and hand-rolled exploits. As for the human targets, they typically include executives, high-level developers, and sysadmins.[6]
Advanced attackers prefer stealth, and what could be stealthier than impersonating a legitimate user by hijacking their login credentials? The go-to method is spear phishing, often with a booby-trapped Microsoft Office attachment: for example, a resume carrying something that enables remote code execution (many such exploits are available). Other methods include abusing the organization’s trust relationships and hacking in via partners or suppliers. An attacker’s extensive reconnaissance may also have uncovered a previously unknown way into an organization, perhaps via a test network or a routing mistake. An attacker can also use remote employees—discovered during the recon phase—by hacking them at home and riding their VPN connection into the network. Because advanced attackers are willing to put in the work, they can also go physical, sneaking into a facility or office to plant a network tap on the inside. Lastly, advanced attackers can use unpublished exploits (zero-days), although they are often reluctant to do so since zero-day exploits are expensive.[7]
Once advanced attackers gain a foothold on a targeted network, they will work to cover up their tracks, disable alerting systems, and level up their access. Remember, the advanced attacker is usually going after admin access. If an attacker gets inside the network by any means, they will use techniques like pass the hash,[8] stealing SSH keys,[9] or cracking locally stored password repositories to escalate their privileges.
If their goal isn’t immediately achievable, advanced attackers have also been known to lurk inside targeted networks. As in the recon phase, they will carefully observe and figure out the lay of the land. This means tracking data flows, searching for critical data repositories, and identifying key individuals. If part of their goal is to steal data, then they will work to exfiltrate it in an undetectable manner, such as hiding it within DNS requests.[10] They may also plant bespoke malware that’s undetectable to anti-virus software[11] to maintain presence on the target network. As described earlier, they may also plant fake clues[12] to incriminate other potential attackers in an effort to confuse responders or place the blame elsewhere.
To defend against advanced attackers, you need to begin with strong basic defenses. The first step is to know what you have in terms of software, users, and data repositories. Indeed, one of the most advanced of the advanced attackers in the world, the US National Security Agency, once bragged, “We put the time in ...to know [that network] better than the people who designed it and the people who are securing it...” adding, “You’d be surprised about the things that are running on a network vs. the things that you think are supposed to be there.”[13]
The next basic defense is to employ strong authentication, at least for privileged users, and employ the principle of least privilege to limit those privileged users wherever you can. Remember, if the advanced attacker’s goal is to go after privileged users, then you need to reduce your target footprint.
The third basic defense is to monitor the heck out of that access. And by monitor, I mean don’t just log, but have someone or something intelligent looking at those logs, in real time, if possible. The real power of monitoring is in the correlation. A sysadmin logging into a domain controller is mildly suspicious; a sysadmin logging into a web server from the Internet and then logging into a domain controller a few seconds later bears investigation. Also, since advanced attackers try to shut off monitoring, checking for the absence of logging events (and they should be constantly flowing on healthy networks) should also sound an alarm.
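As an added illustration (not code from the F5 article), the two monitoring ideas above in working form: correlating an Internet-sourced web server login with a domain controller login by the same user a few seconds later, and flagging log sources that have gone quiet. The log format and sample events are constructed for the example; only the 10.0.0.0/8 range is treated as internal, which is a simplification.

```python
"""Correlation over constructed auth events: sequence detection plus
'silent source' detection. Added example, not from the original article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp user host role source_ip
SAMPLE_LOGS = """\
2019-05-01T10:00:00 alice web01 web 203.0.113.7
2019-05-01T10:00:04 alice dc01 domain_controller 10.0.0.5
2019-05-01T10:05:00 bob dc01 domain_controller 10.0.1.9
2019-05-01T10:06:00 bob web01 web 10.0.1.9
"""

def parse(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, host, role, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "role": role, "src": src})
    return events

def is_external(ip):
    # Simplification for the example: only 10.0.0.0/8 counts as internal.
    return not ip.startswith("10.")

def correlate(events, window=timedelta(seconds=30)):
    """Return (user, web_ts, dc_ts) for every Internet-sourced web login
    followed within `window` by a domain-controller login by the same user."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["role"] != "web" or not is_external(e["src"]):
                continue
            for later in evs[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                if later["role"] == "domain_controller":
                    hits.append((user, e["ts"], later["ts"]))
                    break
    return hits

def silent_sources(events, now, max_gap=timedelta(minutes=10)):
    """Hosts whose most recent event is older than max_gap: on a healthy
    network logs flow constantly, so silence is itself an alert condition."""
    last = {}
    for e in events:
        last[e["host"]] = max(last.get(e["host"], e["ts"]), e["ts"])
    return sorted(h for h, t in last.items() if now - t > max_gap)
```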
The fourth basic defense is vulnerability management. Critical vulnerabilities need to be identified, prioritized, and patched in an expedient manner. Since the attackers, both basic and advanced, are looking for you to drop your guard, you need to move faster than they do. It’s usually not feasible to patch things quickly and thoroughly enough, but that is where firewalls, both next-generation and web application-aware, are useful.
Finally, if any of these things is too much for your organization’s budget, then consider outsourcing some of these functions to a security-as-a-service company. In addition to enabling you to leverage additional expertise, they also make it harder for an advanced attacker to circumvent your security processes since the provider is offsite.
Once you’ve done all these basic things, then you can look at some advanced defenses like deception to really confuse those advanced attackers.