Advanced Persistent Threats

N/A
N/A
Protected

Academic year: 2022

Share "Advanced Persistent Threats"

Copied!
8
0
0

Loading.... (view fulltext now)

Full text

White Paper

m86security.com

INTRODUCTION

Although most business leaders and IT managers believe their security technologies adequately defend against low-level threats, instances of Advanced Persistent Threats (APTs) have increased. APTs, which are combined, sustained attacks on an organization’s computer systems, have infiltrated several major IT companies, including Google, Adobe and Juniper, demonstrating the effectiveness of these methods.

Ask yourself:

• What would your employees do if they found a USB stick in the parking lot?

• How susceptible would they be to clicking on a link in a Phishing message?

• Would they approve the installation or update of a third-party browser plug-in?

• How frequently do you update all your desktop applications for vulnerability fixes?

All of these methods have been used in the initial stages of APT attacks on organizations. APTs pose serious new security concerns to organizations, especially if the tools and kits used to create them become commercialized in the same way that attack toolkits have.

This paper will outline the evolution of APTs, explain the motivation behind them, and determine best practices for defending against these threats.

CONTENTS

About Advanced Persistent Threats ...2

Definition ...2

Anatomy of an APT ...2

Stages of an APT Attack ...3

Case Study of an APT: Operation Aurora ...4

Remediation: Protecting Against Advanced Persistent Threats ...5

Best Practices ...5

Layer Security Technologies ...5

Be Proactive ...5

Protect the Initial Attack Point – Email (Blended Threats) ...5

Cover the Major Threat Vector, the Web Gateway ...6

Correlate Threat Information between Email and the Web ...6

Set Network Activity Baselines ...7

Additional Preventative Steps ...7

About M86 Security ...8

ABOUT ADVANCED PERSISTENT THREATS

Definition

The term “Advanced Persistent Threats” refers to a series of low-level attacks that were previously seen individually, but are now used collectively to launch highly-targeted, prolonged attacks. The goal is to gain maximum access and control into an organization.

Anatomy of an APT

An APT attack tries to penetrate an organization using any method available—both technical and physical. Examples of the individual attack components include:

• Blended email threats – These attacks spoof known email addresses and/or domains. Email messages are well-formatted with no attachments, so they pass through the spam and anti-virus scanner defenses running at the email gateway. These emails include embedded URLs that link to an infected Web page. They typically use social engineering techniques to encourage users to click through.

• Legitimate websites hosting malware – These sites are usually linked from blended threat emails. Typically, employees visit the legitimate site regularly for business-related tasks, and infections of the site may be limited to specific blocks of time—all to limit the possibility of detection. Cross-site scripting attacks and stolen FTP credentials are just two ways cybercriminals infect legitimate websites.

• Combination of malware tools – Back-door downloaders, key loggers, network scanners and password stealers may be combined for the purposes of installing malware. Malware used in an APT is low-level in terms of activity and is designed to escape detection. In addition, this dynamically-created malware evades anti-virus scanners by being the first/only example ever created or by using polymorphic viruses which constantly change to escape signature-based detection technologies.

• Infected workstations (bots) – These are the infected workstations inside the organization’s network. Once the malware is inside the trusted network, infiltrating or compromising additional information such as credentials or confidential data is easier.

• Command & Control servers – Operated by the attacker, these remote servers communicate with bots, or infected workstations. They can be used as a collection point to which compromised data is uploaded or to control the workstation’s actions. Most APT activity occurs outside of the normal U.S. workday, again to evade detection. Outbound communication between the bot and these C&C servers is called the C&C communication channel. Previously, this was easy to spot because attackers used protocols such as RPC, but recently it has become more complex through the use of diverse methods such as Google Groups or Tweets. Today’s C&C networks are highly resilient and very difficult to track. The Internet makes it easy to host servers in other countries, routing data through them to avoid detection.

• Attack management console – This user interface is used to control all aspects of the APT process, and multiple attackers can work on the same target. The management console enables the attackers to control the actions of the infected bots through the C&C servers, install new malware on the bots, and assemble all aspects of the APT to measure the current success rate. The screenshot below shows an attack toolkit, which is similar to an APT attack console.

User Interface of Attack Toolkit — Crimepack

Stages of an APT Attack

Each attack is different and customized to its target for maximum success.

Example below: How APTs spread through an organization and how they are controlled

The attacker’s C&C server is the external point which controls the overall attack. It can be a single server or multiple cascading servers, which are difficult to track and neutralize.

Case Study of an APT: Operation Aurora

Widely reported in the press, Operation Aurora was the first major disclosure of a widespread series of APT attacks. We believe Operation Aurora started in mid-2009 and was first publicly disclosed by Google in a blog post on Jan. 12, 2010. Other organizations, including Juniper, Adobe and Rackspace, followed with their own disclosures.

The goal of the attack was to access and potentially modify source code repositories at the affected high-tech, security and defense companies. The ability to modify and infect a backdoor into the source code could be a larger prize for cybercriminals than financial or design documents.

Operation Aurora followed the typical stages of an APT (as previously defined). Detailed steps in this case include:

1. Employees with the most access to proprietary data were identified first, after which their social networks were investigated and compromised. This enabled cybercriminals to send blended threats emails to them from “trusted friends”, improving chances that they would click on links inside the messages.

2. Email links led to an infected website, initiating the initial malware infection. This occurred through a vulnerability in Internet Explorer versions 6, 7 and 8 that allowed remote code to be executed on the target machine.

3. With a backdoor into the organization, the attackers were able to move laterally from the infected workstation, identifying other vulnerable targets that could be compromised and infected to eliminate a single point of failure.

4. They began to scan systems to obtain higher level security privileges.

5. In the discovery phase, the compromised credentials were used to try to access the master details of selected Gmail accounts of known Chinese dissidents. Now that the attackers were “inside” the network of target organizations, vulnerabilities found in the Perforce source code system were used to directly access source code for the organizations’ products. This was a potentially serious problem because the source code could have been deployed to thousands of the organization’s customers, giving the attackers a backdoor to those as well.

REMEDIATION: PROTECTING AGAINST ADVANCED PERSISTENT THREATS

Today, APTs are widespread and frequently used. Organizations need to determine their risk levels and note their most valuable resources to plan how to defend themselves effectively. The following diagram provides a basic outline for protecting your organization.

Best Practices

Multi-faceted attacks require multi-faceted responses. Ideally, solutions that can correlate threat information to maximize attack intelligence will provide an optimal defense.

1. Layer multiple technologies for the best possible defense.

2. Combine proactive and reactive security controls to maximize coverage.

3. Deploy security controls as early as possible at the network perimeter or in the cloud—before a threat infiltrates your network.

4. Deploy coverage against blended threats at the email security gateway to prevent compromised emails from reaching user inboxes.

5. Deploy appropriate security controls at the Web gateway.

6. Use solutions that correlate threat information between email and Web gateways, as well as vendors who use collective intelligence to share information on attacks.

7. Establish baseline network activity so you can recognize irregular behavior and traffic earlier.

Layer Security Technologies

Build as many defenses as possible by layering security technologies such as desktop malware protection and email and Web gateway security. Look for suspicious network activity—especially to unknown external hosts. Though you might not block the initial infection, awareness of the threat will go a long way to stopping an APT as soon as possible. A great pre-emptive step includes having an effective way to process log information and spot unusual activity across all layers.

Be Proactive

Today’s threats involve dynamically-created malware or Polymorphic viruses that are designed to evade reactive security controls.

Highly innovative proactive controls can detect and block suspicious behavior exhibited through email or the Web to successfully detect new and emerging threats. Best-in-class security solutions layer reactive controls for speed with proactive controls to close the threat window. Look for technologies such as M86’s patented Real-time Code Analysis and behavioral analysis.

Ensure proactive controls are running on all the data your users access, as they are accessing it, to maximize coverage. A high proportion of malware comes from legitimate websites.

Protect the Initial Attack Point: Email (Blended Threats)

Typically, the first vector tried in an attack is email. Are proactive security controls on your email gateway scanning specifically for blended threats?

Blended Email Threats are blocked at the email gateway, or correlated information is sent to the Web gateway for blocking.

Cover the Major Threat Vector: the Web Gateway

When an unsuspecting user clicks a link in a blended threat email, the actual attack occurs through the Web, necessitating a secure Web gateway (SWG) solution. The SWG should include proactive security controls that analyze all content moving through the Web gateway, like those within the M86 SWG. All users, whether on the network at headquarters or working remotely, should be covered. Hybrid Web services extend 100% of the security coverage offered on-premises to remote and external users.

Security solutions that reside on the desktop provide few, if any, proactive security controls. So catching threats earlier at the gateway is ideal (though these solutions aren’t always used). Evaluate your current endpoint security solutions. How many proactive capabilities do they have? How effective are they in independent tests?

Correlate Threat Information between Email and the Web

Consider a scenario in which an email gateway detected low levels of activity that could be a possible attack. The Web gateway also detected low levels of suspicious traffic. Individually, these solutions might not act on this information (to prevent overblocking). But correlating this data between both gateways would trigger a block. The power of correlation moves to a whole new level if a vendor is able to correlate across an entire customer base.

Cycle of threat data received from customer installations and third party feeds, correlated and analyzed at M86 Security Labs and then fed back out to installed products.

An organization running email and Web security solutions from a single vendor doubles the advantage they get from this threat data correlation. It can use the updated threat data to maximize coverage, minimize attack windows and secure the organization from coordinated APTs.
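The correlation scenario described in this section, as an added example that is not part of the M86 paper or its products: two gateways each report suspicion scores that alone sit below the blocking threshold, and the correlator blocks a domain only when an email-borne link and a later Web request for the same domain, close in time, add up to enough evidence. The events, scores, threshold and time window are all constructed and assumed values.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

BLOCK_THRESHOLD = 0.7                      # assumed: a gateway blocks alone only at or above this
CORRELATION_WINDOW = timedelta(hours=24)   # assumed: max gap between the email and the click

# Constructed events: (gateway, time, URL, suspicion score in 0..1)
EVENTS = [
    ("email", datetime(2010, 1, 12, 8, 5),  "http://news.example.net/q1-report", 0.5),
    ("web",   datetime(2010, 1, 12, 9, 40), "http://news.example.net/q1-report?u=7", 0.5),
    ("email", datetime(2010, 1, 12, 8, 30), "http://portal.example.org/login", 0.3),
    ("web",   datetime(2010, 1, 12, 11, 0), "http://cdn.example.com/lib.js", 0.85),
]

def domain(url):
    """Correlation key: the host part of the URL."""
    return urlsplit(url).hostname.lower()

def combined(score_a, score_b):
    """Noisy-OR of two independent pieces of evidence about the same domain."""
    return 1 - (1 - score_a) * (1 - score_b)

def correlate(events):
    """Return {domain: reason} for every domain that should be blocked."""
    by_domain = {}
    for gateway, ts, url, score in events:
        by_domain.setdefault(domain(url), []).append((gateway, ts, score))
    decisions = {}
    for dom, obs in by_domain.items():
        if any(score >= BLOCK_THRESHOLD for _, _, score in obs):
            decisions[dom] = "single-gateway"   # either gateway would block on its own
            continue
        emails = [(ts, s) for g, ts, s in obs if g == "email"]
        clicks = [(ts, s) for g, ts, s in obs if g == "web"]
        # Weak evidence from both gateways about the same domain, close in time, adds up;
        # neither the email score nor the Web score alone would have triggered a block.
        if any(abs(tw - te) <= CORRELATION_WINDOW and combined(se, sw) >= BLOCK_THRESHOLD
               for te, se in emails for tw, sw in clicks):
            decisions[dom] = "correlated"
    return decisions
```

Running `correlate(EVENTS)` blocks news.example.net on correlated evidence and cdn.example.com on the Web gateway's own score, while portal.example.org, seen only by the email gateway at a low score, is left alone.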

Set Network Activity Baselines

APTs generate irregular network traffic from internal computers to external command and control (C&C) servers. C&C traffic can use a number of ports and applications: traditionally RPC channels have been used, but Google Groups, Twitter and other seemingly legitimate protocols and applications have been used as well. Recognizing this C&C traffic is an important step in mitigating APTs, so knowing the volume of your traffic and the external hosts/applications typically used will help you spot abnormal activity—possibly an infected internal workstation that’s communicating externally. Analyzing firewall logs is a good way to get started, but there are many tools and products that can assist.
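The baseline-and-compare approach described here (and the log-processing step called for under Layer Security Technologies), as an added example that is not part of the M86 paper: it builds a per-host baseline of outbound destinations from constructed firewall log lines, then flags connections to external hosts the workstation has never used and activity outside an assumed 08:00–18:00 workday, the two signals the paper associates with C&C traffic.

```python
from collections import defaultdict
from datetime import datetime

# Constructed allowed-outbound firewall log lines: "date time src dst dport".
BASELINE_LOG = """\
2010-01-04 09:12:01 10.0.0.5 203.0.113.10 443
2010-01-04 10:30:44 10.0.0.5 203.0.113.10 443
2010-01-04 11:02:13 10.0.0.7 198.51.100.20 80
2010-01-05 09:45:09 10.0.0.5 203.0.113.10 443
2010-01-05 14:20:31 10.0.0.7 198.51.100.20 80
"""
# Constructed lines from a later day, to be compared against the baseline.
NEW_LOG = """\
2010-01-06 09:05:00 10.0.0.5 203.0.113.10 443
2010-01-06 02:15:00 10.0.0.7 192.0.2.99 443
2010-01-06 02:16:00 10.0.0.7 192.0.2.99 443
2010-01-06 15:00:00 10.0.0.9 192.0.2.50 8080
"""

WORKDAY_HOURS = range(8, 18)  # assumed local business hours

def parse(log):
    """Yield (timestamp, src, dst, dport) for each non-blank log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, port = line.split()
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, dst, int(port)

def build_baseline(log):
    """Map each internal host to the (external host, port) pairs it normally uses."""
    seen = defaultdict(set)
    for _, src, dst, port in parse(log):
        seen[src].add((dst, port))
    return seen

def find_anomalies(baseline, log):
    """Return sorted unique (reason, src, dst) tuples for traffic outside the baseline:
    a destination the host has never used, or activity outside the workday."""
    findings = set()
    for ts, src, dst, port in parse(log):
        if (dst, port) not in baseline.get(src, set()):
            findings.add(("new-external-host", src, dst))
        if ts.hour not in WORKDAY_HOURS:
            findings.add(("off-hours", src, dst))
    return sorted(findings)
```

On the constructed data, `find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG)` reports 10.0.0.7 for both a never-seen destination and 02:00 activity, and 10.0.0.9 for a never-seen destination; the known 10.0.0.5 traffic is quiet.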

Additional Preventative Steps

Ways an administrator can help prevent APTs include:

1. Keep applications up to date

Most attacks target outdated browsers like Internet Explorer 6 and 7, and old versions of applications like Adobe Flash and Adobe Reader. The most recent updates to these applications address many of the vulnerabilities that continue to be exploited.

2. Disable administrative rights for most users

It’s been proven that by eliminating user administrative privileges, 90% of Windows 7 vulnerabilities would be mitigated.

3. Conduct sensitive tasks such as financial transactions on another system

If members of your organization conduct e-Banking on your network, we strongly encourage they do so on a separate computer on a separate network. Many of the headline-making e-Banking business thefts occur when a user account is compromised by an information-stealing Trojan. Another option is to arm employees with a Linux live CD for use with sensitive transactions.

4. Educate users

Never underestimate the power of user education. Ensure your employees can recognize social engineering, Phishing, Man-in-the-middle malware, etc. And institute a policy regarding external devices such as USB sticks.

TRY BEFORE YOU BUY

M86 Security offers free product trials and evaluations. Simply contact us or visit www.m86security.com/downloads

ABOUT M86 SECURITY

M86 Security is the global expert in real-time threat protection and the industry’s leading Secure Web Gateway provider. The company’s appliance, software, and Software as a Service (SaaS) solutions for Web and email security protect more than 24,000 customers and over 17 million users worldwide. M86 products use patented real-time code analysis and behavior-based malware detection technologies as well as threat intelligence from M86 Security Labs to protect networks against new and advanced threats, secure confidential information, and ensure regulatory compliance. The company is based in Orange, California with international headquarters in London and development centers in California, Israel, and New Zealand.
