The deadly potential of APT
In October 2010, the UK government highlighted cyber attacks as one of the three most serious threats facing the country (alongside terrorism and natural disasters such as pandemics), in its new national security strategy. Some eyebrows were raised, but the Foreign Secretary, William Hague, said that such attacks could pose “a major threat to our... economic welfare [and] national infrastructure.”
Yet to anyone working on the ground in this area, this emphasis on cyber security seems long overdue.
Through work we’ve done in recent years with government organisations and private companies operating in sectors including finance and defence, Context Information Security consultants have witnessed at first hand a rise in the number of sophisticated, targeted attacks on our clients.
These multi-faceted attacks are often referred to as an Advanced Persistent Threat (APT), because they may incorporate a seemingly unlimited range of attack methods and are usually carried out over an extended period. The attackers usually have a specific objective and attack repeatedly, using different methods, until they achieve it.
These attacks are typically sponsored by organised crime or foreign governments, predominantly as a form of corporate or state espionage. Targets often include large private sector companies and government organisations, but smaller companies supplying services to them, such as legal or accountancy firms, can also be victims. Attacks of this kind include the hacking of Google in January 2010, attributed to the Chinese government in documents published by WikiLeaks in December 2010.
An APT is particularly serious because attackers employ methods that circumvent conventional defences like firewalls, anti-virus software and intrusion detection or prevention systems. The techniques they use exploit ‘zero day’ (previously unpublicised) vulnerabilities in commonly used software, brought into play following an intelligence-gathering phase that identifies weaknesses in the target organisation’s security.
For example, they may use publicly available information such as that found on social networking websites to identify individual employees to be targeted in ‘spear phishing’ email campaigns. These individuals may then be contacted by the attacker using a fake email account to send malicious links, or attachments such as PDF or Microsoft Office files infected with malware or Trojans, to the unwitting recipient.
Upon visiting websites created by attackers for this purpose, or opening an infected attachment, a Trojan could be downloaded to the target individual’s computer. From here it could extract information held on the target company’s networks, or be used to gain control of IT assets elsewhere in the organisation, for various purposes including the theft of intellectual property or commercially sensitive information.
At the same time, an attacker is likely to pursue other lines of attack. Some may be based on relatively simple ploys, such as malware being hidden inside USB devices given to staff working for the target as gifts, or even left lying around in the car park or reception area of a target’s office. Other methods might entail more subtle social engineering: an attacker might pose as an employee of a target organisation, claim to be about to move countries and then befriend members of staff in that country via email, tricking them into revealing company information.
There could also be some use of bribery, coercion and theft as a means to obtain information or access to IT networks, although APT attacks are almost always based on patience and guile, rather than such crude methods.
This leaves even the most secure network architectures vulnerable to these attacks, immaculate software patch management and industry standard policies, procedures and hardware builds notwithstanding, because attackers use malware and other techniques that are more sophisticated than the current set of security tools intended to combat them, and that exploit previously undiscovered or uncorrected software security flaws. The modus operandi of these attackers and the tools they use are also capricious and becoming more sophisticated all the time.
Unfortunately, there is currently no 100% foolproof way to defend an organisation against this sort of attack. However, it is possible to outline the most important steps an organisation should take to defend itself.
They must:
- be alert, monitoring networks constantly for evidence that the organisation is being targeted or has been compromised;
- prepare and plan for use of the necessary tools and procedures when this occurs;
- when their infrastructure is compromised, react appropriately, using the necessary skills and knowledge to focus not just on the immediate clean-up process, but also on the lessons that can be taken and used to inform strategic counter-initiatives.
However, as APT is a new phenomenon in the field of information security and warfare, many organisations do not have this expertise. At present the most effective way to plug that skills gap is to commission the consultancy services of an industry specialist that is armed with the necessary expertise and experience.
For example, Context’s Targeted Attack Detection Services include intelligence-based network monitoring, available on a permanent or temporary basis. This kind of solution seeks to fight fire with fire, by providing a versatile defence in response to a multi-faceted attack. It is based on a combination of the best tools and techniques available and the experience and knowledge of our consultants; and utilises the very latest intelligence on real life threats and attack vectors.
Advanced behavioural analysis techniques are employed to identify malware and other common attack vectors operating on our clients’ networks. At the same time we search across a client’s infrastructure for evidence that reveals compromised systems and an attack in progress. This helps us to pinpoint where systems have been compromised and to establish which information has been extracted from the organisation.
In our experience, the best results often arise through collaboration with in-house security teams within major companies, particularly where there is a recognition that APT represents a serious and growing problem. Context seeks to create a network of knowledge gleaned from real life incidents that will enable participants to benefit from each other’s experiences, securely and anonymously.
APT is such a significant problem that there is currently no rational alternative. No single company, organisation or even government body has all the skills, experience or resources needed to tackle this problem alone. Only by working together and sharing expertise can we hope to counter these threats, to monitor and protect our critical national infrastructure and to safeguard the UK’s economic interests.