The Next Gen Cyber Crimes

Cyber threats are growing rapidly, not only in complexity but also in scale. In recent years, a new class of threat, the “Advanced Persistent Threat” (APT), has emerged. First described by the U.S. Air Force in 2006, APTs originally denoted cyber espionage in which nation-states infiltrated foreign government/contractor networks to steal national security secrets and defense data.

The attackers’ objective may be the theft of sensitive and proprietary information or exploitation fraud. They combine advanced technology with traditional intelligence gathering to gain entry to a network.

Threat Characteristics

APT objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for the purposes of exfiltrating information; undermining or impeding critical aspects of a mission, program, or organization; or positioning the attacker to carry out these objectives in the future. A few of the characteristics of an APT are:

  • Highly Organized Attackers: Typically a group of skilled hackers, working in a coordinated way
  • Significant Resources: Well-resourced from both financial and technical perspectives. This provides them with the ability to work for a long period, and have access (by development or procurement) to zero-day vulnerabilities and attack tools.
  • Persistent Campaign: They persistently attack their targets and they repeatedly adapt their efforts to complete the job when a previous attempt fails.
  • Stealth Operation: Possessing the ability to stay undetected, and interacting just enough to achieve the defined objectives. For example, they may use zero-day exploits to avoid signature-based detection, and encryption to obfuscate network traffic.

How Does an APT Operate

While no two APTs are exactly alike, they typically follow a few common steps on a broad scale. A typical APT attack has the following six phases.

  1. Reconnaissance: The attacker gathers information about the target organization to identify vulnerabilities and the best targeting method. This information is often gathered via open-source intelligence (OSINT) tools, data mining/big data analytics tools and social engineering techniques.
  2. Preparation & Delivery: The attacker develops and tests attack tools and techniques. There are two types of delivery mechanisms: direct and indirect delivery.
    1. For direct delivery, the attackers send exploits to their targets via various social engineering techniques, such as spear phishing.
    2. Indirect delivery is stealthy. Watering hole attacks have been seen in several such APT campaigns.
  3. Intrusion: The attacker gets a first unauthorized access to the target’s network. Common attack methods include emails with embedded links to websites with zero-day malware downloads, and emails with file attachments in common formats like Office or PDF that include zero-day attack code.
  4. Advance Access: Upon successfully establishing a backdoor, APT actors use Command and Control (C2) mechanisms to take control of the compromised computers. Attackers generally use remote access tools (RATs), Tor anonymity and social networking sites.
  5. Data Gathering: The attacker starts identifying and collecting valuable information, which further helps in gaining escalated privileges, compromising additional systems and performing internal reconnaissance.
  6. Data Exfiltration: The data is funneled to an internal staging server where it is compressed and often encrypted for transmission to external locations under the attackers’ control. Attackers use secure channels such as SSL and TLS for the transmission.
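Because the exfiltrated data in phase 6 is encrypted in transit, the staging pattern is easier to see in flow metadata than in payloads. The following Python sketch is an added example, not part of the original article: it flags an internal host that collects data from several internal peers and also sends a large volume to an external address. The 10.0.0.0/8 internal range, the thresholds and the sample flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed sample flow records: (src, dst, dst_port, bytes). Not real telemetry.
SAMPLE_FLOWS = [
    ("10.0.1.11", "10.0.9.50", 445, 400_000_000),
    ("10.0.1.12", "10.0.9.50", 445, 350_000_000),
    ("10.0.2.20", "10.0.9.50", 445, 500_000_000),
    ("10.0.9.50", "203.0.113.7", 443, 600_000_000),   # staging host -> external
    ("10.0.1.11", "198.51.100.4", 443, 2_000_000),    # ordinary browsing
    ("10.0.3.30", "10.0.1.12", 445, 1_000_000),       # ordinary file share use
    ("10.0.5.5", "203.0.113.9", 443, 700_000_000),    # large upload, no fan-in
]

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def find_staging_hosts(flows, min_peers=3, min_out_bytes=100_000_000):
    """Flag internal hosts that collect data from several internal peers
    and also push a large volume to external addresses."""
    peers_in = defaultdict(set)    # host -> internal peers that sent it data
    bytes_in = defaultdict(int)    # host -> bytes received from internal peers
    bytes_out = defaultdict(int)   # host -> bytes sent to external addresses
    ext_dsts = defaultdict(set)    # host -> external destinations contacted
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            peers_in[dst].add(src)
            bytes_in[dst] += nbytes
        elif is_internal(src):
            bytes_out[src] += nbytes
            ext_dsts[src].add(dst)
    findings = []
    for host in sorted(bytes_out):
        # Both conditions must hold: internal fan-in AND large external egress.
        if len(peers_in[host]) >= min_peers and bytes_out[host] >= min_out_bytes:
            findings.append({
                "host": host,
                "internal_peers": sorted(peers_in[host]),
                "bytes_collected": bytes_in[host],
                "bytes_sent_external": bytes_out[host],
                "external_destinations": sorted(ext_dsts[host]),
            })
    return findings

if __name__ == "__main__":
    for finding in find_staging_hosts(SAMPLE_FLOWS):
        print(finding)
```

The thresholds need tuning against a baseline, since backup servers and proxies legitimately show the same fan-in and egress shape.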

Because an APT is a multi-layered attack, common firewall and IDS technology are inadequate to defend against it. Signature-based detection methods, such as antivirus products, don’t work well against APTs because the exploits are not always known. Organizations need multi-layered protection at all stages of the attack lifecycle. A comprehensive defense must guard against both inbound and outbound threats. A few important technologies to use as part of the protection include:

Attack Stages          | Attack Counter Measures
-----------------------|-----------------------------------
Reconnaissance         | Firewall, Patch Management
Preparation & Delivery | Content Filtering, IDP, Anti-virus
Intrusion              | HIDS, Advanced Malware Protection
Advance Access         | Event Anomaly Detection, SIEM
Data Gathering         | IDP, HIDS, Event Anomaly Detection
Data Exfiltration      | Data Loss Prevention