Advanced Persistent Threats: Is Your Enterprise Protected?


By Kevin Beaver




Malware for sale! Botnets for hire! It appears anything goes these days in the increasingly monetized world of cybercrime.


“Simplistic” viruses no longer affect just one or two machines; hackers now threaten the entire enterprise network. Today’s malware uses the evasion techniques associated with adversaries known as advanced persistent threats (APTs), and it is much more complex and, therefore, harder to detect and eradicate. Even with traditional anti-malware controls, the risks are still present, especially during targeted attacks.


The Ugly Truth

Recently, I worked on a project that involved an APT attack on a highly visible organization that is key to the well-being of the U.S. The compromise had been detected a couple of years earlier and was assumed to have been cleaned up. Instead, we found tens of thousands of Windows-based computers being controlled by command-and-control servers with IP addresses originating in a not-so-friendly country. It was ugly—very ugly. The attack took dozens of internal IT staffers offline for months, not to mention the time and cost associated with our team of external incident-response experts and forensics investigators.

Modern malware from APTs is deployed and spread through Windows (and other) systems using a process similar to that in Figure 1.


Figure 1: APT Attack Process

Step 1: Initial malware (a.k.a. a dropper) is installed via phishing, social engineering, or direct exploitation of an existing vulnerability.

Step 2: The dropper executes, disables existing security controls and ensures the system remains exploitable.

Step 3: Subsequent malware (a.k.a. crimeware) is downloaded, installed, and continually updated.

Step 4: Crimeware combs the victim system for sensitive configuration settings, authentication information, etc., and sends the data out encrypted to avoid detection.

Step 5: Crimeware communicates with external CnC servers, which now “own” the victim system and use it to facilitate further attacks.


In the Blink of an Eye

All of these steps can take place over a very short time, so organizations can go from a network of vulnerable Windows systems—including missing patches, dated malware protection and eager users raring to click any old Web link—to a wholly owned subsidiary of Hackers-R-Us in a single day.




Attackers evade further detection and takedowns by using “disposable” command-and-control servers that simply fail over to other systems when needed. Resilience is just as much a part of these malware networks as it is in the most critical business environments.
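The CnC traffic of Figure 1 (Step 5) and the disposable-server failover described above leave one durable tell in outbound logs: the infected host calls home on a near-constant schedule, and when the controller moves, the same cadence simply reappears toward a new destination. The following Python detector is an added example, not the author’s code and not drawn from the incident described. It assumes a proxy log of the form `<epoch> <src_ip> <dst_host> <bytes_out>` (a constructed sample is embedded), flags (source, destination) pairs whose connection intervals are nearly constant, and then links beacons from one host that share a period, which is how a failover from one CnC server to its replacement shows up. The thresholds (`min_hits`, `max_jitter`, `tolerance`) are illustrative assumptions, not tuned values.

```python
"""Beacon and CnC-failover detection over proxy log lines.

Added example; not code from the article or any product it mentions.
Assumed log format: "<epoch_seconds> <src_ip> <dst_host> <bytes_out>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not from any real incident). 10.0.0.7 calls out to
# c2-a.example roughly every 60 s with slight jitter, then the controller
# "fails over" to c2-b.example with the same cadence. 10.0.0.9 is a user
# browsing normally: irregular timing, mixed destinations, bursty sizes.
SAMPLE_LOG = """\
1000 10.0.0.7 c2-a.example 512
1061 10.0.0.7 c2-a.example 498
1119 10.0.0.7 c2-a.example 530
1180 10.0.0.7 c2-a.example 501
1240 10.0.0.7 c2-a.example 520
1301 10.0.0.7 c2-b.example 515
1359 10.0.0.7 c2-b.example 499
1420 10.0.0.7 c2-b.example 507
1481 10.0.0.7 c2-b.example 523
1005 10.0.0.9 news.example 2048
1012 10.0.0.9 cdn.example 90210
1207 10.0.0.9 mail.example 1500
1211 10.0.0.9 cdn.example 77000
1490 10.0.0.9 news.example 2100
1492 10.0.0.9 cdn.example 88000
1493 10.0.0.9 search.example 900
1498 10.0.0.9 news.example 2000
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host, bytes_out); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_beacons(records, min_hits=4, max_jitter=0.15):
    """Return {(src, dst): period_seconds} for flows that connect on a
    near-constant schedule.

    A flow qualifies when it has at least `min_hits` connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at
    most `max_jitter`. Timing is the signal: byte counts of a beacon look
    like any other small web request and are deliberately ignored here.
    """
    times = defaultdict(list)
    for ts, src, dst, _bytes_out in records:
        times[(src, dst)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons


def link_failovers(beacons, tolerance=0.2):
    """Group a host's beacons whose periods agree within `tolerance`.

    Returns {src: [[dst, dst, ...], ...]}. Two destinations sharing one
    cadence from the same host are reported together as one probable set
    of CnC infrastructure, which is what a disposable-server failover
    looks like from the victim side.
    """
    by_src = defaultdict(list)
    for (src, dst), period in beacons.items():
        by_src[src].append((dst, period))
    groups = {}
    for src, entries in by_src.items():
        entries.sort(key=lambda entry: entry[1])
        cluster = [entries[0]]
        for dst, period in entries[1:]:
            if abs(period - cluster[-1][1]) / cluster[-1][1] <= tolerance:
                cluster.append((dst, period))
            else:
                groups.setdefault(src, []).append([d for d, _ in cluster])
                cluster = [(dst, period)]
        groups.setdefault(src, []).append([d for d, _ in cluster])
    return groups


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for (src, dst), period in sorted(found.items()):
        print(f"beacon: {src} -> {dst} every ~{period}s")
    for src, clusters in link_failovers(found).items():
        for dsts in clusters:
            print(f"{src}: same cadence toward {', '.join(dsts)} (probable failover)")
```

On the constructed sample, 10.0.0.9’s traffic never reaches the hit threshold on a single host with regular gaps, while 10.0.0.7 is reported beaconing to both c2-a.example and c2-b.example at about 60 seconds and the two are linked as one failover set. In production the same logic wants a much longer window, a jitter threshold tuned to the proxy’s own timing noise, and an allowlist for legitimate pollers (update checks, monitoring agents) that beacon by design.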


Communication Is Critical

The APT project revealed just how critical team communications can be—especially during and after an infection is discovered. If enterprises don’t have the proper buy-in and oversight at the top, reasonable communication among all the teams involved, and a well-documented incident-response plan, the organization will continually struggle to clean up the problem. That’s exactly what happened in this situation. If IT administrators and the security and forensics teams don’t truly understand how this modern malware behaves, the infection can easily get in the way of daily tasks and hinder detection, eradication and recovery.

Perhaps it’s time to step back and think about this whole APT thing. Start by reevaluating the organization’s existing security architecture. Are layered defenses being used to their full potential? Is Web application security in place throughout the environment, or are the applications facilitating attacks? Would endpoint controls or stronger network segmentation help?

Regardless of the cause of these attacks, one thing is for sure: the “detect and react” mode of operation just isn’t cutting it. And since there are no simple answers to this new threat, it’s up to enterprise admins to keep things in check as much as possible.


WWW.MOREDIRECT.COM


VOLUME 3 • ISSUE 4

