APT campaigns have become popular with cyber crime syndicates because they’re so effective. ‘Conventional information security defences don’t work,’ according to security firm Mandiant. Panelists at the recent Cornerstones of Trust event in San Francisco agreed that traditional, perimeter-based security was useless against the APTs. ‘Aurora and similar attacks mean organizations that depend on a perimeter-based strategy are victims and will remain so,’ said Gary Terrell, CISO at Adobe.
Along with Google, Adobe was among about 30 companies targeted by Operation Aurora late last year.
APT-style attacks have clear yet simple objectives: (1) to circumvent cyber security defences; (2) to gain access; (3) to steal information; and (4) to maintain a foothold for future exploits. The motives behind these attacks vary:
• For intellectual property – Aurora’s purpose was to steal Google’s source code;
• For political reasons – Ghostnet’s objective was to infiltrate the ministries and embassies of various countries;
• For industrial espionage – Night Dragon stole information about the oil and gas reserves of various companies and countries; or
• For money – the Nimkey banking Trojan stole carbon trading credits.
HOW THEY GET IN
The campaigns typically start with reconnaissance, where the attackers research the target organisation, its personnel, markets, hierarchy, policies and culture. They capture the names of target users in a unit or the whole organisation, based on job title, function or presumed system access privileges. Then they use social engineering techniques – mining information and connections on LinkedIn and Facebook – to find out more about their target users, their colleagues, connections and personal information.
Equipped with this intelligence, they disguise their spear-phishing emails so targets think they’re from colleagues, managers or other trusted sources, and open rather than delete them. Often specific attachments like meeting minutes, an agenda for an upcoming conference or a spreadsheet of salary plans are included for added ‘legitimacy’. Spear phishing emails are highly effective because they appear to be from known senders, they address recipients by name, and they mention something specific of relevance or interest to them. It’s no wonder they get in.
ONCE THEY’RE IN
Once they’ve gained access the real game starts. The email attachments carry exploits for vulnerabilities in Microsoft Office, Adobe Reader and other programs that drop custom Trojans when the file is opened. The Trojan enters the user’s PC, gains access to the network and ‘calls home’ (beacons) to signal its successful penetration back to its masters. It then establishes backdoors to enable installation of more malware, such as network scanners and password stealers, to broaden the attack across the enterprise.
WHY ARE THEY ‘INVISIBLE’?
In many cases, all this occurs without detection. It’s like a slow infection that gradually penetrates every part of the host’s body, yet the host may not present with any obvious symptoms. The question is though: how does the Trojan get past your defence systems in the first place? It’s a case of Trojan design vs defence capability:
• APT Trojans are custom-built, zero-day malware specifically designed to evade your current IDS and AV products;
• APT Trojans often replace legitimate system programs with counterfeit versions so you don’t see them;
• Security staff can’t see the extent of the attack because it’s distributed, low level and has no obvious ‘symptoms’; and
• Even if staff were to see isolated activity, they couldn’t connect the dots to see the context or extent of the attack, due to blind spots between disjointed security systems.
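The two detection-relevant observations above (the Trojan ‘calls home’ on a schedule, and isolated events are only meaningful once logs from disjointed systems are joined) can be made concrete. The script below is an added example, not code from the original article or from any product it names. It takes constructed log lines from three independent sources (a mail gateway, an endpoint agent and a web proxy; the hostnames, addresses, log format and thresholds are all assumptions), finds outbound connections with a suspiciously regular period, and then looks back across the other two sources for an Office process spawning a child and an email attachment delivered to the same user shortly before.

```python
"""Connecting the dots across disjointed logs: beacon detection plus cross-source correlation.

Added example, not from the original article. Log formats, hostnames, addresses and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample logs from three systems, each line in "<timestamp> <source> k=v ..." form.
MAIL_LOG = [
    "2010-05-10T08:55:02 mailgw to=alice@corp.example attachment=agenda.doc",
    "2010-05-10T08:57:40 mailgw to=bob@corp.example attachment=q2-report.xls",
]
ENDPOINT_LOG = [
    "2010-05-10T09:01:15 endpoint host=WS-ALICE user=alice parent=WINWORD.EXE child=svchost.exe",
    "2010-05-10T09:30:00 endpoint host=WS-BOB user=bob parent=explorer.exe child=EXCEL.EXE",
]
PROXY_LOG = [
    "2010-05-10T09:02:00 proxy host=WS-ALICE user=alice dest=198.51.100.7",
    "2010-05-10T09:05:10 proxy host=WS-BOB user=bob dest=news.example",
    "2010-05-10T09:05:12 proxy host=WS-BOB user=bob dest=cdn.example",
    "2010-05-10T09:07:01 proxy host=WS-ALICE user=alice dest=198.51.100.7",
    "2010-05-10T09:11:59 proxy host=WS-ALICE user=alice dest=198.51.100.7",
    "2010-05-10T09:17:00 proxy host=WS-ALICE user=alice dest=198.51.100.7",
    "2010-05-10T09:22:02 proxy host=WS-ALICE user=alice dest=198.51.100.7",
    "2010-05-10T09:31:44 proxy host=WS-BOB user=bob dest=news.example",
]

# Document-handling processes that should not normally spawn arbitrary children (assumed list).
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "ACRORD32.EXE"}


def parse(line):
    """Turn one '<ts> <source> k=v k=v' line into a dict with a datetime timestamp."""
    ts, source, *kv = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    for tok in kv:
        key, _, value = tok.partition("=")
        event[key] = value
    return event


def find_beacons(proxy_events, min_hits=4, min_interval=60, max_jitter=0.1):
    """Flag (host, dest) pairs contacted repeatedly at near-constant intervals.

    Human browsing is bursty; a sleeping implant checking in every N seconds is not,
    so a low coefficient of variation on the inter-connection gaps is the signal.
    """
    by_pair = defaultdict(list)
    for e in proxy_events:
        by_pair[(e["host"], e["dest"])].append(e["ts"])
    beacons = []
    for (host, dest), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg >= min_interval and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"host": host, "dest": dest, "first_seen": times[0],
                            "period": round(avg, 1)})
    return beacons


def correlate(mail_events, endpoint_events, beacons, lookback=timedelta(hours=2)):
    """Join each beacon with an Office-spawned process and a delivered attachment on the same host/user."""
    incidents = []
    for b in beacons:
        window_start = b["first_seen"] - lookback
        spawns = [e for e in endpoint_events
                  if e["host"] == b["host"]
                  and window_start <= e["ts"] <= b["first_seen"]
                  and e["parent"].upper() in OFFICE_PARENTS
                  and e["child"].upper() not in OFFICE_PARENTS]
        if not spawns:
            continue  # periodic traffic alone is not enough; keep the false-positive rate down
        user = spawns[0]["user"]
        lures = [e for e in mail_events
                 if e["to"].split("@")[0] == user
                 and window_start <= e["ts"] <= spawns[0]["ts"]
                 and "attachment" in e]
        incidents.append({"host": b["host"], "user": user, "dest": b["dest"],
                          "period_s": b["period"],
                          "dropper_parent": spawns[0]["parent"],
                          "lure": lures[0]["attachment"] if lures else None})
    return incidents


def run():
    """Parse the three constructed logs and return the correlated incidents."""
    mail = [parse(line) for line in MAIL_LOG]
    endpoint = [parse(line) for line in ENDPOINT_LOG]
    proxy = [parse(line) for line in PROXY_LOG]
    return correlate(mail, endpoint, find_beacons(proxy))


if __name__ == "__main__":
    for incident in run():
        print(incident)
```

On this input only WS-ALICE is reported: five connections to 198.51.100.7 roughly 300 seconds apart, preceded by WINWORD.EXE launching a non-Office child and by an attachment delivered to alice. WS-BOB’s visits to news.example are too few and too irregular to qualify, and its Excel launch came from Explorer, which is how a user normally opens a spreadsheet. The point of the design is that none of the three observations is alarming on its own; the alert only exists because the sources are keyed on the same host and user and examined in one time window.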
Other refined, hard-to-detect elements in APT attacks add to the challenge:
• Spear-phishing emails that dupe users into connecting to a website that hosts the Trojan;
• SQL-injection attacks on the organisation’s web servers which allow Trojans to be installed;
• Using insiders (people) to access the desired information; and
• Using hackers masquerading as computer technicians at distant branch offices to gain entry to the network.
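Of the entry routes listed, the SQL-injection one is the only purely technical flaw, and it is also the most mechanical to close. The snippet below is an added example, not code from the original article: it shows a lookup built by string-splicing user input into SQL beside the same lookup using a bound parameter, run against a constructed in-memory SQLite table (the table, the row and the crafted input are all assumptions). The crafted value is the textbook tautology and is included only to show that the parameterised form treats it as an ordinary, non-matching name.

```python
"""Vulnerable string-built query beside its parameterised form (added example, not from the article)."""
import sqlite3

# Constructed sample table; the row and hash value are placeholders.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'placeholder-hash')")
    return con


def lookup_unsafe(con, name):
    """Vulnerable: the caller's text becomes part of the SQL grammar."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name):
    """Hardened: the value is bound by the driver and can never be parsed as SQL."""
    return [row[0] for row in con.execute("SELECT name FROM users WHERE name = ?", (name,))]


# Constructed hostile input: the classic always-true condition.
CRAFTED = "x' OR '1'='1"


def demo():
    """Return (unsafe_result, safe_result) for the same crafted input."""
    con = build_db()
    return lookup_unsafe(con, CRAFTED), lookup_safe(con, CRAFTED)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("string-built query returned:", unsafe)   # every row, the injection worked
    print("parameterised query returned:", safe)    # nothing, the input is just a name
```

The same bound-parameter discipline applies whatever the database driver or web framework; the defensive check a reviewer wants to see is simply that no user-controlled text ever reaches a query through string formatting or concatenation.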