The year 2015 saw a multitude of high-profile data breaches making headlines – from the data loss at healthcare vendors Anthem and Premera and hacktivism against Ashley Madison, to major attacks targeting government agencies such as OPM. While these breaches differ in methodology, motivation and outcome, they all confirm that organizations are still not implementing effective solutions to actually detect threats or suspicious behavior. The frustrating part of all this is that if these businesses put effort into detection and analysis – rather than simply fighting fires – they could stop these breaches in their tracks.
So why do these incidents continue to happen at record pace? Unfortunately, security awareness and education are lacking to the point that many companies just don’t know when they’re being attacked. What’s more, many are not practicing defense in depth. From a technological standpoint, most companies are still focused on applying protections at the network layer, often at the expense of deploying new endpoint technologies to bolster and complete defense.
Unfortunately, the endpoint aspect is still very much neglected from an IT security standpoint. For threats both advanced and otherwise – companies must ensure that they are practicing strong security hygiene and covering the basics of information security.
‘APT’ vs. Advanced Threats
In many cases, today’s attacks continue to succeed because they are becoming more advanced, using techniques that attempt to circumvent traditional security measures. That said, ‘APT’ has become a marketing term that is too commonly thrown around and used to make certain threats look fancy or highly sophisticated – take Heartbleed, for example.
There are some ‘real’ advanced threats that go beyond the typical APT hype, such as those capable of conducting intelligence gathering on a wide scale. Today, hackers can gather a lot more information about their victims and use that intelligence to make their attacks increasingly targeted and successful – this is an example of a truly advanced threat. With the right research, hackers can target specific end-users and fool them into falling for a scam. It’s not uncommon for today’s phishing emails to look legitimate – many no longer contain obvious red flags like poor grammar or typos.
Today, much of the work in threat protection is focused on helping employees recognize and avoid sophisticated phishing attacks. And with good reason – some of these attacks are so well-written and precise that it’s very easy for end users to be fooled. Many phishing campaigns target financial institutions. Some of the latest attacks against banks stem from emails that look like remittance advice. These emails are so highly targeted that they are often addressed to the specific bank manager, notifying them that remittance has arrived and asking the recipient to validate their acceptance by opening a document. When the document is opened, it looks real and asks the user to “enable macros”. Once the macro command is accepted, the hacker immediately gains access to the corporate network.
Another characteristic of truly advanced threats is their stealth. More and more attacks are using techniques to redact information in logs while on the host system. They can also damage log systems so that no local information is available. Encryption is also heavily relied upon – attackers often encrypt both their communications and the data that they are exfiltrating. Doing so enables them to bypass firewalls and device inspection; if a company tried to inspect the activity, the attackers can detect it by checking the signatures on the encrypted sessions.
Attackers will also identify and target the network administrators within an organization. This way, they can use the admin’s account information to gather information about the company’s infrastructure while masking themselves as that user. They will use the same credentials and demonstrate the same behavior as the admin, all the while stealing sensitive data.
While attackers are increasingly able to trick victims and evade detection, most attacks today still use off-the-shelf exploit kits, commonly sold on the black market or dark web. In the more advanced cases, these exploit kits may be modified to add new features that help the attacker mask their activity and avoid detection. A recent example of this is the Android.Bankosy Trojan, which was originally discovered in 2014, but was more recently updated to intercept phone calls to steal one-time passcodes. In fact, some of the most prolific attacks going on today use a combination of updated exploit kits – Neutrino, Dridex and others were all born from a handful of off-the-shelf kits. Most attackers today save time and effort developing new technologies or exploit kits from scratch by using one that’s readily available and customizable.
Defending Against Increasingly Advanced Threats
With these more advanced attacks, it has become relatively easy for companies and individuals to fall victim. Of course, there are also common security mistakes that can make attacks more likely to succeed, such as:
- Not investing in the right areas of detection
- Not having the operational procedures or the right resources in place to support the detection technologies
- Being flooded with too much information
- Not having an appropriate operational environment
- Not understanding or having visibility into their most critical assets
It is important to note that it is still very important to get the security basics right. Unfortunately, the industry has a tendency to focus too much on classifying APTs and zero-days, when the majority of businesses struggle to fix one-hundred-day vulnerabilities. Senior management is urged to invest heavily in APT defenses at the expense of efficient day-to-day operations. Businesses end up having IT security teams spending far too much time on things they shouldn’t, and it’s a quick path to being vulnerable as a company.
The best way to prevent advanced threats isn’t with expensive APT technology, but rather, end-user education and training. Organizations should continuously and proactively train users to be aware of their environment – whether by identifying suspicious activity or detecting malicious links or emails. Traditionally, IT departments rely on users notifying them of problems on their machines or when something bad is happening. The user is the biggest source of information for corporate IT security, acting as on-the-ground intelligence into what’s really going on.