Countless organisations have fallen prey to cyber attacks - from high profile retailers to enterprises and government agencies. Some attacks have been high profile, for example the December 2013 data breach at Target (the third largest retailer in the U.S.) that compromised tens of millions of customer accounts. Others went under the radar, lacking the fantastic numbers to merit a full-scale media exposé, but damaging nonetheless.
Like enterprises, government agencies around the globe are at risk to this sort of attack and exposure too - some would even argue they are targeted more frequently. In 2013, the U.S. Department of Energy (DOE) was attacked through an unpatched server, resulting in the personal information of its employees being compromised.
In 2014 we will certainly see more of these stories. The unfortunate reality is the CyberSecurity landscape is not the same as it once was. No longer are we protecting against a piece of malicious code - we are defending against persistent adversaries. Every company, large or small, and every government agency has information that could be of value to a hacker - and if they decide to go after it, chances are good they will find a way to get it.
This is an attack method known as "advanced persistent threats," or APTs, which strategically target those in possession of valuable data or access to that data, and relentlessly attempt to steal it. The attacks tend to be professionally organised, sometimes by nation-states, and are highly focused on gaining complete control of networks in order to access the data they are interested in. Though every targeted attack is different, they do tend to follow predictable patterns, which is crucial for your defence.
Predictable pattern of APT's
First is the discovery portion of the attack. If it were a traditional robbery, you might call this "casing the joint." It might be in the form of a targeted phishing email or a widely broadcast piece of spam - or even striking up conversations with government employees via social media. The idea is to get a picture of the defences the target is employing, and gain access to the system.
Next, the adversary moves to stage two: distribute. In this step, the payload is delivered. This payload is typically custom-made for the particular government agency itís targeting, and is designed to be stealthy, stable and at times, sophisticated. The easiest distribution method is through third party applications, like Adobe or Flash, as vulnerabilities in those third party applications are so often left unpatched. They also might be delivered via malicious USBs, if the attacker has physical access, via SQL injection, or any number of other methods.
In stage three, the payload is exploited, or triggered, within the system so that the malware can execute. In some cases, the malware will be self-executing - for example, from a malicious webpage. Other times, it might require a user to open an attachment or malicious link. Quite often, attackers will scale their attack, starting at easy-to-exploit (and easy to fix!) vulnerabilities, then scaling up to less common, harder to execute vulnerabilities until they find an opening that gives them the access and control theyíre looking for.
After access and control of a machine has been gained, the attacker moves on to stage four, where they escalate the attack to additional machines, often with lateral moves, across the network and gain complete control of the system. The payload will connect back to the attacker, often piggybacking legitimate or trusted communications, and will verify that the desired degree of control has been reached without detection.
With control of the system, the attacker will begin to execute their larger mission. Whether they set out to steal data or use the system to leapfrog to a secondary system, such as that of your partner, client, customer, or even another government agency, the attacker will now be able to achieve their original end goal without interference.
By the time the attack reaches this final stage, it could have been going on for hours, days, or even months. The exact attack payloads, the timeline, and the goals change with every attacker, likewise with every attack. Yet the attackers who execute an APT methodology are persistent - hence the name - and if they can get in, they will.
EMPLOY A TARGETED DEFENCE
The persistent nature of these adversaries is discouraging to say the least. But that doesnít mean the cause is hopeless. There are a number of steps that government agencies and companies alike can take to reduce risk and minimise the chances that an attacker can be successful.
First, and foremost, is user education. Your users must know their role in the process, and how to recognise common attack methods including spear phishing, malicious links, and malware-infested websites. Make sure that they understand what actions to take if they suspect their machine may have been compromised, or they have been the target of such an attack.
Second, work to reduce your exploitable surface area. This starts with patching - particularly third party applications. Ensure your endpoints are managed and secured, preferably with multiple security technologies such as anti-malware, firewalls, anti-phishing, and other such technologies. And, make sure you are running the latest versions of software and operating systems. You could also employ application whitelisting to ensure that only known, safe applications are allowed to execute on the machine.
Finally, watch for attacks. If youíre not looking for it, an attack can easily masquerade as legitimate activity. A watchful IT department can catch suspicious activity before it has a chance to do significant damage. Monitor assets whilst ensuring that activities and events are logged or analysed. Make sure users are not added to groups where they do not belong, or have privileges beyond their needs, and watch out for large or unusual data transfers.
Targeted threats are common, but itís surprising how effective basic steps can be at preventing them from affecting your agency. While itís easy to claim that time or budget constraints will limit defence capabilities and practices, the time and budget necessary to clean up after a successful attack is far greater.
Please feel free to contact us about the topics discussed and if you would like further information.