The rise in advanced persistent threats (APTs) over the past few years has brought with it a myth that these threats are all about malware. This is not the case: a large proportion of successful APT attacks have used legitimate log-in credentials to accomplish their malfeasance.
“In fact, APT experts Mandiant found that nearly half of compromised devices were not infected with malware at all,” says Jayson O’Reilly, director of sales and innovation at DRS. “Malware infection is only a small part of a highly sophisticated attack.”
He says to remember that in this type of attack, threat actors will usually breach the network, plant some sophisticated malware, and lurk around, scoping out the network, until they have found what they are after and have exfiltrated that data.
“There are several phases to an APT. Firstly, choosing a target. Some cyber criminals will be after something highly specific – proprietary information, blueprints and similar, while some will be just after a good payload, and will trawl the Web looking for companies that have exploitable systems in place.”
Once the target has been chosen, the criminals employ various surveying tools to formulate a clear picture of the potential victim’s systems and infrastructure. “This will include any exploitable ports or services, as well as domain, internal DNS and DHCP servers, the network, internal IP address ranges, and suchlike,” says O’Reilly.
“Now that the attackers have a thorough knowledge of their victim’s vulnerabilities and systems, they can plan the actual attack. This will involve buying or designing specific malicious code to perpetrate the attack.”
In order to plant the malware on the network, attackers usually make use of spear-phishing techniques, he says. “Spear phishing consists of an email that purports to be from a person or business that is familiar to the recipient, but is from the threat actors themselves. Once the mail has been opened, you can’t ‘unring the bell’, and the damage is done.”
Next, he says, comes the stealing of administrative privileges. “In the vast majority of attacks, threat actors try to get their hands on admin credentials, and eventually domain-level admin credentials too. Now that the hackers are safely ensconced on the network, they can take their time to explore. The malware they have implanted will look around for additional network access and vulnerabilities, and talk to the command-and-control (CnC) servers to receive any further instructions. In many cases the malicious code will establish extra points of compromise to guarantee that the breach can continue if one point is closed.”
O’Reilly says that once the hacker has assured himself of reliable network access, he can gather information such as personal details or credentials, user names and passwords. The malware will gather the information on a staging server, then exfiltrate the data off the network and bring it under his control. The threat actor will cover his tracks and remove evidence of the breach, but will ensure the network is still compromised, so he can return at will.
“It is for this reason that it is important to remember that hackers are constantly evolving, and focusing on the malware alone will leave your business hugely vulnerable. Businesses that hope to prevent this need to focus on each stage of the attack, and recognise the underlying phases.”
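The two stages described above that do not depend on malware at all, the use of stolen admin credentials to move between hosts and the collection of data on a staging server before exfiltration, both leave traces in ordinary logon and flow logs. The script below is an added example and is not code from DRS, Mandiant or the article; the Windows logon records, flow records, account names, jump-host address, internal address range and thresholds in it are all constructed for illustration and would be replaced by real telemetry and tuned values in practice.

```python
"""Stage-aware detections run over constructed log records (added example).

Illustrates that the credential-abuse and exfiltration stages of an APT are
visible in normal logs even when no malware is present. Every record,
account, host, address range and threshold here is an assumption made for
the example, not data from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions: privileged accounts are expected to log on only from the
# admin jump host, and everything in 10.0.0.0/8 is the internal network.
PRIVILEGED = {"CORP\\da-jsmith", "CORP\\svc-backup"}
JUMP_HOSTS = {"10.0.9.10"}
INTERNAL = ip_network("10.0.0.0/8")

# Constructed, simplified Windows Security event 4624 (successful logon) records:
# (timestamp, account, logon_type, source_ip, target_host)
# logon_type 3 = network (SMB/WMI/PsExec style), 10 = RemoteInteractive (RDP).
LOGONS = [
    ("2024-03-01T02:03:10", "CORP\\jdoe",       10, "10.0.5.23", "WS023"),
    ("2024-03-01T02:04:02", "CORP\\da-jsmith",   3, "10.0.5.23", "FS01"),
    ("2024-03-01T02:04:09", "CORP\\da-jsmith",   3, "10.0.5.23", "FS02"),
    ("2024-03-01T02:04:15", "CORP\\da-jsmith",   3, "10.0.5.23", "DC01"),
    ("2024-03-01T02:04:40", "CORP\\da-jsmith",   3, "10.0.5.23", "SQL01"),
    ("2024-03-01T09:15:00", "CORP\\da-jsmith",  10, "10.0.9.10", "DC01"),   # legitimate, from jump host
    ("2024-03-01T09:20:00", "CORP\\svc-backup",  3, "10.0.9.10", "FS01"),   # legitimate, from jump host
]

# Constructed flow records: (timestamp, src_ip, dst_ip, bytes_sent)
FLOWS = [
    ("2024-03-01T02:10:00", "10.0.5.23", "10.0.7.50",    40_000_000),   # copies into staging host
    ("2024-03-01T02:12:00", "10.0.6.11", "10.0.7.50",    65_000_000),
    ("2024-03-01T02:13:00", "10.0.6.12", "10.0.7.50",    80_000_000),
    ("2024-03-01T02:30:00", "10.0.7.50", "203.0.113.8", 190_000_000),   # staging host sends it out
    ("2024-03-01T08:00:00", "10.0.5.23", "198.51.100.7",  1_200_000),   # ordinary outbound traffic
]


def lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag a privileged account that fans out to at least min_hosts distinct
    targets from one non-jump-host source within the window.
    Returns a sorted list of (account, source_ip, targets)."""
    by_key = defaultdict(list)
    for ts, acct, _ltype, src, host in events:
        if acct in PRIVILEGED and src not in JUMP_HOSTS:
            by_key[(acct, src)].append((datetime.fromisoformat(ts), host))
    hits = []
    for (acct, src), items in by_key.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            # Distinct targets reached within `window` of the i-th logon.
            targets = {h for t, h in items[i:] if t - t0 <= window}
            if len(targets) >= min_hosts:
                hits.append((acct, src, tuple(sorted(targets))))
                break
    return sorted(hits)


def staging_and_exfil(flows, min_sources=3, min_out_bytes=100_000_000):
    """Flag an internal host that collects data from at least min_sources other
    internal hosts and also sends at least min_out_bytes to an external address.
    Returns a sorted list of (host, sources_seen, bytes_out)."""
    inbound = defaultdict(set)   # host -> internal peers that sent it data
    outbound = defaultdict(int)  # host -> bytes sent outside INTERNAL
    for _ts, src, dst, nbytes in flows:
        src_internal = ip_address(src) in INTERNAL
        dst_internal = ip_address(dst) in INTERNAL
        if src_internal and dst_internal:
            inbound[dst].add(src)
        elif src_internal and not dst_internal:
            outbound[src] += nbytes
    return sorted(
        (h, len(inbound[h]), outbound[h])
        for h in outbound
        if len(inbound[h]) >= min_sources and outbound[h] >= min_out_bytes
    )


if __name__ == "__main__":
    for acct, src, targets in lateral_movement(LOGONS):
        print(f"lateral movement: {acct} from {src} -> {', '.join(targets)}")
    for host, n, out in staging_and_exfil(FLOWS):
        print(f"staging/exfil: {host} collected from {n} hosts, sent {out} bytes out")
```

Run as a script it reports the admin account fanning out from the compromised workstation and the staging host that forwarded the collected data out of the network; the same credential-based fan-out would be invisible to a detector that only looks for malware. In a real deployment the privileged-account set comes from directory group membership rather than a literal, the thresholds are tuned to the environment, and the staging check would also require the inbound copies to precede the outbound transfer, which this example does not enforce.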
Behind the scenes
DRS is an ICT services and solutions provider that offers ingenious security services with a portfolio that covers customer needs from the creation of security strategy to the daily operation of point security products. DRS partners with market-leading technology providers to ensure the best possible infrastructure and adds the services to ensure that the chosen products are effectively implemented and operate efficiently.
The company specialises in providing innovation and agility in the areas of information security, IT risk management and IT governance, focusing on key areas ranging from Anti-Malware Protection, Desktop Firewall/Host IPS for PCs and Content Filtering to Perimeter Firewalls, Intrusion Detection and Prevention, Vulnerability and Configuration Management, Security Event Consolidation and Correlation, Data Loss Prevention, Network Access Control, Encryption and more.
DRS is a specialist in the effective implementation of many industry-leading technologies such as Air Defense, AccessData, ArcSight and many more. We strive to excel in all domains while remaining entrepreneurial.