Small and big organizations often face targeted attacks. APT groups improve the quality of their operations, causing more serious damage. Timely detection and response, training of personnel, advanced training of information security department employees help reduce the risks associated with targeted attacks.
The growth dynamics of APT (Advanced Persistent Threat) attacks has been declining over the past few years, but the damage is growing. The pandemic shifted the focus and opened new entry points for attackers. The attack surface for many businesses has recently expanded.
How does a targeted attack differ from an APT? Who is targeted most often? What are the protective measures? Is it possible to reliably protect employees working remotely? In this article, I will touch upon these, and other issues related to modern targeted attacks, give examples, and provide valuable recommendations on how to stay safe.
What is the difference between a targeted attack and an APT?
Most often, these things are equated. However, security experts do not always agree with this. APT attacks usually imply higher complexity, longer preparation, a more thorough study of vulnerabilities, etc. A targeted attack is not always very difficult, for example, when a social network account is attacked by a brute-force attack or phishing.
It is important to note that there are APT attacks, and there are incidents caused by APT attacks. It is difficult to immediately identify that you are dealing with an APT. We can talk about this only after the development of the attack when it shows clear APT signs.
Examples of APT attacks
Chinese hackers actively exploited vulnerabilities in the Microsoft Exchange Server software. Gaining control over the domain creates good conditions for gaining a strong foothold in the system. Another example is Iran that monitors its citizens and political activists with the help of compromised applications.
When talking about an attack on a company or industry sector, the same toolkits are often used. There is a big problem associated with the lack of information exchange between companies. When a specific sector is attacked, victims post almost identical cases in which the same information is called differently. In this case, using the MITRE classification can help. Sad, but not all companies use it.
To make APT attacks successful, hackers use various tactics:
· Social engineering
· Brute-force attacks
· Supply chain attacks
· After-updates back-doors
As to goals that cybercriminals pursue during APT attacks, these are often money, corporate secrets, customer data, reputational damage, and destruction of infrastructure.
Is it important to know who exactly attacked you? Undoubtedly, yes. Since, based on the past attacks of this group, one can estimate and understand how hackers can move inside the perimeter, how they will try to secure themselves, what traces they can leave.
Targeted attack techniques
As to the methods that cybercriminals use in targeted attacks, the most problematic factors here are:
· Social engineering.
· Weak employee passwords.
· Social network intelligence gathering.
· Contractors, since some of them may have no information security policies.
Current trends include:
· Attacks with the help of instant messengers.
· Phone calls to employees.
· Due to the pandemic, home computers and remote desktops have become frequent entry points.
Today, it is especially important to conduct a security audit as often as possible. It is desirable to do it on a daily basis. Actually, this is an ongoing process, which, unfortunately, not every organization can afford. So, I advise selecting an audit frequency based on the selected enterprise threat model.
Breaking through any perimeter and getting into the infrastructure is surmountable for an attacker with a sufficient level of knowledge and experience, and most APT groups meet these requirements. So, when we talk about protection against APT attacks, everything is spinning around monitoring, detection time, and response time.
Advanced protection against targeted attacks
The construction of protection depends on the budget, human resources, business processes, and the company's threat model.
As a rule, this is a complex process that involves:
· Perimeter protection
· Network monitoring
· Threat intelligence
· Detection and response services from vendors
· Network traffic analysis (NTA)
· Security Information and Event Management (SIEM)
· Security operations center
· Endpoint detection and response (EDR)
I would like to highlight the importance of traffic control, not only external but also internal, as well as high-quality network segmentation.
Companies also expect vendor support in analyzing incidents and assistance in working with their products.
Qualified personnel and employee training
High qualification of an attacker requires high qualification on the part of an information security specialist. At the moment, we do not have enough qualified employees.
It is worth emphasizing the great importance of the desire of a security specialist to develop his skills both independently and at the expense of the company's capabilities. Enterprises should support the regular professional development of information security specialists.
To protect employees from social engineering methods, I recommend conducting regular cyber hygiene drills and regular “pentests” for employees. The penalties will not work if employees refuse to learn or if it is difficult for them. You can end up creating malicious insiders acting against the interests of the company.
It is important to present information in an easy and playful manner, reduce training stages, and take into account the segmentation of employees (accountant, security guard, IT specialist, etc.). Soft blocking can often help. It draws the employee's attention to the fact that he visits a suspicious website or tries to open an unsafe file.
There is no universal protection against social engineering because attackers will find new schemes, and employees will inevitably make mistakes. In any case, training plays an important role in reducing risks since every employee of the company is responsible for security.
How to protect a remote workplace?
Here I would like to highlight the risk-oriented approach. Business IT infrastructure is always a diverse environment that consists of various operating systems and programs; therefore, EDR is recommended as it is an effective approach backed by properly written policies. EDR and VPN can be combined. You should focus on protecting against threats and not on what the user is doing.
Remotely working employees should be given corporate laptops that are already configured and fully comply with the company's security policy. You can also route employees’ traffic through the company systems. Yes, traffic volumes will increase, but you will be able to monitor it, filter, and collect logs.
What if an attacker can bypass the EDR?
A set of different measures always works better. It should include layered protection, process monitoring, and correct network segmentation. In case an APT group penetrates the infrastructure, it is necessary to lengthen the “kill chain” as much as possible, complicate the work of hackers and force them to use different techniques and tactics. This will increase the chances of identifying the attacker faster. You can also use specialized anti-APT products that can be cloud integrated. They make life harder for cybercriminals.
What should be the first step when an APT attack is suspected?
It is recommended to limit the area of compromise. A well-tuned sandbox that supports behavioral analysis can help here. It is also recommended to combine virtual sandboxes with physical ones. The sandbox environment should try to mimic the real corporate infrastructure.
What is the difference between a pentest and a custom APT attack on a company?
If we take a penetration test and an APT attack, then APT is most comparable to the actions of Red Teams. It involves a long preparation, the formation of a threat model, carefully considered choice of techniques and tactics relevant to the company, and overall a more comprehensive and focused approach. Pentest is not intended to be long or persistent.
What is the role of an insider in an APT attack?
Insiders are a big problem. The level of access of the employee is of great importance, as well as the role of the security service of the company, not only the information security department. New employees should be given limited access to critical infrastructure elements, and cyber hygiene training should be provided.
Is a 100% secure architecture possible?
It is impossible to be fully protected. The budgeting factor plays an important role. The cost of an attack always correlates with the cost of protection. By addressing specific critical risks of a company, you can build such a security system that it would be unprofitable for an attacker to conduct an attack.
As it is impossible to avoid incidents, you need to have a good detection and response plan and not be afraid of incidents. In any situation, it is important to react quickly and improve your response plan.
Again, it is impossible to protect against all targeted attacks. Here, it is important to identify the attack as soon as possible. There are many points for attackers to penetrate your network. Layered protection based on the set of measures that depends on the specific threat model of the company will be the most effective.
Some problems that need to be addressed:
· Little or no data on incidents, information comes only through published cases.
· No exchange of information between companies about APT attacks.