Fighting Off an Advanced Persistent Threat

It’s 11:30 pm. One of the employees of your boutique marketing firm is working feverishly to finish a presentation that is due to be given first thing in the morning. An instant message chat request pops up from his Facebook account: “Hey bud! I know you love Ironman, check out this IronMan 2 video. It’s awesome!” The employee clicks the link, but the browser crashes. Nothing else of interest happens. 

Eager to get his work done, he returns to his chart data, and thinks nothing more of it. Unfortunately, that exchange actually was the beginning of a data breach. The link wasn’t to a movie trailer, but to a specially crafted web site that was designed to inject attack software into a victim’s system. Because the employee was using his work laptop, the attacker was able to use a foothold gained in the employee’s system to access the primary business network the next day. Now the attacker has persistent access to the primary business network.

Over the next few days, the attacker leverages that access to place back doors into several locations throughout the network. This way, should the business close one entry point, the attacker can use another. When ready, the attacker will use the access gained within this small business to infiltrate the real target: a Fortune 100 international pharmaceutical company. The main target relies on this small firm for marketing support. Within a few days, the attacker has full access to his or her target network and begins downloading intellectual property, sales lists, marketing plans, and drug research. 

The Advanced Persistent Threat Defined

Meet the Advanced Persistent Threat, or APT. Essentially, the APT is a cyber attacker (motivated by money, or hoping to gain a competitive edge, or even sponsored by a government) who is well funded, skilled, patient, and (of course) persistent. However, the attack techniques generally don’t have to be that advanced; hackers and criminals have been using these same infiltration methods for years, and the threat of cyber attacks has existed for decades.

The term APT began making headlines earlier this year when Google revealed that it had been compromised by systems originating in China in what has been dubbed “Operation Aurora”. The attackers used targeted phishing e-mails to trick workers into clicking on a link that led them to a maliciously crafted web site. That web site then used an exploit to infect the victims’ systems through a vulnerability in a web browser, in this case Internet Explorer. From there, the attackers gained access to systems deeper within Google’s systems.

It’s important to note that the best we can tell from what was released publicly is that there wasn’t anything entirely new in the Aurora attacks. They may have tweaked some of the attack software to be more effective, but essentially we saw the Aurora attacks as the same mix of social engineering and technical attack techniques that we’ve seen for years.

So what has changed? The nature of the attackers themselves. They’re better trained. They are better funded. And they have more motivation to infiltrate business systems. These attackers include criminal organizations, industrial spies, and foreign governments all looking to steal intellectual property and data that can be sold on the underground market.

When you read about cyber attacks and APTs, one term you are likely to hear over and over is going to be ‘malware.’ Malware is a catchall term that refers to everything from software used to attack system vulnerabilities, known as exploits, to viruses and worms that spread on their own. However, APTs do not employ worms or viruses as their primary weapons. No. There is not much money to be made, or information gleaned, by corrupting data and downing systems just because it can be done. Modern attack techniques are much stealthier than the viruses that just want to replicate from system to system to clog communications and damage data. The malware APTs use attempts to fly under the radar of traditional antivirus and personal firewalls, as well as other defensive technologies.

The covertness of the attacks does not necessarily have anything to do with little known software vulnerabilities or powerful encryption breaking capabilities. It is more about how they will turn to a broad pallet of attack possibilities to achieve their objectives. For instance, they will try to penetrate their targets through web sites. They will probe and poke the corporate network. They’ll e-mail executives and even executive assistants with mail that, if clicked, could lead to compromise. They will glean social networking sites for data to sharpen their social engineering efforts. And if those techniques don’t work, they’ll try, just as they did in our example above, to attack a trusted partner to gain access.