Back to basics: How simple techniques can thwart complex APT attacks

Advanced Persistent Threats (APTs) are among the most insidious cyberattacks faced by businesses today. We’ve all heard of the Stuxnet worm, and other high-profile attacks including the 2014 Sony Pictures Entertainment hack, described by one observer as ‘the perfect APT’, and 2015’s Carbanak attack, which specifically targets financial institutions.

Will an APT affect your business? Well, ISACA’s 2015 Advanced Persistent Threat Awareness Study found that 74 per cent of respondents believe that they will be targeted by an APT, and 28 per cent had already been attacked. The trouble is, APTs are, by nature, hugely sophisticated. They’re designed to be stealthy and evade detection, enabling them to spread undetected across networks over weeks or even months.

It might seem that mitigating the risk of an APT means deploying highly sophisticated cybersecurity measures, out of reach of most ordinary organisations. Not so. In fact, you can go a long way towards mitigating the risk of an APT by going back to basics: understanding the fundamentals of how such an attack is planned and deployed, and how your organisation’s network structure can help or hinder such an attack. Understanding, in short, how to reduce the attack surface you have available to malicious hackers.

Understanding APT structures

However sophisticated they are, all APT attacks typically follow a similar path:

1. Reconnaissance

An information-gathering stage in which attackers typically use a variety of techniques to build an intelligent picture of what a business’s network actually looks like, in order to establish what security policies and applications are already in place, or to identify remote access capabilities that could provide them with access points. Typical techniques include:

  • Open Source Intelligence (OSINT), which involves scanning externally open services for vulnerabilities
  • Human Source Intelligence (HUSINT), which involves targeting key employees for access information
  • Footprinting, which involves identifying which versions of software or resources an organisation is using, and creating a profile of its network infrastructure through techniques such as banner grabs, SNMP sweeps and zone transfers.

2. Exploit delivery

Once an appropriate access point for targeting your network has been identified, the attackers deliver a malicious tool or application that enables them to penetrate your network. Chosen attack vectors can include email attachments, so-called ‘water-hole’ attacks, where the attackers compromise an existing website they know a target is likely to visit, or even physical delivery of the exploit on an infected USB stick.

3. Exploration and lateral expansion

Having succeeded in getting inside your network, the attackers’ next aim is to move laterally within your network, to ultimately get to your valuable business data. But this data is usually on another computer system, so the attacker needs to find a path to it. This lateral movement is where an APT’s persistence comes in. Exploration takes time – time during which individual users may reboot their systems, change their security signatures and otherwise make it difficult for the attacker to re-access their machines.

Therefore, attackers ideally aim to deploy software directly onto individual machines that will allow them to come back whenever they need to, even if the user has rebooted or patched it. The most common way to do this is via Remote Administrator Tools (RATs) – the same type of tools that are used for remote troubleshooting or helpdesk functions. The installation of a RAT gives attackers a backdoor to revisit compromised machines whenever they need to.

4. Exfiltration

Finally, the attackers extract the valuable information they’ve been seeking, perhaps by blending it into benign traffic over HTTP, or encrypting it in ways that make it difficult to spot, such as over HTTPS.

Reducing your network attack surface

Whilst it is very difficult to prevent attackers from carrying out the first stage in their APT journey – after all, there’s nothing particularly secretive about many OSINT scanning techniques – it is possible to prevent them from laterally moving across your network in search of your valuable data, with some back-to-basics principles:

1. Segment your network

Break up your flat internal network into multiple zones, based on the use pattern and category of data processed within each zone. This segmentation then prevents the APT from jumping from one ‘stepping stone’ machine to another.

2. Place firewalls to filter traffic between those zones

‘Choke points’ – i.e. firewalls – must be placed between the zones to filter the traffic entering and exiting. In other words, firewalls must be placed on internal, lateral traffic paths, not just your network perimeter.

3. Write restrictive security policies for those firewalls to enforce

Gartner Research has suggested that 99 per cent of firewall breaches are caused by firewall misconfigurations, not firewall flaws. The message is clear – your firewalls absolutely must be configured accurately and intelligently, to analyse and block the kind of internal communications that signal APTs.

When you design your network’s segmentation, consider two zone types that every network should be split into. First, identify and define sensitive data zones that encompass systems handling and storing payment and credit card details, employee records, company financials, intellectual property, and regulated data.

Second, identify and define human user zones that contain human-accessible desktops, laptops, tablets and smartphones. You are probably already segmenting wireless-access zones, but wired-access desktops should also be segregated. Since an APT’s first point of attack is normally such a desktop, this segmentation then prevents the APT’s lateral movement.
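To make the zone and policy steps above concrete, here is an added example (not code from the article or from AlgoSec) that models zone-to-zone firewall rules with first-match semantics and flags every allowed flow that would let an intruder hop between user desktops or reach a sensitive-data zone outside the one approved business path; the zone names, probed services and approved path are assumptions made for the example.

```python
from itertools import product

# Zone types from the article; the names below are constructed for this example.
USER_ZONES = {"wired_desktops", "wifi_clients"}
SENSITIVE_ZONES = {"payments", "hr_records"}
ZONES = USER_ZONES | SENSITIVE_ZONES

# Services worth probing on internal paths: common admin/RAT channels plus the web app.
PROBE_SERVICES = ["tcp/445", "tcp/3389", "tcp/22", "tcp/443"]

# Assumed business need: user zones may reach the payments app on tcp/443, nothing else.
APPROVED = {("wired_desktops", "payments", "tcp/443"),
            ("wifi_clients", "payments", "tcp/443")}


def first_match(rules, src, dst, service):
    """Rules are (src_zone, dst_zone, service, action); "any" is a wildcard.
    The first matching rule decides; no match falls through to default deny."""
    for r_src, r_dst, r_svc, action in rules:
        if r_src in (src, "any") and r_dst in (dst, "any") and r_svc in (service, "any"):
            return action
    return "deny"


def lateral_paths(rules):
    """List allowed flows that give an APT a stepping stone: desktop-to-desktop
    hops, or a path into a sensitive zone that is not on the approved list."""
    findings = []
    for src, dst, svc in product(ZONES, ZONES, PROBE_SERVICES):
        if src == dst or first_match(rules, src, dst, svc) != "allow":
            continue
        if src in USER_ZONES and dst in USER_ZONES:
            findings.append((src, dst, svc, "desktop-to-desktop hop"))
        elif dst in SENSITIVE_ZONES and (src, dst, svc) not in APPROVED:
            findings.append((src, dst, svc, "unapproved path into sensitive zone"))
    return sorted(findings)


# Weak setting: a flat network expressed as a single permit-everything rule.
FLAT_POLICY = [("any", "any", "any", "allow")]

# Corrected setting: only the approved app path; everything else hits the explicit deny.
SEGMENTED_POLICY = [
    ("wired_desktops", "payments", "tcp/443", "allow"),
    ("wifi_clients", "payments", "tcp/443", "allow"),
    ("any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: {len(lateral_paths(policy))} lateral paths")
```

Prepending a careless rule such as `("wired_desktops", "any", "tcp/3389", "allow")` to the segmented policy shows how one misconfiguration reopens desktop-to-desktop and desktop-to-sensitive paths, which is the point of step 3 above.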

If this sounds remarkably simple, that’s because it is. The important point to bear in mind is that no matter how sophisticated an APT is, it’s operating on your turf. Discovering the signs of an APT inside your network can be challenging, but with intelligent use of security basics, you will go a long way to preventing lateral exploration – and in turn stop the APT in its tracks.

Professor Avishai Wool, CTO at AlgoSec
