Advanced Persistent Threats


White Paper

INTRODUCTION

Although most business leaders and IT managers believe their security technologies adequately defend against low-level threats, instances of Advanced Persistent Threats (APTs) have increased. APTs, which are combined, sustained attacks on an organization's computer systems, have infiltrated several major IT companies, including Google, Adobe and Juniper, demonstrating the effectiveness of these methods.

Ask yourself: What would your employees do if they found a USB stick in the parking lot? How susceptible would they be to clicking on a link in a phishing message? Would they approve the installation or update of a third-party browser plug-in? How frequently do you update all your desktop applications for vulnerability fixes? All of these methods have been used in the initial stages of APT attacks on organizations.

APTs pose serious new security concerns to organizations, especially if the tools and kits used to create them become commercialized in the same way as attack toolkits. This paper will outline the evolution of APTs, explain the motivation behind them, and determine best practices for defending against these threats.

CONTENTS
About Advanced Persistent Threats
Definition
Anatomy of an APT
Stages of an APT Attack
Case Study of an APT: Operation Aurora
Remediation: Protecting Against Advanced Persistent Threats
Best Practices
Layer Security Technologies
Be Proactive
Protect the Initial Attack Point: Email (Blended Threats)
Cover the Major Threat Vector: the Web Gateway
Correlate Threat Information between Email and the Web
Set Network Activity Baselines
Additional Preventative Steps
About M86 Security

m86security.com

ABOUT ADVANCED PERSISTENT THREATS

Definition

The term Advanced Persistent Threat refers to a series of low-level attacks that were previously seen individually, but are now used collectively to launch highly targeted, prolonged attacks. The goal is to gain maximum access and control within an organization.

Anatomy of an APT

An APT attack tries to penetrate an organization using any method available, both technical and physical. Examples of the individual attack components include:

Blended email threats. These attacks spoof known email addresses and/or domains. Email messages are well formatted with no attachments, so they pass through the spam and anti-virus scanners running at the email gateway. These emails include embedded URLs that link to an infected Web page. They typically use social engineering techniques to encourage users to click through.

Legitimate websites hosting malware. These sites are usually linked from blended threat emails. Typically, employees visit the legitimate site regularly for business-related tasks, and infections of the site may be limited to specific blocks of time, all to limit the possibility of detection. Cross-site scripting attacks and stolen FTP credentials are just two ways cybercriminals infect legitimate websites.

Combination of malware tools. Back-door downloaders, key loggers, network scanners and password stealers may be combined for the purpose of installing malware. Malware used in an APT is low-level in terms of activity and is designed to escape detection. In addition, this dynamically created malware evades anti-virus scanners by being the first or only example ever created, or by using polymorphic viruses that constantly change to escape signature-based detection technologies.

Infected workstations (bots). These are the infected workstations inside the organization's network. Once the malware is inside the trusted network, infiltrating or compromising additional information such as credentials or confidential data is easier.

Command & Control servers. Operated by the attacker, these remote servers communicate with bots, or infected workstations. They can be used as a collection point to which compromised data is uploaded, or to control the workstation's actions. Most APT activity occurs outside of the normal U.S. workday, again to evade detection. Outbound communication between the bot and these C&C servers is called the C&C communication channel. Previously, this has been easy to spot because attackers used protocols such as RPC, but recently it has become more complex through the use of diverse methods such as Google Groups or Tweets. Today's C&C networks are highly resilient and very difficult to track. The Internet makes it easy to host servers in other countries, routing data through them to avoid detection.

Attack management console. This user interface is used to control all aspects of the APT process, and multiple attackers can work on the same target. The management console enables the attackers to control the actions of the infected bots through the C&C servers, install new malware on the bots, and assemble all aspects of the APT to measure the current success rate. The screenshot below shows an attack toolkit, which is similar to an APT attack console.

[Figure: User Interface of Attack Toolkit Crimepack]

Stages of an APT Attack

Each attack is different and customized to its target for maximum success.

[Figure: How APTs spread through an organization and how they are controlled]

The attacker's C&C server is the external point which controls the overall attack. It can be a single server or multiple cascading servers, which are difficult to track and neutralize.

Case Study of an APT: Operation Aurora

Widely reported in the press, Operation Aurora was the first major disclosure of a widespread series of APT attacks. We believe Operation Aurora started in mid-2009; it was first publicly disclosed by Google in a blog post on Jan. 12, 2010. Other organizations, including Juniper, Adobe and Rackspace, followed with their own disclosures. The goal of the attack was to access and potentially modify source code repositories at the affected high-tech, security and defense companies. The ability to modify the source code and plant a backdoor in it could be a larger prize for cybercriminals than financial or design documents.

Operation Aurora followed the typical stages of an APT (as previously defined). Detailed steps in this case include:

1. Employees with the most access to proprietary data were identified first, after which their social networks were investigated and compromised. This enabled cybercriminals to send blended threat emails to them from trusted friends, improving the chances that they would click on links inside the messages.
2. Email links led to an infected website, triggering the initial malware infection. This occurred through a vulnerability in Internet Explorer versions 6, 7 and 8 that allowed remote code to be executed on the target machine.
3. With a backdoor into the organization, the attackers were able to move laterally from the infected workstation, identifying other vulnerable targets that could be compromised and infected to eliminate a single point of failure.
4. They began to scan systems to obtain higher-level security privileges.
5. In the discovery phase, the compromised credentials were used to try to access the master details of selected Gmail accounts of known Chinese dissidents. Now that the attackers were inside the network of the target organizations, vulnerabilities found in the Perforce source code system were used to directly access source code for the organizations' products. This was a potentially serious problem because the source code could have been deployed to thousands of the organization's customers, giving the attackers a backdoor to those as well.
6. There is only conjecture as to how long this attack was active, but many reports put the elapsed period at more than four months of sustained, multiple attacks and infections, with an unmeasurable amount of data flowing back out. The source of these attacks was traced to two technical institutes based in China.

REMEDIATION: PROTECTING AGAINST ADVANCED PERSISTENT THREATS

Today, APTs are widespread and frequently used. Organizations need to determine their risk levels and note their most valuable resources to plan how to defend themselves effectively. The following diagram provides a basic outline for protecting your organization.

Best Practices

Multi-faceted attacks require multi-faceted responses. Ideally, solutions that can correlate threat information to maximize attack intelligence will provide an optimal defense.

1. Layer multiple technologies for the best possible defense.
2. Combine proactive and reactive security controls to maximize coverage.
3. Deploy security controls as early as possible, at the network perimeter or in the cloud, before a threat infiltrates your network.
4. Deploy coverage against blended threats at the email security gateway to prevent compromised emails from reaching user inboxes.
5. Deploy appropriate security controls at the Web gateway.
6. Use solutions that correlate threat information between email and Web gateways, as well as vendors who use collective intelligence to share information on attacks.
7. Establish baseline network activity so you can recognize irregular behavior and traffic earlier.

Layer Security Technologies

Build as many defenses as possible by layering security technologies such as desktop malware protection and email and Web gateway security. Look for suspicious network activity, especially to unknown external hosts. Though you might not block the initial infection, awareness of the threat will go a long way toward stopping an APT as soon as possible. A great pre-emptive step is having an effective way to process log information and spot unusual activity across all layers.

Be Proactive

Today's threats involve dynamically created malware or polymorphic viruses that are designed to evade reactive security controls. Highly innovative proactive controls can detect and block suspicious behavior exhibited through email or the Web to successfully detect new and emerging threats. Best-in-class security solutions layer reactive controls for speed with proactive controls to close the threat window. Look for technologies such as M86's patented Real-time Code Analysis and behavioral analysis. Ensure proactive controls are running on all the data your users access, as they are accessing it, to maximize coverage. A high proportion of malware comes from legitimate websites.

Protect the Initial Attack Point: Email (Blended Threats)

Typically, the first vector tried in an attack is email. Are proactive security controls on your email gateway scanning specifically for blended threats?
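The blended email threat described in the Anatomy section (spoofed sender, no attachment, an embedded link to a Web page) and the question just asked about the email gateway can be made concrete with a small gateway-side check. The following is an added example, not M86 code or any product's detection logic; it uses only the Python standard library, and the two messages, the organization domain `example-corp.com`, and the `blended_threat_indicators` function are all constructed for this illustration. It reports three indicators: a From domain that disagrees with the Return-Path domain, anchor text that shows one host while the href points to another, and the weak "no attachment, just external URLs" shape the paper calls out.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture): the display sender is the target's own
# domain, the Return-Path is a third-party mailer, there is no attachment, and the
# single HTML link shows an internal URL as its text but points somewhere else.
SUSPECT_EMAIL = """\
From: "Accounts Payable" <ap@example-corp.com>
Return-Path: <bounce@mailer.example.net>
To: staff@example-corp.com
Subject: Updated supplier invoice
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the revised invoice at
<a href="http://invoice-portal.example.org/view?id=42">https://intranet.example-corp.com/invoices</a>
before Friday.</p></body></html>
"""

# Constructed benign message: consistent sender domains, internal link only.
CLEAN_EMAIL = """\
From: "HR" <hr@example-corp.com>
Return-Path: <hr@example-corp.com>
To: staff@example-corp.com
Subject: Holiday schedule
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://intranet.example-corp.com/holidays">the intranet page</a>.</p></body></html>
"""

ORG_DOMAIN = "example-corp.com"  # assumed: the protected organization's own domain


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(text):
    """Hostname of a URL; bare 'www.' text is treated as a URL too, other text is not."""
    if not re.match(r"^(https?://|www\.)", text, re.I):
        return ""
    url = text if "://" in text else "http://" + text
    return (urlparse(url).hostname or "").lower()


def _is_internal(host):
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def blended_threat_indicators(raw):
    """Return the blended-threat indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Header-level spoofing: display From domain vs. envelope Return-Path domain.
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    return_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if from_domain and return_domain and from_domain != return_domain:
        findings.append(f"from/return-path mismatch: {from_domain} vs {return_domain}")

    # 2. Link-level deception: visible URL text that disagrees with the real href.
    has_attachment = any(part.get_filename() for part in msg.walk())
    extractor = _LinkExtractor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            extractor.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    external = []
    for href, text in extractor.links:
        href_host, text_host = _host(href), _host(text)
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        if href_host and not _is_internal(href_host):
            external.append(href_host)

    # 3. Weak signal the paper describes: no attachment, only embedded external URLs.
    if external and not has_attachment:
        findings.append(f"no attachment, {len(external)} embedded external URL(s)")
    return findings
```

On its own the third indicator is far too common in legitimate mail to block on; it is the kind of low-confidence signal the paper later suggests correlating with the Web gateway rather than acting on directly.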

[Figure: Blended email threats are blocked at the email gateway, or correlated information is sent to the Web gateway for blocking]

Cover the Major Threat Vector: the Web Gateway

When an unsuspecting user clicks a link in a blended threat email, the actual attack occurs through the Web, necessitating a secure Web gateway (SWG) solution. The SWG should include proactive security controls that analyze all content moving through the Web gateway, like those within the M86 SWG. All users, whether on the network at headquarters or working remotely, should be covered. Hybrid Web services extend 100% of the security coverage offered on-premises to remote and external users. Security solutions that reside on the desktop provide few, if any, proactive security controls, so catching threats earlier at the gateway is ideal (though these solutions aren't always used). Evaluate your current endpoint security solutions. How many proactive capabilities do they have? How effective are they in independent tests?

Correlate Threat Information between Email and the Web

Consider a scenario in which an email gateway detected low levels of activity that could be a possible attack. The Web gateway also detected low levels of suspicious traffic. Individually, these solutions might not act on this information (to prevent overblocking), but correlating this data between both gateways would trigger a block. The power of correlation moves to a whole new level if a vendor is able to correlate across an entire customer base.
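The correlation scenario just described can be expressed as a small decision rule. This is an added example, not M86's correlation engine; the alert records, the tenant names, and the three thresholds (`SINGLE_BLOCK`, `CORRELATED_BLOCK`, `SHARED_CUSTOMERS`) are assumed values for the illustration. Each gateway's confidence stays below its own blocking threshold, yet a host flagged by both gateways is blocked, and a host flagged at low confidence by several separate customer installations is blocked for everyone, which is the cross-customer effect the paragraph ends on.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayAlert:
    customer: str   # which installation reported it (hypothetical tenant ids)
    source: str     # "email" or "web"
    domain: str     # host seen in a mail link or in a Web request
    score: float    # that gateway's own confidence, 0.0 to 1.0


# Assumed policy thresholds, not M86 values.
SINGLE_BLOCK = 0.80      # one gateway may block on its own above this
CORRELATED_BLOCK = 0.60  # lower bar once both gateways have flagged the same host
SHARED_CUSTOMERS = 3     # block everywhere once this many installations flag a host

# Constructed alerts: all below SINGLE_BLOCK except the bad.example.org entry.
ALERTS = [
    GatewayAlert("acme", "email", "invoice-portal.example.org", 0.45),
    GatewayAlert("acme", "web", "invoice-portal.example.org", 0.40),
    GatewayAlert("acme", "email", "newsletter.example.net", 0.30),
    GatewayAlert("acme", "web", "cdn.example.com", 0.50),
    GatewayAlert("acme", "web", "bad.example.org", 0.90),
    GatewayAlert("beta", "web", "drive-by.example.net", 0.25),
    GatewayAlert("gamma", "email", "drive-by.example.net", 0.20),
    GatewayAlert("delta", "web", "drive-by.example.net", 0.20),
]


def noisy_or(scores):
    """Combine independent confidences: probability that at least one is right."""
    miss = 1.0
    for s in scores:
        miss *= 1.0 - s
    return 1.0 - miss


def block_decisions(alerts):
    """Map each domain to a decision, trying single-gateway, cross-gateway and
    cross-customer evidence in that order."""
    by_domain = defaultdict(lambda: {"sources": defaultdict(list), "customers": set()})
    for a in alerts:
        by_domain[a.domain]["sources"][a.source].append(a.score)
        by_domain[a.domain]["customers"].add(a.customer)

    decisions = {}
    for domain, info in by_domain.items():
        # Fold repeated sightings from the same kind of gateway into one confidence.
        per_source = {src: noisy_or(scores) for src, scores in info["sources"].items()}
        if max(per_source.values()) >= SINGLE_BLOCK:
            decisions[domain] = "block (single gateway)"
        elif len(per_source) >= 2 and noisy_or(per_source.values()) >= CORRELATED_BLOCK:
            decisions[domain] = "block (correlated)"
        elif len(info["customers"]) >= SHARED_CUSTOMERS:
            decisions[domain] = "block (shared intelligence)"
        else:
            decisions[domain] = "allow (monitor)"
    return decisions


if __name__ == "__main__":
    for domain, decision in sorted(block_decisions(ALERTS).items()):
        print(f"{domain:30} {decision}")
```

The noisy-OR combination assumes the two gateways judge independently; if both are reacting to the same feed or the same signature, the combined confidence is overstated and the correlated threshold should be set higher.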

[Figure: Cycle of threat data received from customer installations and third-party feeds, correlated and analyzed at M86 Security Labs and then fed back out to installed products]

An organization running email and Web security solutions from a single vendor doubles the advantage it gets from this threat data correlation. It can use the updated threat data to maximize coverage, minimize attack windows and secure the organization from coordinated APTs.

Set Network Activity Baselines

APTs will generate irregular network traffic from internal computers to external command and control (C&C) servers. C&C traffic can use a number of ports and applications. Traditionally RPC channels have been used, but Google Groups, Twitter and other seemingly legitimate protocols and applications have been used as well. Recognizing this C&C traffic is an important step in mitigating APTs, so knowing the volume of your traffic and the external hosts and applications typically used will help you spot abnormal activity, possibly an infected internal workstation that is communicating externally. Analyzing firewall logs is a good way to get started, but there are many tools and products that can assist.

Additional Preventative Steps

Ways an administrator can help prevent APTs include:

1. Keep applications up to date. Most exploited vulnerabilities are in outdated browsers like Internet Explorer 6 and 7, and in old versions of applications like Adobe Flash and Adobe Reader. The most recent updates to these applications address many of the vulnerabilities that continue to be exploited.
2. Disable administrative rights for most users. It's been proven that by eliminating user administrative privileges, 90% of Windows 7 vulnerabilities would be mitigated.
3. Conduct sensitive tasks such as financial transactions on another system. If members of your organization conduct e-banking on your network, we strongly encourage them to do so on a separate computer on a separate network. Many of the headline-making e-banking business thefts occur when a user account is compromised by an information-stealing Trojan. Another option is to arm employees with a Linux live CD for use with sensitive transactions.
4. Educate users. Never underestimate the power of user education. Ensure your employees can recognize social engineering, phishing, man-in-the-middle malware, etc., and institute a policy regarding external devices such as USB sticks.
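The "Set Network Activity Baselines" section above says to start with firewall logs and learn which external hosts and what volume of traffic are normal; the Anatomy section adds that C&C activity tends to fall outside the normal workday. The following added example (not M86 code) shows that baseline-and-compare loop end to end. The log line layout, the internal address range `10.0.0.0/8`, the business-hours window, and both log excerpts are constructed for the illustration; the detector flags a first-seen external destination, after-hours traffic, a fixed-interval beacon, and a daily outbound byte count far above the host's learned norm.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed line layout for a generic firewall connection log (not a specific vendor's).
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)"
)
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
WORKDAY_HOURS = (8, 18)              # assumed local business hours

# Constructed learning-window log: three ordinary business days.
BASELINE_LOG = """\
2010-08-02T09:15:00 src=10.0.1.15 dst=203.0.113.10 dport=443 bytes=1800
2010-08-02T11:40:00 src=10.0.1.15 dst=203.0.113.20 dport=80 bytes=1200
2010-08-02T10:05:00 src=10.0.1.22 dst=203.0.113.10 dport=443 bytes=800
2010-08-03T09:30:00 src=10.0.1.15 dst=203.0.113.10 dport=443 bytes=2000
2010-08-03T14:10:00 src=10.0.1.15 dst=203.0.113.20 dport=80 bytes=1200
2010-08-03T10:00:00 src=10.0.1.22 dst=203.0.113.10 dport=443 bytes=900
2010-08-04T09:50:00 src=10.0.1.15 dst=203.0.113.10 dport=443 bytes=1600
2010-08-04T15:20:00 src=10.0.1.15 dst=203.0.113.20 dport=80 bytes=1200
2010-08-04T10:10:00 src=10.0.1.22 dst=203.0.113.10 dport=443 bytes=1000
2010-08-04T10:12:00 src=10.0.1.22 dst=10.0.2.5 dport=445 bytes=5000
""".splitlines()

# Constructed observation-window log: one workstation starts talking to a host it has
# never contacted, at night, every ten minutes, and moves far more data than usual.
OBSERVED_LOG = """\
2010-08-05T10:00:00 src=10.0.1.22 dst=203.0.113.10 dport=443 bytes=950
2010-08-05T02:00:00 src=10.0.1.15 dst=198.51.100.7 dport=443 bytes=50000
2010-08-05T02:10:00 src=10.0.1.15 dst=198.51.100.7 dport=443 bytes=50000
2010-08-05T02:20:00 src=10.0.1.15 dst=198.51.100.7 dport=443 bytes=50000
2010-08-05T02:30:00 src=10.0.1.15 dst=198.51.100.7 dport=443 bytes=50000
2010-08-05T09:20:00 src=10.0.1.15 dst=203.0.113.10 dport=443 bytes=1700
""".splitlines()


def parse(lines):
    """Keep only outbound (internal -> external) flows, as dicts."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": str(src),
                           "dst": str(dst), "dport": int(m["dport"]), "bytes": int(m["bytes"])})
    return events


def build_baseline(events):
    """Per internal host: the (dst, port) pairs it normally uses and its daily byte stats."""
    known = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        known[e["src"]].add((e["dst"], e["dport"]))
        daily[e["src"]][e["ts"].date()] += e["bytes"]
    stats = {src: (mean(d.values()), pstdev(d.values())) for src, d in daily.items()}
    return {"known": known, "daily": stats}


def detect_anomalies(baseline, events, k=3.0):
    """Return sorted (host, reason) findings for traffic that departs from the baseline."""
    findings = set()
    per_flow = defaultdict(list)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        pair = (e["dst"], e["dport"])
        if pair not in baseline["known"].get(e["src"], set()):
            findings.add((e["src"], f"new external destination {e['dst']}:{e['dport']}"))
        if not WORKDAY_HOURS[0] <= e["ts"].hour < WORKDAY_HOURS[1]:
            findings.add((e["src"], f"after-hours traffic to {e['dst']}"))
        per_flow[(e["src"], *pair)].append(e["ts"])
        daily[e["src"]][e["ts"].date()] += e["bytes"]
    # Beaconing: four or more connections to one destination at near-constant intervals.
    for (src, dst, dport), times in per_flow.items():
        if len(times) >= 4:
            times.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if pstdev(gaps) < 0.1 * mean(gaps):
                findings.add((src, f"regular beacon to {dst}:{dport} every ~{mean(gaps) / 60:.0f} min"))
    # Volume: a day's outbound bytes more than k standard deviations above the host's norm.
    for src, per_day in daily.items():
        mu, sigma = baseline["daily"].get(src, (0.0, 0.0))
        for day, total in per_day.items():
            if total > mu + k * sigma:
                findings.add((src, f"outbound volume {total} bytes on {day} exceeds baseline"))
    return sorted(findings)


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for host, reason in detect_anomalies(base, parse(OBSERVED_LOG)):
        print(host, reason)
```

A three-day learning window is only enough to make the mechanics visible; in practice the baseline needs to cover at least a full business cycle, and a host with no baseline at all (every destination "new") should be treated as unknown rather than as compromised.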

ABOUT M86 SECURITY

M86 Security is the global expert in real-time threat protection and the industry's leading Secure Web Gateway provider. The company's appliance, software, and Software as a Service (SaaS) solutions for Web and email security protect more than 24,000 customers and over 17 million users worldwide. M86 products use patented real-time code analysis and behavior-based malware detection technologies as well as threat intelligence from M86 Security Labs to protect networks against new and advanced threats, secure confidential information, and ensure regulatory compliance. The company is based in Orange, California with international headquarters in London and development centers in California, Israel, and New Zealand.

TRY BEFORE YOU BUY
M86 Security offers free product trials and evaluations. Simply contact us or visit www.m86security.com/downloads

Corporate Headquarters
828 West Taft Avenue, Orange, CA 92865, United States
Phone: +1 (714) 282-6111 Fax: +1 (714) 282-6116

International Headquarters
Renaissance 2200, Basing View, Basingstoke, Hampshire RG21 4EQ, United Kingdom
Phone: +44 (0) 1256 848 080 Fax: +44 (0) 1256 848 060

Asia-Pacific
Millennium Centre, Bldg C, Level 1, 600 Great South Road, Ellerslie, Auckland 1051, New Zealand
Phone: +64 (0) 9 984 5700 Fax: +64 (0) 9 984 5720

Version 08/20/10. Copyright 2010 M86 Security. All rights reserved. M86 Security is a registered trademark of M86 Security. All other product and company names mentioned herein are trademarks or registered trademarks of their respective companies.