Written by Fran Howarth (Bloor Senior Software Analyst)
Fran's a Bloor Senior Software Analyst specialising in the field of security. For more than 20 years, Fran has worked in an advisory capacity as an analyst, consultant and writer for a number of publications, including Silicon, Computer Weekly, Computer Reseller News, IT-Analysis and Computing Magazine.
Advanced targeted threats are a fact of life for organisations of any size in any industry.
Numerous studies point to the fact that almost every organisation has suffered a breach—and those attacks are getting harder to defend against. Threat protection technologies are extremely useful, but are not by themselves enough. With highly sophisticated attackers looking to bury deep into networks, often aiming to lie undetected to wait for the chance to steal valuable information over time, organisations need a way to root out those security incidents and remediate them so that normal business operations can be resumed.
This document discusses advanced targeted attacks, looking at their stages, and points to strategies for protecting, detecting and remediating such attacks. It is intended for organisations of all sizes in any industry.
The small world problem
As far back as 1929, it was hypothesised that any two individuals in the world could be connected in a maximum of six steps through a chain of friends of friends. That theory has lived on. In the past few years, it has been tested on social networks that include Facebook and LinkedIn, both of which showed that interconnectivity has increased greatly. LinkedIn, the business networking site, operates on the concept of how many steps a person is away from others with whom they wish to communicate and is built around the principle of first-, second- and third-degree connections.
The rise of social networks is just one example of how the world seems to have become a smaller place. Mobile technologies have made it increasingly easy to reach other people and information, and devices have become increasingly powerful, able to store large volumes of data. Today, mobiles are seen as the device of choice for many users for both leisure and work purposes. Cloud computing applications and services put information within easy reach and provide users with great convenience, and they can also be used to store large swathes of data. There is currently much discussion about the Internet of Things, whereby it is postulated that up to 50 billion ‘things’, from wearable or implanted devices to cars, industrial sensors and home automation equipment, will be connected over the internet and other networks by 2020.
This increasingly inter-connected, always-on world brings with it many benefits in terms of the convenience of instant access to communications and information, increased productivity by being able to access information resources from any device at any time, and cost savings, both for organisations that no longer have to purchase, install and maintain applications on individual devices, and for users, who no longer have to travel to facilities such as libraries to find information.
Yet there are also downsides—hence, the small world problem. The vast amounts of information that are available online are a magnet for criminals, who are using increasingly sophisticated methods to home in on valuable information. Rather than launching attacks en masse, criminals today target specific individuals or organisations. They carefully research their victims, using the mass of information that is available online—helped by the huge amount of personal details that individuals post about themselves on social and professional networks. Then, the vast majority of advanced attacks begin with a spear phishing email, increasingly crafted to appeal to the interests of the individual, that commonly incorporates a malicious attachment or URL in an attempt to lure victims into downloading malware onto their devices that can be used to allow the attacker to delve more deeply into the network by providing them with access to privileged credentials.
In other cases, the use of mobile and cloud technologies can allow attackers to exploit security vulnerabilities. In many cases, the use of personal mobile devices or cloud applications is not officially sanctioned, and therefore outside of the direct control of the IT department. With most mobile and cloud applications requiring a user name and password combination, often varying in requirements such as password length, complexity and expiration periods, many users cope by using lax password management standards, often reusing the same password for multiple applications and websites. Should that password be cracked, personal and even corporate information can be gleaned from multiple sites and applications with relative ease.
The small world problem has opened up many new vectors of attack, but that is not all. Attackers’ motivations have changed and, as they go after bigger prizes, the ensuing damage is far greater than it used to be. Some are financially motivated; some are looking to sabotage systems in revenge for perceived wrongs against them or for other ideological reasons; others are engaged in business disruption or espionage, with fingers often pointed at nation states.
Whoever the attackers are—hacktivists, nation states or organised criminal gangs—they generally have ample resources at their disposal, including access to highly skilled people and sophisticated tools and techniques. Many of the organised criminal gangs are said to resemble large multinationals, with organisational hierarchies and budgets to match.
Yet, they are not only more advanced than the criminals of yesteryear, they are also more persistent, focusing on larger strategic goals that go beyond any individual incident. They are looking for long-term gain, seeking to bury themselves deep into networks or to elevate from the credentials they have stolen to those with higher privileges associated with them in order to get their hands on a hoard of more valuable information. Often, they will lie in wait and aim to remain undetected for long periods of time.
Given the wide and ever growing variety of threat vectors and the perspicacity, sophistication and determination of criminals looking to attack networks, a holistic stance on security protection is necessary. In the past, network security tools such as firewalls, intrusion prevention systems and security information and event management systems took up the lion’s share of security budgets at most organisations. However, wide and growing use of endpoint devices, as well as third-party applications provisioned in the cloud, have all but eroded network perimeters, pushing out those boundaries. This creates new attack vectors for criminals, who are increasingly using endpoint devices as the vector of choice for infiltrating networks. Unless security controls are pushed out to this new perimeter, the organisation’s network is bound to contain dangerous security gaps through which data can leak out or threats can seep in.
Therefore, network and endpoint security need to go hand in hand so that security encompasses all entry points to the network. This will provide the organisation with greater visibility over all the security threats that it faces, both in real time and for historical analysis. Security events seen on hosts and endpoints can be fed back into network security controls, allowing more accurate decisions to be taken and more proactive protection applied across all resources based on the context of the threat seen.
In terms of advanced threats, the enemy within can come in two guises—a threat that directly emanates from insiders, whether through malicious behaviour, accident or negligence, and threats from external actors who have infiltrated networks.
In terms of the insider threat, around two-fifths of security incidents are attributed to employees. The main issues related to the insider threat are lack of awareness around security issues, and the introduction of malware via personal devices, human error and malicious intent. Another recent survey found that 70% of employees, contractors or business partners have access to sensitive information. One in ten states that they regularly access confidential information and 23% of employees admit that they have accessed or taken confidential information from their workplace.
Given the amount of information that organisations produce, much of it sensitive, figures like these show how easy it is for information to be misappropriated unless organisations have adequate controls in place regarding who can access what information, and what they can do with it. This is especially important for those with privileged access who are not only more likely to be able to access the most sensitive information, but are able to alter it or otherwise cover their tracks unless adequate controls are in place. This used to be employees such as administrators and executives, but now employees in a wider range of roles are given access to sensitive information through applications and services designed with their convenience in mind.
This is something that is not lost on those looking to attack networks for the sensitive information that they contain. Once an attacker has gained a foothold on a network, often by targeting an individual and stealing their access credentials, they will look to move laterally across the network, searching for more valuable information. Often, they will try to get their hands on credentials of persons with higher levels of privileges assigned to them in order to gain access to sensitive information such as intellectual property or customer databases. This makes it even more important to ensure that no one is given excessive privileges, as well as tracking the use of all privileged credentials.
Given the factors of ubiquitous connectivity, the growth in the number and range of threat vectors, the sophistication of attackers and the tools, techniques and procedures that they employ, as well as the importance of threats emanating from within networks, defending against the advanced targeted threats being seen today requires that organisations cover the entire attack lifecycle, looking to protect against threats, detect those that have got through defences and to respond to incidents that have occurred.
Numerous studies point to the fact that virtually all organisations suffer security breaches and incidents. Every organisation should consider itself a target, no matter its size or line of business. Larger organisations may have large amounts of valuable intellectual property and expansive customer lists that an attacker may be interested in, but small organisations do business with their larger counterparts and can be used as a conduit into their larger business partners. These are known as supply chain attacks and it is reported that this is how the breach at retailer Target began, when credentials of its HVAC supplier were compromised.
Practically every organisation deploys technology to attempt to prevent themselves from being the victim of an attack, with the use of anti-virus being almost universal. This is an effective strategy against known malware, which constitutes around two-thirds of the malware strains being seen today. Traditional anti-virus technologies, as well as some other controls such as intrusion prevention systems, work by developing signatures, which are algorithms or a hash that uniquely identifies a particular malware strain, which serve as countermeasures for protecting the network against that virus strain. However, if a particular malware strain has not been seen before, such techniques are ineffective.
To increase their effectiveness, threat protection vendors have been adding other types of controls to their offerings. These include the use of heuristics, which is a technique based on trial and error. In computing uses, heuristics is used to detect malware by looking for characteristics that are typically used in writing malicious code.
Some vendors offer sandboxing techniques, which utilise a highly protected environment that is separate from the network in which untrusted programs can be executed, or allowed to run, in order to verify that they do not contain a virus or other malicious code. They can be used to isolate and test not only programs, but websites, files and documents. Some newer technologies are available that inspect all files and documents sent into, or out of, an organisation, looking for structure and content that is out of line with what is known to be good, isolating all else until potentially bad elements can be removed and the file sanitised of harmful content before it can be sent on to the intended recipient.
To bolster threat prevention capabilities, many vendors offer threat intelligence services, generally based in the cloud, that collect evidence of new nefarious activity and malicious programs seen in the wild from sources worldwide. Such services can prevent newly seen malware and behaviour from ever reaching the network, providing an extra layer of protection.
Techniques such as these improve the effectiveness of threat protection technologies, even allowing for previously unknown threats to be isolated and remediated. However, no matter how vigilant organisations are in protecting themselves from attack, data shows that some attacks will find a way in. From end-user data, FireEye estimates that more than 95% of companies have been compromised with advanced malware, despite having deployed many layers of traditional defences at their perimeters. According to PwC, 81% of large businesses have suffered malicious breaches in the past year and two-thirds have had a serious incident. It also found that 10% of those organisations that experienced a breach found the fallout so damaging that they were forced to change the nature of their business.
Given that threat prevention is not always 100% successful, organisations need a way of detecting what has actually infiltrated their networks—but that is not always an easy task. Attackers using advanced targeted techniques aim not only to gain a foothold on the network, but also to move laterally in search of more valuable information and to lie low in order to evade detection. Such techniques make detecting an incident a much harder task. According to Mandiant, the average time taken to detect an incident on a network is 229 days. Add to that the fact that most breaches are detected by third parties—85% according to the Data Breach Investigations Report 2014—and the headaches really begin to build. When an organisation relies on information from a third party, the length of time to detect an incident mounts from 13.5 days average for self-detection to 108 days for third-party detection.
Organisations need a better way to root out evidence of security events and incidents that have occurred. This requires that they should have a handle on what is happening on their network—as well as all the endpoints that connect to it, the users who are present and what they are doing. This requires a combination of technologies that are able to share and act on information feeds.
These technologies must be able to collect, normalise and aggregate event and log information from all of this extended network so that it can then be analysed to create insight that aids in better decision making. To do this, systems must be monitored on a continuous basis so that events can be seen in real time, rather than just providing a snapshot of the situation at any given point in time. To provide an example of why this is necessary throughout the extended network, such a system can monitor and record all information related to a particular file—how and where it entered the network, what it brought in with it, what happened subsequently and what systems are infected—in order to be able to see the entire chain of events.
By continuously monitoring, organisations will also be able to detect incidents such as a file that was deemed to be benign, but that has since started to behave maliciously. This is a tactic used by some attackers in order to get past the initial threat protections that organisations have in place.
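The file-tracking scenario described above can be sketched in a few lines. This is an added example, not part of the original document or any vendor's product: the three log formats, the host names, the file identifiers (stand-ins for file hashes), the destination address and the "suspicious behaviour" rule are all constructed assumptions.

```python
import json
from datetime import datetime, timezone
from typing import NamedTuple

class Event(NamedTuple):
    ts: datetime
    source: str
    host: str
    action: str
    file_id: str  # stand-in for a file hash
    detail: str

# Constructed sample logs: three sources, three formats, two files.
MAIL_GW = [
    "2014-06-02T09:14:05Z|mx01|delivered|f-1001|to=alice verdict=benign",
    "2014-06-02T09:20:41Z|mx01|delivered|f-2002|to=bob verdict=benign",
]
ENDPOINT = [
    '{"time": 1401700500, "host": "ws-alice", "event": "file_written", "file": "f-1001"}',
    '{"time": 1401786900, "host": "ws-alice", "event": "process_started", "file": "f-1001"}',
    '{"time": 1401787200, "host": "fs01", "event": "file_written", "file": "f-1001"}',
]
PROXY = ["ts=2014-06-03T09:16:10Z host=ws-alice action=outbound_connection file=f-1001 dst=203.0.113.7"]

# Assumed policy for this example: behaviour that overrides an earlier benign verdict.
SUSPICIOUS = {"outbound_connection"}

def _iso(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalise():
    """Parse every source into the common Event schema, ordered by time."""
    events = []
    for line in MAIL_GW:
        ts, host, action, file_id, detail = line.split("|")
        events.append(Event(_iso(ts), "mail", host, action, file_id, detail))
    for line in ENDPOINT:
        rec = json.loads(line)
        ts = datetime.fromtimestamp(rec["time"], timezone.utc)
        events.append(Event(ts, "endpoint", rec["host"], rec["event"], rec["file"], ""))
    for line in PROXY:
        kv = dict(pair.split("=", 1) for pair in line.split())
        events.append(Event(_iso(kv["ts"]), "proxy", kv["host"], kv["action"], kv["file"], "dst=" + kv["dst"]))
    return sorted(events, key=lambda e: e.ts)

def trace_file(events, file_id):
    """Rebuild one file's chain: entry point, later activity, hosts it reached."""
    chain = [e for e in events if e.file_id == file_id]
    if not chain:
        return None
    turned = next((e for e in chain if e.action in SUSPICIOUS), None)
    return {
        "entry": chain[0],
        "chain": chain,
        "affected_hosts": sorted({e.host for e in chain if e.source == "endpoint"}),
        "dwell": (turned.ts - chain[0].ts) if turned else None,
    }

def reclassified(events):
    """Files passed as benign on entry that later behaved suspiciously."""
    flagged = []
    for file_id in sorted({e.file_id for e in events}):
        trace = trace_file(events, file_id)
        if "verdict=benign" in trace["entry"].detail and trace["dwell"] is not None:
            flagged.append(file_id)
    return flagged

if __name__ == "__main__":
    events = normalise()
    for file_id in reclassified(events):
        trace = trace_file(events, file_id)
        print(file_id, "entered via", trace["entry"].source, "on", trace["entry"].host)
        print("  hosts reached:", trace["affected_hosts"], "| benign-to-suspicious gap:", trace["dwell"])
        for e in trace["chain"]:
            print("  ", e.ts.isoformat(), e.source, e.host, e.action, e.detail)
```

A snapshot taken at delivery time would record only the benign verdict; the second file written to fs01 and the outbound connection appear only because events keep being collected and correlated on the same file identifier.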
Core to enabling this is a security intelligence platform, many of which have their roots in security information and event management (SIEM) and log management systems. Today, such systems have added advanced big data analytical capabilities, visualisation and forensics capabilities in order to make sense of what is uncovered and to trace the path back to the original perpetrator. In order to do this, they need to take in feeds from a wide variety of systems and controls, including intrusion detection and prevention systems, network behavioural analysis controls, next-generation firewalls, identity and access management systems, and network access controls. It is therefore of vital importance that all information is collected and managed through a centralised console, providing the ability to look across the network and to create audit trails of findings.
At the same time as improving detection capabilities, organisations need to tackle the data exfiltration challenge to avoid experiencing data loss before the incident has been detected. Owing to the difficulty that organisations face in detecting security incidents on their networks, all outbound communication channels should be monitored to prevent data from being exfiltrated. A common strategy used by advanced attackers is to look to extract data from networks, sending it out to command and control servers under their charge. Preventing this requires that all network egress points and endpoints be monitored to prevent sensitive data leaking out, ideally integrated with data leakage prevention tools. For web channels, communications should be prevented from going out to known bad URLs or IP addresses.
When an incident has been detected, organisations need to gain an understanding of the scope of the damage in terms of how far it has spread and what systems have been impacted. This information will be obtained from the event data that has been collected and analysed from all systems in the network, endpoints and traffic flowing through the network.
They then need to assess the criticality of the incident and the assets that have been affected in order to prioritise the response. In some cases, the organisation may decide to block an action or quarantine a system until it can be dealt with. However, containing a threat in this way can hinder productivity if users are denied access to critical systems or files. It can also draw an attacker’s attention to the fact that their exploit has been discovered, at which point they may choose to lie dormant, ceasing any activity until the organisation ceases to respond to the incident.
In many cases, it is best to try to remediate the threat in order to remove it from the network and get operations back to normal. Vendors have begun to offer automated countermeasures for remediating threats, often based on indicators of compromise (IOCs) that provide greater intelligence regarding the sophisticated tools, techniques and procedures used by attackers. Every attack leaves behind forensic artefacts that indicate it has occurred, along with information about how the attack was carried out. Those artefacts are termed IOCs, which can be used to identify security incidents and hidden threats. The knowledge that IOCs provide, combined with threat intelligence services, is used to determine which countermeasures are the most appropriate to mitigate specific types of threats, based on policies that have been set by the organisation. IOCs can help greatly in speeding up the time taken to discover and remediate even the most advanced, sophisticated threats and can allow organisations to make informed decisions regarding the best remediation method.
Many organisations are wary of automating the incident response process for fear of shutting down a sensitive system or of denying system access to a user by removing entitlements, meaning that they cannot get their job done. Therefore, organisations should look for a system that provides manual authorisation checks before an action can be taken so that humans can give their approval. Even where a remediation action is automated, it should also be possible to roll back the change should a problem be encountered.
Any system chosen should also provide forensics capabilities to investigate events that have occurred and how effective the response was. This will help organisations to look for and discern trends, with the resulting information used to automatically upgrade protections and implement rules on security controls to detect and block the same or similar attacks from occurring again in the future.
|Threat intelligence and reputation services|
|Alternative to signature-based detection - sandbox on-premise or in cloud for payload analysis with optional blocking, endpoint behaviour analysis with virtual containers, whitelisting|
|Threat vector coverage - email, web, documents, removable media|
|Operating system coverage|
|System configuration, memory and process monitoring to block attacks, especially threat injection attacks|
|Integration with access controls|
|Malware removal capabilities|
|Virtual execution engines for detecting files of all types|
|AV suite integration|
|Tracking lateral movement|
|Network traffic analysis to highlight anomalous patterns, including off-network mobile devices|
|Integration with network security controls, SIEM, IDPS, NBA, NGFWs, NAC and IAM|
|Security intelligence for RT continuous monitoring|
|Patch management and configuration change management|
|Central management system|
|Outbound communications monitoring|
|Network file share analysis|
|Stop connections to known bad URLs or IP addresses|
|Network forensics - capture all traffic, with analysis and reporting tools|
|Endpoint forensics - collect data from monitored hosts|
|Indicators of compromise shared with customers|
|System configuration, memory and process monitoring to block attacks to assist in incident response|
|Big data analytics and machine learning|
|Malicious file quarantine and storage for forensics and law enforcement|
Every organisation is under pressure to safeguard its sensitive data from harm in order to avoid business disruptions and damage to its brand and reputation. It is no longer sufficient to assume that attacks can be defeated with protective technologies alone since, given the nature of today’s technology and the sophistication of attackers, some attacks will always get through. Therefore organisations need also to focus on detecting security incidents that have occurred and on efficient ways of recovering from those attacks and resuming normal business operations. Those that do not consider the entire lifecycle of advanced threats and attacks will find themselves playing a game of catch-up, always one step behind attackers and putting their businesses on the line.