March 23, 2018 at 22:53The monster of advanced threat and targeted attack / Monster of advanced threats and targeted attacks
Dear Habr community, welcome!
Today, the supply of material will be quite ambiguous. It is difficult for me to predict your reaction, but despite this, I will try to convey the main idea of my article, shifting the complex to understandable, and thereby convey the essence. The essence, which is sometimes impossible to express in words, using a glossary of terms accepted in the subject matter. I will do this through analogy, associations, visualization and humor. I kindly remind you that today is Friday, and I wish everyone a good weekend!
The use of analogy in the first place is the ability to transfer various complex concepts, the analysis of which causes difficulties in understanding to more simple for perception. And secondly, this method is quite interesting and makes it possible to look at complex things from a completely different perspective.
Even in such a conservative environment as information security, there is nothing easier than using the example of something more tangible and understandable to clearly demonstrate the essence of something more complex. Therefore, I will venture to tell you today about the octopus, one of the most perfect marine inhabitants, with the unique equipment on board, with its sophisticated methods of attacking the victim and the defensive techniques used. Why is an octopus hard to spot? Why is an octopus hard to resist?
In my opinion, a very obvious analogy with a sea predator, I will show you what tools and how the most prepared cyber groups can use in their targeted attacks, and why traditional means of defense are not enough to deal with predators such as octopus.
And, frankly, I have long wanted to figure out the details why criminal, hacker and other groups love to associate themselves with this marine predator.
Are you interested? Then sit back, get started! I am sure that you will be surprised by the physiological characteristics and abilities of the octopus, the ability to adapt and defend.
So ...
Octopus is a marine predator of the invertebrate order, clever animals, has the most developed brain among invertebrates, is well trained, understands and remembers the environment. Scientists are still amazed at the mollusk’s fighting arsenal. It seems that no living creature on the planet has so many great adaptations:
Now, I am sure that you know much more about the octopus and, as you read through the description, compared the acquired knowledge about the predator with the features of constructing a targeted attack. It is time to get to know the main character of my small visualized story.
A targeted attack in our time at a fast-growing pace is becoming the main cyber threat to business. This is a carefully planned, lengthy process of unauthorized activity in the infrastructure of a particular organization in order to obtain certain benefits planned by a cybercriminal group. Most often, the main stages of a targeted attack are: preparation, penetration, distribution, goal achievement and concealment of traces.
Preparation includes determining the target, collecting the maximum amount of information about it, examining the infrastructure and the solutions used on it, identifying vulnerabilities in the security system and planning an attack strategy based on the data collected.
Next is the development of the methodology and the selection of penetration tools with the greatest possible adaptation to the perimeter defense equipment used on the infrastructure, which allows attackers to penetrate the target infrastructure as imperceptibly as possible.
Cyber professionals have at their disposal an unlimited amount of time: to develop malware, debug malware, attempt to steal accounts, use social engineering, etc., as well as develop a sequence of stages of an attack.
The organization’s use of only traditional means of perimeter defense is no longer enough to counter complex threats of the APT (Advanced Persistent Threat) level. You need to understand that a multi-vector invasion aimed at various levels of infrastructure, using various penetration means, as well as aimed at bypassing the existing defense systems on the infrastructure, cannot be stopped by blocking only one of the planned vectors of the complex target attack.
Why are traditional remedies not enough?
Due to the specifics of the targeted attacks themselves:
Due to the technological limitations inherent in traditional protections:
A targeted attack can pursue a variety of purposes: theft of money, trade secrets, personal data, violation of business processes, weakening of competitive advantage, blackmail and extortion, theft of intellectual property, etc.
After reaching the goal, the attacker should hide the traces, and, if necessary , leaving points of return to the infrastructure.
To effectively protect against targeted attacks and APT threats, organizations need to think about using specialized solutions to counter targeted attacks and advanced APT threats and apply a comprehensive defense strategy in general.
The advantage will be if specialized solutions interact with their own tools for preventive measures, if there are third-party preventive technologies or technologies that are most often already present on the infrastructure of organizations, thereby preserving the previously invested in them. The presence of preventive technologies for detecting and automatically blocking mass common threats and clearly malicious objects helps to eliminate the need to parse a large number of small incidents that are irrelevant to complex attacks, thereby increasing the efficiency of specialized solutions aimed at identifying APT threats.
Specialized tools, in turn, after detecting more complex threats, can send verdicts to traditional remedies. This provides two-way interaction and a truly comprehensive approach to countering advanced threats.
If it is necessary to comply with the strict requirements for processing critical data, solutions should support operation in an isolated mode without loss of detection quality, i.e. must maintain a local reputation database of threats and provide promptly unique information about the latest threats without transferring data outside the corporate circuit. When choosing a specialized solution in the Russian Federation, it is necessary to take into account the availability of FSTEC, FSB certificates, the availability of a solution in the domestic software registry, as well as the compliance of the solution with the requirements of external and internal regulators and the focus on compliance with legislative recommendations, for example, N 187-FZ and GosSOPKA.
Depending on the information security maturity of each specific organization and the availability of the necessary resources in the company, manufacturers of specialized solutions to protect against advanced threats must provide the expert services and professional services necessary for companies in each specific case, from supporting the deployment, configuration and updating of products to providing its experienced experts for malware analysis and incident investigation.
Conducting penetration testing, application security analysis, as well as:
Today, the supply of material will be quite ambiguous. It is difficult for me to predict your reaction, but despite this, I will try to convey the main idea of my article, shifting the complex to understandable, and thereby convey the essence. The essence, which is sometimes impossible to express in words, using a glossary of terms accepted in the subject matter. I will do this through analogy, associations, visualization and humor. I kindly remind you that today is Friday, and I wish everyone a good weekend!
Some water
The use of analogy in the first place is the ability to transfer various complex concepts, the analysis of which causes difficulties in understanding to more simple for perception. And secondly, this method is quite interesting and makes it possible to look at complex things from a completely different perspective.
The essence of the wave
Even in such a conservative environment as information security, there is nothing easier than using the example of something more tangible and understandable to clearly demonstrate the essence of something more complex. Therefore, I will venture to tell you today about the octopus, one of the most perfect marine inhabitants, with the unique equipment on board, with its sophisticated methods of attacking the victim and the defensive techniques used. Why is an octopus hard to spot? Why is an octopus hard to resist?
In my opinion, a very obvious analogy with a sea predator, I will show you what tools and how the most prepared cyber groups can use in their targeted attacks, and why traditional means of defense are not enough to deal with predators such as octopus.
And, frankly, I have long wanted to figure out the details why criminal, hacker and other groups love to associate themselves with this marine predator.
Are you interested? Then sit back, get started! I am sure that you will be surprised by the physiological characteristics and abilities of the octopus, the ability to adapt and defend.
So ...
Octopus is a marine predator of the invertebrate order, clever animals, has the most developed brain among invertebrates, is well trained, understands and remembers the environment. Scientists are still amazed at the mollusk’s fighting arsenal. It seems that no living creature on the planet has so many great adaptations:
- The octopus has 8 powerful tentacles, thanks to which it easily masters prey. But sometimes they can grow and more than eight. All of them are equipped with claws and have from one to three rows of suction cups;
- Each tentacle has up to ten thousand taste buds that determine the edibility or inedibility of an object;
- A very cunning creature: as a distraction, it can throw away its tentacles, if the need arises. The torn tentacle for a certain time continues to move and respond to tactile stimuli, which serves as an additional distraction for continuing the attack from the other side or disappearing;
- The octopus has the property of regeneration, that is, a tentacle torn off or specially thrown away grows back after a while;
- It has a powerful beak located at the base of the tentacles, with the help of their beak-weapon they split the shell of the victim and reach the body;
- The most poisonous marine animal. The bite helps the octopus to cope with very large prey, immobilizing with the help of a paralyzing poison;
- Sees in complete darkness due to infrared vision and generally has better vision than the eagle;
- Able to perceive sound, including infrasound;
- A fast swimmer with a jet engine (draws water into the mantle and shoots water through the funnel out), a similar principle of movement is rarely found in living beings. 50 km / h - normal speed, can reach up to 70 km / h;
- Able to lie on land for hours and even walk along the shore. For walking on land, he carries water (in a special compartment of the body);
- It has perfectly developed sharp jaws, in the throat there is a grater (radula), which grinds food;
- The body of the predator is equipped with spotlights. Certain areas of the skin glow, illuminating the octopus path in the middle of the night or at great depths, where eternal darkness reigns;
- The body is soft and elastic, which allows you to penetrate through holes and crevices much smaller than the usual sizes of their bodies or sophisticatedly hide in the most secluded places;
- Coloring changes instantly as needed (plain color or mosaic of spots), so it is very difficult to distinguish it from the general background;
- Ink bomb / cloud - a miracle weapon, one of the most amazing octopus devices for disorienting and destroying the target / enemy's vision. The octopus is always filled with ink containing narcotic substances. Uses ink when you need to go unnoticed or gain time to attack from the other side.
Now, I am sure that you know much more about the octopus and, as you read through the description, compared the acquired knowledge about the predator with the features of constructing a targeted attack. It is time to get to know the main character of my small visualized story.
HISTORY ONE. Successful for the attacker - a failure for the defender
A targeted attack in our time at a fast-growing pace is becoming the main cyber threat to business. This is a carefully planned, lengthy process of unauthorized activity in the infrastructure of a particular organization in order to obtain certain benefits planned by a cybercriminal group. Most often, the main stages of a targeted attack are: preparation, penetration, distribution, goal achievement and concealment of traces.
Preparation includes determining the target, collecting the maximum amount of information about it, examining the infrastructure and the solutions used on it, identifying vulnerabilities in the security system and planning an attack strategy based on the data collected.
Next is the development of the methodology and the selection of penetration tools with the greatest possible adaptation to the perimeter defense equipment used on the infrastructure, which allows attackers to penetrate the target infrastructure as imperceptibly as possible.
Cyber professionals have at their disposal an unlimited amount of time: to develop malware, debug malware, attempt to steal accounts, use social engineering, etc., as well as develop a sequence of stages of an attack.
The organization’s use of only traditional means of perimeter defense is no longer enough to counter complex threats of the APT (Advanced Persistent Threat) level. You need to understand that a multi-vector invasion aimed at various levels of infrastructure, using various penetration means, as well as aimed at bypassing the existing defense systems on the infrastructure, cannot be stopped by blocking only one of the planned vectors of the complex target attack.
Why are traditional remedies not enough?
Due to the specifics of the targeted attacks themselves:
- used protective equipment, in order to circumvent them, are studied in detail;
- zero-day vulnerabilities, compromised accounts are used;
- Malicious software or specially created unique software is used;
- trusted, but compromised objects that do not create a negative background are used in attacks;
- a multivector approach to penetrating the infrastructure is applied;
- Social engineering and data obtained from insiders are applied.
Due to the technological limitations inherent in traditional protections:
- solutions are aimed only at detecting and blocking common (uncomplicated) threats, already known vulnerabilities or unknown, but built on previously known methods;
- there is no functionality for built-in matching and correlation of detected detects in a single chain of events;
- the functionality of detecting deviations in normal activities is not supported and there is no analysis of the operation of legitimate programs, etc.
A targeted attack can pursue a variety of purposes: theft of money, trade secrets, personal data, violation of business processes, weakening of competitive advantage, blackmail and extortion, theft of intellectual property, etc.
After reaching the goal, the attacker should hide the traces, and, if necessary , leaving points of return to the infrastructure.
HISTORY TWO. Successful for the defender - a failure for the attacker
To effectively protect against targeted attacks and APT threats, organizations need to think about using specialized solutions to counter targeted attacks and advanced APT threats and apply a comprehensive defense strategy in general.
The advantage will be if specialized solutions interact with their own tools for preventive measures, if there are third-party preventive technologies or technologies that are most often already present on the infrastructure of organizations, thereby preserving the previously invested in them. The presence of preventive technologies for detecting and automatically blocking mass common threats and clearly malicious objects helps to eliminate the need to parse a large number of small incidents that are irrelevant to complex attacks, thereby increasing the efficiency of specialized solutions aimed at identifying APT threats.
Specialized tools, in turn, after detecting more complex threats, can send verdicts to traditional remedies. This provides two-way interaction and a truly comprehensive approach to countering advanced threats.
If it is necessary to comply with the strict requirements for processing critical data, solutions should support operation in an isolated mode without loss of detection quality, i.e. must maintain a local reputation database of threats and provide promptly unique information about the latest threats without transferring data outside the corporate circuit. When choosing a specialized solution in the Russian Federation, it is necessary to take into account the availability of FSTEC, FSB certificates, the availability of a solution in the domestic software registry, as well as the compliance of the solution with the requirements of external and internal regulators and the focus on compliance with legislative recommendations, for example, N 187-FZ and GosSOPKA.
Depending on the information security maturity of each specific organization and the availability of the necessary resources in the company, manufacturers of specialized solutions to protect against advanced threats must provide the expert services and professional services necessary for companies in each specific case, from supporting the deployment, configuration and updating of products to providing its experienced experts for malware analysis and incident investigation.
Conducting penetration testing, application security analysis, as well as:
- active threat search and digital forensics services
- provision of a subscription to the portal of analytical reports on threats
- round-the-clock service of analysis of IS events and incident response, etc.