New research shows cybercriminals are using more advanced attack techniques. Expert Nick Lewis explains what enterprises need to know about the APT-style attacks.
Advanced persistent threat, or APT, groups were once synonymous with nation-state attackers, but the term has come to include organized cybercrime gangs that bypass the security controls of enterprises assumed to have strong security, such as financial institutions.
Over time, advanced techniques are adopted by less advanced attackers, which results in enterprises implementing security controls to prevent those attacks. The advanced threat actors then develop new techniques to bypass the new controls, in the endless cat-and-mouse game that persists in information security. New research from Kaspersky Lab on several cybercrime gangs details the APT-style attack techniques being adopted more broadly, which enterprises need to devote more resources to defending against. This tip takes a look at the APT-style attacks reported by Kaspersky Lab, and at how enterprises can update their security programs in response.
APT-style attacks
Kaspersky reported that the cybercrime gangs Metel, GCMAN and Carbanak are adopting APT-style attack techniques for financial crimes. Kaspersky identified the steps these groups are adopting as "reconnaissance, social engineering, specialized malware, lateral movement tools and long-term persistence." All of these components are critical to executing a multistage attack on a target and have been used widely in attacks. Reconnaissance is done first to plan the attack and to identify how to customize the social engineering step so it is most effective. Reconnaissance and social engineering may also surface internal technical details that are used later in the attack. The malware may be customized in advance so that all of the pieces of the attack fit together to achieve the attackers' goals, and it may be tested against antimalware tools or other detection controls beforehand to confirm it evades detection. Lateral movement is used to find the systems that control critical transactions or store sensitive data that can be monetized. Long-term persistence lets the attackers monetize the compromise over time, which may reduce the chance that they get caught.

The Carbanak 2.0 gang used social engineering, with a phishing email carrying an attachment, for the initial foothold in the network, and then, through monitoring, identified the location of sensitive data and changed the ownership details of a large company. In the Metel attack, the malware was customized to roll back ATM transactions while the attackers cashed out at the ATMs. In the GCMAN attack, the attackers used lateral movement, starting from a public-facing Web server and compromising other internal hosts to establish long-term persistence before they came back to cash out.
How enterprises can update their security programs
The core steps used in these APT-style attacks haven't changed over time, and an enterprise's information security program probably already has controls in place against attacks that use reconnaissance, social engineering, specialized malware, lateral movement tools and long-term persistence. Enterprises should examine each step of an attack and ask whether their security controls would prevent it. Where a control isn't effective, the enterprise should perform a risk assessment to determine why it is ineffective, how to improve it and what the improvement would cost. Doing this for every step can be resource-intensive, so internal or industry-specific incident data can be used to prioritize which risk analyses to perform first.
Potentially, the single most effective control against all three attack groups would have been strong network segmentation around the financial systems, which addresses the lateral movement stage of the attacks. Network segmentation is probably the most boring security control in existence, but it is also one of the most effective. Unless the attackers bring their own external connectivity (a satellite link, wireless or some other implant), it is difficult for them to maintain persistence on a system that is not connected to the Internet or another external network. For financial network segments that need to connect to other parts of the network, which most do, those connections and systems should be configured for the least access necessary, and monitored closely for any anomalous system activity or network traffic. This can be difficult on a large network with multiple locations, but it may be the only way to detect something that has bypassed the other security controls.
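One way to make "least access necessary, monitored closely" concrete is to write the permitted flows into and out of the financial segment as an explicit allowlist and review flow records against it, alerting on anything else. The script below is an added example, not code from the article or from Kaspersky Lab; the segment addresses, the allowlist, the flow-record format and the sample records are all constructed assumptions. It flags two patterns that map onto the attacks described above: an unapproved host reaching into the financial segment (lateral movement, as with the GCMAN Web server) and a financial-segment host talking to an external address (a persistence or command-and-control channel).

```python
"""Review flow records against a least-access allowlist for a financial segment.

Added example with constructed data; not the article's or Kaspersky's code.
"""
import ipaddress

# Assumed segment addressing (constructed for this example).
SEGMENTS = {
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "corp":    ipaddress.ip_network("10.10.0.0/16"),
    "dmz":     ipaddress.ip_network("192.0.2.0/24"),
}

# Least-access allowlist for traffic crossing the finance boundary.
# Each rule: (source network, destination network, protocol, destination port).
# Note the sources are single hosts, not whole segments.
ALLOW = [
    (ipaddress.ip_network("10.10.5.10/32"), SEGMENTS["finance"], "tcp", 443),  # approved jump host -> finance app
    (SEGMENTS["finance"], ipaddress.ip_network("10.10.0.53/32"), "udp", 53),   # finance -> internal DNS
    (SEGMENTS["finance"], ipaddress.ip_network("10.10.0.20/32"), "tcp", 514),  # finance -> log collector
]


def segment_of(ip):
    """Return the segment name for an address, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    """Parse a constructed flow record: '<ts> <src_ip> <dst_ip> <proto> <dst_port> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "bytes": int(nbytes)}


def is_allowed(flow):
    """True if some allowlist rule matches the flow exactly (host, host, proto, port)."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    return any(src in s and dst in d and flow["proto"] == p and flow["dport"] == port
               for s, d, p, port in ALLOW)


def classify(flow):
    """Label a flow: ignored, allowed, or an alert type for the finance boundary."""
    src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
    if "finance" not in (src_seg, dst_seg):
        return "ignored"        # does not touch the finance segment
    if src_seg == "finance" and dst_seg == "finance":
        return "ignored"        # intra-segment traffic, out of scope here
    if is_allowed(flow):
        return "allowed"
    if src_seg == "finance" and dst_seg == "external":
        return "alert:egress"   # finance host talking outside: possible C2/persistence
    if dst_seg == "finance":
        return "alert:lateral"  # unapproved host reaching into finance
    return "alert:other"        # finance -> internal destination not on the allowlist


def review(lines):
    """Return (verdict, src, dst, dport) for every flow that raises an alert."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict.startswith("alert"):
            findings.append((verdict, flow["src"], flow["dst"], flow["dport"]))
    return findings


# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = """
2016-02-09T02:00:01Z 10.10.5.10 10.20.0.15 tcp 443 18200
2016-02-09T02:00:05Z 10.20.0.15 10.10.0.53 udp 53 120
2016-02-09T02:01:10Z 192.0.2.10 10.20.0.22 tcp 445 9800
2016-02-09T02:03:42Z 10.20.0.22 203.0.113.7 tcp 443 51200
2016-02-09T02:04:00Z 10.10.7.33 10.20.0.22 tcp 3389 4400
2016-02-09T02:05:00Z 10.10.7.33 10.10.8.1 tcp 80 300
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_FLOWS.splitlines()):
        print(*finding)
```

Running it on the sample records produces three alerts: the DMZ Web server reaching a finance host on port 445 and a corp workstation reaching one on 3389 (both lateral), and a finance host sending to an external address on 443 (egress). The approved jump-host and DNS flows pass, and corp-to-corp traffic is ignored because it never crosses the finance boundary. The same allowlist is what the boundary firewall should enforce; the review script is the second line, catching traffic that a misconfigured or bypassed firewall lets through.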
searchsecurity.techtarget