Learn best practices to defend your organization
To fully understand how an APT works, it’s useful to study a well-documented attack—and there are several we could discuss. Google, a major provider of cloud services, publicly disclosed its 2010 attack, dubbed Operation Aurora by McAfee, and, as its investigation uncovered evidence, worked closely with customers and other companies that it believed might also have been compromised. It’s suspected that some of Google’s employees were friended using a popular IM product. The APT friending the victims had conducted extensive research about them, using search tools, their pages on social media websites, blog entries, and so on. The wealth of information the victims had posted helped identify them as targets and gave the APT a detailed profile of each victim, so the APT could pretend to have similar interests or even to be someone the victim had met, gone to school with, or worked with in the past.
After the victims were ensnared, the APT sent them links to websites under the APT’s control; these sites contained malware that was downloaded to the victims’ machines and exploited an Internet Explorer (IE) 6.0 zero-day vulnerability. After the victims’ machines were under the APT’s control, the APT installed spyware designed to capture keystrokes as the victims logged on to their employers’ systems and networks. With credentials granting access to Google’s internal infrastructure, the APT probed for weaknesses in line of business (LOB) applications and other software, attempting to elevate the level of access. At each point, the APT installed more malware or configured the compromised systems to act as launch points for further attacks—which is often called pivoting. Eventually, the APT compromised the core systems it was targeting and was able to access the desired data—which in this case included the mailboxes of dissidents and human rights activists who were crucial to the regime on whose behalf the APT was working. Data collected in the attack was exfiltrated from Google via a server under the APT’s control at another service provider.
In another recent attack, RSA, the manufacturer of popular two-factor authentication systems, was the victim. The APT targeted RSA employees with an email that contained an Excel attachment, with embedded content that exploited a vulnerability in a third-party media software package (there was no vulnerability in Excel). When the victims opened the attachment, their machines were compromised and the APT proceeded to install spyware, log on to other systems, and pivot to other systems on the network until the target was reached. As a direct consequence, RSA had to go to great expense to assure its customers that their use of the company’s product was safe (and for customers who follow RSA’s published guidelines, it’s very safe). RSA issued replacement two-factor authentication hardware tokens to customers upon request, even if not truly required. Using the information obtained in this attack, the APT has since gone on to attack defense contractors who used the manufacturer’s two-factor authentication system, such as Lockheed Martin. The APT has successfully compromised other companies’ systems and networks, fueling speculation that the initial attack against RSA was simply a means to an end.
Although not every organization will become a target for an APT, the real concern among security professionals is that the tools and techniques employed by APTs will eventually make their way into the hands of cybercriminals and other hackers. If this happens, very sophisticated attacks will be carried out against any organization that has something of value to the attacker—whether credit card or other financial information, trade secrets, and so on. Attacks might also be carried out as a form of cyber-activism, also known as hacktivism.
Defending Against APT-Style Attacks
Commonalities exist in the APT attacks that I discussed in the previous section. First, the attacks began with the selection of specific targets, who were then friended and sent instant messages with URLs to malicious websites or who received emails with attachments containing malware. Second, the APT compromised victims’ machines by exploiting vulnerabilities in older and unpatched software. Third, in the case of the Aurora attack, it’s also likely that one or more of the victims logged on using elevated privileges, providing the APT with credentials that afforded more access than an ordinary user would have.
The lessons learned from these attacks show that social engineering plays a big part in the initial phases, with attackers studying their potential victims carefully and identifying whom to target. Organizations can reduce the likelihood that their employees will be targeted by creating and enforcing a social media policy that prohibits employees from discussing their employer or providing details about their job on sites such as Facebook or in non-company blogs. The less information that an attacker has about potential victims, the less successful social engineering will be against those victims.