Friday, June 23, 2017

Business Security: Advanced Persistent Threats jeopardize businesses

Advanced Persistent Threats (APTs) are currently receiving a great deal of attention in the media and among IT security teams. In order to draw the attention of decision-makers in business and politics to this form of professional, targeted attack, gloomy scenarios are sometimes painted.

However, these scenarios often overshoot the mark: APTs become automatically linked to ruinous consequences, and companies that are actually affected by an APT keep it secret for fear of reputational damage. Because so few cases have become public, APTs are still surrounded by an aura of unjustified hype and speculation. For many companies, however, they have long been a reality, which makes a realistic approach to them all the more important.


European companies are also at risk


The pattern of attention that targeted attacks receive is always the same: when GhostNet, a large-scale cyber espionage campaign against the Tibetan government, was exposed several years ago, it was still a sensation.

Operation Aurora, which was directed against Google and Adobe, already received less attention. Subsequent campaigns such as LuckyCat, ShadyRat and Nitro in some cases compromised several dozen international corporate networks, yet were discussed only in specialist circles.


Targeted attacks are mostly done in campaigns


The reception of the major espionage programs followed the same course: while Duqu and Flame still reached the general public, Gauss and Mahdi were noticed only marginally. Informing those responsible in companies and raising their awareness of IT security is absolutely necessary. The reports on Flame and Gauss, however, had the opposite effect: because the targets affected were mainly in the Middle East, European companies were lulled into a false sense of security.


But even if the Middle East is far away from a European perspective, these new malicious programs show that cyber espionage is now a widespread phenomenon and is carried out in a highly professional manner. While GhostNet and Aurora are often attributed to Asian authors in public discussion, published analyses of the malware discovered in the Middle East now also point to Western actors.


It is therefore advisable for those responsible in a company to examine their own threat situation and the risk potential of APTs. There is, however, no reason for exaggerated fear or alarm, and the sometimes overblown warnings from IT security companies should likewise be viewed with a differentiated eye.


So far, no cases are known in which an APT actually threatened a company's existence or sent its share price into the ground. Nevertheless, there are negative effects. The BSI has information from confidential sources, for example, that companies have lost out in bidding contests or business dealings because confidential information was stolen in an APT attack.


In other cases, design drawings were copied. The financial consequences of such thefts can hardly be estimated reliably, but the necessary "clean-up" after a network compromise alone can quickly run to six-figure sums.


The examples show that targeted attacks on companies and organizations do take place and can have serious consequences. It is of secondary importance whether the attackers are controlled by a state, are financed by a state that wants to strengthen its national economy, or are commercial competitors who buy the services of the attackers, who are now very professionally organized and act accordingly. The consequences for the victims are often the same. Since the launch of the Alliance for Cyber Security, companies have increasingly turned to the BSI for support in handling network compromises. In some cases, gigabytes of data were exfiltrated because dozens of workstations or even mail servers were under the attackers' control.


Often the investigation of an APT at one company leads to the discovery of network compromises at other companies as well. The reason is that the attackers often work thematically, concentrating in regular campaigns on sectors such as aviation and air defense or energy. In addition, the BSI knows of cases where several companies cooperating on a large project were hit by APTs almost simultaneously.


This is also consistent with systematic evaluations that the BSI has carried out on publicly known APT campaigns such as GhostNet, ShadyRat and Nitro. Technical connections can be established between many of these operations, indicating that the perpetrators were the same or that the perpetrator groups cooperated.


These connections can be established via shared command-and-control servers or identical attack documents. The analysis suggests that many of the major APT cases of recent years were carried out by only a few groups.


Uniform attack patterns


Taking the publicly known incidents together with the cases reported to the BSI shows the extent of targeted attacks. It can now be assumed that every government organization and every internationally relevant company is the target of professional attacks. Compared with the small number of attacker groups suspected, this makes clear what great resources the attackers must have.


However, their size and the number of their targets also become a weakness: because a successful attack usually consists of many individual steps, the attacker often reuses certain techniques, infrastructure and tools. Creating these individually for the large number of different targets would be too laborious. This "standardization" of the attack modules, however, also opens up new possibilities for defenders.


Basic security measures are mandatory

If the same attack techniques, paths and methods are used against several companies, the defenders gain added value when these companies exchange information. Technical information about an attack attempt on one company can prevent similar attacks at another company or uncover an intrusion that has already spread within its network. For this reason, it has already paid off for many organizations to exchange details of specific attacks on their networks within consortia or through contacts between CERTs (Computer Emergency Response Teams). However, this requires management to accept that their own team may discuss incidents on the company's network with trustworthy contacts.


The principle of give and take applies: anyone who is not actively networked and does not contribute information is often not informed when someone else has valuable information.


Prevention of targeted attacks


Information on specific APT campaigns is important because targeted attacks are often lost in the flood of widespread, commodity malware. Professionally executed targeted attacks are designed to stay under the radar of classic antivirus solutions. Experience shows that, in general, APTs cannot be prevented by the use of individual IT security products. For example, even systems that filter malicious e-mails out of network traffic with a high detection rate cannot always prevent a well-crafted attack e-mail from being opened or forwarded to a wider distribution list.


Unfortunately, experience also shows that attackers are made things too easy in many cases. It is relatively common for basic security measures not to have been implemented. Even the most cost-effective anti-virus solution is of little use, for example, when patch management for browsers and browser plugins is not handled rigorously enough.


APT attackers always take the simplest attack path available in order to conserve their own resources. So before thinking about how to protect against APTs, one must ensure that basic IT security standards are met. Such standards are listed, for example, in the BSI's IT-Grundschutz Catalogues (IT Baseline Protection Catalogues).


Given the increasing spread and business use of smartphones and tablet PCs, mobile devices should also be included in security considerations. This is particularly true when they are connected to the internal network or are used by decision-makers.


Once basic security measures are consistently implemented and a process of continuous review and adjustment of these measures is in place, one can turn to the prevention of targeted attacks. A key success factor here is, among other things, the exchange of information about targeted attacks and attack attempts.


Since, as described, there is a high probability that another company will be attacked with similar or even the same methods, the exchange of information on such attacks allows defenders, for example, to create signatures and share them. The BSI has already helped companies and organizations detect network compromises because the perpetrators used the same command-and-control servers as in earlier attacks.


In order to preserve the anonymity that companies want, the BSI is currently building an exchange platform within the framework of the Alliance for Cyber Security. The federal CERT (CERT-Bund), which is based at the BSI, can serve as a neutral intermediary that redistributes attack information anonymously to potentially affected companies.


If a company does not want to identify itself to the BSI, it is also possible to forward attack details to the BSI anonymously. Important information here includes, for example, command-and-control servers, registry keys created by the malware, file hashes, and exploited vulnerabilities.
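The detection that such shared indicators make possible, as an added example that is not part of the original article: it checks constructed proxy log lines and host artifacts against a constructed bundle of the indicator types named above (C2 servers, registry keys, file hashes), and scrubs internal addresses and host names from the evidence before a report is forwarded. All domains, hashes, keys, host names and log lines are invented placeholders.

```python
import re
# Constructed indicator bundle of the kind the text says is worth sharing:
# C2 servers, malware registry keys, file hashes. All values are invented.
SHARED_INDICATORS = {
    "c2_domains": {"update-check.example.net", "cdn-sync.example.org"},
    "file_sha256": {"a" * 64},
    "registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SvcUpdater"},
}
# Constructed proxy log lines and host artifacts from a hypothetical company network.
PROXY_LOGS = [
    "2017-06-23T08:01:12Z 10.20.30.41 GET http://intranet.example-corp.local/news",
    "2017-06-23T08:03:55Z 10.20.30.41 POST http://update-check.example.net/gate.php",
    "2017-06-23T08:04:10Z 10.20.30.77 GET https://www.cdn-sync.example.org/x",
]
HOST_ARTIFACTS = [
    {"type": "file", "host": "ws-0041", "path": r"C:\Users\Public\svchost32.exe", "sha256": "A" * 64},
    {"type": "registry", "host": "ws-0041", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SvcUpdater"},
    {"type": "file", "host": "ws-0077", "path": r"C:\Windows\notepad.exe", "sha256": "b" * 64},
]
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/:\s]+)")
PRIVATE_IP_RE = re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))(?:\.\d{1,3}){2}\b")
HOSTNAME_RE = re.compile(r"\bws-\d{4}\b")  # naming scheme of the hypothetical company

# Each hit is a (kind, shared indicator, local evidence) tuple.
def match_proxy_logs(lines, indicators=SHARED_INDICATORS):
    # A host matches if it equals a shared C2 domain or is a subdomain of it.
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        host = m.group("host").lower()
        for c2 in indicators["c2_domains"]:
            if host == c2 or host.endswith("." + c2):
                hits.append(("c2_domain", c2, line))
    return hits

def match_host_artifacts(artifacts, indicators=SHARED_INDICATORS):
    # Hashes and registry keys are compared case-insensitively.
    keys = {k.lower() for k in indicators["registry_keys"]}
    hits = []
    for a in artifacts:
        if a["type"] == "file" and a["sha256"].lower() in indicators["file_sha256"]:
            hits.append(("file_sha256", a["sha256"].lower(), a["host"] + ":" + a["path"]))
        elif a["type"] == "registry" and a["key"].lower() in keys:
            hits.append(("registry_key", a["key"], a["host"]))
    return hits

def anonymize_hits(hits):
    # Strip internal IPs and host names from the evidence before forwarding a report.
    scrub = lambda s: HOSTNAME_RE.sub("<host>", PRIVATE_IP_RE.sub("<internal-ip>", s))
    return [(kind, ind, scrub(ev)) for kind, ind, ev in hits]
```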


Fear of an APT need not rob a CIO or CISO of sleep. But neither should they rest easy without thinking carefully about where an attacker might have it too easy. They should also ask themselves how well their team is networked to receive information on current APT campaigns.
