Black Hat attendees 'naïve' on advanced persistent threats

IT pros say they can find advanced persistent threats within an hour - mostly, apparently, we think...

Black Hats are "naive"
Black Hats are "naive"

A new survey of 150 security professional from Lieberman Software Corporation has suggested that 83 percent of participants do not believe Advanced Persistent Threats (APTs) are over-hyped. The study was carried out at Black Hat Conference 2015 which was held in Las Vegas in August.

Naïvety relativity

The ‘findings' also suggests that many IT pros are naïve about the length of time it would take to identify an APT on their own corporate network: 10 percent of IT pros say it would take them only one hour to identify an APT on their network, while 55 percent said it would take them one week to one month.

These revelations sit in contrast to data from a recent Mandiant report which suggests that hackers are present on a network for an average of 205 days before being discovered.

Joan Pepin, VP of security and CISO of Sumo Logic, told SCMagazineUK.com that it's important to clarify that the term “APT” itself was initially coined to denote a person or group that was highly motivated, highly skilled and had the right tools at their disposal to be a serious threat to a government agency or enterprise over a significant period of time.

“Some people confuse malware to be an APT. However, malware, no matter how advanced, is not an APT. It's the person or group of people behind that malware or other form of attack that defines an APT,” said Pepin.

Unmanaged privileged credentials

Other discoveries from Lieberman Software's study were that 84 percent of respondents believe that unmanaged privileged credentials are the biggest cyber-security vulnerability within their organisation.

Lieberman Software CEO Philip Lieberman argues that despite the prevalence of cyber-attacks and the difficult task of stopping them, malware and APTs do have a weakness. Lieberman specifies that, to be able to do their worst, APTs need privileged credentials to gain elevated access to a system.

“Ultimately, if they can't install something, they can't attack,” he said.

Michael Sutton, CISO at Zscaler, the cloud-based internet security startup contacted SC to say that APTs entail not just one attack, but a sequence of events ranging from the most pedestrian publicly available exploit to new vulnerabilities and custom exploits.

“An APT is not opportunist or a mindless piece of code – the attacker tends to be organised and motivated to accomplish a task with a high payoff. Once a target is infiltrated, the attacker maintains a presence at the target exfiltrating information over an extended period of time,” said Sutton.

Evasion tactics

Simon Mullis, global technical lead at FireEye, spoke to SC this week to say that one key characteristic of the modern or advanced attack is that the attackers will use every opportunity to hide or evade detection and make the job hard for the analyst.

“There are countless examples to illustrate this point. Going back a few years to 2009 to the poster-child of nation-state attacks against private enterprise, we see the Aurora campaign. This attack used a few different objects, served from different network locations. This included a bit of JavaScript to exploit the browser, a payload disguised as a valid image and a final component to remove the traces of the previous phases,” he said.

Mullis argues that he sees these techniques used every day in new campaigns and that it is essential to have the capability to ‘re-assemble' the jigsaw pieces of the attack kill-chain to have any chance of detecting them – in the absence of prior knowledge.

“A significant proportion of systems touched by the bad guy during a breach never had any malware on them! The initial compromise is merely a foot in the door and the attackers will use standard built-in tools to navigate their way around your internal network. You're playing a game that has far more possibilities than a game of chess against a skilled and talented opponent. There's a human at the keyboard. Your defences must have technology, intelligence and expertise to minimise the consequences of any attack,” added FireEye's Mullis.

Kane Hardy, VP for EMEA at Hexis Cyber Solutions, told SC that while some endpoints may display signs of an APT breach – such as sluggishness or failed logins, many go undetected, until an external source leverages the information they've gained. 

"By their nature, APTs are engineered to lurk beneath the surface so the only organisations that are successful at detecting them in real-time are those that have invested in an integrated threat detection model. APTs require organisations to quickly identify anomalies, verify the severity of the threat, isolate and remediate it. Through this approach, organisations have a better chance of dealing with a compromise in its earliest phase, before it becomes a breach,” added Hardy.

A real world APT example

In her role as VP of security and CISO at Sumo Logic, Joan Pepin recounts one case she was involved in where the APT had been tasked with getting into a particular tech company to breach its core database and extract a large amount of data.

The APT hackers perpetrated their attack by researching the office park where the company's headquarters and main IT team was located. In the same office park was a fitness gym that had a website for scheduling personal trainers, which some of the tech company's employees used.

“The attackers hacked into the gym's website, installed malware and waited for someone who worked in IT to visit the website. From there, the attackers were able to infect the laptop of one of the tech company's employees; they installed key loggers, and in a short time, got his password. Then they used a Remote Access Trojan (RAT) to gain access to the database through the infected laptop, which they then used as a gateway to extract all of the data,” said Pepin.