10:15 AM
Anatomy of an Advanced Persistent Threat Attack
The previous post of this blog series discussed the Federal Financial Institutions Examination Council (FFIEC) warning about imminent, advanced persistent threat (APT) attacks on ATMs. Specifically, criminals might hack into banks’ web-based, ATM management systems, eliminate cash withdrawal limits imposed on the ATMs and thereby steal all the cash stored in the ATMs.
Unlike the cybercrimes that banks have dealt with so far -- including numerous Trojans, DDoS attacks, and ATM skimming -- the attack that the FFIEC is warning about is far more advanced and very similar to the ongoing attacks on the retail industry. So in this post, we’ll dissect recent APT attacks on the retail industry, which will yield valuable lessons and help us build better defense strategies against the cyberage Pancho Villas and John Dillingers.
[JPMorgan Chase Breach Impacts 76 Million Consumers]
Anatomy of an advanced persistent threat attack
In an APT attack, the intruders break into a network, implant advanced malware, and sustain an indiscernible presence until they are able to siphon off the targeted data. Typically, an APT involves the following phases:
Target selection. Some attackers choose a victim first and research that party as if they were doing a PhD. Some simply go scouring the available sources on the Internet -- such as company websites, case studies, and employee resumes -- looking for companies that use IT systems that are exploitable or comfortable to work with. Others go hunting for “accidental victims.” For example, in 2007, hacker Albert Gonzalez went war-driving in search of organizations that had vulnerable WiFi networks, and he found his victim, retail giant T.J. Maxx.
Footprinting. Once the target is identified, the attackers use various kinds of surveying tools to create a blueprint of the target’s IT infrastructure. Details about sites, network topology, domain, internal DNS and DHCP servers, internal IP address ranges, and any other exploitable ports or services are captured.
Malware engineering. Now that the attackers know their target’s IT systems and exploitable vulnerabilities, they plan the attack. They engineer or procure the core and supplementary malware required to carry out the attack.
Initial breakthrough. Usually, the attackers phish their target company’s employees into downloading the malware. Alternatively, they can also exploit any zero-day vulnerabilities of the software used by the employees. For instance, attackers used Adobe ColdFusion’s vulnerabilities to break into the networks of LaCie, the computer hardware manufacturer.
Capturing admin privileges. In almost all of the attacks, the hackers attempt to steal the local administrator credentials of the victim’s computer (and eventually steal domain-level admin credentials), since some of their malware requires admin-level operational context.
Internal recon mission. The attackers then explore the network from inside to determine who has privileged access that can get them closer to their targets. Vulnerabilities required to create a backdoor are determined. Information such as baseline network traffic, user access and behavior, and auditing blind spots are extracted, all of which help the attackers improve their stealth, customize the core malware, and readjust their initial plan if required.
Privileged credential theft and backdoor establishment. Privileged accounts that matter are stolen. A backdoor is established to exfiltrate stolen data or sneak in more malware.
Expansion of compromised access. Attackers prefer to compromise more systems in order to maximize their success rate at harvesting the target data.
Covering the tracks. Once they’ve accomplished their goal, the attackers take care not to leave any telltale signs of their covert operations. There have been instances where attackers left a backdoor open through which they waltzed in several times and robbed a victim repeatedly without being caught.
In future posts, we’ll take a look at how the phases above came together in the 2013 Target hack and discuss the preventative measures against each phase.
Prasanna Kumar Singh is a marketing analyst for ManageEngine, the real-time IT management company. For more information on ManageEngine, a division of Zoho Corp., please visit www.manageengine.com; follow the company blog at https://blogs.manageengine.com; on Facebook at ... View Full Bio