IT security experts have labeled 2011 as the “Year of the Hack,” and appropriately so. Last year saw a diverse group of breaches that were financially and politically motivated. While each attack has its own unique fingerprint, some common elements are emerging – the quiet, persistent and sophisticated nature of today’s attacks.
If you compare a hack like the Microsoft MSBlaster Worm of 2003 to Sony PlayStation’s data breach of April 2011, the motivation, sophistication, and direct cost are in stark contrast. MSBlaster was a fairly rudimentary Distributed Denial of Service attack, and the motivation behind it was hacker glorification, i.e. penetrating a system just to boast about it over beer. It caused mostly embarrassment to the affected companies, and more annoyance than actual monetary losses (though in some cases significant costs were incurred to wipe out the infections). On the other side, the attack on Sony was financially motivated and yielded credit card numbers, passwords, and other very personal information of 70M users, directly costing Sony $170 million and an estimated 10 to 100x that much in indirect costs.
As Distributed Denial of Service (DDoS) attacks and viruses, which are often associated with the idea of hacking for hacking’s sake, have steadily gone down in recent years, Advanced Persistent Threats (APTs) have gone up. APTs typically have political and financial motivation, and often include an element of revenge. According to a study by Bit9, of the 765 IT executives interviewed for their Endpoint Survey, 60% said that APT is their biggest fear regarding security breaches and 28% feared that theft and disclosure was coming from insiders—an APT can often be an insider job, or at least aided by risky behavior from within the enterprise network.
Advanced Persistent Threats are what the name implies: a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists. However, that just skims the surface of understanding what APTs are and how they can affect you, so let’s take a look at each of the words that define Advanced Persistent Threat.
Hacking techniques have been continually evolving, becoming more advanced at every turn, and in APTs hackers often combine multiple targeting methods. Since the perpetrators of APTs have strong financial backing and serious motivation, they often take the time to focus on operational security, something rarely done in more opportunistic, less advanced threats. But the methods need not always be advanced. Consider the Citigroup breach of 2011. Though the target and the purpose certainly categorize this attack as an APT, the method turned out to be incredibly simple. The perpetrators identified a security flaw in the web-based banking application: once logged in with a known good account, they could simply change the account number in the URL string and immediately gain access to another account. It was then a simple task of writing scripts to first guess account numbers and, whenever a good one was found, to scrape the user information from the compromised account. Though perhaps not “advanced” in this case, the method was highly effective, resulting in more than 200,000 compromised customer accounts.
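The Citigroup flaw described above is a missing authorization check: the application trusted the account number in the URL instead of tying it to the logged-in user. The following is an added example, not code from the original article or from Citigroup, showing a vulnerable lookup beside a hardened one and a simple check over web-server log lines for the account-walking pattern the flaw enabled. Function names, the account records and the log lines are all constructed for illustration.

```python
# Added example (not from the original article): the authorization flaw behind
# the Citigroup breach, shown as a vulnerable lookup beside a hardened one, plus
# a simple log check for the account-enumeration pattern it enabled.
# All names, accounts and log lines below are constructed for illustration.

ACCOUNTS = {  # constructed sample data: account number -> record
    "1001": {"owner": "alice", "balance": 420.00},
    "1002": {"owner": "bob", "balance": 18000.00},
    "1003": {"owner": "carol", "balance": 73.50},
}

def lookup_vulnerable(session_user, acct_from_url):
    """Trusts the account number taken from the URL; any logged-in user
    can read any account by changing the number (the flaw described above)."""
    return ACCOUNTS.get(acct_from_url)

def lookup_hardened(session_user, acct_from_url):
    """Binds the lookup to the authenticated user: the record is returned
    only if the session user owns it; otherwise behave as if it does not exist."""
    record = ACCOUNTS.get(acct_from_url)
    if record is None or record["owner"] != session_user:
        return None  # no distinction between "missing" and "not yours"
    return record

def flag_enumeration(log_lines, threshold=3):
    """Detection check over web-server log lines of the form
    'session=<id> acct=<number> status=<code>'. A session touching more
    distinct account numbers than the threshold is reported for review."""
    seen = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        seen.setdefault(fields["session"], set()).add(fields["acct"])
    return sorted(s for s, accts in seen.items() if len(accts) > threshold)

# Constructed log sample: session s1 behaves normally, s2 walks account numbers.
SAMPLE_LOG = [
    "session=s1 acct=1001 status=200",
    "session=s1 acct=1001 status=200",
    "session=s2 acct=1001 status=200",
    "session=s2 acct=1002 status=200",
    "session=s2 acct=1003 status=200",
    "session=s2 acct=1004 status=404",
]

if __name__ == "__main__":
    print(lookup_vulnerable("alice", "1002"))   # bob's record leaks
    print(lookup_hardened("alice", "1002"))     # None
    print(flag_enumeration(SAMPLE_LOG))         # ['s2']
```

The hardened lookup returns the same result for a nonexistent account and for someone else's account, so the response itself does not confirm which guessed numbers are valid.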
As stated earlier, and as evidenced by the Sony and Citigroup attacks, APTs are not opportunistic, simply seeking an easy way in for boasting rights. These are “low and slow” attacks, meaning they are relatively unnoticeable and steal information over a longer period of time. The perpetrators will maintain long-term access to the target; should access be broken along the way, every attempt will be made to regain it and continue with the attack. It is similar to what Peter Gibbons was attempting to do in the movie Office Space.
APTs are typically backed by powerful, well-funded organizations (think organized crime or rogue governments), with the intent and the capability to achieve their goals. A key element is coordination and execution by human action rather than automation, at least until a stealthy, automated process can be implemented that has limited risk of being identified. Often, to stay under the radar, an APT will remain manual and incorporate minimal automation.
As APTs begin to grow and DDoS attacks and viruses become less of a threat, it is important to ensure that you have security policies in place to protect your network. Even though 28% of IT executives fear theft and disclosure will come from within, 60% of these firms are either using the “honor system” or have no internal security policy whatsoever. In addition, a recent survey by Ponemon Institute reported that although 90% of respondents had at least one breach in 2011, 40% of those surveyed had no clue where the breach stemmed from, and 33% could only identify the source of some attacks. Without a clear understanding of the source, how can you possibly protect yourself from another occurrence?
In addition to the active security systems in place today, you need a security “insurance policy,” since it’s clear that today’s state-of-the-art security systems don’t do a complete job – after all, 90% of survey respondents had at least one breach in 2011, and 70% had two or more! This insurance policy takes the form of a network recorder, which passively records each and every packet traversing your network. When an attack happens, and statistics indicate it will, you’ll have a complete recording of the incident, allowing you to identify how the attack happened, what information was compromised, and how to tune your existing network security tools to prevent future breaches.
To learn more about the trends and how to protect your network, check out our webcast “Cyber Security – IDS/IPS is Not Enough.”