Advanced Persistent Threats – Webinar Wrap-up with WatchGuard

WGlockAt this point it is hard to come by a person who isn’t familiar with someone that has been affected by an Advanced Persistent Threat. An Advanced Persistent Threat (APT) is a very high-tech, cutting edge attack leveraged to gain prolonged, stealthy control over a high value, political or business target.

The problem is, they’re everywhere and even hacks on businesses and large companies can trickle down to the everyday consumer.

SLPowers with WatchGuard technologies recently provided a free webinar sharing tips and information on how to protect your business against the lurking online threats. Check out the highlights below (as well as some extra info from other sources), and be sure to get on the mailing list for an invite to our next webinar!

 

Harrison Midkiff of WatchGuard shared some helpful information about APTs.

“Most of today’s malware is polymorphic and highly adept at changing its identity to evade standard, signature-based security platforms. Alone, these platforms will not recognize as many as 88 percent of these threats.* Advanced persistent threats, or APTs, increase the threat level by employing sophisticated evasion capabilities to get payloads past a network’s defenses where they persist, undetected. APTs are targeted to an organization or a specific technology and often leverage zero day vulnerabilities – flaws for which no patch is available and no signature has been written. Any organization can become a victim.”

According to WatchGuard:

An Advanced Persistent Threat (APT) attack is a type of network attack that uses advanced malware and zero-day exploits to get access to networks and confidential data over an extended period of time. APT attacks are highly sophisticated and often target specific, high-profile institutions, such as government or financial-sector companies. Use of this advanced malware has also expanded to target smaller networks and lower-profile organizations.

whatisapt

 

Three APT Attributes:

  1. Advanced – An unknown, zero day attack that has malware payloads and uses kernel rootkits and evasion-detection technologies.
  2. Persistent – It doesn’t stop. It keeps phishing, plugging and probing until it finds a way in to serve malware.
  3. Targeted – Sometimes backed by nation states, goes after specific technology and highly complex.

Be wary of email phishing scams or other gimmicks which aim to get you to download malware.

Today, normal criminal malware exploits the same advanced tactics as nation-state APTs. Every organization is at risk of advanced threats!

Some additional information from infoworld on APT

Generally, APT hackers employ familiar methods, using phishing emails or other tricks to fool users into downloading malware. But the ultimate objective tends to be very ambitious. If you discover a break-in where the only apparent intent was to steal money from your company, then it probably wasn’t an APT hack. Those who deal in APTs are trying to be your company.

And their 5 signs you’ve been hit with an advanced persistent threat:

  1. Increase in elevated log-ons late at night
  2. Finding widespread backdoor Trojans
  3. Unexpected information flows
  4. Discovering unexpected data bundles
  5. Detecting pass-the-hash hacking tools

Here is a list of some prominent APTs

GhostNetAttack launched from China to go after political & economic data.

Operation Aurora – Attack launched from China that went after high tech source code

StuxnetWorm that went after industrial Programmable Logic Controllers primarily used in the Iranian centrifuges to enrich uranium.

GhostNet – Is the name given by researchers at the Information Warfare Monitor to a large-scale cyber spying operation discovered in March 2009.

Operation Aurora – Was a cyber attack conducted by advanced persistent threats such as the Elderwood Group based in Beijing, China, with ties to the People’s Liberation Army. First publicly disclosed by Google on January 12, 2010, in a blog post, the attack began in mid-2009 and continued through December 2009.

Stuxnet – Was a computer worm that was discovered in June 2010. It was designed to attack industrial Programmable Logic Controllers or PLCs.

Duqu – Duqu is a collection of computer Malware discovered on 1 September 2011, thought to be related to the Stuxnet worm.

Flame – Also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is being used for targeted cyber espionage in Middle Eastern countries.

Many of you will remember the Target breach at the end of 2013. Some of the staggering details:

  • Breached Nov. 15, 2013
  • Disclosed Dec. 18, 2013
  • 40M CCNs stolen (Track 1 & 2 data)
  • Attackers nabbed encrypted PINs
  • 70M PII records stolen
  • 0day POS Malware (BlackPOS variant)
  • FTP used to exfiltrate data
  • HVAC partner’s creds used in attack
  • Started with a spear phishing email
  • Target ignored alerts warning of breach

Another of the high profile attacks mentioned in the webinar, Stuxnet, caused a great deal of damage.

  • Four zero day exploits
  • Self replicates over LAN
  • USB exploit jumps air gap
  • P2P update mechanisms
  • Stealthy C&C (SSL)
  • Kills security processes
  • Kernel Windows rootkit
  • Finds SCADA software (WinCC, Step7)
  • Fingerprints Siemens ICS system
  • First PLC rootkit
  • Ultimately, interrupted Iran’s uranium enrichment

Some more information on Stuxnet via Forbes.com

The most well-known example of a cyber attack on a physical infrastructure is the Stuxnet malware, which was allegedly built by the U.S. and Israeli governments and deployed on the computer systems of Iranian nuclear facilities beginning in 2008, disrupting a fifth of Iranian facilities and setting back Iran’s nuclear plans by as much as two years.

 

Traditional AntiMalware is NOT Enough!

WGlizard

 

 

“Nearly 88 percent of today’s malware can morph to avoid detection by signature-based AntiVirus solutions* That means today’s AntiVirus solutions remain necessary for catching known threats but alone, they’re no longer sufficient.”

Here are three defensive take-aways which come back to best practices in your network…

1. Defense in Depth

  • Use multiple services to protect you
  • There is no silver bullet
  • More security layers you have the better your chances are of catching something

2. Advanced Malware Protection

3. Security Visibility Tools

If you would like to hear about our next webinar, let us know– we’d love to have you. And if you want to know more about WatchGuard and SLPowers services, and what we can do to help protect you against APTs, visit us online or contact us to see how we can help.

SLPowers was selected as WatchGuard’s Expert Partner of the Year in 2012.
We are also a WatchGuard Certified Training Partner and a WatchGuard Managed Security Service Provider.



Categories: Data Loss Prevention, Data Security, Firewalls, WatchGuard

Tags: ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: