You may think that cyber-attacks are someone else’s problem. You would be wrong.
Cyber-attacks are growing in their number, sophistication and diversity of target. The 2013 Verizon report on data breaches made clear that we all need to be on guard for so called “Advanced Persistent Threats” (APTs). In fact, Verizon concluded “We see victims of espionage campaigns ranging from large multi-nationals all the way down to those that have no IT staff at all.”
Verizon’s report groups APT actors in three categories and identifies the industries they focus on. Their targets vary, but when you put them together they don’t leave many of us out.
- Other Service
Other than Agriculture, that’s pretty much everyone.
Most APTs use widely understood and available techniques such as Brute Force hacking, Phishing and SQL Injection to obtain access to networks and confidential data. Verizon makes a particular issue of the vulnerability of most email systems to phishing, where users are tricked into opening malicious email and downloading malware.
Verizon states “More than 95% of all attacks tied to state- affiliated espionage employed phishing as a means of establishing a foothold in their intended victims’ systems.” They conclude that most organizations do a poor job of protecting their email systems from email phishing.
Email phishing is a good example of how APTs are similar to but very different from other types of attacks. Spammers using phishing, but cast a very wide net, pun intended. They obtain emails from a variety of sources and send out their spam everywhere with little or no thought about the recipients.
APTs differ in that they target an organization and areas of that organization. They look for specific individuals in that organization who, if compromised, can best be used to advance the goals of the attack. This requires more patience and, as the name implies, persistence than other hackers.
Hackers will compromise email address books to send out malicious email. My son’s Yahoo email contact list was hacked rently and I received an email that appeared to come from him. In that case, I wasn’t fooled because the message was so generic that it clearly wasn’t from him.
If this was an APT, however, the hackers would go to great lengths to make the subject and message appear plausible. They analyze address book information and use any other information they can obtain about me and my organization. For example, if I receive a message from someone I know in my department telling me to sign up for a tradeshow that our company is actually participating in I could well be fooled into clicking on the link they provide.
And, unlike the common hacker, this is not a one shot attempt. If the tradeshow ruse doesn’t work they might identify the high school or college I went to and use that in their next email. They will come back again and again to me or other people in my organization until one of us makes the mistake to click on that link.
APTs do not look for a home run on the first hit. They often first gain access into low priority areas that companies fail to protect adequately, the weakest links. By being patient, they can gradually work their way into parts of the networks they really want to access and steal data.
Targeted phishing is referred to as “spear phishing” because they are aimed at a target. The most high profile example was the compromise of a White House email system by Chinese hackers in 2012. We were assured that nothing important was compromised, but you have to wonder. Afterall, the emails were for the White House Military Office which is in charge of the President’s schedule and the codes he can use to order a nuclear attack!
We don’t know what the Chinese hackers were looking for exactly, but the lesson for all of us is that if the White House can be hacked then we are all vulnerable. You may not think your organization is significant target, like the White House, but every organization has financial and personal data that is attractive to hackers. Payroll records are a gold mine for criminals.
The techniques used by APTs are being emulated by others. APTs are the best argument for the layered approach to internet security with endpoint security management. Every connection point and every device that connects to your network needs to be secured. Every user that communicates on the network is a potential weak link that needs to be attended to.