Posts Tagged ‘APTs’
Friday, February 22, 2013 @ 03:02 PM gHale
Even in today’s heightened digitally aware environment, companies remain unprepared to protect themselves against an emerging, relentless cyber security danger that threatens national security and economic stability, a new survey said.
Advanced persistent threats (APTs) are not easy to eliminate, which makes them different from traditional threats, according to global IT association ISACA. But an ISACA survey of more than 1,500 security professionals found 53 percent of respondents do not believe APTs differ from traditional threats.
This disconnect indicates IT professionals and their organizations may not be fully prepared to protect themselves against APTs, ISACA said.
“APTs are sophisticated, stealthy, and unrelenting,” ISACA International Vice President Christos Dimitriadis said. “Traditional cyber threats often move right on if they cannot penetrate their initial target. But an APT will continually attempt to penetrate the desired target until it meets its objective — and once it does, it can disguise itself and morph when needed, making it difficult to identify or stop.”
High-profile examples of APTs include the Google Aurora attack, disclosed in January 2010, and an attack on security, compliance, and risk management provider RSA in 2011. Although APTs are espionage tactics that often look to steal intellectual property, the Google Aurora and RSA attacks show these threats are not just facing government entities, the report said.
Although more than 70 percent of IT professionals surveyed said their organizations are able to detect APT attacks, and more than 70 percent said they are able to respond to APT attacks, their description of controls indicates a misunderstanding and lack of preparation, according to ISACA. The top controls enterprises use to stop APTs were anti-virus and anti-malware programs (95 percent) and network perimeter strategies such as firewalls (93 percent).
The difference is that APTs are designed to get around these types of defenses. “APTs call for many defensive approaches,” said ISACA Director Jo Stewart-Rattray.
APT attackers use social media to learn about employees of target organizations, then send “spear phishing” emails that appear legitimate. Ninety percent of respondents in the ISACA survey said the use of social networking sites increases the likelihood of a successful APT attack.
While 22 percent of respondents said they suffered an APT attack, 63 percent said it is only a matter of time before their enterprise ends up targeted by an APT.
“We are only in February, and already we can declare 2013 as the year of the hack,” Tom Kellermann, vice president of cyber security for Trend Micro said in the news release. “… Enterprises are under attack, and they don’t even know it.”
Thursday, February 21, 2013 @ 05:02 PM gHale
Sophisticated attacks that once targeted the financial services industry are now going out to other critical sectors, while the bad guys are employing new tactics and technologies to avoid industry-standard security measures.
Does that mean bad guys don’t want to play by the rules?
The McAfee report notes a continued proliferation of password-stealing Trojans and advanced persistent threats (APTs) such as Operation High Roller and Project Blitzkrieg, and the expansion of their attacks to government, manufacturing and commercial transaction infrastructure targets.
“We are seeing attacks shifting into a variety of new areas, from factories, to corporations, to government agencies, to the infrastructure that connects them together,” said Vincent Weafer, senior vice president of McAfee Labs. “This represents a new chapter in cyber security in that threat-development, driven by the lure of financial industry profits, has created a growing underground market for these cybercrime weapons, as well as creative new approaches to thwarting security measures common across industries.”
Leveraging data from McAfee’s Global Threat Intelligence (GTI) network, the McAfee Labs team of 500 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public.
In Q4 2012, McAfee Labs identified the following trends:
More threats, more availability, more industries targeted. As a group, unique password-stealing Trojans grew 72 percent in Q4 as cybercriminals realized user authentication credentials constitute some of the most valuable intellectual property stored on most computers. Now widely available, these Trojans are increasingly appearing within customized threats or combined with other “off-the-shelf” threats available on the Internet. Fourth quarter revelations around the Citadel Trojan suggest this Trojan’s information theft capabilities are going beyond the financial services sector.
Web threats shift from botnets to URLs. McAfee continued to see suspicious URLs replacing botnets as the primary distribution mechanism for malware. An analysis of web threats found the number of new suspicious URLs increased by 70 percent in Q4. New suspect URLs averaged 4.6 million per month, almost doubling the previous 2.7 million per month figure from the last two quarters. Ninety-five percent of these URLs were hosting malware, exploits or code designed specifically to compromise computers. The decline in the number of infected systems controlled by botnet operators comes in part from law enforcement efforts to bring botnets down, but perhaps more so from the declining appeal of the botnet business model.
Increase in infections beneath the OS. The volume of Master Boot Record-related malware climbed 27 percent to reach an all-time quarterly high. These threats embed themselves deep within the PC system storage stack, where standard antivirus solutions cannot detect them. Once embedded, they can steal user information, download other malicious software, or leverage the infected PC’s computing power to launch attacks against other PCs or networks. While these MBR attacks represent a relatively small portion of the overall PC malware landscape, McAfee Labs expects them to become a primary attack vector in 2013.
Malicious signed binaries circumvent system security. The number of electronically-signed malware samples doubled over the course of Q4. This indicates cyber criminals have decided that signing malware binaries is one of the best ways to circumvent standard system security measures.
Mobile malware continues to increase and evolve. The number of mobile malware samples discovered by McAfee Labs in 2012 was 44 times the number found in 2011, meaning 95 percent of all mobile malware samples appeared in the last year alone. Cyber criminals are now dedicating the majority of their efforts to attacking the Android platform, with an 85 percent jump in new Android-based malware samples in Q4 alone. The motivation for deploying mobile threats is rooted in the inherent value of the information found on mobile devices, including passwords and address books, as well as new “business” opportunities that are not available on the PC platform. These opportunities include Trojans that send SMS messages to premium services, then charge the user for each message sent.
Thursday, December 6, 2012 @ 06:12 PM gHale
The rush of mobile devices entering corporate networks, advanced persistent threats and third-party application vulnerabilities are the primary pain points for IT professionals headed into 2013.
These are new issues; a few years ago they were not even a blip on the worry-meter.
One of the top concerns cited in the fourth annual report researched by the Ponemon Institute was the proliferation of personally-owned mobile devices in the workplace such as smartphones and tablets. Eighty percent of those surveyed said laptops and other mobile data-bearing devices pose a significant security risk to their organization’s networks.
With 13 percent stating they use stricter security standards for personal over corporate-owned devices and 29 percent reporting no security strategy for employee-owned devices at all, there is a clear disconnect between awareness and action.
These figures are quite different compared to the 2010 survey. At that time, nine percent of respondents said mobile devices were a rising threat. This year, 73 percent rank mobile as one of the greatest risks within the IT environment.
This year’s study also found IT professionals view third-party applications as a major security threat. In fact, 67 percent of those surveyed reported they viewed third-party applications as a significant risk – second to mobile security risk.
In previous years’ surveys, the server environment, data centers and operating system vulnerabilities were the primary concerns. With the proliferation of mobile devices, along with the wide range of software and removable media commonly used in today’s enterprise environment, IT practitioners increasingly worry about the attack vectors these third-party tools could bring into the corporate network.
In addition to mobile security risk, the security concern that represents the biggest headache for 2013 is advanced persistent threats (APTs). Whereas worms and less harmful viruses were a concern in earlier reports, today’s IT teams consider APTs and hacktivism a real, global threat.
Of those surveyed, 36 percent reported they viewed advanced persistent threats as a “significant” threat to their environments while just 24 percent of respondents held this view last year. In addition, 12 percent of those surveyed this year stated current anti-virus/anti-malware technology is very effective in protecting their IT endpoints from today’s malware risk.
“Once again, we found the changing security terrain is preventing the state of endpoint security from improving,” said Dr. Larry Ponemon, chairman and founder, the Ponemon Institute.
“With the rise of hacktivism and advanced persistent threats, along with the sheer number of malware incidents we are seeing today, IT simply cannot keep up with the bad guys,” he said. “Add to this fact that end-users are furthering the complexity of the IT environment by bringing in mobile devices and downloading third-party applications — causing risk to exponentially proliferate. IT simply must take further action before the risk is beyond their control.”
Over 670 IT and IT security practitioners took part in this year’s study. Of those, 77 percent were in organizations with a headcount of more than 1,000 and 66 percent were in a supervisory role or higher. These professionals spanned key industries including financial services, the public sector and healthcare.
Monday, October 29, 2012 @ 12:10 PM gHale
A new generation of advanced persistent threats (APTs) forced McAfee to update its Endpoint Security platform.
In the ever-changing and dynamic environment of cyber security, the company said the update would better equip systems to block highly sophisticated attack techniques, such as master boot record (MBR) sabotage and the use of zero-day flaws for intrusion attempts.
The update would not only expand the scope of protections in Endpoint Security but also cover new device form factors, said Candace Worley, senior vice president and general manager of Endpoint Security for McAfee.
“We believe that the endpoint has to become more dynamic and context-aware,” Worley said.
“Devices are becoming more diverse, you have everything from a laptop and desktop to a tablet form factor.”
In addition to the MBR protections introduced, McAfee is updating the Enterprise Mobility manager to add support for iOS 6 devices and adding to the whitelisting protections on the McAfee Application Control administrator tool.
Encryption is also a priority in the update. The company said it would be updating the Endpoint Encryption platform to support PC and Mac OS X systems. The update will include the use of new encryption algorithms from Intel, which allow for faster encryption and decryption of data.
In addition to security enhancements, the company said the new Endpoint Encryption would simplify the process of managing and updating systems required to have encryption. By integrating the tool with the company’s ePolicy Orchestrator Deep Command console, administrators will be able to remotely access and patch end user systems without the need to enter credentials.
“If you have a full-disk encryption product and you power those systems off at night, you need a body to type in that password to decrypt it, and that is problematic,” Worley said. “This really addresses that case.”
Tuesday, September 25, 2012 @ 03:09 PM gHale
As the SCADA market continues to add connectivity into control devices, Wurldtech Security Technologies and Oulu, Finland-based Codenomicon are extending their partnership to the Asia Pacific markets, focusing on China, Taiwan, Korea, Japan and Southeast Asia.
As the SCADA environment adds more connectivity, including new telecommunications and mobile capabilities, the need to protect these devices from Advanced Persistent Threats (APTs) continues to grow.
Vancouver, Canada-based Wurldtech and Codenomicon extended their partnership to provide Asia Pacific device manufacturers with additional testing tools to increase the robustness of their products.
“As cyber security threats evolve, device manufacturers from around the world are seeking innovative solutions to bolster their development processes,” said Wurldtech Chief Executive Neil McDonnell. “Our partnership with Codenomicon provides Asia Pacific developers with a streamlined channel to Wurldtech products enabling us to continue to build our global presence.”
Wurldtech named Codenomicon as an authorized distributor for its Achilles test products, including the Achilles Test Platform and Achilles Test Software. Through this partnership, Codenomicon customers will have access to a new set of test tools for SCADA-specific protocols and Wurldtech will extend its reach into the Asia Pacific market.
“The Wurldtech Achilles Test products provide our customer base with an expanded line of process-control security options,” said Codenomicon Chief Executive David Chartier.
Wurldtech and Codenomicon have worked together to provide comprehensive robustness testing tools for mission critical embedded devices. With optional Codenomicon Defensics software running on the Achilles Test Platform, Wurldtech offers users testing of additional IT protocols.
Achilles Test products provide tools to developers of mission critical connected and SCADA devices to test critical software during the early development lifecycle.
By proactively exposing and correcting vulnerabilities and validating system resiliency in a real-time environment, manufacturers are able to secure products before they release and deploy in process control networks.
Friday, July 13, 2012 @ 09:07 AM gHale
By Nicholas Sheble
“APTs (advanced persistent threats) are not a ‘what,’ but a ‘who,’” said Daniel Teal, the chief technology officer at CoreTrace. “It’s particular people who are after you, your products, or what you know, your information.”
“They have resources, expertise, and the time to get you.” APTs have delivered well-known cyber attacks such as Stuxnet, Aurora, Night Dragon, and others.
An advanced persistent threat (APT) is a cyber threat or cyber attack where the hacker has the ability to evade detection and the capability to gain and maintain access to well-protected networks and the sensitive information in them.
The hacker is adaptive and well resourced. The persistent nature of the threat makes it difficult to prevent access to one’s computer network and, once the threat actor has successfully gained access to one’s network, very difficult to remove.
The hacker has not only the intent but also the capability to gain access to sensitive information stored electronically. ISSSource has reported before on APTs and the website contains an informative white paper on them.
Beyond discussing the objectives of APTs, Teal spoke Thursday during a company webinar entitled “Combating Advanced Persistent Threats: The Case for Application Whitelisting-based Solutions,” about potential targets, what the primary weapons include (like memory attacks), and the best solutions to stave off such attacks.
One of those methods includes a compelling case for application whitelisting-based advanced threat protection platforms.
Application whitelisting is a concept whereby only authorized applications can run on the network and its nodes. So rather than searching out malware using antivirus software, the system blocks everything — except those functions that the user designates to run.
The anti-malware value of this technique rests on the assumption that malware never gets onto the whitelist. As long as the whitelist remains malware-free, malware cannot run. Teal said whitelisting can stop all APTs.
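The default-deny decision described above, as an added illustration and not code from CoreTrace or from the webinar: a program is identified by the SHA-256 of its contents rather than its file name, an administrator-approved set of hashes is the whitelist, and anything unknown or modified is refused. The binary names and contents are constructed stand-ins; a real enforcement agent hooks the operating system's loader instead of being called explicitly.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """A program's identity is the hash of its bytes, not its file name."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict) -> dict:
    """Build the whitelist from binaries an administrator has explicitly approved."""
    return {name: sha256_hex(blob) for name, blob in approved.items()}


def execution_decision(name: str, blob: bytes, allowlist: dict):
    """Default-deny: only a known name whose hash still matches may run."""
    expected = allowlist.get(name)
    if expected is None:
        return False, f"DENY {name}: not on whitelist"
    if expected != sha256_hex(blob):
        return False, f"DENY {name}: hash mismatch, binary modified or replaced"
    return True, f"ALLOW {name}"


# Constructed stand-ins for approved executables (hypothetical names and contents).
APPROVED_BINARIES = {
    "hmi.exe": b"MZ-hmi-application-v1.0",
    "historian.exe": b"MZ-historian-service-v2.3",
}
ALLOWLIST = build_allowlist(APPROVED_BINARIES)


def run_scenarios(allowlist=ALLOWLIST):
    """Three launch attempts: an approved binary, a tampered copy, and unknown code."""
    scenarios = [
        ("hmi.exe", APPROVED_BINARIES["hmi.exe"]),        # approved, unchanged
        ("hmi.exe", b"MZ-hmi-application-v1.0+implant"),  # same name, altered contents
        ("dropper.exe", b"MZ-never-seen-before"),         # never approved at all
    ]
    return [execution_decision(name, blob, allowlist) for name, blob in scenarios]


if __name__ == "__main__":
    for _allowed, reason in run_scenarios():
        print(reason)
```

The second scenario is the one antivirus tends to miss: the file keeps a trusted name, but because the list stores content hashes rather than names, the altered copy is refused without any signature for the implant. The weak point is the list itself, which is why changes to it need the same approval discipline as any other privileged configuration.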
Nicholas Sheble (firstname.lastname@example.org) is an engineering writer and technical editor in Raleigh, NC.
Wednesday, June 27, 2012 @ 01:06 PM gHale
Editor’s Note: This is Part II of an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.
By Eric Byres
When it comes to Advanced Persistent Threats (APTs), companies need a complete focused effort, rather than using the shotgun approach of trying to protect everything equally.
Professor Paul Dorey recently presented a paper about the seven important lessons the IT world has learned in managing APTs. Part I covered Lesson 1; here we will focus on Lessons 2, 3 and 4, and how to apply them to ICS and SCADA security.
Professor Dorey’s talk discussed the seven advanced approaches that the best companies are using to deal with APTs. His Advanced Approach 1 involved setting what he called “Controls Coverage.” The objective is to focus protection efforts on your company’s most important assets, rather than using the shotgun approach of trying to protect everything equally.
Lesson 2: Focus on Detection, Not Protection
Advanced Approach 2 centers on “Control Focus.” If you are going to spend money on security controls, what types of controls are the most effective? Professor Dorey notes that Detective Controls (i.e. those technologies and processes that detect attacks) are more effective against modern cyber threats when compared to Preventative Controls like firewalls, data diodes and anti-virus software.
Now you might think that a person who designs and sells ICS/SCADA firewalls for a living would be dead against Professor Dorey’s approach. I’m not. The fact is, after reviewing countless control systems and attacks against control systems, the industrial automation world is terrible at detecting anything unusual on its control networks. Few companies can even discover when a contractor has attached an unauthorized laptop to their system, never mind detect a sophisticated, stealthy attack.
The old “security in the dark” approach has to end. SCADA and ICS engineers need to get a better handle on what sort of traffic is travelling over the control network. To address this, a major focus at Tofino Security in the past year has been the addition of strong reporting technologies. For example, modules like the Secure Asset Management LSM are designed to detect and report when unexpected devices join your network.
Similarly, deep packet inspection (DPI) modules for the Modbus and OPC protocols provide detailed reporting to third-party Security Incident and Event Monitoring (SIEM) systems. So if your read-only remote operator station suddenly starts to try to program a PLC, you can get an immediate alert that trouble is brewing in your control system.
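The kind of check a Modbus DPI module makes, as an added example that is not Tofino Security's code: decode the Modbus/TCP MBAP header, classify the function code as a read or a write, and compare it against the role assigned to the sending station. The station addresses, the role table and the captured frames are constructed for the example; the function code groupings follow the public Modbus specification.

```python
import struct

# Public Modbus function codes, grouped by their effect on the PLC.
READ_CODES = {1, 2, 3, 4, 7, 17, 43}    # reads, exception status, server id, device identification
WRITE_CODES = {5, 6, 15, 16, 22, 23}    # write single/multiple coils or registers, mask write, read/write

# Constructed role policy (assumed addresses): only "engineering" stations may change PLC state.
STATION_ROLES = {
    "10.1.0.20": "read-only",     # remote operator station
    "10.1.0.10": "engineering",   # workstation allowed to program and write
}


def build_frame(transaction_id: int, unit_id: int, function_code: int, payload: bytes) -> bytes:
    """Assemble a Modbus/TCP frame: 7-byte MBAP header, then function code and data."""
    length = 1 + 1 + len(payload)    # MBAP length counts unit id + function code + data
    header = struct.pack(">HHHB", transaction_id, 0, length, unit_id)
    return header + bytes([function_code]) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode and sanity-check the MBAP header; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes on the wire")
    return {"tid": transaction_id, "unit": unit_id, "fc": frame[7], "data": frame[8:]}


def inspect(src_ip: str, frame: bytes) -> tuple:
    """Return ('ok' | 'alert', message) for one request seen on the control network."""
    try:
        msg = parse_frame(frame)
    except ValueError as err:
        return "alert", f"{src_ip}: malformed Modbus request ({err})"
    role = STATION_ROLES.get(src_ip, "unknown")
    fc = msg["fc"]
    if fc in WRITE_CODES and role != "engineering":
        return "alert", f"{src_ip} ({role}) sent write function {fc} to unit {msg['unit']}"
    if fc not in READ_CODES and fc not in WRITE_CODES:
        return "alert", f"{src_ip} ({role}) sent unexpected function code {fc}"
    return "ok", f"{src_ip} ({role}) function {fc} to unit {msg['unit']}"


# Constructed traffic: read 10 holding registers from address 0, then write value 1 to register 100.
READ_HOLDING = build_frame(1, 1, 3, struct.pack(">HH", 0, 10))
WRITE_SINGLE = build_frame(2, 1, 6, struct.pack(">HH", 100, 1))
TRUNCATED = WRITE_SINGLE[:5]    # cut mid-header, as a faulty or hostile sender might produce


def demo():
    events = [
        ("10.1.0.20", READ_HOLDING),   # operator station reading: expected
        ("10.1.0.20", WRITE_SINGLE),   # operator station writing: alert
        ("10.1.0.10", WRITE_SINGLE),   # engineering station writing: allowed
        ("10.1.0.20", TRUNCATED),      # malformed frame: alert
    ]
    return [inspect(ip, frame) for ip, frame in events]


if __name__ == "__main__":
    for status, message in demo():
        print(status.upper(), message)
```

Each tuple returned by inspect() is what would be forwarded to the SIEM; the second event is exactly the "read-only station starts programming a PLC" case from the paragraph, caught by matching the function code against the station's role rather than by any malware signature.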
Lesson 3: Move Your Perspective from Perimeter-based to Data-centric
The third lesson for successful APT containment is to change your security focus from controlling the perimeter to controlling specific collections of data, regardless of where they are in space and time. For example, if a financial company can ensure customer credit card records are encrypted at all times (and the keys to decrypt the records are not leaked), then the loss of a laptop with these records is of limited importance.
Or take the case of Bradley Manning, the young U.S. Army private who leaked thousands of classified documents to WikiLeaks. If these sensitive documents had always been encrypted and Manning had only been able to view them with a controlled application at his desk, then his ability to share so many documents would have been limited. Instead, it is clear the U.S. Army’s security strategy was to leave them unencrypted (or in a form that was easy to convert to an unencrypted form) and hope these documents never left the perimeter of the U.S. military base. Obviously, this “perimeter-focused” strategy failed badly.
At first glance, applying this lesson to ICS and SCADA systems appears to be difficult as data confidentiality is of far less importance to the control system. But substitute the word “process” or “asset” for the word “data,” and it makes sense. A “process-centric” or “asset-centric” approach to managing security means making sure that specific high value processes continue to function reliably regardless of what else is happening around them. The safety world, with standards like IEC61508 and IEC61511, has a long history of using this sort of approach.
Lesson 4: Why Log? Compliance versus Threat Detection
The final Advanced Approach lesson for today looks at the reason we log security events (assuming we log them at all). Too many of the sites I visit, especially sites trying to pass NERC-CIP audits, log only for compliance reasons. They generate massive log collections, but if anyone ever bothers to analyze the logs, it is only after something really bad has happened. By then it is too late.
Now effective threat detection doesn’t mean poring over thousands of logs every day. It means optimizing what information you collect so dangerous anomalies stand out, rather than get buried in the noise.
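One way to make anomalies stand out instead of burying them, as an added example that is not part of the original blog post: learn the set of (source, destination, port) flows and hosts seen during a known-good window, then, during monitoring, suppress every event that matches the baseline and report only new hosts (the contractor's laptop from Lesson 2) and new flows. The log line format, the addresses and the log contents are all constructed for the example.

```python
import re

# Constructed line format (not any product's real format): "<ts> <sensor> flow src=<ip> dst=<ip> port=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$"
)


def parse_line(line: str):
    """Return (src, dst, port) or None if the line does not match the expected format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    return match.group("src"), match.group("dst"), int(match.group("port"))


def learn_baseline(lines):
    """Record every flow tuple and every host seen during a window known to be normal."""
    flows, hosts = set(), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            flows.add(parsed)
            hosts.update(parsed[:2])
    return flows, hosts


def triage(lines, baseline):
    """Drop anything already in the baseline; report new hosts and new flows; count what was dropped."""
    flows, hosts = baseline
    alerts, suppressed, unparsed = [], 0, 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        if parsed in flows:
            suppressed += 1          # normal traffic: kept in storage, never shown to a human
            continue
        src, dst, _port = parsed
        if src not in hosts or dst not in hosts:
            alerts.append(("new_host", line.strip()))   # a device nobody has seen before
        else:
            alerts.append(("new_flow", line.strip()))   # known devices talking in a new way
    return alerts, suppressed, unparsed


# Constructed known-good window: operator, engineering and historian stations reading a PLC.
BASELINE_LOG = [
    "2012-06-01T08:00:00 sensor1 flow src=10.1.0.20 dst=10.1.0.50 port=502",
    "2012-06-01T08:00:05 sensor1 flow src=10.1.0.10 dst=10.1.0.50 port=502",
    "2012-06-01T08:00:10 sensor1 flow src=10.1.0.30 dst=10.1.0.50 port=502",
]

# Constructed monitoring window: routine repeats, one unknown laptop, one new port, one corrupt line.
MONITOR_LOG = [
    "2012-06-02T09:00:00 sensor1 flow src=10.1.0.20 dst=10.1.0.50 port=502",
    "2012-06-02T09:00:01 sensor1 flow src=10.1.0.30 dst=10.1.0.50 port=502",
    "2012-06-02T09:00:02 sensor1 flow src=10.1.0.77 dst=10.1.0.50 port=502",
    "2012-06-02T09:00:03 sensor1 flow src=10.1.0.10 dst=10.1.0.50 port=502",
    "2012-06-02T09:00:04 sensor1 flow src=10.1.0.20 dst=10.1.0.50 port=44818",
    "2012-06-02T09:00:05 sensor1 flow src=10.1.0.20 dst=10.1.0.50 port=502",
    "###garbled line from a dropped packet###",
]


def run_demo():
    return triage(MONITOR_LOG, learn_baseline(BASELINE_LOG))


if __name__ == "__main__":
    alerts, suppressed, unparsed = run_demo()
    for kind, line in alerts:
        print(kind, line)
    print(f"suppressed={suppressed} unparsed={unparsed}")
```

Seven lines go in and two come out, which is the point: the routine reads are still logged for compliance, but only the unknown host and the new port reach an engineer. A real deployment would expire and re-learn the baseline on an approved schedule, since a compromised host that appears during the learning window becomes "normal" for good.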
Lessons 1 to 4 – A Realistic Unified Security Strategy
Look back at Lesson 1 – “Focus protection on your most important assets” and compare it with the three lessons from today. What you will notice is that these four lessons are highly related around the concept of focused effort. For example, effective threat detection is only possible if you focus your controls on detection and focus your coverage on what matters. Unfocused approaches to security that try to protect everything inside a perimeter are too complex and too expensive.
So think about what processes and assets you really want to protect in your SCADA or ICS system and start focusing on those. Think about what would indicate trouble in your system and focus on detecting that. Advance your security approach from scattered to focused and save time, money and effort. You might just save your company from the next APT.
Eric Byres is chief technology officer at Tofino Security. The full version of this post appears on the Practical SCADA Security blog.
Tuesday, June 26, 2012 @ 05:06 PM gHale
By Gregory Hale
In early 2010, Siemens officials were talking about needing to create an area within the company that would test and check products and systems to make sure they were secure.
“We thought Siemens products will become a target of critical infrastructure attacks,” said Thomas Brandstetter, program manager global technology field IT security for Siemens during his presentation at Siemens 2012 Automation Summit in Washington, DC.
Then Stuxnet hit.
That was the birth of Siemens’ ProductCERT. The mission for that organization is to look at and ensure Siemens products, all 15,000 of them, are as secure as possible, Brandstetter said. “We have been working on response and recovery for over two years. We created a CERT (Computer Emergency Response Team) just for Siemens products. We really try to think ahead and protect our customers against attacks.”
“We were called into action when Stuxnet came around,” he said. “After the smoke settled down, we started to look ahead so we didn’t get caught again.”
Among the growth areas Brandstetter sees are Advanced Persistent Threats (APTs) driven by political and commercial motives. Hackers are also analyzing critical infrastructure components and are beginning to release automated tools for other hackers.
As open systems gain wider use, they also allow more people to get into industrial control systems to introduce malware or viruses or generally cause problems. “More vulnerability issues are becoming uncovered now more than ever,” Brandstetter said.
That is why this past October Siemens officially started up its ProductCERT program. “Siemens knows they need a focal point regarding product security – especially in a time of crisis,” Brandstetter said. The website for Siemens’ ProductCERT is Siemens.com/cert/advisories.