RISKS AND THREATS
Advanced Persistent Threats (APT) are complex, targeted cyberattacks carried out over a long period and with a sufficient level of expertise to bypass even the newest and most advanced protection systems. The term APT was originally used to describe cyber attacks on military organizations, but it is no longer limited to the military sphere. Zero-day vulnerabilities, social engineering and hacking tools designed specifically for a particular organization are all commonly used in such attacks. APT attacks are usually conducted by organized hacker groups with the required level of expertise and significant resources, which enable them to create opportunities to achieve their goals through a combination of attack vectors.
APT Framework IS A SIEM USE CASE
APT Framework is a specialized analytical use case for SIEM, designed for the most popular SIEM systems in the world: HPE ArcSight, IBM QRadar and Splunk. The use case allows you to monitor the company's infrastructure continuously and to detect signs of APT activity using the Lockheed Martin Cyber Kill Chain methodology. APT Framework uses different methods of statistical profiling and behavioral analysis to make maximum use of existing technologies, such as SIEM, IDS/IPS, FW, Proxy, Antivirus and Vulnerability Scanners, and helps to obtain a synergy effect when they are used together.
The use case discovers APT attacks at various stages:
- Command & Control (C2);
- Actions on Objectives & Cleanup.
CISO TACTICAL BRIEF
An APT attack goes beyond conventional cyber threats, as it focuses on compromising a specific target and is prepared on the basis of information collected over a long time. Distinctive features of an APT are its adaptation to the countermeasures the defenders put up and the lack of any guarantee of full recovery. There are several things you can do to improve your security:
- Any access to the company's servers, from both the Internet and user workstations, must be protected by appropriate active network security technologies such as IPS and WAF.
- Remote access to the company network (VPN) should be permitted only with two-factor authentication.
- A SIEM system with the APT Framework use case can be utilized to help detect abnormal or suspicious network activity and signs of APT attacks at different stages, as well as to monitor the effectiveness of the corrective measures taken to counter the attack.
- Raising user awareness of information security issues (Security Awareness) is the most cost-effective method of combating APT attacks.
APT Framework REPORT FROM THE FIELD
The package was developed during an ongoing attack against one of our clients to assist with active resistance and analysis of consequences. It was crafted based on the study of the early stages of an attack, practical evidence and newly gained experience to create a set of measures to prevent similar incidents in the future.
APT Framework proved its effectiveness in the Financial, Media and Telecom sectors. In most cases, it detects the earliest possible stage of APT attacks (suspicious emails and mailing lists, interaction with the Tor network, etc.). The initiated countermeasures stop both the beginning of a large-scale APT attack and suspicious internal activity of users (brute-forcing, hiding the traces, internal scanning, etc.) but make it harder to identify the ultimate goal of the attack. So far, according to our information, such attempts were classified as breaches of internal corporate policies. We will stay in touch with our customers and will share future experience.