People have by now cottoned on to the fact that a reasonable level of internet security means never giving away bank data lightly, never opening suspicious emails and keeping the antivirus bang up to date. These simple safeguards head off a great number of basic threats, but what happens if we suddenly become targeted by organised criminal gangs trying to drain our current account? Or if we become the target of a country’s secret services who want to delve into our deepest secrets? These new-generation cyberattacks have become known as advanced persistent threats (APTs).
A little history: famous cyberattacks
The history of attacks on internet-connected information systems officially began in 1988 when Robert Morris launched a worm that knocked out over 6,000 computers. Back then, and throughout the nineties, hackers tended to be computer-savvy, fame-hungry youngsters.
In 2000 things began to change with the appearance of several malware families such as ILOVEYOU and CodeRed; the first infected 50 million computers in May 2000 and the second half a million in 2001. At the time the economic impact of the two attacks combined was reckoned to be over 10 billion dollars.
In 2010 Stuxnet was discovered, a malware that spied on and reprogrammed industrial systems, in particular SCADA (supervisory control and data acquisition) systems, with the potential to affect critical infrastructure such as nuclear power plants. This discovery showed that malware could directly affect the lives of thousands of people, over and beyond any economic toll.
Daily news now breaks of information leaks and information-system hacks, often on critical infrastructure. These complex and very advanced attacks have come to be dubbed Advanced Persistent Threats, shortened to APT; they are part of a long-term plan to compromise strategic or economic targets in any type of organization. These activities are usually funded by criminal organizations with economic aims or by governments with strategic interests. Witness the recent discovery by FireEye threat intelligence experts of a group called APT 30, which is financed by an unknown government (probably Chinese). Their modus operandi is well established: group members prioritize their targets, probably working in neatly organized collaborative shifts, to build malware based on a coherent development plan. FireEye’s conclusions about this group were forthright: “All of the key findings we examined in the report lead us to conclude that APT 30 is a professional, cohesive threat group with a long-term mission to steal data that would benefit a government, and has been successful at doing so for quite some time. Such a sustained, planned development effort coupled with the group’s regional targets and mission, suggest that this activity is state sponsored”. Other recent examples, such as Volatile Cedar discovered by Check Point or Pawn Storm discovered by Trend Micro, show just how critical these attacks can be.
Technology does exist to mitigate the impact of APT-based cyberattacks, such as sandboxing techniques, which run the suspected malware in a virtual environment and observe its behavior. This makes it possible to detect APTs that use advanced stealth techniques to fly under the radar of traditional cybersecurity systems. Like any other protection system, sandboxing has technical limitations, and forensic traffic- and computer-analysis capabilities have to be added to facilitate post-incident debriefing. The main aim is to find out how we were attacked, so as to reinforce the weak points and head off any repeat attack by the same means. Information systems should ideally have built-in learning capabilities to steal a march on any future attacks.
All this technology also needs to be backed up by proper threat intelligence, shared among all the systems and organizations in charge of the cybersecurity of any given infrastructure. CrowdStrike concludes in its annual report that companies employing threat intelligence will be better able to detect, stop and fend off attackers.
In sum, a solution that combines sandboxing technologies with forensic analysis and threat intelligence will considerably boost protection against these new-generation APT-based cyberattacks. It goes without saying that this solution should be backed up by cybersecurity professionals with a perfect understanding of how to respond effectively to any security incident.
Future and opinion
The history of cyberattacks suggests they will become increasingly difficult to detect and prosecute. There is also a vicious-circle effect: each new information protection tool triggers more sophisticated cyberattacks designed to circumvent it. It is therefore crucial to take on board, as soon as possible, that our systems will sooner or later be breached and that we have to step up our forensic technology efforts to improve the response to the security incidents we are bound to suffer in the future.
The crucial question to ask would seem to be not if we are going to be hacked but when, and how we will react to it.
- Morris worm
- ILOVEYOU Malware
- CodeRed Malware
- Stuxnet Malware
- Economic impact of historic malware incidents
- CrowdStrike 2014 report
- APT 30
- APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation
- Volatile Cedar
- APT Group ‘Pawn Storm’ Ratchets Up Attacks
Author: Enrique Martín Gómez
IT Infrastructure Cybersecurity Project Manager, GMV
The author’s views are entirely his own and may not reflect the views of GMV