Top 10 security trends for 2011 countdown:
- #10: Convergence of Data Security and Privacy Regulation Worldwide
- #9: Hackers Feeling the Heat
- #8: Security Becomes a Business Process
- #7: Data Security Goes to the Cloud
- #6: Mobile Devices Compromise Data Security
- #5: File Security Takes Center Stage
- #4: Misanthropes and Anti-socials: Privacy vs. Security in Social Networks
- #3: Man in the Browser Attacks Will Man Up
- #2: The Insider Threat – It’s Much More than You Imagined
- #1: Advanced Persistent Threat (APT) Meets Industrialization
Advanced Persistent Threats (APTs)—politically motivated, specifically targeted cyber-attacks—will incorporate concepts and techniques from the commercial hacker industry. These campaigns will carry a different malware payload than the traditional attacks conducted for monetary gain, but they will use similar techniques. The incorporation of industrialization techniques into APT seems quite natural. This past year alone has proven the success of cyber crime lords, and the hacking industry is bursting with success stories. Why shouldn’t the creators of politically focused attacks adopt those same attack techniques? These APT attacks will borrow techniques such as automation and viral distribution, making them all the more powerful, and potentially more successful.
Towards the end of summer 2010, the name Stuxnet began circulating among security practitioners. It was a worm that specifically targeted SCADA systems, a threat with consequences for nations’ underlying power systems and industrial infrastructure. Over the following months, researchers analyzed the worm and the news emerged—this was no simple common worm. Stuxnet consisted of four different attack vectors, each exploiting a different vulnerability. The code was very deceptive and must have been written by a group of dedicated hackers, taking some six months of development. Although speculative, there is much agreement that this worm had one specific target—Iran. Much of the worm’s deception lay in its propagation. In the course of reaching Iran, the worm also propagated itself in multiple countries: Germany, Russia, India and others. Upon arrival at its ultimate destination, Stuxnet called home and announced that the Eagle had landed.
Stuxnet was not searching for data to monetize, rather it was focused on gaining control of crucial infrastructure. And as mentioned, all fingers are pointing to government agencies as the Stuxnet driver.
However, as opposed to traditional APT attacks, the worm’s targeting was not direct. Hopping between different countries and power plants, it seemed as if the grand plan was to unleash the worm on the world. This technique sounds familiar: target as many systems as possible, and sooner or later there will be a victim. This notion is one of the underlying foundations of the hacker industry.
Looking back, we can see that North Korea has also started mimicking the hacker industry. In mid-2009, botnet armies targeted US governmental institutions. When those did not fall prey to the attack, the attacks shifted to private U.S. sites. Once again, the target shifted while the attacks remained ROI focused. The attacking state had allegedly hired botnets from the hacker industry, and since they were already paid for and engaged in an attack, they were used for a full-fledged campaign.
Both classes of attack (industry and APT) are going to use some of the same techniques, so some security controls are applicable to both. On the positive side, if you are covered against the cyber-mafia, you should already have some of the controls needed to protect against certain APT attacks. On the negative (scary?) side, as the name implies, APT is persistent. If a certain attack does not succeed, another one will come into play. Traditional security controls do not deter these relentless, state-sponsored hacker organizations. For the enterprise, this means increasing monitoring visibility of traffic and setting security controls across all organizational layers. Consider this: if an attacker is really persistent in doing damage to the target, there is always another way to enter the organization. That is, through the insider.
This wraps up our blog series. For further insight into each trend, join us for our December 15th Webinar with Imperva CTO, Amichai Shulman.
