It's been a year since Sony Pictures employees logged into their workstations, expecting to start a normal workday, when they were greeted by soundbites of gunfire, images of skeletons and threats scrolling across their monitors. To date, the Sony Pictures attack is arguably the most vivid example of advanced persistent threats used to disable a commercial victim. A corporate giant was reduced to posting paper memos, sending faxes and paying over 7,000 employees with paper checks.
How Advanced Persistent Threats Work
Writing for the Wall Street Journal, security expert Bruce Schneier defines advanced persistent threats (APTs) as the most focus- and skill-oriented attacks on the Web. They target high-level individuals within an organization, or attack other companies that have access to their target.
After gaining login credentials, cybercriminals gain admin privileges, move data and employ sophisticated methods to evade detection. APTs can persist undetected in networks for months, even years.
What They Do
Most APTs are deployed by government agencies, organized factions of cybercrime or activist groups (often called "hacktivist" groups). According to Verizon's most recent Data Breach Investigations Report, APTs primarily target three types of organizations: public agencies, technology/information companies and financial institutions.
Some APTs are designed to steal specific information, like a company's intellectual property. Other APTs, such as the Stuxnet worm, are used to spy on or even attack another government. APTs like those launched by Sony's attackers seek to embarrass one organization for a particular grievance. Hackers reportedly had a beef with Sony back in 2005, when the company implemented anti-piracy software into its CDs.
Peter Elkind, writing for Fortune, reported that attackers using advanced persistent threats managed to disable Sony Pictures by:
- Erasing the storage data on 3,262 of 6,797 personal computers and nearly half of its network servers.
- Writing over these computers' data in seven different ways and deleting each machine's startup software.
- Releasing five Sony Pictures films, including four unreleased movies, to torrent sites for downloading.
- Dumping 47,000 Social Security numbers, employee salary lists and a series of racist internal emails directed at President Obama.
Limiting Damage from APTs
Maintaining patches and upgrades, using an antivirus and enabling network perimeter detection are worthy defense strategies, but they rarely work against an intruder who's in possession of high-level login credentials. With sufficient skills, resources and time, attackers can penetrate even the most well-fortified network. Organizations should start by using least-privilege security protocols and training critical employees to recognize and avoid spear phishing attacks.
While you're at it, use network monitoring to detect APTs early, and watch for the telltale signs of an attack in progress. Some of these are as follows:
Late-Night Login Attempts
A high volume of login attempts occurring when no one's at work is a simple but critical APT indicator. They may appear to come from legitimate employees, but they're actually attackers — often in another timezone, according to InfoWorld — using hijacked credentials to access sensitive information at odd hours.
By dropping backdoor Trojan horse malware on multiple endpoint computers, attackers maintain access to the system even when they lose access in another area. Security personnel should never stop after finding a backdoor Trojan on one computer; there may be more still on the network.
Attackers frequently set up an alternate infrastructure within the existing network to communicate with external command-and-control servers. Rogue agents have even been known to set up a series of spoof domains and subdomains based on old company names to appear legitimate. When people visit the real domain, the attackers' C&C server would redirect them to fake URLs.
Outbound Data Abnormalities
InfoWorld also suggests looking for strange movements of outbound data, including those against computers within the company's own network. Attackers love to build internal "way stations," assemble gigabytes of data and compress the files before extracting them.
Threat intelligence consultants are always at your disposal, but they shouldn't be the ones who wait for 15 minutes — surrounded by logged-in workstations — before a single human comes to greet them. To be prepared for a major attack, today's IT departments should fortify security and network monitoring tools to detect APTs, and tell any contractors they work with to do the same.