The definitions of advanced cyberattacks and cyberwar are hotly debated terms in information security, and they...
are used frequently in marketing materials. Advanced persistent threat, or APT, groups were once equivalent to nation-state attackers, but the term has started to include other organized cybercrime gangs that bypass the security controls of enterprises assumed to have high security, such as financial institutions.
Over time, advanced techniques will be adopted by less advanced attackers, which will result in enterprises implementing security controls to prevent these attacks. The advanced threat actors will then develop new attack techniques to bypass these new controls in the endless cat-and-mouse game that persists in information security. New research from Kaspersky Lab on several cybercrime gangs details the advanced APT-style attack techniques being adopted more broadly, which enterprises need to devote more resources to defend against.
This tip will take a look at the APT-style attacks reported by Kaspersky Lab, and how enterprises can update their security programs.
Kaspersky reported that cybercrime gangs Metel, GCMAN and Carbanak are adopting APT-style attack techniques for financial crimes. Kaspersky identified the steps these groups are adopting as "reconnaissance, social engineering, specialized malware, lateral movement tools and long-term persistence." All of these components are critical in executing a multistage attack on a target and have been used widely in attacks. Reconnaissance is first done to plan the attack and identify how to customize the social engineering step to be most effective. Reconnaissance and social engineering may also help identify more internal technical details to use later in the attack. The malware used in the attack may be customized in advance to ensure all of the pieces of the attack fit together to achieve the attacker's goals. The malware may first be tested against antimalware tools or detection controls to see if it will evade detection. Lateral movement is used to identify the systems that control critical transactions or store sensitive data that can be monetized. Long-term persistence is used to monetize the APT-style attacks over time to potentially reduce the chance the attackers will get caught.
The Carbanak 2.0 gang used social engineering, with a phishing email that included an attachment for the initial foothold in the network, and then through monitoring, identified the location of sensitive data and changed ownership details of a large company. In the Metel attack, the malware was customized to roll back ATM transactions when cashing out the ATMs during the attack. In the GCMAN attack, the attackers used lateral movement, starting with a public-facing Web server and compromising other internal hosts for long-term persistence before they came back to cash out.
How enterprises can update their security programs
The core steps used in these APT attacks haven't changed over time, and an enterprise's information security program probably already has controls in place to protect against certain APT-style attacks that use reconnaissance, social engineering, specialized malware, lateral movement tools and long-term persistence. Enterprises should examine each step in an attack to see if their security controls would prevent it. If the control isn't effective, enterprises should perform a risk assessment to determine why it is ineffective, how to improve the control and the cost to improve the control. Doing this can be resource-intensive, so focusing on internal or industry-specific incident data can be used to prioritize the risk analyses.
Potentially, the most effective method to stop all three attack groups from successfully robbing financial institutions could have been strong network segmentation in the financial systems, which would have addressed the lateral movement aspect of the attacks. Network segmentation is probably the most boring security control in existence, but also one of the most effective. Other than using a satellite connection, wireless or some other implant for external network access, if a system is not connected to the Internet or an external network, it is difficult to maintain persistence. For financial network segments that need to connect to other parts of the network, which most do, those connections and systems should be configured for the least access necessary, and monitored closely for any anomalous system activity or network traffic. This could be difficult on a large network, with multiple locations, but may be the only way to detect something that has bypassed the other security controls.
Read more about what a financial malware tool going public means for enterprises
Learn how to update your enterprise's security program to face new threats
Evaluate when to investigate low-level malware threats