Lessons Learned from the Most Frightening Security Threats

What do you know about advanced persistent threats? Don’t worry if you haven’t heard of them.

According to an article on infoworld.com, advanced persistent threats, or APTs, are becoming the most dangerous security concern for business organizations today, and it’s all to do with how these threats attack.

The article states, “An APT attack is typically launched by a professional organization based in a different country than the victim organization, thereby complicating law enforcement. These hacking organizations are often broken into specialized teams that work together to infiltrate corporate networks and systems and extract as much valuable information as possible. Illegally hacking other companies is their day job. And most are very good at it.”

So what are some lessons we can learn from APTs? How can we better prepare ourselves for them? Author Roger Grimes has more than 40 computer certifications and has been fighting malware since 1987. He takes us through six lessons we can learn from APTs.

1) APT eyes are watching you

In some cases, an APT has tapped into networked conference room video systems. The article points out that it may be wise to disable audio/video recording equipment before conducting meetings.

2) Not all APTs are as advanced as experts think

Although the A in APT stands for “advanced,” sometimes APTs attack in simple ways. This is why it’s important to know your systems inside and out. The more you know, the easier it will be for you to figure out how an APT has gotten in.

3) The medicine may be the poison

The author relates a story of trying to solve a problem with anti-APT software. It turned out the software had been replaced with a Trojan that looked identical to the original software. So how do you keep that from happening? It’s not easy, but there are steps you can take. The author advises us to always check the integrity of our builds and to prevent unauthorized modifications, or at least detect them. He also suggests using honeypots: systems designed to be attacked so that the attacker, often an APT, gives itself away. He also reminds us to look for and investigate any strange network connections, particularly those from unexpected places.

4) All your PKI base belongs to us

Public Key Infrastructure (PKI) servers used to be pretty safe from APT attacks. Now, however, the author says it’s pretty common to find a PKI involved in an APT attack. The best way to guard against these attacks is to protect your servers. It’s all about due diligence in this case. For example, the author says offline PKI CA (certification authority) servers should be really offline, as in taken off the network and stored in a safe, not just disabled.

5) Don’t forget the accounts you’re not supposed to touch

According to the article, most APT recovery events will inevitably involve resetting passwords. The author tells us to reset all accounts, and he means all accounts. There are ways APTs can get in that you might never think of. Here is an excerpt from the article to explain:

“Alas, there's a built-in Windows account called krbtgt that is used for Kerberos authentication. You shouldn't touch it, remove it, or as far as we previously knew, change its password. It really shouldn't be a user account that shows up in user account management tools, and this APT team knew it.

As I've learned on successive engagements, krbtgt is a go-to technique. After an APT crew compromises an environment, they add the krbtgt account to other elevated groups. Because customers usually leave it alone, even during a password reset, it can be exploited as a go-to backdoor account. Great idea -- if you're a malicious hacker.”
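The excerpt describes two things a defender can check for directly: whether krbtgt was skipped during a password reset, and whether it has been added to groups it does not belong in. The following audit script is an added example, not code from the InfoWorld article or its author; it assumes the ActiveDirectory RSAT module in a domain-joined session, and the default group baseline and 180-day threshold are assumptions to adjust for your own domain.

```powershell
# Added audit example (not from the article): flag the two krbtgt conditions
# lesson 5 describes. Assumes the ActiveDirectory module is available and the
# session has read access to the krbtgt account.
Import-Module ActiveDirectory

function Test-KrbtgtHygiene {
    param(
        # Assumed baseline for a stock domain; confirm against your own documentation.
        # Any membership outside this list is reported as a finding.
        [string[]] $ExpectedGroups = @('Domain Users', 'Denied RODC Password Replication Group'),
        # Assumed threshold; a reset that "touched every account" but skipped krbtgt
        # shows up here as an old PasswordLastSet.
        [int] $MaxPasswordAgeDays = 180
    )

    $krbtgt   = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet, whenChanged
    $findings = @()

    # Check 1: password age. Kerberos tickets are protected with this account's
    # secret, so leaving it alone during recovery leaves the old secret in play.
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    if ($age.TotalDays -gt $MaxPasswordAgeDays) {
        $findings += "krbtgt password last set $($krbtgt.PasswordLastSet) " +
                     "($([int]$age.TotalDays) days ago); last object change $($krbtgt.whenChanged)"
    }

    # Check 2: group membership. The excerpt's APT crew added krbtgt to elevated
    # groups; compare current memberships (including the primary group) to the baseline.
    $groups = Get-ADPrincipalGroupMembership -Identity 'krbtgt' |
              Select-Object -ExpandProperty Name
    foreach ($g in $groups) {
        if ($ExpectedGroups -notcontains $g) {
            $findings += "krbtgt is a member of unexpected group '$g'"
        }
    }

    return $findings
}

$result = Test-KrbtgtHygiene
if ($result.Count -eq 0) { 'krbtgt: no findings' } else { $result }
```

Run it from a workstation with RSAT as an account that can read the domain; an empty result means both checks passed against the assumed baseline.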

6) Information overload is spurring APT innovation, too

APTs are getting better and better. However, they encounter the same issues in finding and managing data as we do. The author’s advice? “Don’t let them index your data better than you do.”


Click here to read the “war stories” the author shared along with each of the six lessons: http://www.infoworld.com/d/security/6-lessons-learned-about-the-scariest-security-threats-236704?page=0,0