STEP OUT OF THE BULLS-EYE: Protect Your Organization Against Advanced Threats and Targeted Cyberattacks
kaspersky.com/business
Cybersecurity is a major concern in both the private and public sectors. Targeted attacks
aimed at commercial and government organizations are on the rise, in both frequency and
severity. Computer networks and systems continue to be targets of intrusions, exploitation,
and data theft by a variety of cybercriminals searching for sensitive financial information,
personally identifiable information (PII) such as social security numbers, as well as geopolitical
knowledge and corporate intelligence.
In recent years, threat actors have become increasingly focused on targeting corporations to obtain sensitive information for financial profit or economic espionage. Regardless of the adversaries' motives, corporations understand the need to implement defensive measures to secure their infrastructure and sensitive data while mitigating the risk of future attacks.
This whitepaper outlines the cybercrime landscape, advanced threats, targeted attack
adversaries and their motives, the latest threats exposed, popular techniques, and strategies
for preventing and mitigating attacks.
THE DYNAMIC AND DANGEROUS ONLINE WORLD
Many cyberattacks can be mitigated by relatively simple measures. Unfortunately, some people fail to take what appear to be basic precautions such as using strong passwords, applying patches, and running a security solution. In many cases, breaking into a company's network is easier than it sounds.
~ Costin Raiu, Director, Global Research & Analysis Team, Kaspersky Lab
THE CYBERCRIME LANDSCAPE
Even though targeted attacks are highly publicized and a predominant topic of conversation among corporate IT security staff, the majority of incidents originate from cybercriminals conducting mass-malware campaigns. These campaigns are often simplistic in nature and lack any high level of technical sophistication. Nevertheless, they account for the largest number of corporate IT security incidents.
According to research compiled by B2B International, malware is currently the leading cause of serious data loss events. Many targeted attacks, like phishing and Distributed Denial of Service (DDoS), actually have malware at their core.1
Corporations can help protect themselves against these attacks and fortify their IT security perimeter immediately by implementing basic security practices, such as automated patching and application control combined with a reliable endpoint protection solution. In addition, educating employees about social engineering and phishing campaigns will strengthen your company's security awareness, which will help reduce this infection vector overall.
1. B2B International and Kaspersky Lab, IT Security Risks Survey 2014, September 2014
After a security breach, data loss is only the tip of the financial iceberg; the true cost is much greater. There are obvious hard costs such as additional security measures and legal advice, but brand damage and reputation are arguably much larger.
~ Costin Raiu, Director, Global Research & Analysis Team, Kaspersky Lab
ADVANCED THREATS
Advanced threats are complex attacks, consisting of many different components, including penetration tools (spearphishing messages, exploits, etc.), network propagation mechanisms, spyware, tools for concealment (rootkits and bootkits), and other, often sophisticated techniques, all designed with one objective in mind: to provide cybercriminals with undetected access to sensitive information.
Advanced attacks target any sensitive data; you don't have to be a government agency, major financial institution or energy company to become a victim. Even small retail organizations have sensitive client information on record; small banks operate remote service platforms for customers; and businesses of all sizes process and hold payment information that is dangerous in the wrong hands. As far as attackers are concerned, size doesn't matter: it's all about the information. Even small companies are vulnerable to advanced threats and need a strategy to mitigate them.
High-profile targeted attacks on enterprises are becoming increasingly widespread. Thousands of businesses have already been hacked and had their sensitive data stolen, resulting in multi-billion dollar losses. Cyberespionage is a tangible and growing global threat today and fighting it is one of the principal tasks we've set ourselves.
~ Costin Raiu, Director, Global Research & Analysis Team, Kaspersky Lab
TARGETED ATTACK ADVERSARIES AND THEIR MOTIVES
Targeted and multi-component attacks are a steadily increasing trend, particularly when it comes to businesses, where criminals are launching sophisticated, tailored attacks based on well-researched organizational vulnerabilities. Targeted attacks come from a variety of threat actors including advanced persistent threat groups, politically driven hacktivists, and more advanced cybercriminals who offer their services for hire. Twelve percent of businesses surveyed by Kaspersky Lab reported run-ins with targeted attacks, with the combined costs of damages, remediation and other reactive spending averaging $2.54 million for enterprise organizations and $84,000 per mid-sized business.2
Depending on the adversaries' operational motives and objectives, the information identified as valuable will vary. However, it's important to note that, regardless of the motive, attackers are targeting very specific information from a specific set of victims, and they will relentlessly customize and optimize their techniques until they successfully realize their objective.
RESEARCHERS ARE SEEING AN UPSURGE IN MALWARE INCIDENTS ATTACKING BANKS. ONCE THE ATTACKERS GET INTO THE BANKS' NETWORKS, THEY SIPHON ENOUGH INFORMATION TO ALLOW THEM TO STEAL MONEY DIRECTLY FROM THE BANK IN SEVERAL WAYS:
Remotely commanding ATMs to dispense cash
Performing SWIFT transfers from various customers' accounts
Manipulating online banking systems to perform transfers in the background.3
Cybercriminals will either provide the hijacked information to the third party who hired them to steal it, or they will repackage and resell the data underground to interested parties, such as nation-states or competing organizations. Earned through years of hard work and investment, stolen intellectual property enables third parties to accelerate their technological and commercial developments while weakening corporations' intellectual and competitive advantages in the global economy.
2. Kaspersky Lab, Global IT Security Risks Report, November 2014
3. Kaspersky Lab, Global Research and Analysis Team, Kaspersky Security Bulletin 2014, December 2014
ATTACKS EXPOSED
One of the biggest challenges in defending against targeted attacks is being able to correlate data and identify attack patterns amidst the high volume of incidents coming from disparate sources at various times. With careful observation, research and proper analysis, however, concrete information can show similarities in targeted attack campaigns.
In 2013 and 2014, Kaspersky Lab's Global Research and Analysis Team (GReAT) researchers published detailed reports revealing valuable information about several large-scale targeted attack campaigns, with code names such as Red October, Winnti, NetTraveler, Icefog,4 Regin,5 DarkHotel6 and Crystal Ball.7 In 2015, Kaspersky Lab and law enforcement agencies around the globe investigated an advanced threat called Carbanak that was responsible for the theft of an estimated $1 billion from up to 100 financial institutions worldwide.8
Kaspersky Lab's expert reports carry heavy weight because their substantive and exhaustive content connects the disparate dots and provides corporations with practical information that can be used to improve security procedures and mitigation efforts immediately.
4. Kaspersky Lab, Global Research and Analysis Team, Red October Detailed Malware Descriptions, 2013
5. ThreatPost, Costin Raiu on the Regin APT Malware, November 2014, https://threatpost.com/costin-raiu-on-the-regin-apt-malware/109548
6. SecureList, The DarkHotel APT, November 2014, https://securelist.com/blog/research/66779/the-darkhotel-apt/
7. SecureList, Kaspersky Security Bulletin 2014: A Look Into the APT Crystal Ball, December 2014
8. SecureList, The Great Bank Robbery: the Carbanak APT, February 2015, https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
ANALYZING THE OPERATIONAL PLAYBOOK FOR TARGETED ATTACKS
The primary method for infecting targeted organizations is sending spearphishing emails to targets. These emails are rigged against common vulnerabilities found in corporate applications or programs. Once the target is infected, a malicious program, usually a remote administration tool or backdoor Trojan, is installed on the victim's machine. This allows the attacker to control the machine and bypass typical security perimeters. Attackers then begin to move laterally across the network, patiently attempting to elevate their privileges and gain access to the credentials of IT administrators, managers and executives. Target data is identified, collected and exfiltrated via the remote administration tool, which sends the information back to the operation's command and control server. The compromised system is completely owned and under the control of its attackers, enabling further information collection, infection spreading or continued surveillance until the malicious behavior or program is identified.
Using this technique, attackers have successfully compromised organizations across every sector, including government and defense organizations, commercial enterprises, financial institutions and scientific research institutes. Organizations are being compromised using rudimentary attack techniques because they are easy and because companies are vulnerable due to a lack of patch management, control policies and updated security configurations.
WATERHOLING ATTACKS
A common alternative to infecting targets directly is infecting legitimate websites with malicious resources and exploits. The basic idea of this type of attack is to find and infect the sites that are most often visited by the company's employees. Recently, the site of the U.S. Department of Labor was infected, but it is assumed that the real target of the attack was the Department of Energy (DOE). The criminals were trying to infect the computers of DOE employees who regularly visited the Department of Labor's website.
When a staff member at the company under attack opens the infected site, the code injected or planted in the body of the page secretly redirects the browser to a malicious site that contains a set of exploits. Malware posted on infected websites (for example, a server script) often acts selectively, implanting malicious code only in pages sent to the users most relevant to the targeted company. In this way the adversaries can hide the targeted attack from antivirus companies and IT security experts.
The attackers also try to infect trusted, legitimate sites. In these cases, even when users must carry out additional steps to run the exploit (e.g., turn on JavaScript, allow execution of the Java applet, or confirm the security exception), they are likely to innocently click Allow and Confirm.
55% OF ORGANIZATIONS LOST SENSITIVE BUSINESS DATA DUE TO INTERNAL AND EXTERNAL THREATS IN THE LAST 12 MONTHS 9
9. B2B International and Kaspersky Lab, IT Security Risks Survey 2014, September 2014
SOCIAL VULNERABILITY
The majority of targeted attacks are delivered via email to employees. The attackers try to trick employees into opening these phishing communications and clicking on dangerous links. The attacks are not very sophisticated, but they've been incredibly successful in infecting organizations across all sectors.
In June 2013, Kaspersky Lab's experts published an analysis report about Operation NetTraveler, which was an active cyberespionage campaign that infected more than 350 high-value targets using spearphishing emails and common vulnerabilities. Organizations that were compromised spanned a number of industries including military, oil and gas, aerospace and defense, human rights activists, energy, government, trade, and commerce.
The NetTraveler campaign was conducted by an APT organization that was focused on stealing data related to space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications. The majority of targeted organizations were located in Japan and South Korea and were within the military, telecom, shipbuilding, maritime and technology sectors.
In October 2013, Kaspersky Lab's research team issued another in-depth analysis about the cyberespionage campaign Icefog, which was an economic espionage campaign conducted by an APT group who offered their services to third-party organizations for hire. The Icefog group targeted subcontractors in the global supply chain who provided dual-use technology, which could be used for commercial expansion as well as military modernization efforts.
The attackers used spearphishing emails exploiting common vulnerabilities found in Microsoft Word, Microsoft Excel, Java, and Hangul Word Processor, which is a commonly used program in South Korea. One example of a prevalent spearphishing email used a common Microsoft Office exploit. Once opened, the email showed an image of scantily clad women while the vulnerability was exploited in the background.
Once the vulnerability was exploited, the Icefog group would install a backdoor espionage kit that gave the attackers full control of the infected machine. The group would quickly pivot through the network to locate the target data and steal it. Once the data theft operation was complete, the group would abandon the infected machines in a type of hit-and-run technique.
The hit-and-run technique was uncommon compared to the long-term surveillance campaigns that other APT groups typically conducted. While analyzing the campaign, Kaspersky Lab found that Icefog focused on specializing in this hit-and-run mentality by implementing technical optimizations to its espionage toolkit, which made it more agile and evasive. This, combined with the diverse group of target organizations, indicates that the Icefog criminals were acting as cyberthieves, hired by different customers who each had an individual agenda and priorities. In the future, Kaspersky Lab expects this hit-and-run trend to increase as more groups of specialized cyberthieves are hired to carry out data-theft operations.
PREVENTING TARGETED ATTACKS: Security Recommendations and Mitigation Efforts
Although the topic of information sharing is often used synonymously with the term disclosure when discussing cybersecurity incidents and collaboration, the two can and should be viewed independently. By analyzing large-scale targeted attack campaigns and their characteristics, Kaspersky Lab provides corporations with practical information that achieves two immediate objectives:
Mitigate the risk of future attacks by improving day-to-day security operations and practices
Perform verification and security assessment tests to ensure you haven't already been compromised
To protect against exploits, ensure all applications, programs and operating systems are installed with the latest patches and security updates. Implementing an automated patch management system is highly recommended.
Targeted attacks often exploit popular programs like Microsoft Office, Adobe Reader, Adobe Flash, Internet Explorer and Oracle Java, so verifying that these programs are patched should be the first priority, in addition to operating systems and third-party applications.
Educate employees on the use of social engineering in targeted attacks. Employees should be cautious about clicking any URLs or opening attachments in email. Attackers can also send suspicious URLs leading to infected websites to employees over social networks, IRC messages and personal email accounts. While it is also the job of an email server security system to block malicious links from email bodies, it's always a good idea to restrict access to these sites from workstations. This can be done using web control tools that block URLs in accordance with dynamically updated malicious URL lists. It is also possible to block websites with specific content.
For larger and more complex IT infrastructures, patch implementation can take longer, increasing the risk of publicized vulnerabilities being exploited. Consider using advanced protection technologies such as Automatic Exploit Prevention, which combines Data Execution Prevention and address space layout randomization mechanisms with methods of heuristic analysis and control over executable code. This enables Automatic Exploit Prevention to block the execution of malicious code before the vulnerability is patched or when a zero-day vulnerability is being used.
NETWORK TRAFFIC
USING NETWORK TRAFFIC CONTROL TECHNOLOGY (FIREWALLS, INTRUSION PREVENTION SYSTEMS AND INTRUSION DETECTION SYSTEMS), SYSTEM ADMINISTRATORS AND IT SECURITY SPECIALISTS CAN NOT ONLY BLOCK DANGEROUS NETWORK ACTIVITY, BUT ALSO DETECT ANY PENETRATION INTO THE CORPORATE NETWORK. FIREWALLS, INTRUSION PREVENTION SYSTEMS AND INTRUSION DETECTION SYSTEMS CAN:
Block incoming and outgoing connections by port, domain name, IP address and/or protocol
Generate statistical analysis of traffic (NetFlow) for anomalies
Collect suspicious network traffic for further analysis
Detect and block outgoing commands or similar output sent via the Internet, as well as downloads of suspicious files from the Internet (additional malware modules)
You must protect transmissions of confidential information (IP addresses, logins, computer names, corporate documents, credit card numbers, etc.). Firewalls, intrusion prevention systems and intrusion detection systems can detect anomalies in the way network nodes interact as soon as the malicious code tries to contact the command center or actively scans the corporate network for other systems, open ports, shared folders, etc. This anomaly detection allows IT security experts to respond promptly to the threat, preventing further intrusion that might compromise the corporate network.
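The two anomalies this section names (malicious code scanning the corporate network for other systems, and malicious code contacting its command center) and the "block by port" control can all be checked against flow records. The following is an added example, not code from the whitepaper or from Kaspersky: the NetFlow-like record layout, the internal address ranges, the egress port policy and the thresholds are assumptions to be tuned per network, and the flow records are constructed.

```python
"""Flow-record anomaly checks of the kind the NETWORK TRAFFIC section describes.

Added example, not Kaspersky code. Records are constructed tuples of
(timestamp_seconds, src_ip, dst_ip, dst_port, protocol, bytes); the address
ranges, port policy and thresholds are assumptions to be tuned per network."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed corporate address space; everything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Assumed egress policy: workstations may only leave the network on these ports.
ALLOWED_EGRESS_PORTS = {80, 443}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_policy_violations(flows, allowed_ports=ALLOWED_EGRESS_PORTS):
    """Outbound flows on ports the policy does not permit ('block by port')."""
    return sorted({(src, dst, dport) for _, src, dst, dport, _, _ in flows
                   if is_internal(src) and not is_internal(dst)
                   and dport not in allowed_ports})


def detect_scanners(flows, host_threshold=20):
    """Internal sources touching many distinct internal hosts: the pattern of
    malicious code that 'actively scans the corporate network for other systems'."""
    hosts_seen = defaultdict(set)
    for _, src, dst, _, _, _ in flows:
        if is_internal(src) and is_internal(dst):
            hosts_seen[src].add(dst)
    return sorted(src for src, hosts in hosts_seen.items()
                  if len(hosts) >= host_threshold)


def detect_beacons(flows, min_flows=6, max_jitter=0.15):
    """Outbound flows to one destination at near-constant intervals: the regular
    call-back of an implant to its command center.
    Returns (src, dst, port, mean_interval_seconds) per hit."""
    series = defaultdict(list)
    for ts, src, dst, dport, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            series[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in series.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # A coefficient of variation near zero means machine-regular timing.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, dport, round(avg, 1)))
    return sorted(hits)


def sample_flows():
    """Constructed records; not captured from any real network."""
    flows = []
    # 10.0.0.5 contacts 203.0.113.7:443 every 60 s, as a beaconing implant would.
    for i in range(8):
        flows.append((1000 + 60 * i, "10.0.0.5", "203.0.113.7", 443, "tcp", 512))
    # 10.0.0.9 sweeps 25 internal hosts on port 445 within a few seconds,
    # then opens telnet to an external host, which the egress policy forbids.
    for i in range(1, 26):
        flows.append((2000 + i, "10.0.0.9", f"10.0.1.{i}", 445, "tcp", 60))
    flows.append((2100, "10.0.0.9", "203.0.113.9", 23, "tcp", 80))
    # 10.0.0.3 browses one site at irregular, human-like intervals; not flagged.
    for t in (1000, 1017, 1140, 1142, 1505, 1930, 2600, 3100):
        flows.append((t, "10.0.0.3", "198.51.100.20", 443, "tcp", 4000))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("egress violations:", egress_policy_violations(flows))
    print("scanning hosts:   ", detect_scanners(flows))
    print("beacons:          ", detect_beacons(flows))
```

The beacon check deliberately uses timing regularity rather than destination reputation, so it still fires when the command center is a host no URL list has seen yet; in practice the thresholds are tuned against a baseline of the network's own traffic to keep automated but legitimate software (update checks, monitoring agents) out of the alert queue.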
APPLICATION CONTROL AND SYSTEM PROCESSES
Application controls can block the launch of untrusted programs and modules. Such launches should be prohibited, because once a system is infected, attackers install additional modules or programs that are disguised as system processes and appear under those processes' names.
Systems that require the highest protection level should be safeguarded by the default deny mode, which blocks any program from starting up if it is not included in the white list.
TO PREVENT ATTACKERS FROM GAINING CONTROL OF THE SYSTEM, IT SECURITY SPECIALISTS SHOULD:
Prevent both trusted and potentially vulnerable programs from implementing code in other processes
Restrict applications' access to critical system resources
Block potentially dangerous functions (network access, installation of drivers, creation of screenshots, access to a webcam or microphone, etc.)
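The default deny mode and the "disguised as system processes" problem described above, as an added example that is not Kaspersky's product logic: a small application-control policy that identifies executables by SHA-256 hash, so a dropper named like svchost.exe, or a modified copy sitting at the genuine path, gets no credit for its name or location. A permissive blocklist mode is included beside it to show exactly what default deny closes. The paths, file contents and system-directory list are constructed assumptions.

```python
"""Default-deny application control keyed on file hashes rather than names.

Added example, not Kaspersky product logic. Paths and file contents are
constructed stand-ins for real executables; the system-directory list is an
assumption for the example."""
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Where the genuine copies of core Windows processes live (assumed for the example).
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AppControlPolicy:
    allowed_hashes: set                      # SHA-256 digests of approved executables
    default_deny: bool = True                # the mode recommended for high-protection systems
    denied_names: set = field(default_factory=set)  # consulted only in permissive mode

    def decide(self, path: str, content: bytes) -> tuple:
        """Return (verdict, reason) for an executable that is about to start."""
        p = PureWindowsPath(path)
        full = p.as_posix().lower()
        name = p.name.lower()
        # The hash, not the filename or location, is what earns trust.
        if sha256_hex(content) in self.allowed_hashes:
            return ("allow", "hash on white list")
        if self.default_deny:
            return ("deny", "not on white list (default deny)")
        # Permissive mode: only explicitly known-bad programs are stopped, so a
        # module disguised as a system process is caught only if its location
        # gives it away, and an unknown tool is not caught at all.
        if name in self.denied_names:
            return ("deny", "name on block list")
        if name in SYSTEM_PROCESS_NAMES and not full.startswith(SYSTEM_DIRS):
            return ("deny", f"{name} outside system directory")
        return ("allow", "permissive mode: unknown program not blocked")


def build_allowlist(files: dict, approved_paths) -> set:
    """Hash the approved executables once, when the policy is created."""
    return {sha256_hex(files[path]) for path in approved_paths}


def evaluate(policy: AppControlPolicy, files: dict) -> dict:
    """Verdict for every executable that tries to launch."""
    return {path: policy.decide(path, content) for path, content in files.items()}


def sample_files() -> dict:
    """Constructed executables: the byte strings stand in for real PE files."""
    return {
        r"C:\Windows\System32\svchost.exe": b"MZ genuine svchost",
        r"C:\Program Files\Office\winword.exe": b"MZ genuine winword",
        r"C:\Users\bob\AppData\Local\Temp\svchost.exe": b"MZ dropper named like svchost",
        r"C:\Users\bob\Downloads\update.exe": b"MZ unknown tool",
    }


APPROVED = [r"C:\Windows\System32\svchost.exe", r"C:\Program Files\Office\winword.exe"]

if __name__ == "__main__":
    files = sample_files()
    allowed = build_allowlist(files, APPROVED)
    for mode, policy in (("default deny", AppControlPolicy(allowed)),
                         ("permissive", AppControlPolicy(allowed, default_deny=False))):
        print(f"--- {mode} ---")
        for path, (verdict, reason) in evaluate(policy, files).items():
            print(f"{verdict:5} {path}  ({reason})")
```

Run as a script, the default deny pass allows only the two hashed binaries and refuses the Temp-directory svchost.exe and the unknown update.exe alike, while the permissive pass lets update.exe through; that difference is the reason the whitepaper reserves default deny for the systems needing the highest protection level. In a real deployment the white list would be built from signed-catalog data or a trusted software inventory rather than hashed by hand.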
ENCRYPTION
File and disk encryption can restrict local access to the protected information on computers, mobile devices and open network folders. Data that needs to be transferred can be sent in encrypted form. With encryption, even if the attackers manage to intercept and download something, they won't be able to read the content of the encrypted files.
IF THE SCAMMERS SEIZE CONTROL OF THE SYSTEM AND PENETRATE THE CORPORATE NETWORK, THEY MAY TRY TO FIND AND UPLOAD FILES WITH INFORMATION THAT IS POTENTIALLY IMPORTANT FOR THEM, INCLUDING:
Corporate documents and security policies
Files containing credentials
Configuration files
Source codes
Private keys
Customer data, including PII, payment information, health and insurance-related data
SECURITY POLICIES
IN ISOLATION, NONE OF THE PRACTICES DISCUSSED ON THE PREVIOUS PAGES CAN EFFECTIVELY PREVENT A TARGETED ATTACK. IN ORDER TO PROTECT THE CORPORATE NETWORK, ALL THESE TECHNOLOGIES MUST BE WELL INTEGRATED AND CAREFULLY TUNED. HOWEVER, SYSTEM ADMINISTRATORS AND IT SECURITY SPECIALISTS SHOULD ALSO USE ADMINISTRATIVE PROTECTION MEASURES, INCLUDING THE FOLLOWING USER EDUCATION PRACTICES:
Ensure that all users know and observe company security policies
Inform users about the possible consequences of Internet threats, such as phishing, social engineering or malware sites
Instruct all users to notify IT security staff about all incidents
Maintain control over user access rights and privileges; any rights and privileges should be granted only when necessary
Record all rights and privileges (access) granted to users
Scan the systems for vulnerabilities and unused network services
Detect and analyze vulnerable network services and applications
Update vulnerable components and applications. If there is no update, vulnerable software should be restricted or banned
Many of these measures can be automated. For example, if security policies are violated, special software shows the user a warning message. Systems management technology can be used to search for network services and unauthorized devices as well as for vulnerabilities, and to update vulnerable applications automatically.
PROTECT YOUR BUSINESS NOW.
ABOUT KASPERSKY LAB
Kaspersky Lab is the world's largest privately held vendor of endpoint protection solutions. The company is ranked among the world's top four vendors of security solutions for endpoint users.* Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2013. The rating was published in the IDC report Worldwide Endpoint Security 2014-2018 Forecast and 2013 Vendor Shares (IDC #250210, August 2014). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2013.
© 2015 Kaspersky Lab ZAO. All rights reserved. Registered trademarks and service marks are the property of their respective owners.