Sophisticated state-sponsored cyber-attacks, or advanced persistent threats (APTs), recently made the headlines as a means of circumventing international sanctions: a UN report revealed that North Korea was amassing ransomware-derived bitcoins to fund its weapons programme.
Traditionally the concern of only large Fortune 2000 companies, sophisticated cyber-attacks have increasingly been targeting smaller organisations’ networks as well, requiring companies of all sizes to ensure their controls can withstand an attack that spreads low and slow.
Unlike the vast majority of cyber-threats, which are opportunistic in nature and attempt to compromise and exploit the first system they land on, the threat actors behind APTs take pains to study their would-be victims, gain a foothold and then wait for an opportune moment to spread laterally through the network – before reaching their final target, be it an ATM or SWIFT server, a sensitive database or a PLC controlling critical infrastructure.
When establishing a counter-APT strategy, security teams can improve their testing methodology with a few simple tactics:
Test across the kill chain
Lateral movement is an APT staple. It is therefore imperative to not only challenge perimeter and endpoint security controls, but to also test for the ability to hop from one system to another, and one network segment to the next, by using different attack techniques such as LLMNR poisoning, RDP session hijacking, Pass The Hash and others.
Most organisations are surprised by the extent to which a potential attacker could traverse their network unscathed. Do you have a clear set of crown jewels? Pinpoint your tests to see what paths can be taken towards those sensitive assets.
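A lateral-movement test is only useful if the defender can also see it happen. The following PowerShell script is an added example, not code from the original article or from Cymulate: it scans Windows Security event 4624 (successful logon) records for two patterns commonly associated with Pass-the-Hash style movement between hosts. The event records are constructed sample data, the field names are assumptions (on a real host they would be extracted from each event's XML after `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}`), and the window and host-count thresholds are tuning assumptions.

```powershell
# Added example (not part of the original article). Looks for two indicators
# commonly associated with pass-the-hash style lateral movement in 4624 events:
#   1. LogonType 9 (NewCredentials) with LogonProcess 'seclogo' and the
#      Negotiate package: the footprint left when a process is started under
#      injected alternate credentials on the local host.
#   2. One source address performing NTLM network logons (LogonType 3) to
#      several distinct hosts inside a short time window.
# The events below are constructed sample data, not real telemetry.

$sampleEvents = @(
    [pscustomobject]@{ Time=[datetime]'2024-01-10T09:00:00'; Host='WS01'; User='jdoe';       LogonType=2; LogonProcess='User32';   AuthPackage='Negotiate'; SourceIp='-' }
    [pscustomobject]@{ Time=[datetime]'2024-01-10T09:05:00'; Host='WS01'; User='svc-backup'; LogonType=9; LogonProcess='seclogo';  AuthPackage='Negotiate'; SourceIp='::1' }
    [pscustomobject]@{ Time=[datetime]'2024-01-10T09:06:10'; Host='FS01'; User='svc-backup'; LogonType=3; LogonProcess='NtLmSsp';  AuthPackage='NTLM';      SourceIp='10.0.1.25' }
    [pscustomobject]@{ Time=[datetime]'2024-01-10T09:06:40'; Host='DB01'; User='svc-backup'; LogonType=3; LogonProcess='NtLmSsp';  AuthPackage='NTLM';      SourceIp='10.0.1.25' }
    [pscustomobject]@{ Time=[datetime]'2024-01-10T09:07:05'; Host='DC01'; User='svc-backup'; LogonType=3; LogonProcess='NtLmSsp';  AuthPackage='NTLM';      SourceIp='10.0.1.25' }
    [pscustomobject]@{ Time=[datetime]'2024-01-10T11:00:00'; Host='FS01'; User='asmith';     LogonType=3; LogonProcess='Kerberos'; AuthPackage='Kerberos';  SourceIp='10.0.2.40' }
)

function Find-LateralMovementIndicators {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 10,   # assumption: tune to your environment
        [int]$HostThreshold = 3     # assumption: distinct hosts per source before alerting
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # Pattern 1: NewCredentials logon via seclogo/Negotiate on a single host
    foreach ($e in $Events) {
        if ($e.LogonType -eq 9 -and $e.LogonProcess -eq 'seclogo' -and $e.AuthPackage -eq 'Negotiate') {
            $findings.Add([pscustomobject]@{
                Indicator = 'NewCredentials logon via seclogo (possible pass-the-hash)'
                Host      = $e.Host
                User      = $e.User
                Time      = $e.Time
                SourceIp  = $e.SourceIp
            })
        }
    }

    # Pattern 2: NTLM network logons from one source to many hosts within a window
    $ntlm = $Events | Where-Object { $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' }
    foreach ($group in ($ntlm | Group-Object SourceIp)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowEnd = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $inWindow  = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $windowEnd })
            $hosts     = @($inWindow | Select-Object -ExpandProperty Host -Unique)
            if ($hosts.Count -ge $HostThreshold) {
                $findings.Add([pscustomobject]@{
                    Indicator = "NTLM logons from one source to $($hosts.Count) hosts within $WindowMinutes min"
                    Host      = ($hosts -join ',')
                    User      = (@($inWindow | Select-Object -ExpandProperty User -Unique) -join ',')
                    Time      = $sorted[$i].Time
                    SourceIp  = $group.Name
                })
                break   # one finding per source address is enough
            }
        }
    }
    return $findings
}

# With the constructed sample above this reports one seclogo logon on WS01 and
# one NTLM fan-out from 10.0.1.25 to FS01, DB01 and DC01.
Find-LateralMovementIndicators -Events $sampleEvents | Format-Table -AutoSize
```

Run it against a week of real 4624 events after a controlled lateral-movement test: if the test hosts do not surface, either the logon auditing policy or the log forwarding is the gap, which is exactly the kind of finding a periodic red-team report tends to leave for later.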
While pentesting engagements and red-teaming are very effective at uncovering security gaps, and identifying how threat actors can get in, by their very nature these tests are only periodic. Lead time can range from weeks to months, testing is scoped for certain network segments, the exercise is performed, and reports are then drafted and submitted to security and executive teams.
But what about uncovering your weak spots in between those engagements? Just as you shouldn’t plan your holiday according to last month’s weather, your security programme needs the most up-to-date information on where your security is operating as expected, and where it needs to be fine-tuned.
By using automation to test your security continuously, or on an hourly, daily or even weekly basis, you gain a better idea of your true, real-time security posture and can quickly follow up on any newly identified exposures.
Know thy threat actor
Under the Bank of England’s CBEST regulation, UK financial services are already mandated to perform intelligence-led penetration tests that take into account threat actors known to target their industry.
Through the years, distinct APT groups have been identified according to their modus operandi, forensic data, target verticals and origin. Probably the best known is North Korean-based Lazarus Group, aka Black Cobra, believed to be behind the infamous Sony Pictures hack and a cyber-heist that robbed $13.5 million from Bangladesh Bank.
APT 32, aka OilRig, is believed to be an Iranian-based group that targets organisations across industries in the Middle East, including finservs, telcos, chemical, energy and government bodies using supply-chain attacks, such as gaining access to an organisation through its IT service portal.
Setting its sights on hospitality, retail and restaurants, yet another group, FIN8, is expert at compromising the large volumes of payment card data processed by these industries. Depending on your industry and geography, different threat actors may be targeting your organisation, making it worthwhile to study who they are and the APT techniques in their toolkit.
Map to MITRE
Defending against the plethora of tactics, techniques and procedures (TTPs) available to attackers can be overwhelming. To simplify this undertaking, security teams can challenge controls against the methods enumerated in the MITRE ATT&CK™ matrix to ensure they are covering all their bases.
For example, PowerShell commands are a potent tool for attackers. By reviewing the mitigation methods associated with this technique, such as running only signed scripts or restricting access to admins only, you can start to reduce your attack surface. The same goes for other techniques across the kill chain.
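Taking the PowerShell technique as the worked case: the script below is an added example, not code from the original article or from Cymulate, that audits and applies the two mitigations the text names (signed scripts only, administrative access only) and turns on the logging needed to see what still runs. It assumes an elevated PowerShell 5.1 or later session on a domain-joined Windows host; the script path `C:\Scripts\Deploy.ps1` is a placeholder.

```powershell
# Added example (not part of the original article). Audit and apply the
# PowerShell mitigations discussed above. Run from an elevated session.

# 1. Where does the effective policy come from? Scope precedence matters:
#    a GPO-set MachinePolicy/UserPolicy overrides anything set locally.
Get-ExecutionPolicy -List

# 2. Require an Authenticode signature on every script run on this machine.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 3. Confirm a script is signed and its chain validates before deploying it.
$sig = Get-AuthenticodeSignature -FilePath 'C:\Scripts\Deploy.ps1'   # placeholder path
if ($sig.Status -ne 'Valid') {
    Write-Warning "Deploy.ps1 signature status: $($sig.Status) - do not deploy"
}

# 4. Record full script blocks (event ID 4104 in the
#    Microsoft-Windows-PowerShell/Operational log) so that encoded or
#    obfuscated commands are logged in their decoded form.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 5. Restricting PowerShell to admins starts with knowing who the admins are;
#    review this list and remove standard users from it.
Get-LocalGroupMember -Group 'Administrators'

# 6. Check the language mode of this session. Under AppLocker or WDAC
#    enforcement, sessions for non-admin users drop to ConstrainedLanguage,
#    which is the expected value for a hardened workstation.
$ExecutionContext.SessionState.LanguageMode
```

Microsoft documents the execution policy as a safety feature rather than a security boundary, so steps 4 to 6 are not optional extras: script block logging gives the detection team evidence of what ran, and application control (AppLocker or WDAC) is what actually limits PowerShell for non-administrative users.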
Phishing is still the number one culprit in delivering attacks to your doorstep. Do not underestimate the value of assessing the alertness and savviness of your users in defending against APT attacks. Run periodic phishing exercises to see who your easy clickers are, and ensure appropriate follow-up and training.
To learn more about testing the effectiveness of your security against APTs, download the APT-Ready in Four Steps: Your Action Plan white paper.
by Eyal Wachsman, Co-Founder and CEO, Cymulate