Dear Habr community, welcome!
Today's presentation of the material will be rather unconventional. It is difficult for me to predict your reaction, but despite this I will try to convey the main idea of my article by shifting the complex toward the understandable, and thus get the essence across. The essence that sometimes cannot be expressed in words using the terminology adopted in the field. I will do this through analogy, association, visualization and humor. Let me kindly remind you that it is Friday, and I wish you all a good weekend!
A little preamble
The use of analogy is, first of all, the ability to transfer complex concepts, whose analysis causes difficulties of understanding, onto simpler ones that are easier to perceive. Secondly, this method is quite interesting and provides an opportunity to look at complex things from a completely different side.
The essence of the wave
Even in such a conservative environment as information security, there is nothing easier than to illustrate the essence of something complex with the example of something more tangible and understandable. Therefore, I would venture to tell you today about the octopus, one of the most perfect sea dwellers, with the most unique equipment "on board", with its sophisticated methods of attacking the victim and its defensive techniques. Why is the octopus hard to spot? Why is it difficult to resist the octopus?
In what I consider a very visual analogy with the sea predator, I will show you what tools the most prepared cyber groups can use in their targeted attacks, how they use them, and why traditional security tools are not enough to fight predators like the octopus.
And, frankly, I myself have long wanted to understand in detail why criminal, hacker and other groups like to associate themselves with this marine predator.
Interested? Then sit back comfortably, and let's begin! I am sure that you will be surprised by the physiological features and abilities of the octopus, its ability to adapt and to defend itself.
So…
The octopus is a sea predator of the invertebrates, an intelligent animal that possesses the most developed brain among invertebrates, learns quickly, and understands and remembers its environment. Scientists are still struck by the military arsenal of this mollusk. It seems that no other living thing on the planet has so many magnificent adaptations:
- The octopus has 8 powerful tentacles, thanks to which it easily seizes prey, though sometimes more than eight can grow. All of them are clawed and have from one to three rows of suction cups;
- Each tentacle contains up to ten thousand taste buds that determine whether an object is edible or inedible;
- A very cunning creature: as a distracting maneuver, it can discard its tentacles if the need arises. The detached tentacle continues to move and react to tactile stimuli for a certain time, which serves as an additional distraction while the attack continues from the other side or the octopus disappears;
- The octopus has the property of regeneration, that is, a tentacle torn off or deliberately discarded grows back after some time;
- It has a powerful beak, located at the base of the tentacles; with the help of this beak-weapon it splits the victim's shell and reaches the body;
- It is the most poisonous sea animal. The bite helps the octopus deal with very large prey, immobilizing it with a paralyzing poison;
- It sees in complete darkness due to infrared vision and possesses better overall vision than an eagle;
- It is able to perceive sound, including infrasound;
- It is a fast swimmer with a jet engine (it draws water into the mantle and shoots it out through the funnel); a similar principle of movement is rarely seen in living beings. 50 km/h is its normal speed, and it can reach up to 70 km/h;
- It knows how to lie for hours on land and even walk along the shore. For walking on land, it carries water with it (in a special part of the body);
- It has well-developed sharp jaws, and in the throat there is a grater (radula) that grinds food;
- The body of the predator is equipped with spotlights. Certain parts of the skin glow, illuminating the octopus's way in the middle of the night or at great depth, where eternal darkness reigns;
- The body is soft and elastic, which allows it to penetrate through holes and crevices much smaller than the usual size of its body, or to hide in the most secluded places;
- Its color changes instantly as needed (a monochromatic color or a mosaic of spots), so it is very difficult to distinguish it against the general background;
- The ink bomb/cloud is a miracle weapon, one of the most amazing devices of the octopus for disorienting the target/enemy and destroying its vision. The octopus is always filled with ink that contains narcotic substances. It uses the ink when it needs to go unnoticed or to gain time to attack from the other side.
Now I am sure that you know much more about the octopus, and that in the course of reading the description you compared what you learned about the predator with the features of building a targeted attack. It is time to get acquainted with the main character of my small visualized story.

STORY ONE. Success for the attacker, failure for the defender

A targeted attack in our time is rapidly becoming the main cyber threat to business. It is a carefully planned, lengthy process of unauthorized activity in the infrastructure of a particular organization, planned by a cybercrime group with the aim of obtaining a certain benefit. Most often, the main stages of a targeted attack are: preparation, penetration, distribution, achievement of the goal and concealment of traces.
Preparation includes determining the target, collecting as much information about it as possible, studying the infrastructure and the solutions used on it, identifying security vulnerabilities, and planning an attack strategy that takes the collected data into account.

Next comes a study of the methodology and the selection of penetration tools, adapted as far as possible to the perimeter protection tools used on the infrastructure, which allows the attackers to penetrate the target infrastructure as unobtrusively as possible.
The cyber professionals behind such attacks have an unlimited amount of time at their disposal: for developing malware, debugging malicious programs, attempting to steal accounts, applying social engineering, etc., as well as for working out the sequence of attack steps.

The use of traditional perimeter protection alone is no longer enough for an organization to counter complex threats of the Advanced Persistent Threat (APT) level. It is necessary to understand that a multi-vector intrusion aimed at different levels of the infrastructure, using various means of penetration and designed to circumvent the protection systems already in place, cannot be stopped by blocking only one of the planned vectors of a complex targeted attack.
Why are traditional security tools not enough?
Due to the specifics of targeted attacks themselves:
- the security tools in use are studied in detail with the purpose of circumventing them;
- zero-day vulnerabilities and compromised accounts are used;
- malware or specially created unique software is used;
- trusted but compromised objects that do not raise suspicion are used in attacks;
- a multi-vector approach to infrastructure penetration is taken;
- social engineering and data obtained from insiders are applied.
Due to the technological limitations inherent in traditional security tools:
- the solutions are aimed only at detecting and blocking common (uncomplicated) threats, known vulnerabilities, or unknown ones built on previously known methods;
- there is no built-in functionality for matching and correlating individual detections into a single chain of events;
- detection of deviations from normal activity is not supported, and there is no analysis of the behaviour of legitimate programs, etc.
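The last two limitations are the ones a defender can most easily picture in code. The following toy correlation engine is an added example, not code from the article or from any product it alludes to: it keeps a baseline of which child processes office programs normally spawn (an assumed baseline), flags a deviation when a legitimate program steps outside it, and then links the individual detections on one host into a single ordered chain that follows the stages described above (penetration, distribution, achievement of the goal). All event records are constructed sample data; the stage predicates and the one-hour window are assumptions for illustration.

```python
"""Toy event-correlation engine (added example, not from the article).

It demonstrates two things the article says traditional tools lack:
  1. flagging deviations from a baseline of normal program behaviour, and
  2. linking individual detections on one host into a single chain of events.
All events below are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event_type, details).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", "ws-17", "email_attachment_opened", {"file": "invoice.docm"}),
    ("2024-03-01T09:00:09", "ws-17", "process_start", {"parent": "winword.exe", "child": "powershell.exe"}),
    ("2024-03-01T09:00:12", "ws-17", "net_connect", {"process": "powershell.exe", "dst": "203.0.113.7:443"}),
    ("2024-03-01T09:03:40", "ws-17", "remote_logon", {"to": "srv-files", "user": "j.doe"}),
    ("2024-03-01T09:20:00", "ws-17", "archive_created", {"path": "C:\\Users\\Public\\out.7z", "size_mb": 812}),
    # Benign noise on another host: Word printing and Outlook syncing, both within the baseline.
    ("2024-03-01T09:05:00", "ws-22", "process_start", {"parent": "winword.exe", "child": "splwow64.exe"}),
    ("2024-03-01T09:05:30", "ws-22", "net_connect", {"process": "outlook.exe", "dst": "198.51.100.10:443"}),
]

# Assumed baseline: the child processes each office program normally spawns.
BASELINE_CHILDREN = {
    "winword.exe": {"splwow64.exe"},
    "excel.exe": {"splwow64.exe"},
    "outlook.exe": {"winword.exe", "excel.exe"},
}

# Assumed list of programs for which outbound connections are expected.
NETWORK_EXPECTED = {"outlook.exe", "chrome.exe"}


def is_baseline_deviation(details):
    """True when a baselined parent spawns a child it normally never spawns."""
    parent = details["parent"]
    return parent in BASELINE_CHILDREN and details["child"] not in BASELINE_CHILDREN[parent]


# Ordered stages of the targeted-attack model; each predicate decides whether
# one event matches that stage. Names are assumed labels for this example.
STAGES = [
    ("penetration", lambda e: e[2] == "email_attachment_opened"),
    ("deviation", lambda e: e[2] == "process_start" and is_baseline_deviation(e[3])),
    ("c2_contact", lambda e: e[2] == "net_connect" and e[3]["process"] not in NETWORK_EXPECTED),
    ("distribution", lambda e: e[2] == "remote_logon"),
    ("goal", lambda e: e[2] == "archive_created" and e[3]["size_mb"] > 100),
]


def correlate(events, window=timedelta(hours=1), min_stages=3):
    """Return {host: [stage names]} for each host whose events match at least
    `min_stages` of STAGES in order, all within `window` of the first match.
    Events that match no pending stage are ignored; stages may be skipped."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):   # ISO timestamps sort lexically
        by_host[ev[1]].append(ev)

    chains = {}
    for host, evs in by_host.items():
        matched, next_idx, start = [], 0, None
        for ev in evs:
            ts = datetime.fromisoformat(ev[0])
            if start is not None and ts - start > window:
                break                                # chain window closed
            for j in range(next_idx, len(STAGES)):   # only stages not yet passed
                name, pred = STAGES[j]
                if pred(ev):
                    matched.append(name)
                    next_idx = j + 1
                    start = start or ts
                    break
        if len(matched) >= min_stages:
            chains[host] = matched
    return chains


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(chain)}")
```

Run stand-alone it reports a single chain for `ws-17` and nothing for `ws-22`, because the Word-spawns-print-helper event and the Outlook connection both fall inside the baseline. The point of the design is that none of the five `ws-17` events is individually damning (a macro document, a script interpreter, an HTTPS connection, a file-share logon, an archive); it is the ordered chain within one window that turns five low-value alerts into one incident worth a human's time.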

A targeted attack can pursue various goals: the theft of money, trade secrets, or personal data, disruption of business processes, weakening of a competitive advantage, blackmail and extortion, theft of intellectual property, etc.
After reaching the goal, the attacker hides the traces and, if necessary, leaves behind points of return into the infrastructure.

STORY TWO. Success for the defender, failure for the attacker

To protect effectively against targeted attacks and APT-level threats, organizations need to consider using specialized solutions for countering targeted attacks and advanced threats, and to apply a comprehensive strategy to protection as a whole.

There is an advantage if specialized solutions interact with their own preventive measures, where available, or with third-party preventive technologies that most often already exist on the organization's infrastructure, thereby preserving the investments previously made in them. Preventive technologies that detect and automatically block mass common threats and clearly malicious objects eliminate the need to analyze a large number of small incidents irrelevant to complex attacks, thereby increasing the efficiency of the specialized solutions aimed at identifying APT-level threats.
Specialized tools, in turn, after detecting more complex threats, can send verdicts back to the traditional protection tools. Thus they provide two-way interaction and a truly comprehensive approach to countering advanced threats.
If strict requirements for processing critical data must be met, the solutions must support operation in an isolated mode without loss of detection quality, i.e. they must maintain a local reputation database of threats and promptly provide unique information about the latest threats without transferring data outside the corporate perimeter. When choosing a specialized solution on the territory of the Russian Federation, it is necessary to take into account the availability of FSTEC and FSB certificates, the presence of the solution in the domestic software registry, as well as the solution's compliance with external and internal regulators and its focus on meeting legislative recommendations, for example, N 187- and GosPROM.

Depending on the information security maturity of each individual organization and the availability of the necessary resources in the company, manufacturers of specialized solutions for protection against advanced threats should in each case provide the necessary expertise and professional services for companies, ranging from support for the deployment, configuration and updating of products to making their experienced experts available for malware analysis and incident investigation.
They should also perform penetration testing and application security analysis, and provide:
- services for active threat hunting and digital forensics;
- a subscription to a portal of analytical reports on threats;
- a round-the-clock service for the analysis of information security events and incident response, etc.
