The Back Door Threat To Cybersecurity


Advanced Persistent Threats (APTs) pose a unique challenge with motives, techniques, and tactics that differ from traditional cyberattacks.

An APT attack is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period.

Carefully planned and designed to infiltrate a specific organization, APTs evade existing security measures and fly under the radar. 


The four main goals of APTs are:

  • Cyber Espionage: including theft of intellectual property or state secrets.
  • eCrime: for financial gain.
  • Hacktivism: hackers who call themselves activists and hack vulnerable systems for social, political, or religious causes.
  • Destruction: to devastate an organization.

Cyber thieves are constantly inventing novel and increasingly sophisticated ways to cause damage, leaving cybersecurity professionals playing catch-up in devising essential defenses. In its annual cybersecurity predictions for 2023, Forbes detailed the latest efforts by cybercriminals, including nation states, to wreak havoc on systems and infrastructures.

Let's explore this cybersecurity threat and what steps can be taken to safeguard critical infrastructures, most of which operate in a digital environment that is internet accessible, creating certain vulnerabilities. This makes protecting critical infrastructure and safeguarding supply chains particularly challenging in democratic societies that are, by their nature, open and accessible.

APTs: What are they, where do they come from, and how do they work?

Designed by expert hackers, APTs are a subtle and persistent form of cyberattack that can remain undetected for long periods of time. Between infection and remediation, the attacker will often monitor, intercept, and relay information and sensitive data. The intention of an APT is typically to exfiltrate, or steal, data rather than to cause a network outage, a denial of service, or a malware infection.

Unlike other cyber hacks that make an instant impact like a bomb going off, an APT is a stealthy yet wildly destructive slow burn, able to inflict potentially disastrous and long-term damage to critical systems and stakeholders like the Department of Defense, the banking and financial systems, the power grid, and other critical applications related to communications and transportation.

APTs originate with “skilled attackers possessing advanced hacking tools, sophisticated techniques, and possibly large teams” and have traditionally been used by nation states or state-sponsored actors “to extract information for espionage or sabotage.”

Because an APT attack requires a high degree of sophistication and customization, the adversaries are typically well-funded, experienced teams of cybercriminals that have invested time and extensive resources in researching and identifying vulnerabilities within the high-value organizations, platforms, and critical infrastructures they intend to target.

For example, Chinese APT groups have used Remote Access Trojan (RAT) malware to gain access to and compromise computers, executing PowerShell attacks, while Iranian APT groups have used a PowerShell attack that, because it does not launch, remains hidden from security tools and safeguards. Although such attacks have traditionally been executed by teams, a dedicated and savvy individual with advanced skills could also deploy an APT. Examples of well-known attacks over the years include Titan Rain, Sykipot, GhostNet, the Stuxnet worm, and Deep Panda.

APTs gain system access by various methods: confidence schemes, social engineering, physical access to facilities, bribes, and extortion. Even more alarming, once access is gained it can be maintained via back doors implanted in servers, through software installation, and by adding attacker-controlled hardware to networks.

What are the three stages of an APT attack?

Before safeguards and protective protocols can be put into place to prevent, detect, and resolve a future APT, systems and trained cybersecurity professionals must recognize their characteristics. Most APTs follow the same basic life cycle: infiltrating a network, expanding access, and stealing sensitive data by extracting it from the network.

Stage 1: Infiltration

APTs often gain initial traction through social engineering; for example, a phishing email that selectively targets high-level individuals like senior executives or technology leaders, often using information obtained from other team members that have already been compromised. The email will look official, as if it has originated with a known team member and may even include accurate references to an ongoing project.

Stage 2: Escalation and Lateral Movement

Once initial access has been gained, attackers insert malware into the organization’s network and move to the second phase, expansion, in which they move laterally to map the network and gather credentials such as account names and passwords in order to reach critical business information. APTs may also establish a “backdoor” that lets them re-enter the network to conduct stealth operations. Additional entry points are often established so that the attack can continue if one compromised point is discovered and closed.

Stage 3: Exfiltration

In preparation for the third phase, cybercriminals typically stage stolen information in a secure location within the network until enough data has been collected; the data is then “exfiltrated” without detection. One tactic employed is a denial-of-service (DoS) attack that distracts the security team and ties up network personnel while the data is being exfiltrated. The network may then remain compromised, waiting for the thieves to return at any time.

What are some of the warning signs?

While APTs are exceptionally hard to identify, there are some signs that someone may have gained access to your system. These include:

  • Unusual user account activity: such as multiple logins or frequent password changes.
  • Trojans: an unusual presence of trojan horse malware on your systems; APTs rely on backdoor trojans to maintain access.
  • Unusual database activity: such as changes to sensitive data or multiple failed attempts to access data.
  • Suspicious data or files in the system: APTs create data files in which to stage information before exfiltrating it.
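As an added example (not from the article or from CYRIN), the Python script below turns the account-activity and database-activity signs above into detection logic run over a constructed audit log; the log format, field names and thresholds are assumptions, and the sliding window generalizes the list to any time span rather than one fixed period.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (synthetic lines, not from any real system).
SAMPLE_LOG = """\
2023-01-10T02:03:11Z user=jdoe event=login src=10.0.0.5 result=success
2023-01-10T02:04:20Z user=jdoe event=login src=10.0.0.9 result=success
2023-01-10T02:05:02Z user=jdoe event=login src=10.0.0.12 result=success
2023-01-10T02:06:45Z user=jdoe event=password_change result=success
2023-01-10T02:07:10Z user=jdoe event=password_change result=success
2023-01-10T02:08:33Z user=jdoe event=data_access object=hr_salaries result=denied
2023-01-10T02:08:40Z user=jdoe event=data_access object=hr_salaries result=denied
2023-01-10T02:08:47Z user=jdoe event=data_access object=hr_salaries result=denied
2023-01-10T09:15:00Z user=asmith event=login src=10.0.1.7 result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<kv>.+)$")

def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_warning_signs(log_text, window=timedelta(hours=1), max_logins=2, max_pw_changes=1, max_denied=2):
    """Return {user: set of signs} for users whose events inside any sliding window exceed the (hypothetical) thresholds."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and "user" in f:
            by_user[f["user"]].append(f)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        signs = set()
        for i, first in enumerate(evs):
            # Every event from evs[i] onward that falls within `window` of it.
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            logins = sum(e.get("event") == "login" and e.get("result") == "success" for e in win)
            pw = sum(e.get("event") == "password_change" for e in win)
            denied = sum(e.get("event") == "data_access" and e.get("result") == "denied" for e in win)
            if logins > max_logins: signs.add("multiple_logins")
            if pw > max_pw_changes: signs.add("frequent_password_changes")
            if denied > max_denied: signs.add("repeated_denied_data_access")
        if signs:
            findings[user] = signs
    return findings
```

Running find_warning_signs(SAMPLE_LOG) flags only jdoe, with all three signs; tune the thresholds to each environment's normal baseline before treating a hit as an incident.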

Who is most vulnerable?

In the U.S., most of the critical infrastructure, like defense, oil and gas, electric power grids, ports, shipping, health care, utilities, communications, transportation, education, banking, and finance, is primarily owned by the private sector and regulated by the public sector. In government, particularly defense, securing critical infrastructure and the supply chain has been an evolving priority.

Although not defined as a critical infrastructure by the Department of Homeland Security, space is a priority asset for industry and for national security. When Russia invaded Ukraine, Ukrainian satellite communications provider ViaSat was disrupted. In this rapidly changing digital era, satellite and space security is of growing importance because of the reliance on satellites for communications, security, intelligence, and commerce. Thousands of satellites are subject to cyber vulnerabilities from above and from below. The US Space Systems Command recently announced beta testing for cybersecurity guidance around commercial satellites. Russia and China are two of the most formidable threat actors to space communication systems, while Iran and North Korea remain viable threats.

The Pentagon recently outlined its zero-trust strategy roadmap while the Cybersecurity and Infrastructure Security Agency (CISA) updated its infrastructure resilience framework. Zero-trust architectures (the principle that no person, device, or application trying to access a network can be trusted until it is authenticated and verified) are a core element. The DoD plans to put a zero-trust framework fully in place by 2027, and the Pentagon wants to ensure that all related technologies keep pace with industry innovation, and that policies and funding dovetail with zero-trust approaches. The DoD noted that its systems are under "wide scale and persistent attack" from threat groups, particularly from China and other nation-states.

What to do

High-value targets must learn how to defend themselves against APT attacks. Current incident response efforts are labor intensive and can take months. The defense often lags attackers’ abilities to discover vulnerabilities that lead to critical assets. There is a pressing need to generate data-driven, machine-readable descriptions of how attacker tools behave, how attacker paths unfold, and how to label observable attack behavior to prevent it before destruction occurs.

David McKeown, Chief Information Security Officer and Deputy Chief Information Officer at the Department of Defense, explains that while DOD has excelled at perimeter defenses during previous attacks, APTs can gain traction through phishing, brute force attacks on server vulnerabilities, web attacks and hacking the code. “Once they get a foothold,” McKeown explained, “what we’ve found over time is we must struggle to find them and then finally eradicate them from an app on a network and have confidence that they’re gone from the network.” DOD will continue to partner with industry and all its latest security offerings to provide better security solutions.

Information sharing on threats and risks, and collaboration between government and industry, are crucial to keep everyone up to speed on the latest viruses, malware, phishing threats, ransomware, and insider threats. Information sharing between the public and private sectors establishes working protocols that strengthen resilience in the face of cyber-crime.

There are obvious things an organization can do, including limiting access to sensitive data, keeping security patches updated, performing regular scans, and controlling the entry points to your network, including applications that can be introduced by your clients. However, the most obvious weak point, and still the most persistent point of access, is your workforce.

An organization is only as strong as the weakest link in its cybersecurity chain. No matter how much money a business has spent on software, hardware, and services to prevent cyberattacks, attackers count on someone (usually an end user) to take the bait and bypass those expensive safeguards. It’s not enough to have employees watch a cybersecurity video once a year and answer questions. Businesses need training throughout the year; it must be a routine part of work and baked into the organization’s culture. Simply put, IT departments and security professionals need to invest more in cybersecurity training.

See what CYRIN can do

At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. We continue to evolve and develop solutions with “hands-on” training, and our courses teach fundamental solutions using actual cyber tools from CYRIN’s labs, so you can practice 24/7, in the cloud, with no special software required.

These tools and our virtual environment are perfect for a mobile, remote work force. People can train at their pace, with all the benefits of remote work, remote training, and flexibility.

Cyber is a team effort; to see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN.


Take a test drive and see for yourself!

