The Back Door Threat To Cybersecurity

Uploaded on 2023-01-23 in JOBS-Training, FREE TO VIEW

Promotion

 

Advanced Persistent Threats (APTs) pose a unique challenge with motives, techniques, and tactics that differ from traditional cyberattacks.

An APT attack is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period.

Carefully planned and designed to infiltrate a specific organization, APTs evade existing security measures and fly under the radar. 

 

The four main goals of APTs are:

  • Cyber Espionage:  Including theft of intellectual property or state secrets

  • eCrime:   For financial gain
  • Hacktivism:   Hackers who call themselves activists and hack vulnerable systems for social, political, or religious causes.
  • Destruction:   To devastate an organization

Cyber thieves are constantly inventing novel and increasingly sophisticated ways to wreak havoc, leaving cybersecurity professionals playing catch up with devising essential solutions. In its annual predictions for cybersecurity for 2023, Forbes detailed the latest efforts by cybercriminals, including nation states, to wreak havoc on systems and infrastructures.

Let's explore this cybersecurity threat and what steps can be taken to safeguard critical infrastructures, most of which operate in a digital environment that is internet accessible, creating certain vulnerabilities. This makes protecting critical infrastructure and safeguarding supply chains particularly challenging in democratic societies that are, by their nature, open and accessible.

APTs: What are they, where do they come from, and how do they work?

Designed by expert hackers, APTs are a subtle and persistent form of cyberattack that can remain undetected for long periods of time. During the time between infection and remediation, the hacker will often monitor, intercept, and relay information and sensitive data. The intention of an APT is then to exfiltrate or steal data rather than cause a network outage, denial of service or infect systems with malware.

Unlike other cyber hacks that make an instant impact like a bomb going off, an APT is a stealthy yet wildly destructive slow burn, able to inflict potentially disastrous and long-term damage to critical systems and stakeholders like the Department of Defense, the banking and financial systems, the power grid, and other critical applications related to communications and transportation.

APTs originate with “skilled attackers possessing advanced hacking tools, sophisticated techniques, and possibly large teams” and have traditionally been used by nation states or state-sponsored actors “to extract information for espionage or sabotage.”

Because an APT attack requires a high degree of sophistication and customization, adversaries are typically well-funded, experienced teams of cybercriminals that have invested time and extensive resources researching and identifying vulnerabilities within high-value organizations, platforms, and critical infrastructures that these same teams then seek to target.

For example, Chinese APT groups used Remote Access Trojan (RAT) malware to gain access and compromise computers, executing PowerShell attacks, while Iranian APT groups used a PowerShell attack that, because it does not launch, remains hidden from security tools and safeguards. Although teams have traditionally executed attacks, a dedicated and savvy individual with advanced skills could also deploy an APT. Examples of well-known attacks over the years include Titan Rain, Sykipot, Ghostnet, Stuxnet Worm and Deep Panda.

APTs gain system access with various methods: confidence schemes, social engineering, physical access to facilities, bribes, and extortion to gain system access. Even more alarming, once access is gained, it can be maintained via back doors implemented into servers, software installation, and the addition of controlled hardware to networks.

What are the three stages of an APT attack?

Before safeguards and protective protocols can be put into place to prevent, detect, and resolve a future APT, systems and trained cybersecurity professionals must recognize their characteristics. Most APTs follow the same basic life cycle: infiltrating a network, expanding access, and stealing sensitive data by extracting it from the network.

Stage 1: Infiltration

APTs often gain initial traction through social engineering; for example, a phishing email that selectively targets high-level individuals like senior executives or technology leaders, often using information obtained from other team members that have already been compromised. The email will look official, as if it has originated with a known team member and may even include accurate references to an ongoing project.

Stage 2: Escalation and Lateral Movement

Once initial access has been gained, attackers insert malware into an organization’s network to move to the second phase, expansion, when they move laterally to map the network and gather credentials such as account names and passwords in order to access critical business information. APTs may also establish a “backdoor” that allows them to sneak into the network to conduct stealth operations. Additional entry points are often established to ensure that the attack can continue if a compromised point is discovered and closed.

Stage 3: Exfiltration

In preparation for the third phase, cybercriminals typically store stolen information in a secure location within the network until enough data has been collected and then the data is “exfiltrated” without detection. Tactics employed may be a denial-of-service (DoS) attack to distract the security team and tie up network personnel while the data is being exfiltrated. The network may then remain compromised, waiting for the thieves to return at any time.

What are some of the warning signs?

While APTs are consistently exceptionally hard to identify, there may be some particular signs that someone has gained access to your system. These include:

  • Odd client account exercises:   Like multiple logins or frequent password changes.
  • Trojans:   You’ll find your system to be using trojan horses excessively; APTs need backdoor trojan malware to continue access.
  • Strange data set action:   Like making changes to sensitive data and multiple failed attempts to access data.
  • Suspicious data or files in the system:   APTs will create data files to store and then exfiltrate information.

Who is most vulnerable?

In the U.S., most of the critical infrastructure, like defense, oil and gas, electric power grids, ports, shipping, health care, utilities, communications, transportation, education, banking, and finance, is primarily owned by the private sector and regulated by the public sector. In government, particularly defense, securing critical infrastructure and the supply chain has been an evolving priority.

Although not defined as a critical infrastructure by the Department of Homeland Security, space is a priority asset for industry and for national security. When Russia invaded Ukraine, Ukrainian satellite communications provider ViaSat was disrupted. In this rapidly changing digital era, satellite and space security is of budding importance because of the reliance on satellites for communications, security, intelligence, and commerce. Thousands of satellites are subject to cyber vulnerabilities from above and from below. The US Space Systems Command recently announced beta testing for cybersecurity guidance around commercial satellites. Russia and China are two of the most formidable threat actors to space communication systems, while Iran and North Korea remain viable threats.

The Pentagon recently outlined its zero-trust strategy roadmap while the Cybersecurity and Infrastructure Security Agency (CISA) updated its infrastructure resilience framework. Zero-trust architectures - the idea any person, device, or application trying to access a network cannot be trusted until authenticated and verified - are a core element. The DoD plans to put a zero-trust framework fully in place by 2027, and the Pentagon wants to ensure that all related technologies keep pace with industry innovation, and that policies and funding dovetail with zero trust approaches. The DoD noted that its systems are under "wide scale and persistent attack" from threat groups, particularly from China and other nation-states.

What to do

High-value targets must learn how to defend themselves against APT attacks. Current incident response efforts are labor intensive and can take months. The defense often lags attackers’ abilities to discover vulnerabilities that lead to critical assets. There is a pressing need to generate data-driven, machine-readable descriptions of how attacker tools behave, how attacker paths unfold, and how to label observable attack behavior to prevent it before destruction occurs.

David McKeown, Chief Information Security Officer and Deputy Chief Information Officer at the Department of Defense explains that while DOD has excelled at perimeter defenses during previous attacks, APTs can gain traction through phishing, brute force attacks on server vulnerabilities, web attacks and hacking the code. “Once they get a foothold,” McKeown explained, “what we’ve found over time is we must struggle to find them and then finally eradicate them from an app on a network and have confidence that they’re gone from the network. DOD will continue to partner with industry and all its latest security offerings to provide better security solutions.

Information sharing on threats and risks and collaboration between government and industry is crucial to keep everyone up to speed on the latest viruses, malware, phishing threats, ransomware, and insider threats. Information sharing between public and private sectors establishes working protocols that strengthen resilience in the face of cyber-crimes.

There are the obvious things an organization can do including limiting access to sensitive data, keep security patches updated, perform regular scans, and control the spaces to your network including applications that can be introduced by your clients. However, the most obvious weak point and still the most persistent point of access is your workforce.

An organization is only as strong as the weakest link in its cybersecurity chain and attackers, no matter how much money businesses have spent on software, hardware, and services to prevent cyberattacks, count on someone (usually an end user) to take the bait, bypassing those expensive cybersecurity safeguards. It’s not enough to have employees watch a cybersecurity video once a year and answer questions. Businesses will need to have training throughout the year. Training needs to be a routine part of work and baked into the organization’s culture. Simply put, IT departments and security professionals need to invest more in cybersecurity training.

See what CYRIN can do

At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. At CYRIN we continue to evolve and develop solutions with “hands-on” training and our courses teach fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required.

These tools and our virtual environment are perfect for a mobile, remote work force. People can train at their pace, with all the benefits of remote work, remote training, and flexibility.

Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN.

Take a test drive and see for yourself!

You Might Also Read:

What’s In Store For 2023: Cybersecurity Trends:

 

« How Next Gen SIEM Addresses The Risks Of Disjointed Security Tools
War In Ukraine Drives A Decline In Stolen Cards »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CERT-EU

CERT-EU

CERT-EU is a permanent Computer Emergency Response Team for the EU institutions, agencies and bodies.

Zymr

Zymr

Zymr specialize in cloud computing solutions including Cloud Security, Cloud Mobility, Cloud Apps, Cloud Infrastructure and Cloud Orchestration.

Perception Point

Perception Point

Perception Point is a Prevention-as-a-Service company, built to enable digital transformation. Our platform offers 360-degree protection against any type of content-based attack.

SecuTech Solutions

SecuTech Solutions

SecuTech is a global leader in providing strong authentication and software licensing management solutions.

Vector InfoTech

Vector InfoTech

Vector InfoTech is a leader in Industrial Security, Networks, IT and Telecommunications.

Cognni

Cognni

Cognni (formerly Shieldox) will make your InfoSec think like a human, right out of the box, so you can focus on the bigger picture, keeping the information flow safe.

KeepSolid

KeepSolid

KeepSolid is a Virtual Private Network services provider offering secure encrypted access to the internet.

NETAS

NETAS

Netas offers solutions in information and communication technologies including end-to-end value added solutions, system integration and technology services to providers and corporations.

Next47

Next47

Next47 is a global venture firm, backed by Siemens, committed to turning today's impossible ideas into tomorrow's indispensable industries.

BlueRiSC

BlueRiSC

BlueRiSC invent cutting-edge system assurance solutions for the 21st century with novel software and hardware designs focusing on security technologies that can be game changing.

SecondWrite

SecondWrite

SecondWrite’s next-generation malware detection engine delivers a combination of automatic deep code inspection and accurate scoring of zero-day malware.

Port443

Port443

Port443 specialises in providing Security Orchestration, Automation and Remediation (SOAR) "as a service".

Exacom

Exacom

Exacom is a leading provider of multimedia logging/recording solutions across public safety, government, DoD, energy, utilities, transportation, and security applications.

Barrier Networks

Barrier Networks

Barrier Networks are a Cyber Security Managed Service Provider that specialises in Network and Application security.

Backslash Security

Backslash Security

With Backslash, AppSec teams gain visibility into critical risks in their apps based on reachability and exploitability.

Kerberus Cyber Security

Kerberus Cyber Security

Kerberus Cyber Security (formerly MintDefense) is a leading innovator in Web3 user security, dedicated to safeguarding digital assets and transactions through its flagship product, Sentinel3.