Security, et al

Randy's Blog on Infosec and Other Stuff

«  How to Use Process Tracki... | My new LOGbinder EX for E... »

9 Mistakes APT Victims Make

Mon, 13 May 2013 12:06:56 GMT

This article was first published at Lumension’s Optimal Security blog: http://blog.lumension.com/6588/9-mistakes-apt-victims-make/

A couple years ago, Bruce Schneier said that against an APT attacker, “the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.” Those words have proven true over and over again. APT attackers don’t move on to the next target as soon as they see your security is a little above average.

In this age, when you have to do everything right to protect your network, it pays to look at what other people do wrong and learn from their mistakes. Based on public and unpublished APT incidents, I’ve gathered a list of 9 different things that show up repeatedly:

1.       Allowing open attack surfaces without securing configurations

A system’s attack surface comprises the started services, enabled features and installed software.  Stopping all unneeded services, disabling each and every feature that isn’t needed and removing all non-essential software is how you reduce your attack surface. 

This includes all those elements that might seem innocuous and have no known risks.  Time and again innocent little features have proven to harbor nasty vulnerabilities that the bad guys find and leverage.  Case in point is Internet Explorer’s automatic proxy server detection which is enabled by default.  A recent weaponized malware exploited this feature to fool computers trying to download Windows security updates.

While group policy is part of the solution you need configuration management and centralized remediation capabilities so that you can obtain ongoing assurance that all systems on the network are secure and presenting the smallest possible target to the enemy. 

2.       Permitting unlocked ports and unfettered device usage

Allowing USB drives and other removable storage devices to connect to your PCs is reckless.  USA Today details how an infected USB drive idled a power plant for 3 weeks.  This Slashdot article tells how one study found 2/3 of lost USB drives carry malware.  Think you can’t be singled out and targeted USB drives?  Think again.  The bad guys go to tradeshows of target industries and pass them out as swag.  They drop them in Starbucks near target businesses. 

Windows features native removable storage restrictions that can be implemented in group policy but if you need enterprise management and compliance features like reporting and better control over different classes of devices look to your endpoint security vendor.

3.       Failing to use centralized vulnerability remediation

There are too many tweaks and security fixes that can’t be made via group policy including de-registering unsafe DLLs, setting the kill bit, configuring BitLocker, power shell security and changing the local administrator password to name just a few.  You need a way to run commands, remediation scripts and other fixes  on all your PCs automatically and be able to track the success of such remediation steps.  Startup and logon scripts in group policy don’t provide this crucial reporting capability so you need to look at your system management capabilities or end point security technologies.

4.       Allowing untrusted software to execute

This is the single most effective way to stop APTs.  You might be able to use Windows 7 AppLocker  or you may need a modern enterprise application whitelisting solution but either way, stop unknown, unauthorized software from executing on your systems.  Enough said. 

5.       Failing to follow existing security policies/procedures and use at-hand technology consistently

Not eating your own dog food is a painful reason to fall victim to an APT but it happens.  All it takes is one neglected computer or one person who fails to follow policy.  Case in point: Adobe allowed a critical code-signing server to function while noncompliant with their corporate security standards.  It lead to malware being signed to look like valid Adobe software and resulted in a huge security incident affecting Adobe customers.

6.       Permitting open policies for privileged user authority

The RSA SecureID incident involved lateral movement between systems and users resulting in privilege escalation.  This typically means that a privileged user was logged on interactively on a system where they also read email, browse the web or open document files.  Best practices and privileged user technologies exist to keep admin level credentials sacrosanct; APTs show their value.

7.       Not engaging in consistent end-user security awareness

RSA SecurID incident occurred when 3 users were sent an infected spreadsheet, it went into their Junk email, and a single user opened it.  One corporation sent a spear-phishing email to its users as part of a security awareness program.  It took 3 campaigns before they got the open rate below 20%.  Lesson: security awareness needs to be more than a poster in the break room.  Make your program constant and trackable so that you can verify that you are changing behavior.

8.       Failing to leverage logging and to set up traps

Most organizations do not monitor process start events to discover new EXEs.  Nor do most organizations deploy decoy folders with bait files on production systems and audit access to these files.  Both are effective ways to detect malicious outsiders.

9.        Permitting Malware beaconing and exfiltration

In most cases, malware must be installed and permitted to run for an APT to be persistent. When activated, most APT-ware must beacon back to command and control servers.  At some point data is exfiltrated.  It is challenging, but there are techniques for recognizing outbound traffic that could be malware.  Here’s a couple examples: Look for strange packet patterns inconsistent with normal web browsing like more data going up than down.  Look for mysterious domain names like ibiz.3387.org. 

Each of these measures is a single layer of defense and you need them all.  Because it only takes one: one user, one PC, one setting or vulnerability that lets the bad guy get a foothold.  It comes down to defense-in-depth, doing everything right and not allowing untrusted code to execute.

email this digg reddit dzone
comments (0)references (0)

Related:
Live with Dell at RSA 2015
Severing the Horizontal Kill Chain: The Role of Micro-Segmentation in Your Virtualization Infrastructure
Anatomy of a Hack Disrupted: How one of SIEM’s out-of-the-box rules caught an intrusion and beyond

Comments disabled

powered by Bloget™

Search


Categories
Recent Blogs
Archive


 

Upcoming Webinars
    Additional Resources