Note: This article first appeared at In Cyber Defense.
By Edward J. Hawkins, II
Last week, the world awoke to the latest information security breach involving Marriott International’s Starwood hotel chain, caused by an advanced persistent threat (APT) attacker. This breach, dating back to 2014, resulted in the unauthorized disclosure of 500 million customers’ personally identifiable information (PII).
The Krebs on Security website provides some good information and tips for victims of this breach. It also offers some guidance for everyone else on good security practices.
Why Are Advanced Persistent Threats Successful?
Like any event, there is always more than one side to the story. In this case, we’re talking about an APT and why these attacks are successful.
I teach students proper incident response and one of the core concepts that they gain in my class is an understanding of what is normal for the network under their responsibility. They must learn how to monitor their network for changes in behavior. To stay undetected, an APT attack leverages the concept of looking “normal.”
The question then becomes: “How does an attack of such large scale happen?” To answer that question, some fundamentals in the attack process need to be discussed.
Cyberattacks Often Start with Footprinting
The first phase of a cyberattack involves intelligence gathering. Attackers will find as much information as possible on their target, using freely available resources, such as an organization’s webpages, Google searches and the search engine Shodan.
A common name for this research process is “footprinting.” Footprinting can be a lengthy process depending on who or what the target is and what damage the attacker seeks to cause.
After Footprinting, Attackers Probe for Security Vulnerabilities
The next phase in a cyberattack is to find a way into the organization’s network, which can be done through numerous methods. Sometimes malware is used, but that could lead to faster detection, and the attackers’ ultimate goal is for the company’s system administrators not to notice the attack at all.
Attackers will identify some out-of-date software with a vulnerability in its implementation, or they will create a phishing email and website. Phishing is a modern social engineering technique that tricks a victim into divulging sensitive information and allows an attacker to gain unauthorized access to the victim’s data. Successful phishing attacks usually result in the victim divulging usernames and passwords for sensitive accounts, such as bank, financial or social media accounts.
Upon Collecting Information, Attackers Create Backdoors to Networks
After attackers have the necessary information to compromise a network, they create a backdoor to provide continuous access to the computer system. To create a backdoor, the attacker might establish a new user account with network administrative privileges. Then, the last stage in the sequence is for the attacker to remove all indications of an attack.
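The backdoor pattern described above (a new account, its elevation to administrative rights, and the attacker’s attempt to erase traces) is exactly the kind of deviation from “normal” that a monitoring team should be watching for. The following is an added example, not part of the original article: it correlates constructed Windows Security-log style events (the sample records, field names and baseline set are this example’s own) and flags the sequence within a short time window.

```python
# Added example (not from the original article): correlate constructed
# Windows Security-log style events to flag the backdoor pattern of a new
# account being created, added to Administrators, and the audit log cleared.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, modelled loosely on Windows event IDs
# 4720 (user account created), 4732 (member added to a local group)
# and 1102 (audit log cleared). The field names are this example's own.
SAMPLE_EVENTS = [
    {"ts": "2018-11-30T02:10:05", "id": 4720, "actor": "svc_backup", "target": "helpdesk2"},
    {"ts": "2018-11-30T02:10:41", "id": 4732, "actor": "svc_backup", "target": "helpdesk2",
     "group": "Administrators"},
    {"ts": "2018-11-30T02:12:09", "id": 1102, "actor": "svc_backup", "target": ""},
    {"ts": "2018-11-30T09:15:00", "id": 4720, "actor": "it_admin", "target": "jdoe"},
    {"ts": "2018-11-30T09:16:00", "id": 4732, "actor": "it_admin", "target": "jdoe",
     "group": "Remote Desktop Users"},
]

# Constructed baseline: accounts that normally provision users on this network.
KNOWN_PROVISIONERS = {"it_admin"}
WINDOW = timedelta(minutes=30)


def detect_backdoor_pattern(events, known=KNOWN_PROVISIONERS, window=WINDOW):
    """Return (alert_type, actor, new_account) tuples.

    'backdoor_pattern': one actor creates an account, adds it to
    Administrators and clears the audit log within `window`.
    'unbaselined_provisioner': an account outside the baseline set
    creates a user without the full pattern being observed.
    """
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        for i, e in enumerate(evs):
            if e["id"] != 4720:
                continue
            start = datetime.fromisoformat(e["ts"])
            later = [x for x in evs[i + 1:]
                     if datetime.fromisoformat(x["ts"]) - start <= window]
            elevated = any(x["id"] == 4732 and x["target"] == e["target"]
                           and x.get("group") == "Administrators" for x in later)
            cleared = any(x["id"] == 1102 for x in later)
            if elevated and cleared:
                alerts.append(("backdoor_pattern", actor, e["target"]))
            elif actor not in known:
                alerts.append(("unbaselined_provisioner", actor, e["target"]))
    return alerts
```

Run against the constructed events, only the `svc_backup` sequence is flagged; the `it_admin` provisioning of a non-administrative account matches the baseline and produces no alert.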
Video Example of an APT Attack
This security video depicts an APT attack on a Windows 7 system. There are several assumptions made in the creation of this attack:
- The victim is running a web server like an organization would run in its demilitarized zone (DMZ).
- Functionality of the network environment takes precedence over security. Multiple unnecessary services are turned on and are only protected by an external-facing firewall.
- The attacker has gained local access to the network, which is plausible based on the motivations behind the attack.
Note that there are two snapshots of the Windows 7 system. One is before updating the system with security patches and the other is the system after the patches.
Each system snapshot is followed by a published exploit. This technique helps security researchers evaluate the effectiveness of a software patch. The only change between system states is the patching.
Internal Attacks Often Cause Greater Damage
Many reports, like the Verizon Data Breach Investigations Report (DBIR), show that external attacks outnumber internal cyber breaches. However, it takes just one attacker on the inside to do even greater damage to the network, because that person already holds an added level of trust as an employee.
Because of the time a real attack requires, the computer system in the video was made purposely vulnerable, and the video shows only a small portion of the attack process. A full attack against a system may take weeks to accomplish, depending on the attacker’s level of motivation.