Emerging Trends in Advanced Persistent Threats (APTs)

I recently sat in on a webinar on the future of advanced persistent threats (APTs). A few things struck me during the presentation:

  • There are many common misconceptions regarding APTs
  • Gauss could be the next Stuxnet or Duqu
  • The APT landscape is constantly changing in a digital game of cat and mouse

A common myth among IT administrators is that APTs only go after large corporations, government agencies and defense contractors. In reality, manufacturing and finance are also major sectors that receive constant attention from APT actors.

It is also widely assumed that a targeted attack is a single attack (which would contradict the "P" for persistent in the APT acronym). However, one case presented in the webinar showed a single company being attacked continuously for nine straight months. Just because you stop the threat the first time does not mean the attacker is going to take his ball and go home. If the value of the data is high, expect the level of persistence to be high too.

Gauss, a new espionage toolkit identified by Kaspersky Lab in early August, is the next complex APT in the pipeline after Flame, Stuxnet and Duqu. In fact, it is built on the same platform as Flame and shares Flame's string-decryption subroutines. It also adds new wrinkles for system administrators to work out how to neutralize, such as a custom font, Palida Narrow, that it installs on the victim machine; the purpose of the font is still unknown, and so far its presence has been useful mainly as an indicator of infection rather than as a known exploit. Kaspersky Lab has put out a call for help in cracking the payload, which remains encrypted with 128-bit RC4 and has not yet been decrypted.
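To make the last point concrete: 128-bit RC4 is not the obstacle here. The difficulty is that the payload's key is derived from the victim's own environment, so an analyst with only the sample has to guess the environment. The following is an added example written for this post, not code from the original article or from Kaspersky's analysis. Kaspersky later reported that Gauss derives its key from the names of a subdirectory under %PROGRAMFILES% and a file inside it, hashed with MD5 thousands of times; the example uses a derivation of that general shape, but the salts, string layout, round count, directory names and payload bytes are all constructed for illustration and are not Gauss's real values.

```python
"""Environment-keyed RC4 payload and the dictionary attack an analyst is left with.

Added example; the salts, layout and sample names below are constructed, not Gauss's.
"""
import hashlib
from typing import List, Optional, Tuple

ROUNDS = 10000            # MD5 iterations per derivation (constructed; chosen for flavour)
SALT_CHECK = b"check-v1"  # derivation that yields the stored validation hash (constructed)
SALT_KEY = b"key-v1"      # derivation that yields the RC4 key (constructed)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive(dirname: str, filename: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Iterated MD5 over a Program Files subdirectory name plus a file name inside it.

    The 128-bit digest doubles as the 128-bit RC4 key (or as the validation hash,
    depending on the salt). The layout and encoding here are assumptions.
    """
    h = f"{dirname}\\{filename}".encode("utf-16-le") + salt
    for _ in range(rounds):
        h = hashlib.md5(h).digest()
    return h


def pack_payload(plaintext: bytes, dirname: str, filename: str) -> Tuple[bytes, bytes]:
    """Attacker side: encrypt for one specific environment.

    Only the check hash and the ciphertext ship inside the sample; the directory
    and file names never do, which is exactly what an analyst is missing.
    """
    check = derive(dirname, filename, SALT_CHECK)
    key = derive(dirname, filename, SALT_KEY)
    return check, rc4(key, plaintext)


def try_unlock(check: bytes, ciphertext: bytes,
               candidates: List[Tuple[str, str]]) -> Tuple[Optional[Tuple[str, str]], Optional[bytes]]:
    """Analyst side: brute-force (dirname, filename) pairs from a wordlist.

    The stored check hash tells us when a guess is right, so we never have to
    rely on plaintext heuristics to recognise a successful decryption.
    """
    for dirname, filename in candidates:
        if derive(dirname, filename, SALT_CHECK) == check:
            return (dirname, filename), rc4(derive(dirname, filename, SALT_KEY), ciphertext)
    return None, None


# Constructed sample: the victim runs a vendor-specific application the analyst
# has never heard of, so its directory is not in any generic wordlist.
VICTIM_DIR, VICTIM_FILE = "ContosoBankTeller", "teller.exe"
SECRET = b"stage-2 module meant for one specific target"
CHECK, CIPHERTEXT = pack_payload(SECRET, VICTIM_DIR, VICTIM_FILE)

GENERIC_WORDLIST = [
    ("Common Files", "setup.exe"),
    ("Internet Explorer", "iexplore.exe"),
    ("Microsoft Office", "winword.exe"),
]


def analyst_without_context():
    """A generic Program Files wordlist never matches the check hash: nothing decrypts."""
    return try_unlock(CHECK, CIPHERTEXT, GENERIC_WORDLIST)


def analyst_with_context():
    """Adding the victim-specific pair (e.g. from an infected host's directory listing)
    matches the check hash and recovers both the key and the plaintext."""
    return try_unlock(CHECK, CIPHERTEXT, GENERIC_WORDLIST + [(VICTIM_DIR, VICTIM_FILE)])


if __name__ == "__main__":
    print("generic wordlist:", analyst_without_context())
    print("with target context:", analyst_with_context())
```

The design point is that the check hash lets the attacker's own code verify it is on the intended machine before decrypting, and it lets an analyst verify a guess offline, but both need the right strings. That is why the public request for help amounted to asking for directory and file names from the relevant environments rather than for more CPU time against RC4.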

So far, Gauss infections have been concentrated in the Middle East, where it targets customers of financial institutions, but it is definitely worth keeping an eye on to see whether new infection hotspots appear, whether it spreads to the rest of the region, and whether it makes the jump to banking systems in the U.S. The effort spent protecting the payload suggests that the ultimate goal of Gauss is to compromise a small set of high-value targets that have not yet been identified.

All on the panel agreed on a couple of key points:

  1. New APTs are being developed as we speak, and they often share components and build on each other. Reverse engineering indicates that Gauss was being developed at around the same time that Duqu was released. The panel also noted that while some thought Duqu was fading into the sunset late last year, a new variant reappeared in March of this year.
  2. Where possible, an APT operator will avoid spending a zero-day exploit to get onto a new target. Each zero-day is treated as a silver bullet by the attacker: once it is used, it is one less round of ammunition for future attacks, because defenders will reverse engineer the exploit, learn from it, and release patches and detections for it.

In the end, administrators can better protect their resources with a few key strategies: keep software up to date, use a 64-bit platform (some APT components will not run on x64 systems; one reason is that 64-bit Windows refuses to load unsigned kernel-mode drivers), use unique, strong passwords, perform backups, and log all system activity. As we all know, a company's best resource for protecting itself is its employees. Security is only as good as the weakest link; technology only provides the tools that administrators and users rely on to interpret and respond to events.

Notes

  1. Craig Anderson submitted this to 403labs