The April edition of the Hacker Intelligence Initiative report from security provider Imperva examines something we have long been aware of – the “Non-Advanced Persistent Threat,” or how many of the methods employed in so-called Advanced Persistent Threat (APT) attacks require only basic technical skills to carry out.
Many of the most high-profile breaches have hinged on simple and quite preventable methods such as social engineering and the use of widely available toolkits. That has made the notion of APTs the subject of much contempt whenever such simple attacks are characterized as sophisticated in the media.
“As our research team reveals in our Hacker Intelligence Initiative Report, some APTs are relatively simple to execute. There needs to be a fundamental shift in how we view APTs and how we protect against them,” said Amichai Shulman, CTO of Imperva.
“These types of attacks are difficult to prevent and our report shows that they can be conducted relatively easily. In order to mitigate damage, security teams need to understand how to protect critical data assets once intruders have already gained access.”
The report examines the process by which attackers escalate privileges and collect intelligence in order to breach a defended network without ever having to resort to zero-day exploits or other sophisticated methods that are far more costly to pursue.
Key findings include:
- Data breaches commonly associated with APT can be achieved by relatively simple (and commonly available) means, using basic technical skills
- Built-in Windows functionality, combined with seemingly “innocent” file shares and SharePoint sites, can provide attackers with an entry point to an organization’s most critical data
- A mitigation strategy should be implemented that focuses on monitoring the authentication process itself and data access patterns, in addition to tailoring authorization mechanisms for increased security
“This research examines how attacks target commonly known weaknesses in the Windows NTLM protocol, a standard Microsoft authentication protocol. This protocol, while considered weak, is still widely used in corporate environments,” the company stated.
“The research then shows how attackers can exploit these vulnerabilities to expand their reach within a target organization and access critical data assets. Finally, the report details how organizations can protect themselves and their most sensitive data against the outcomes of such attacks.”
Advice in the report includes:
- While upgrading to more secure authentication protocols is always a good idea, it’s not the silver bullet for stopping APTs. You actually need relatively simple file security to protect against a relatively significant threat
- Mitigation of these kinds of attacks should focus on monitoring the authentication process itself and on data access patterns, rather than the authentication protocol and authorization mechanisms
- Privileged processes inside the network that routinely authenticate to endpoints are a potential threat vector
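The monitoring advice above (watch the authentication process and data access patterns, and treat privileged accounts that routinely authenticate to endpoints as a threat vector) can be turned into two concrete detections. The following is an added example written for this page, not code from Imperva or the report. It runs two heuristics over a constructed set of records whose fields mimic a Windows Security event 4624 (successful logon): an account reaching many distinct hosts over NTLM network logons within a short window, which is what harvesting file shares and SharePoint sites looks like from the server side, and a privileged account authenticating from a source outside its usual baseline. The account names, host names, the privileged-account list and the baseline are all assumptions made for the example; the thresholds are starting points, not values taken from the report.

```python
"""Toy detections for NTLM authentication monitoring.

Records below are constructed for this example. Their fields mimic a
Windows Security event 4624 (Account Name, Workstation Name, target host,
Logon Type, Authentication Package); no real event log is parsed here.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    ts: int          # seconds on an arbitrary constructed timeline
    account: str     # Account Name
    source: str      # Workstation Name the logon originated from
    target: str      # host that accepted the logon (the collecting server)
    logon_type: int  # 3 = network logon (file shares, SharePoint, RPC)
    package: str     # Authentication Package: "NTLM" or "Kerberos"


# Constructed sample: a backup service account that normally authenticates
# only from SRV-BACKUP, a normal user (alice), and a workstation (WS-BOB)
# that both steals the service account and fans out across hosts.
SAMPLE = [
    Logon(100, "svc_backup", "SRV-BACKUP", "FS01", 3, "NTLM"),
    Logon(160, "svc_backup", "SRV-BACKUP", "FS02", 3, "NTLM"),
    Logon(220, "svc_backup", "SRV-BACKUP", "SP01", 3, "NTLM"),
    Logon(300, "alice", "WS-ALICE", "FS01", 3, "Kerberos"),
    Logon(320, "alice", "WS-ALICE", "SP01", 3, "Kerberos"),
    # Privileged account now authenticating from a user workstation:
    Logon(400, "svc_backup", "WS-BOB", "FS01", 3, "NTLM"),
    # One workstation user touching many hosts over NTLM within seconds:
    Logon(500, "bob", "WS-BOB", "FS01", 3, "NTLM"),
    Logon(505, "bob", "WS-BOB", "FS02", 3, "NTLM"),
    Logon(510, "bob", "WS-BOB", "SP01", 3, "NTLM"),
    Logon(515, "bob", "WS-BOB", "DC01", 3, "NTLM"),
    Logon(520, "bob", "WS-BOB", "HR-DB", 3, "NTLM"),
]

# Assumed inventory: which accounts are privileged and where each one is
# expected to authenticate from. In practice this comes from AD group
# membership and a learned baseline, not a hard-coded dict.
PRIVILEGED = {"svc_backup"}
EXPECTED_SOURCE = {"svc_backup": {"SRV-BACKUP"}}


def ntlm_network_logons(records):
    """Keep only NTLM network logons; Kerberos and interactive logons are out of scope."""
    return [r for r in records if r.logon_type == 3 and r.package == "NTLM"]


def fan_out_alerts(records, window=60, threshold=4):
    """Accounts that reach >= threshold distinct hosts over NTLM within `window` seconds.

    Returns {account: set_of_hosts} for the first window that trips the threshold.
    """
    by_account = defaultdict(list)
    for r in ntlm_network_logons(records):
        by_account[r.account].append(r)
    alerts = {}
    for account, rs in by_account.items():
        rs.sort(key=lambda r: r.ts)
        for i, start in enumerate(rs):
            hosts = {r.target for r in rs[i:] if r.ts - start.ts <= window}
            if len(hosts) >= threshold:
                alerts[account] = hosts
                break
    return alerts


def privileged_source_alerts(records, privileged=PRIVILEGED, baseline=EXPECTED_SOURCE):
    """Privileged accounts authenticating over NTLM from a source outside their baseline."""
    return [
        (r.account, r.source, r.target)
        for r in ntlm_network_logons(records)
        if r.account in privileged and r.source not in baseline.get(r.account, set())
    ]


if __name__ == "__main__":
    print("fan-out over NTLM:", fan_out_alerts(SAMPLE))
    print("privileged account from unexpected source:", privileged_source_alerts(SAMPLE))
```

On the constructed sample the fan-out check fires for `bob` (five distinct hosts in twenty seconds) and the baseline check fires once for `svc_backup` arriving from `WS-BOB`. Note what the second heuristic catches that the first does not: a single logon, at normal pace, is enough to flag a privileged credential being replayed from the wrong machine, which is the "privileged processes that routinely authenticate to endpoints" vector the report points at. Kerberos logons are deliberately excluded so the detector stays focused on the NTLM traffic the report is about; widening it is a one-line change to `ntlm_network_logons`.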