I read an article the other day about Advanced Persistent Threats vs. Targeted Attacks. It had some insightful information that got me thinking about hackers of today. I think we all can agree that the word hack or hacker has changed since its inception. One of my favorite movies back in the ’90s was called “Hackers”. I wanted to be those guys. Not just because I could possibly date Angelina Jolie, but I wanted to be able to become a lord among nerds. The hacking that the movie highlighted was the mischievous kind and had very playful tones of “we are the good guys, the corporations are the bad guys”. I think that this kind of mindset still exists today. Corporations and governments are seen to have all the power, and new generations of hackers, crackers, and organized syndicates are chanting the mantra “Mess with the best, die like the rest”. So the threat is real. People want what you have, and the most valuable currency of our age is information. No matter what buzzword is being used to describe the attacker, or what the end goal of the attack may be, it’s a reality. The question so many are asking is how do we really protect ourselves from the jelly of the month club (buzzword of the month for cyber threats like APT)? You know you are going to get jelly each month (attacked), but it’s probably going to have a different name and slightly different flavor (threat rebranded). I always keep in mind that at the end of the day, it’s still jelly. I pretty much know what to do with it (protect, detect, and correct). Unless of course it’s grape flavor. Then I just throw it away. But enough about my preserve obsession.
How does STEALTHbits Technologies play into the equation?
Before we answer the question of how we play into the equation, I wanted to break down what an Advanced Persistent Threat (APT) in my mind really is. An APT in the cyber arena refers to an attacker that compromises a target. You can dress up the lingo as much as you want, but at the end of the day attacker Alpha attempts to compromise target Bravo with unyielding determination. Remember, they want what you have and will figure out a way to get it. I don’t differentiate a targeted attack and an APT attack the same way many do. Sure, targeted attacks are often purpose-built and widespread. They often happen much faster and don’t play the long game like an APT will. However, the goal is still the same, and the only difference is the determination of the attacker to win.
Do we address targeted attacks or advanced persistent threats?
I will answer this question with a resounding yes. We address targeted attacks and advanced persistent threats with a very focused protect, detect, and correct methodology. It helps to break an attack down into its component pieces to understand what our response would look like.
- Something is compromised
- A backdoor is established for command and control
- Credentials are compromised and escalated
- Reconnaissance: what data can be had, and what that data is worth
- With more credentials discovered and stolen in the recon phase, begin to access more systems and data
- Keep the backdoor open for command and control
- With the valued data identified and in hand, make a run for the back door with it
STEALTHbits looks for differences from an established baseline of activity, which is what lets us detect the threat. We allow proactive protection that disallows activity outside established parameters. Think of this like “Privilege escalation is nearly impossible from a workstation, because the only allowed method for adding a user to Domain Admins is from one server, with one credential, that has a password locked in a physical safe.” I could talk about privileged identity management here, but I will save that for another post. Our future is in the behavior of users and systems. We know how your systems and users SHOULD be acting, and when they deviate, we know it. This type of knowledge can stop an attacker at phase 1 or phase 2.
Now let’s say something does get past the walls and is identified in other ways. Our technology gives customers the tools needed to correct problems caused by malicious activity, because we know what it looked like before the attack. Recovering from a successful targeted attack or APT isn’t as easy as pressing a button.
The real strength in what we do, beyond detecting and protecting from an attack, is being able to give our customers the ability to identify what kind of data an attacker would be after BEFORE it happens. This type of information helps you plan for where to put the moat, walls, and sharks with lasers. Once you know the value of what you have, you can more easily plan how to protect it.
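The “one server, one credential” baseline above, turned into a small deviation check over constructed audit records. This is an added example written for this post, not STEALTHbits code; the baseline contents, the pipe-delimited log format, the host and account names, and all sample events are assumptions made up for illustration.

```python
from typing import NamedTuple
# Hypothetical baseline mirroring the post's example: the only sanctioned way to
# add a member to Domain Admins is from one server, using one credential.
BASELINE = {"Domain Admins": {"hosts": {"ADMIN-JUMP01"}, "actors": {"CORP\\brkglass"}}}

class GroupChange(NamedTuple):
    timestamp: str
    actor: str        # account that issued the change
    source_host: str  # host the change came from
    group: str        # group modified
    member: str       # account added

def parse_line(line):
    """Parse one constructed pipe-delimited audit line; None if malformed."""
    parts = line.strip().split("|")
    return GroupChange(*parts) if len(parts) == 5 else None

def deviations(change):
    """Reasons the change departs from the baseline; empty list means sanctioned."""
    policy = BASELINE.get(change.group)
    if policy is None:
        return []  # group is not under a privileged-change policy
    reasons = []
    if change.source_host not in policy["hosts"]:
        reasons.append(f"unexpected source host {change.source_host}")
    if change.actor not in policy["actors"]:
        reasons.append(f"unexpected actor {change.actor}")
    return reasons

def audit(lines):
    """Return (change, reasons) for each parseable line that deviates; skip junk."""
    flagged = []
    for change in filter(None, map(parse_line, lines)):
        reasons = deviations(change)
        if reasons:
            flagged.append((change, reasons))
    return flagged

# Constructed sample events (not real logs): a sanctioned change, an escalation
# issued from a workstation, a non-privileged group change, and a truncated line.
SAMPLE_LOG = [
    "2024-05-01T02:14:09Z|CORP\\brkglass|ADMIN-JUMP01|Domain Admins|CORP\\new-da",
    "2024-05-01T02:31:55Z|CORP\\jdoe|WKSTN-117|Domain Admins|CORP\\svc-backup",
    "2024-05-01T03:02:10Z|CORP\\jdoe|WKSTN-117|Helpdesk|CORP\\intern1",
    "2024-05-01T03:05:00Z|CORP\\jdoe|WKSTN-117",
]

if __name__ == "__main__":
    for change, reasons in audit(SAMPLE_LOG):
        print(f"{change.timestamp} {change.group} += {change.member}: {'; '.join(reasons)}")
```

Only the workstation-origin addition to Domain Admins is flagged; the Helpdesk change is outside the policy and the truncated line is skipped rather than crashing the check.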
Brad Bussie is an award-winning fifteen-year veteran of the information security industry. He holds an undergraduate degree in information systems security and an MBA in technology management. Brad possesses premier certifications from multiple vendors, including the CISSP from ISC2. He has a deep background architecting solutions for identity management, governance, recovery, migration, audit, and compliance. Brad has spoken at industry events around the globe and has helped commercial, federal, intelligence, and DoD customers solve complex security issues.