by Kim Zetter.
Rob Joyce, NSA Hacker Chief said “In the world of advanced persistent threat actors (APT) like the National Security Agency (NSA), credentials are king for gaining access to systems. Not the login credentials of your organization’s VIPs, but the credentials of network administrators and others with high levels of network access and privileges that can open the kingdom to intruders. Per the words of a recently leaked NSA document, the NSA hunts sysadmins.”
Advanced Persistent Threats (APTs) are one of the most dangerous and difficult threats to discover and respond to in cybersecurity today. In the past, APTs were only used against nation states and their government agencies in espionage and to gain political intelligence. However, today, APT actors are more prevalent than ever in day-to-day cyber-attacks. The recent attack on the Office of Personnel Management, Target, Anthem Health Care, and the Democratic National Committee (DNC) are just a few examples where millions of records were stolen over a long period of time and the organization that was attacked did not even know there was an adversary in their networks. The DNC dwell time is estimated to be in excess of one (1) year.
APTs most typically involve pre-planning, lateral movement, and remote code execution. They sometimes include brute force attacks. The reality is, even if malware is involved in the ultimate attack, prior to planting malware on your network more than 70% of APTs include substantial reconnaissance of your network and significant lateral movement.
Three Signs that you have an Ongoing APT?
- Elevated Logons at Night. APTs almost always steal valid credentials, dump passwords, and elevate permissions, then they move laterally throughout your network. Ultimately, they find the data they really want and store it within your network or filtrate it externally. Often, the authenticated credentials look like valid users, but act differently. They move throughout the network, often at night, when the legitimate user is sleeping.
- Finding Malware (Trojans) – APT actors often install backdoor Trojans within the target network. This way, they can maintain access to your network even if you find their less sophisticated access ports. They also dump passwords just in case their initial credentials are changed by users.
- Anomalous Data Flows – The final sign is to look for data flows within the internal organization that are different than before. This means that your authenticated users are logging on to systems that they never log onto. It might be servers, servers-toclient or, network-to-network connections. They way to discover this is by watching the disposition of every user account on the network. Geo-locating where logons are occurring will help, since most of your authenticated users logon locally rather than remotely.
What Does an APT Solution Require?
APT actors compromise organizations in minutes but persist for months to years. They can do this because of the defensive and detection tactics that organizations currently use. Detection tactics include Network Device Events, Logging, Network Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), Host IDS/IPS, Antivirus, File Integrity Monitoring (FIM) and Whitelisting, and Security Information and Event Management (SIEM).5
- Logging – Centralized logging is a primary control used by large organizations to detect security incidents and changes on the network. Most organizations however, do not have sufficient personnel, nor resources to search or hunt through petabytes of data to look for anomalies.
- Network Device Events – Network and Host IDSs/IPSs detect well-known signatures of attacks or unusual patterns in traffic but they also generate lots of false alarms. They do provide lots of useful data about attacks directed at endpoints on the network.
- Antivirus – While it appears that antivirus is becoming less important over time, it still provides the ability to recognize the well-known signatures that are often used by attackers.
Organizations must have effective tools that increase their detection capabilities, especially when it comes to stolen credentials. Organizations need to be able to know the disposition of each of their users on the network. This is very difficult, if not impossible, to do without automation.
The Solution – You need Adlumin’s Sentry Platform
Sentry Platform analyzes user behavior and continuously monitors the authentication of credentials. It analyzes every user’s behavior on the network and creates a pattern of life for those users utilizing intelligent mathematical algorithms to determine when anomalies occur and what events need to be further investigated. Sentry Platform helps you detect, prioritize, and reduce the time necessary to respond to threats within your network.
Sentry Platform consists of:
- Detects remote execution of code, user activity and behavior, and lateral movement and adversarial activity.
- Targeted User & Entity Behavioral Analytic algorithms to discover anomalous user activity.
- Active Defense capabilities that help you bait and trap the adversary into giving away his position within your network.
- Responsive dashboard that provides real-time detections and de-tailed visualizations of event sequences across multiple systems.
• An easy software deployment strategy that begins defending your network in minutes with no time for environmental learning.