Identifying cyber threats and anomalies is like finding a needle in a haystack. It is safe to say that with advanced persistent threats (APTs) in the picture, the needle stays where it was, only that the haystack has multiplied and spread across several million barns. Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) notified about cyber intrusions by APT actors targeting the U.S. think-tanks.
By Augustin Kurian, Senior Feature Writer, CISO MAG
According to the release, “APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spear-phishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities.” The federal bodies also noted that remote working due to COVID-19 and the reliance on remote connectivity, have given way for malicious actors to launch targeted attacks. The agencies also advised individuals to be more cyber aware.
Ed Bishop, CTO and co-founder of Tessian, told CISO MAG, “The FBI and CISA are right to advise people working in the U.S think-tanks to ‘adopt a heightened state of awareness’ when you consider the damage that could be caused should an employee fall for the scam.”
He continued, “Hacking humans over email is one of the easiest ways for cybercriminals to hack into organizations. And they’re getting better at it, using clever social engineering techniques and impersonating trusted third parties to trick victims into sharing information or account credentials.
“If an individual were to unknowingly share their user credentials with a cybercriminal, the hacker could not only access the victim’s network but could also send emails from the person’s account, making it look like the messages they were sending were 100% legitimate and, potentially, influencing U.S. policies.”
He stressed how spear-phishing attacks, like this, are low-effort but “high-reward,” which is often the reason “why they won’t be going away any time soon.” He also opined that “the threat has only been exacerbated by the shift to remote work. People are more reliant on email to stay connected with colleagues, customers, and suppliers, and our survey found that half of the employees are less likely to follow safe data practices when working from home. As people in these powerful and influential organizations continue to work away from the office, IT teams must put measures in place to automatically detect spear-phishing attacks and alert people to the threat in their inbox, warning them to think twice before clicking.”
Going Under the Radar
Since the onset of COVID-19, targeted attacks against individuals are on the rise. In October, in a joint security alert, CISA and the FBI had observed APT actors targeting federal and state, local, tribal, and territorial (SLTT) government networks, and non-government networks. In that instance, APT actors had leveraged legacy network access and exploited critical Netlogon vulnerability CVE-2020-1472, which had the CVSSv3 score of 10.0. Russian hacker groups APT28 and APT29 were also accused of targeting election campaigners, political organizations, and COVID-19 vaccine research, respectively.
APT: An Epidemic
Though APTs only account for about 20% of all cyberattacks, if successful in their execution, the severity of APTs overshadows their numbers by leaps and bounds. Targeted attacks like APTs have siphoned billions of dollars from banks and several other critical infrastructures. These billions include the cost of responding to the attack and restoring systems as well as the loss of public confidence and the institution’s reputation.
“Today most of the organizations or at least the critical part of their networks, are protected by multiple layers of security defenses ranging from Firewall, IPS, Antivirus, Anti-Spam gateways, etc. The attacks can no longer be running a simple executable with exploiting know vulnerabilities (although it may succeed in many cases with due care, is not practiced in security parlance). Enter APT, the most advanced kit attackers use,” Sairam Jetty, a cybersecurity expert.
He continued, “APT relies on two main things: covertness and persistence. The attack might contain a chain of activities by the delivered malware. Some traits followed in the attack are like maintaining low footprint, exploiting zero-day vulnerabilities, scanning the network and exploiting further systems and establishing a secure and covert channel with CnC which looks benign and might not be detected by security solutions.”
What can you do?
At the human level, it is advisable to follow the practices that are suggested by the CISA and FBI. These include:
- Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.
- Log off remote connections when not in use.
- Be vigilant against tailored spear-phishing attacks targeting corporate and personal accounts (including both email and social media accounts).
- Use different passwords for corporate and personal accounts.
- Install antivirus software on personal devices to automatically scan and quarantine suspicious files.
- Employ strong multi-factor authentication for personal accounts, if available.
- Exercise caution when: Opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments; Using removable media (e.g., USB thumb drives, external drives, CDs).
IT Staff/Cybersecurity Personnel
- Segment and segregate networks and functions.
- Change the default username and password of applications and appliances.
- Employ strong multi-factor authentication for corporate accounts.
- Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.
What can enterprises do?
Machine learning is one of the most potent solutions for dealing with advanced threats as machines often prove useful in finding abnormalities in traffic. “Here I believe, machine learning and predictive analytics can come together for day-to-day security monitoring to proactively determine and mitigate threats by monitoring hundreds of parameters in network and transaction data and identify patterns such as suspicious activity before it progresses into a full-scale attack. This can be of great value especially when the traditional way of spotting an anomaly is becoming difficult as hackers use more advanced methods each time,” Sairam concluded.
About the Author
Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.