4 Ways to Stop APT Attacks Using Web Intelligence

4 Ways to Stop APT Attacks Using Web Intelligence

May 22, 2014 • Matt Kodama

In case you missed it, below is a brief recap of our webinar yesterday with Oren Falkowitz.

Oren began with a baseline, observing most efforts to combat APTs (Advanced Persistent Threats) focus on identifying adversary tools and techniques. These telltales improve detection, but compromise is all but assumed.

How can web intelligence reduce the delta time between intrusion and detection, or even enable prevention? Oren identified four proven areas. Here are those four, each with an example.

1. Motivations and Patterns

Campaigns begin with social engineering attacks against weak links in your security. This may manifest as a well-crafted phish email to executives, or embedding malicious links in a legitimate company website. Adversaries exploit current events to craft phishbait, and analysis of past campaigns against targets in your industry reveals these patterns. Armed with these patterns, OSINT alerts you when your company will be a ripe target for social engineering attacks, regardless of adversary attribution or tools, techniques, and tactics (TTP). Public disclosure of travel by senior leaders travel is a simple example. Major geopolitical events clearly align with state-sponsored APT responses.

2. Commonalities Across Victims

Although polymorphic malware creates the appearance of individual targeting, few campaigns are devoted to a single target. Broad and early awareness of attacks and breaches at peer companies can surface new campaigns before your company is targeted. Our recent case study on POS malware trends prior to the Target breach illustrates how web intelligence can cut through the noise of “hacker chatter” and reveal early indicators of new attacks.

3. Timing and Messaging

Returning to social engineering, attacks have a built-in audience by leveraging touchstone events for their target community, and recycling messaging with proven resonance. These touchstones can be as simple as political anniversaries and publicly scheduled events. Prior reporting of the event by the target community is a messaging primer. For example, Kaspersky’s dissection of Syrian watering-hole attacks offers clues to messaging for future attacks on regime opponents timed to anniversaries of high-profile atrocities in the Syrian civil war.

4. Data Exfiltration

APT campaigns are time consuming and expensive. Data exfiltrated from other targets may hit the black market while cyber criminals in your network are still in recon or lateral movement stages. Recent analysis by Brian Krebs shows how reported exfiltration serves as a targeting alert to companies with similar data holdings, even if the specific attribution and TTPs are unknown.

Ideas in Action

Recent Recorded Future research applied these concepts to current, known APTs in two examples.

1. We collaborated with the ThreatConnect Intelligence Research Team (TCIRT) to help identify multiple instances of Chinese APTs, targeting numerous Southeast Asian entities. (Full Analysis)

2. In our Hidden Lynx report, we visualized open source intelligence that demonstrated overlapping infrastructure, tools, and exploits used in the VOHO campaign with those employed in Operations Aurora, DeputyDog, and Ephemeral Hydra. (Full Analysis)

New call-to-action

Related Posts

5 Notable Quotes from Predict21: Wednesday, October 13th

5 Notable Quotes from Predict21: Wednesday, October 13th

October 13, 2021 • The Recorded Future Team

Predict21 is a wrap! Over the course of two days, there were more than 40 presentations and 70...

5 Notable Quotes from Predict21, Tuesday, October 12th

5 Notable Quotes from Predict21, Tuesday, October 12th

October 12, 2021 • The Recorded Future Team

Today we kicked off Predict21: The Intelligence Summit, Recorded Future’s annual event focused on...

How The Stadtwerke Klagenfurt Group Reduces Risk to Critical Infrastructure

How The Stadtwerke Klagenfurt Group Reduces Risk to Critical Infrastructure

November 17, 2020 • The Recorded Future Team

Key Takeaways The Stadtwerke Klagenfurt Group delivers essential municipal services,...