4 Ways to Stop APT Attacks Using Web Intelligence

May 22, 2014 • Matt Kodama

In case you missed it, below is a brief recap of our webinar yesterday with Oren Falkowitz.

Oren began with a baseline, observing most efforts to combat APTs (Advanced Persistent Threats) focus on identifying adversary tools and techniques. These telltales improve detection, but compromise is all but assumed.

How can web intelligence reduce the delta time between intrusion and detection, or even enable prevention? Oren identified four proven areas. Here are those four, each with an example.

1. Motivations and Patterns

Campaigns begin with social engineering attacks against weak links in your security. This may manifest as a well-crafted phish email to executives, or embedding malicious links in a legitimate company website. Adversaries exploit current events to craft phishbait, and analysis of past campaigns against targets in your industry reveals these patterns. Armed with these patterns, OSINT alerts you when your company will be a ripe target for social engineering attacks, regardless of adversary attribution or tools, techniques, and procedures (TTPs). Public disclosure of travel by senior leaders is a simple example. Major geopolitical events clearly align with state-sponsored APT responses.

2. Commonalities Across Victims

Although polymorphic malware creates the appearance of individual targeting, few campaigns are devoted to a single target. Broad and early awareness of attacks and breaches at peer companies can surface new campaigns before your company is targeted. Our recent case study on POS malware trends prior to the Target breach illustrates how web intelligence can cut through the noise of “hacker chatter” and reveal early indicators of new attacks.

3. Timing and Messaging

Returning to social engineering, attacks have a built-in audience by leveraging touchstone events for their target community, and recycling messaging with proven resonance. These touchstones can be as simple as political anniversaries and publicly scheduled events. Prior reporting of the event by the target community is a messaging primer. For example, Kaspersky’s dissection of Syrian watering-hole attacks offers clues to messaging for future attacks on regime opponents timed to anniversaries of high-profile atrocities in the Syrian civil war.
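One way a defender can operationalize sections 1 and 3 together: keep a calendar of OSINT touchstones (anniversaries, publicly disclosed leadership travel) and, inside each event's lead-up window, score inbound mail subjects against the messaging that prior reporting makes likely. This is an added example, not code from the webinar or from Recorded Future; the event list, keywords, window sizes and subjects are all constructed sample data.

```python
"""Time-windowed phishing watch driven by an OSINT touchstone calendar.

Added example, not from the original post. Events, keywords, window sizes
and inbound subjects are constructed sample data, not real observations.
"""
from datetime import date, timedelta

# Constructed OSINT calendar: (event date, label, terms an adversary is likely
# to recycle from prior public reporting of that event).
TOUCHSTONES = [
    (date(2014, 6, 4), "protest anniversary",
     {"anniversary", "memorial", "vigil"}),
    (date(2014, 6, 10), "CEO keynote at industry summit",
     {"summit", "keynote", "agenda"}),
]

LEAD_DAYS = 7   # assumed: phishbait tends to land ahead of the event
LAG_DAYS = 2    # assumed: and shortly after, riding the news cycle


def active_windows(today):
    """Return the touchstones whose alert window covers `today`."""
    return [
        (d, label, kws) for d, label, kws in TOUCHSTONES
        if d - timedelta(days=LEAD_DAYS) <= today <= d + timedelta(days=LAG_DAYS)
    ]


def tokenize(text):
    """Lowercase word set with surrounding punctuation stripped."""
    return {w.strip(".,:;!?\"'()-").lower() for w in text.split()}


def score_subject(subject, today):
    """Count keyword hits against every touchstone that is active today.

    Returns (score, [matched event labels]). A score above zero means the
    message reuses messaging that resonates with an event the target
    community is watching, at the time such phishbait is most likely;
    route it for closer review rather than relying on known TTPs alone.
    """
    words = tokenize(subject)
    score, hits = 0, []
    for _, label, kws in active_windows(today):
        matched = words & kws
        if matched:
            score += len(matched)
            hits.append(label)
    return score, hits


if __name__ == "__main__":
    # Constructed inbound subjects, checked the day after the anniversary.
    for s in ["Updated agenda for the summit keynote - please confirm",
              "Q2 expense report reminder"]:
        print(s, "->", score_subject(s, date(2014, 6, 5)))
```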

4. Data Exfiltration

APT campaigns are time consuming and expensive. Data exfiltrated from other targets may hit the black market while cyber criminals in your network are still in recon or lateral movement stages. Recent analysis by Brian Krebs shows how reported exfiltration serves as a targeting alert to companies with similar data holdings, even if the specific attribution and TTPs are unknown.

Ideas in Action

Recent Recorded Future research applied these concepts to current, known APTs in two examples.

1. We collaborated with the ThreatConnect Intelligence Research Team (TCIRT) to help identify multiple instances of Chinese APTs, targeting numerous Southeast Asian entities. (Full Analysis)

2. In our Hidden Lynx report, we visualized open source intelligence that demonstrated overlapping infrastructure, tools, and exploits used in the VOHO campaign with those employed in Operations Aurora, DeputyDog, and Ephemeral Hydra. (Full Analysis)

