4 Ways to Stop APT Attacks Using Web Intelligence

Posted: 22nd March 2014

In case you missed it, below is a brief recap of our webinar yesterday with Oren Falkowitz.

Oren began with a baseline observation: most efforts to combat APTs (Advanced Persistent Threats) focus on identifying adversary tools and techniques. These telltales improve detection, but by the time they fire, compromise is all but assumed.

How can web intelligence shorten the time between intrusion and detection, or even enable prevention? Oren identified four proven areas. Here are those four, each with an example.

1. Motivations and Patterns

Campaigns typically begin with social engineering against the weakest links in your security: a well-crafted phishing email to executives, or malicious links planted on a legitimate company website. Adversaries exploit current events to craft phishbait, and analysis of past campaigns against targets in your industry reveals the patterns. Armed with those patterns, OSINT can alert you when your company is about to become a ripe target for social engineering, regardless of adversary attribution or tactics, techniques, and procedures (TTPs). Public disclosure of senior leaders' travel is a simple example. Major geopolitical events likewise align clearly with state-sponsored APT activity.

2. Commonalities Across Victims

Although polymorphic malware creates the appearance of individual targeting, few campaigns are devoted to a single target. Broad and early awareness of attacks and breaches at peer companies can surface a new campaign before your company is hit. Our recent case study on POS malware trends prior to the Target breach illustrates how web intelligence can cut through the noise of “hacker chatter” and reveal early indicators of a new attack.
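One way to turn awareness of peer breaches into detection, as an added example that is not from the webinar and not Recorded Future's tooling: take the indicators that public reporting on a peer's breach gives you (here constructed: campaign labels, a domain, a file hash, a sender address and the report dates), sweep your own proxy, endpoint and mail logs (also constructed) for them, and summarize per campaign when the activity was first seen locally and how old the public report was at that point. The staleness flag is the caveat a hunter wants: indicators from months-old reports often match sinkholed or re-registered infrastructure and should be confirmed before escalation. Every name, host and log line below is made up for illustration.

```python
"""Sweep local telemetry for indicators taken from public reporting on
attacks against peer organisations.  Constructed example: every campaign
name, indicator, host and log line below is made up for illustration."""
import re
from datetime import datetime

# Indicators as they might be extracted from public breach reports about
# peers in the same industry (constructed, not from any real report).
PEER_INDICATORS = [
    {"campaign": "retail-pos-wave", "type": "domain", "published": "2014-01-12",
     "value": "update-check.example.net"},
    {"campaign": "retail-pos-wave", "type": "sha256", "published": "2014-01-12",
     "value": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"},
    {"campaign": "exec-travel-phish", "type": "sender", "published": "2014-02-03",
     "value": "travel-desk@example.org"},
]

# Constructed telemetry in a simple "timestamp key=value ..." layout.
PROXY_LOGS = [
    "2014-03-10T09:14:02Z host=wks-117 user=jdoe dst=update-check.example.net uri=/u/ping.php status=200",
    "2014-03-10T09:14:05Z host=wks-117 user=jdoe dst=www.example.com uri=/ status=200",
    "2014-03-10T09:20:41Z host=wks-117 user=jdoe dst=update-check.example.net uri=/u/get.php?id=7 status=200",
]
ENDPOINT_LOGS = [
    "2014-03-10T10:01:00Z host=pos-reg-04 event=process_create path=C:\\Windows\\Temp\\svch0st.exe "
    "sha256=0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0",
]
MAIL_LOGS = [
    '2014-02-20T07:02:55Z from=Travel-Desk@example.org to=cfo@corp.example subject="Itinerary update"',
    '2014-03-11T12:00:00Z from=hr@corp.example to=all@corp.example subject="Benefits enrollment"',
]

# Log field(s) each indicator type is compared against.
FIELDS_FOR_TYPE = {"domain": ("dst",), "sha256": ("sha256",), "sender": ("from",)}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_kv(line):
    """Split 'ts k=v k="quoted v"' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, val in KV_RE.findall(rest):
        fields[key] = val.strip('"')
    return fields


def sweep(log_lines, indicators):
    """Return one hit per (line, indicator) match, ordered by event time.
    Matching is case-insensitive so 'Travel-Desk@' still hits 'travel-desk@'."""
    lookup = {(i["type"], i["value"].lower()): i for i in indicators}
    hits = []
    for line in log_lines:
        rec = parse_kv(line)
        for itype, fields in FIELDS_FOR_TYPE.items():
            for field in fields:
                ind = lookup.get((itype, rec.get(field, "").lower()))
                if ind is not None:
                    hits.append({"ts": rec["ts"], "campaign": ind["campaign"],
                                 "type": itype, "value": ind["value"],
                                 "published": ind["published"], "line": line})
    hits.sort(key=lambda h: h["ts"])
    return hits


def summarize(hits, stale_after_days=180):
    """Per campaign: first local sighting, event count, and how old the public
    report was at that sighting.  A negative age means the activity predates
    the report (a retrospective hunt found it).  'stale' flags indicators older
    than stale_after_days: such infrastructure is often sinkholed or
    re-registered, so treat those hits as leads to confirm, not alerts."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["campaign"], {"first_seen": h["ts"], "events": 0,
                                               "published": h["published"]})
        s["events"] += 1
        if h["ts"] < s["first_seen"]:
            s["first_seen"], s["published"] = h["ts"], h["published"]
    for s in summary.values():
        age = (datetime.strptime(s["first_seen"], TS_FMT)
               - datetime.strptime(s["published"], "%Y-%m-%d")).days
        s["report_age_days"] = age
        s["stale"] = age > stale_after_days
    return summary


if __name__ == "__main__":
    all_hits = sweep(PROXY_LOGS + ENDPOINT_LOGS + MAIL_LOGS, PEER_INDICATORS)
    for campaign, s in summarize(all_hits).items():
        print(campaign, s)
```

The report-age figure is the number the webinar's argument turns on: a small positive age means the indicator was public before the activity appeared on your network, so the hit could have been an alert the moment it happened rather than a forensic finding months later.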

3. Timing and Messaging

Returning to social engineering: attacks arrive with a built-in audience when they leverage touchstone events for the target community and recycle messaging that has already proven to resonate. These touchstones can be as simple as political anniversaries and publicly scheduled events, and prior reporting of the event within the target community previews the lure's messaging. For example, Kaspersky’s dissection of Syrian watering-hole attacks offers clues to the messaging of future attacks on regime opponents timed to anniversaries of high-profile atrocities in the Syrian civil war.

4. Data Exfiltration

APT campaigns are time consuming and expensive, so the same operation is worked across many victims. Data exfiltrated from other targets may hit the black market while the intruders in your network are still in the reconnaissance or lateral-movement stage. Recent analysis by Brian Krebs shows how reported exfiltration serves as a targeting alert for companies with similar data holdings, even when the specific attribution and TTPs are unknown.

Ideas in Action

Recent Recorded Future research applied these concepts to current, known APTs in two examples.

1. We collaborated with the ThreatConnect Intelligence Research Team (TCIRT) to help identify multiple instances of Chinese APTs targeting numerous Southeast Asian entities. (Full Analysis)

2. In our Hidden Lynx report, we visualized open source intelligence demonstrating that the infrastructure, tools, and exploits used in the VOHO campaign overlapped with those employed in Operations Aurora, DeputyDog, and Ephemeral Hydra.