The Back Door Threat To Cybersecurity


Advanced Persistent Threats (APTs) pose a unique challenge with motives, techniques, and tactics that differ from traditional cyberattacks.

An APT attack is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period.

Carefully planned and designed to infiltrate a specific organization, APTs evade existing security measures and fly under the radar. 


The four main goals of APTs are:

  • Cyber espionage: theft of intellectual property or state secrets
  • eCrime: financial gain
  • Hacktivism: attackers who call themselves activists and compromise vulnerable systems for social, political, or religious causes
  • Destruction: devastating an organization or its operations

Cyber thieves are constantly inventing novel and increasingly sophisticated ways to wreak havoc, leaving cybersecurity professionals playing catch-up in devising defenses. In its annual cybersecurity predictions for 2023, Forbes detailed the latest efforts by cybercriminals, including nation states, to disrupt systems and infrastructure.

Let's explore this cybersecurity threat and what steps can be taken to safeguard critical infrastructures, most of which operate in a digital environment that is internet accessible, creating certain vulnerabilities. This makes protecting critical infrastructure and safeguarding supply chains particularly challenging in democratic societies that are, by their nature, open and accessible.

APTs: What are they, where do they come from, and how do they work?

Designed by expert attackers, APTs are a subtle and persistent form of cyberattack that can remain undetected for long periods of time. Between infection and remediation, the intruder will typically monitor, intercept, and relay sensitive information. The intention of an APT is to exfiltrate data over time rather than to cause a visible network outage or denial of service; malware is used as a tool to get and keep access, not as the end goal.

Unlike other cyber hacks that make an instant impact like a bomb going off, an APT is a stealthy yet wildly destructive slow burn, able to inflict potentially disastrous and long-term damage to critical systems and stakeholders like the Department of Defense, the banking and financial systems, the power grid, and other critical applications related to communications and transportation.

APTs originate with “skilled attackers possessing advanced hacking tools, sophisticated techniques, and possibly large teams” and have traditionally been used by nation states or state-sponsored actors “to extract information for espionage or sabotage.”

Because an APT attack requires a high degree of sophistication and customization, adversaries are typically well-funded, experienced teams of cybercriminals that have invested time and extensive resources researching and identifying vulnerabilities within high-value organizations, platforms, and critical infrastructures that these same teams then seek to target.

For example, Chinese APT groups have used Remote Access Trojan (RAT) malware to compromise computers and then run PowerShell-based attacks, while Iranian APT groups have used a PowerShell attack that, because it never launches as a separate executable on disk, stays hidden from file-based security tools. Although teams have traditionally executed these attacks, a dedicated individual with advanced skills could also deploy an APT. Well-known examples over the years include Titan Rain, Sykipot, GhostNet, the Stuxnet worm, and Deep Panda.

APTs gain system access through a variety of methods: confidence schemes, social engineering, physical access to facilities, bribes, and extortion. Even more alarming, once access is gained it can be maintained through back doors implanted in servers, through installed software, and through the addition of attacker-controlled hardware to the network.

What are the three stages of an APT attack?

Before safeguards and protective protocols can be put into place to prevent, detect, and resolve a future APT, systems and trained cybersecurity professionals must recognize their characteristics. Most APTs follow the same basic life cycle: infiltrating a network, expanding access, and stealing sensitive data by extracting it from the network.

Stage 1: Infiltration

APTs often gain initial traction through social engineering; for example, a phishing email that selectively targets high-level individuals like senior executives or technology leaders, often using information obtained from other team members that have already been compromised. The email will look official, as if it has originated with a known team member and may even include accurate references to an ongoing project.

Stage 2: Escalation and Lateral Movement

Once initial access has been gained, attackers insert malware into an organization’s network to move to the second phase, expansion, when they move laterally to map the network and gather credentials such as account names and passwords in order to access critical business information. APTs may also establish a “backdoor” that allows them to sneak into the network to conduct stealth operations. Additional entry points are often established to ensure that the attack can continue if a compromised point is discovered and closed.

Stage 3: Exfiltration

In preparation for the third phase, the intruders typically stage stolen information in a location within the network until enough data has been collected, then move it out ("exfiltrate" it) without detection. One tactic is to launch a denial-of-service (DoS) attack as a distraction that ties up the security team and network personnel while the data leaves. The network may then remain compromised, waiting for the thieves to return at any time.

What are some of the warning signs?

While APTs are consistently exceptionally hard to identify, there are some signs that someone has gained access to your systems. These include:

  • Odd user account activity: for example, multiple logins from different locations in a short period, or frequent password changes.
  • Backdoor trojans: unexpected trojan horse malware across the environment; APTs rely on backdoor trojans to keep their access.
  • Unusual database activity: for example, changes to sensitive data, or repeated failed attempts to access it.
  • Suspicious data or files in the system: APTs collect what they steal into staging files (often large archives) before exfiltrating them.
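As an added example (not part of the original article), here is a small Python scanner that checks a constructed authentication and data-access log for the account, failed-access and staging-file signs listed above. The log format, field names, thresholds and the sample lines are all assumptions made for illustration; the MITRE ATT&CK technique IDs attached to the findings (T1078 Valid Accounts, T1098 Account Manipulation, T1074 Data Staged) are the standard labels for these behaviours and are added here for reference.

```python
"""Added example: scan a small constructed log for APT warning signs.
Log format, field names and thresholds are illustrative assumptions."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line:
#   <ISO time> <event> key=value ...
SAMPLE_LOG = """\
2023-03-01T02:10:05 login user=jsmith src=10.1.4.22 result=ok
2023-03-01T02:12:40 login user=jsmith src=10.7.9.3 result=ok
2023-03-01T02:13:01 login user=jsmith src=10.9.1.14 result=ok
2023-03-01T02:15:00 pwchange user=jsmith src=10.9.1.14 result=ok
2023-03-01T02:40:00 pwchange user=jsmith src=10.9.1.14 result=ok
2023-03-01T03:05:00 pwchange user=jsmith src=10.9.1.14 result=ok
2023-03-01T03:06:10 access user=jsmith src=10.9.1.14 obj=/finance/q4 result=fail
2023-03-01T03:06:11 access user=jsmith src=10.9.1.14 obj=/finance/q4 result=fail
2023-03-01T03:06:12 access user=jsmith src=10.9.1.14 obj=/finance/q4 result=fail
2023-03-01T03:06:13 access user=jsmith src=10.9.1.14 obj=/finance/q4 result=fail
2023-03-01T03:06:14 access user=jsmith src=10.9.1.14 obj=/finance/q4 result=fail
2023-03-01T03:06:15 access user=jsmith src=10.9.1.14 obj=/finance/q4 result=fail
2023-03-01T03:30:00 create user=jsmith src=10.9.1.14 obj=C:/Windows/Temp/a1.7z size=2147483648
2023-03-01T09:00:00 login user=alee src=10.1.4.30 result=ok
2023-03-01T09:01:00 access user=alee src=10.1.4.30 obj=/hr/handbook result=ok
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+(?P<rest>.*)$")
STAGING_RE = re.compile(r"\.(7z|zip|rar|tar\.gz)$", re.IGNORECASE)

# A finding names the account, the warning sign, detail text and an ATT&CK ID (or None).
Finding = namedtuple("Finding", "user sign detail attack_id")


def parse_log(text):
    """Parse the assumed 'time event k=v ...' format into a list of dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than fail the scan
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        fields["event"] = m.group("event")
        events.append(fields)
    return events


def _burst(times, count, window):
    """True if at least `count` timestamps fall inside any `window`-long span."""
    times = sorted(times)
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def detect(events, login_srcs=3, login_window=timedelta(hours=1),
           pw_changes=3, pw_window=timedelta(hours=24),
           fail_count=5, fail_window=timedelta(minutes=5),
           stage_min_bytes=500 * 1024 * 1024):
    """Apply the warning-sign heuristics per account and return the findings."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e.get("user", "?")].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])

        # Odd account activity: successful logins from many sources in a short window.
        logins = [(e["ts"], e.get("src")) for e in evs
                  if e["event"] == "login" and e.get("result") == "ok"]
        for i, (t0, _) in enumerate(logins):
            srcs = {s for t, s in logins[i:] if t - t0 <= login_window}
            if len(srcs) >= login_srcs:
                findings.append(Finding(user, "odd-account-activity",
                                        f"{len(srcs)} sources within {login_window}: {sorted(srcs)}",
                                        "T1078"))
                break

        # Frequent password changes on one account.
        pw = [e["ts"] for e in evs if e["event"] == "pwchange"]
        if _burst(pw, pw_changes, pw_window):
            findings.append(Finding(user, "frequent-password-changes",
                                    f"{len(pw)} changes within {pw_window}", "T1098"))

        # Unusual data activity: a burst of failed accesses to the same object.
        fails = defaultdict(list)
        for e in evs:
            if e["event"] == "access" and e.get("result") == "fail":
                fails[e.get("obj")].append(e["ts"])
        for obj, times in fails.items():
            if _burst(times, fail_count, fail_window):
                findings.append(Finding(user, "failed-access-burst",
                                        f"{len(times)} failures on {obj}", None))

        # Suspicious files: a large archive created in the environment (possible staging).
        for e in evs:
            if (e["event"] == "create" and STAGING_RE.search(e.get("obj", ""))
                    and int(e.get("size", 0)) >= stage_min_bytes):
                findings.append(Finding(user, "possible-staging-file",
                                        f"{e['obj']} ({int(e['size']) >> 20} MiB)", "T1074"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f.user:8} {f.sign:26} {f.attack_id or '-':6} {f.detail}")
```

The thresholds are deliberately loose so the heuristics fire on the sample; in production each would be tuned per environment and correlated across accounts, since an intruder who has already harvested several sets of credentials will spread the activity out to stay under any single-account threshold.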

Who is most vulnerable?

In the U.S., most of the critical infrastructure, like defense, oil and gas, electric power grids, ports, shipping, health care, utilities, communications, transportation, education, banking, and finance, is primarily owned by the private sector and regulated by the public sector. In government, particularly defense, securing critical infrastructure and the supply chain has been an evolving priority.

Although not defined as a critical infrastructure sector by the Department of Homeland Security, space is a priority asset for industry and for national security. When Russia invaded Ukraine, the network of satellite communications provider Viasat that served Ukraine was disrupted. In this rapidly changing digital era, satellite and space security is of growing importance because of the reliance on satellites for communications, security, intelligence, and commerce. Thousands of satellites are subject to cyber vulnerabilities from above and from below. The US Space Systems Command recently announced beta testing of cybersecurity guidance for commercial satellites. Russia and China are two of the most formidable threat actors against space communication systems, while Iran and North Korea remain viable threats.

The Pentagon recently outlined its zero-trust strategy roadmap while the Cybersecurity and Infrastructure Security Agency (CISA) updated its infrastructure resilience framework. Zero-trust architectures - the idea any person, device, or application trying to access a network cannot be trusted until authenticated and verified - are a core element. The DoD plans to put a zero-trust framework fully in place by 2027, and the Pentagon wants to ensure that all related technologies keep pace with industry innovation, and that policies and funding dovetail with zero trust approaches. The DoD noted that its systems are under "wide scale and persistent attack" from threat groups, particularly from China and other nation-states.

What to do

High-value targets must learn how to defend themselves against APT attacks. Current incident response efforts are labor intensive and can take months. The defense often lags attackers’ abilities to discover vulnerabilities that lead to critical assets. There is a pressing need to generate data-driven, machine-readable descriptions of how attacker tools behave, how attacker paths unfold, and how to label observable attack behavior to prevent it before destruction occurs.

David McKeown, Chief Information Security Officer and Deputy Chief Information Officer at the Department of Defense, explains that while DOD has excelled at perimeter defenses during previous attacks, APTs can gain traction through phishing, brute force attacks on server vulnerabilities, web attacks and hacking the code. “Once they get a foothold,” McKeown explained, “what we’ve found over time is we must struggle to find them and then finally eradicate them from an app on a network and have confidence that they’re gone from the network.” DOD will continue to partner with industry and all its latest security offerings to provide better security solutions.

Information sharing on threats and risks and collaboration between government and industry is crucial to keep everyone up to speed on the latest viruses, malware, phishing threats, ransomware, and insider threats. Information sharing between public and private sectors establishes working protocols that strengthen resilience in the face of cyber-crimes.

There are the obvious things an organization can do, including limiting access to sensitive data, keeping security patches up to date, performing regular scans, and controlling what can reach your network, including applications that users can introduce. However, the most obvious weak point, and still the most persistent point of access, is your workforce.

An organization is only as strong as the weakest link in its cybersecurity chain and attackers, no matter how much money businesses have spent on software, hardware, and services to prevent cyberattacks, count on someone (usually an end user) to take the bait, bypassing those expensive cybersecurity safeguards. It’s not enough to have employees watch a cybersecurity video once a year and answer questions. Businesses will need to have training throughout the year. Training needs to be a routine part of work and baked into the organization’s culture. Simply put, IT departments and security professionals need to invest more in cybersecurity training.

See what CYRIN can do

At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. At CYRIN we continue to develop “hands-on” training: our courses teach fundamental solutions using actual cyber tools in CYRIN’s labs, which you can practice with 24/7, in the cloud, with no special software required.

These tools and our virtual environment are perfect for a mobile, remote work force. People can train at their pace, with all the benefits of remote work, remote training, and flexibility.

Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN.


Take a test drive and see for yourself!

