Cyber-attacks today are highly advanced, and the developers and perpetrators are constantly evolving their tactics in order to breach an organisation’s perimeter defences. In addition, cyber criminals and their attacks are highly persistent, constantly adapting, changing and trying again in order to thwart security solutions.
The consequences of such an Advanced Persistent Threat (APT) can be catastrophic to a business if a breach occurs and remains undetected. The reality is that it is all but impossible to prevent a breach, so it becomes increasingly important to defend against them. Organisations need to develop and deploy a robust cyber security strategy to defend against, detect and respond to these APT attacks.
According to Fred Mitchell, Security Software Division Manager at DCC: “The challenge lies in identifying these attacks before they can do too much damage. Once they have infiltrated an organisation they typically spread laterally, hide themselves, create a greater degree of persistence and thus become increasingly difficult to root out and destroy. Understanding the anatomy of a cyber-attack is the first step to such defence, as detecting them early in their lifecycle is key to minimising damage, mitigating risk and shortening the time it takes to remediate and address. In addition, understanding an attack from its point in the lifecycle can help organisations prioritise the defence to ensure the most persistent, most harmful or most deeply buried can be addressed first.”
Deon la Grange from FireEye described the anatomy of a cyber-attack in six steps:
* The cyber-criminal, or threat actor, gains entry through an email, network, file, or application vulnerability and inserts malware into an organisation's network. The target is now compromised.
* The advanced malware probes for additional network access, vulnerabilities, or communicates with command and control (CnC) websites to receive additional instructions and/or malicious code.
* The malware typically establishes additional breach points to ensure that the cyber-attack can continue if one point is closed.
* Once a threat actor has established network access, they begin to gather data, such as account names and passwords. Once the attacker cracks the passwords, they can now identify and access data.
* Data is collected on a staging server, then the data is exfiltrated. A data breach is now occurring.
* If evidence of the initial breach remains undetected, is obfuscated or in some cases removed, the threat actors have architected persistence mechanisms into their malware, and the organisation remains vulnerable to further attacks.
La Grange adds: “The sophisticated nature of an APT as well as its ability to obfuscate, hide and avoid detection once it is well established means that threats could be active in organisations for months before they are even detected. In fact, according to the Mandiant M-Trends Report 2015, the median time to detection of a breach is 205 days, and the vast majority of organisations only learn about a breach from an outside party such as law enforcement.”
“A robust cyber security strategy with adaptive, proactive defence is essential; however, the reality is that the majority of organisations deploying such a solution are already compromised. Existing threats must be removed and remediated, and an adequate self-discovery process must be put into place to discover attacks at the first stage, or the exploitation phase. The earlier in its lifecycle an attack can be detected, the shorter and less complex the process to remove the threat and address the breach. Understanding the lifecycle allows organisations to categorise threats once detected to ensure they can be addressed, removed and remediated with minimal damage. However, a proactive security solution is critical in preventing future attacks from infiltrating deep inside the network and remaining undetected for extended periods,” concludes Mitchell.