By Amichai Shulman, CTO of Imperva.
The world of hacking has evolved into two major varieties: industrialised attacks and advanced persistent threats (APT). There has been a lot of discussion recently around the validity of APT; some have even connected APT with panties. But APT is a real threat. So, what's the difference between APT and industrialised hacking, and how should you respond?
Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today's cybercrime industry has similarly transformed and automated itself to improve efficiency, scalability, and profitability. What are the key characteristics of an industrialised attack?
It's ROI focused. All parties involved work to increase the bottom line, similar to the way a business works to maximise gain with as little investment as possible.
It's not personal. Automated attacks do not target specific individuals. Rather, they target the masses, both enterprises and users, using general selection criteria. For example, a botnet that drives mass SQL injection attacks or brute force password attacks will not discriminate between large and small organisations.
It's multilayer. Each party involved in the hacking process has a unique role and uses a different financial model.
It's automated. Botnets, armies of unknowingly enlisted computers controlled by hackers, scan and probe the web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware, and manipulate search engine results.
Common attack types include:
1. Data theft or SQL injection. Data theft is most commonly carried out through SQL injection. Between January and June of 2009, IBM reported nearly 250,000 daily SQL injection attacks on websites around the world. Imperva researchers reported the use and deployment of SQL injection as the top chat topic on hacker forums. For example, the 2009 assault against Heartland Payment Systems, which resulted in 130 million dollars of lost records, was attributed to SQL injection.
2. Business logic attacks. Recently, web application hackers have begun to develop attacks that target vulnerabilities in the business logic rather than in the application code. Business logic attacks often remain undetected. In fact, most business logic vulnerabilities are hard to anticipate and detect using automated test tools such as static code analysers and vulnerability scanners. Often, attack traffic resembles normal application traffic. Attacks are usually not apparent from code and are too diverse to be expressed through generic vulnerability scanner tests. A recent hack against Durex India highlights how this type of attack works.
3. Denial of service attacks. This type of attack is usually executed as part of a blackmail scheme that forces application owners to pay a ransom to free their application from the invasion of useless traffic. For instance, attackers will threaten to shut down online gambling sites unless a particular ransom is paid.
Advanced Persistent Threats
Advanced persistent threats (APT) are usually driven by government agencies or their terrorist counterparts. Rarely are APTs led by political or commercial organisations. However, in some cases, marginal threats do arise from obsessed individuals and legitimate commercial organisations. What are the key characteristics of APT hacking?
It's very personal. The attacking party carefully selects targets based on political, commercial, and security interests. Social engineering is often employed by an APT.
It's persistent. If the target shows resistance, the attacker will not leave, but rather change strategy and deploy a new type of attack against the same target. The attacker may also decide to shift from an external threat to an internal threat.
It's control focused. APTs are focused on gaining control of crucial infrastructure, such as power grids and communication systems. APTs also target data comprising intellectual property and sensitive national security information. Personal data, however, is of no interest. Surprisingly, APT hackers are not as concerned with costs or revenue. Thus, large budgets may be thrown against individual targets with no financial justification. How can you quantify state security?
It's automated, but on a small scale. Automation is used to enhance the power of an attack against a single target, not to launch broader, multi-target attacks.
It's one layer. One party owns and controls all hacking roles and responsibilities. In fact, the most serious government organisations operate their own botnets (or at least take control of parts of botnets).
Advanced Persistent Threats vs Industrialization:
How Can Security Professionals Respond?
The industrialised hacker wants money but also wants to keep costs down; it's simply the Tony Soprano business model. If you have a web presence, you are a potential target for industrialised attacks, even if you are a small organisation. You need to use timely updates on attack sources to quickly identify attackers. Since you are bound to be attacked, emphasis must be placed on easy management and operations, with protection against known vulnerabilities and common attack types such as SQL injection, XSS, and CSRF.
Advanced persistent threats, on the other hand, are much more sophisticated and require a James Bond approach to impede the Dr. Nos. Consider yourself a target if you hold sensitive information beneficial to governments. Typical targets include:
.mil and .gov sites
Infrastructure companies, including power and water
Individual CEOs or leaders of powerful enterprise or government agencies, or their staff
Personal information of possible targets, such as the Chinese freedom of speech activists in the recent Google case
If you have identified an APT, then you need to collect and review audit information regarding access to sensitive assets.
In both cases, you should protect both your site and your customers with a rapid procedure for scanning for security vulnerabilities. Additionally, deploying a web application firewall will give you a first and last line of defence. Considering, however, the more James Bond nature of APTs, you may also need a powerful, fully customisable solution that integrates with vulnerability assessment technologies.
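As an added illustration of that audit review step (example code, not from the article or from Imperva), the script below walks constructed audit records and flags accounts that repeatedly touch sensitive assets outside their normal profile, which is the persistent, control-focused pattern the article attributes to APTs; the log format, asset prefixes and owner sets are assumptions.

```python
"""Review audit records for out-of-profile, persistent access to sensitive
assets. Everything here is constructed for the example."""
from collections import defaultdict
from datetime import datetime

# Constructed audit records: ISO timestamp, account, asset path, outcome.
AUDIT_LOG = """\
2010-02-01T09:12:03 alice /finance/q4-forecast.xlsx ALLOW
2010-02-01T09:40:11 bob   /hr/payroll.csv           ALLOW
2010-02-01T22:15:47 bob   /rnd/turbine-design.pdf   DENY
2010-02-02T23:02:09 bob   /rnd/turbine-design.pdf   DENY
2010-02-03T01:30:55 bob   /rnd/turbine-controls.dwg ALLOW
2010-02-03T10:05:00 carol /rnd/turbine-design.pdf   ALLOW
"""

# Constructed profile: sensitive path prefixes and the accounts expected to use them.
SENSITIVE = {"/rnd/": {"carol"}, "/finance/": {"alice"}}


def parse(log):
    """Yield (timestamp, account, asset, outcome) for each audit line."""
    for line in log.splitlines():
        ts, account, asset, outcome = line.split()
        yield datetime.fromisoformat(ts), account, asset, outcome


def review(log, sensitive=SENSITIVE, min_days=2):
    """Return accounts whose access to sensitive assets is out of profile and
    persistent: seen on at least min_days distinct days. A denied attempt
    followed by a successful one on a related asset is exactly the
    'change strategy, same target' behaviour worth escalating."""
    hits = defaultdict(lambda: {"days": set(), "assets": set(), "denied": 0})
    for ts, account, asset, outcome in parse(log):
        for prefix, owners in sensitive.items():
            if asset.startswith(prefix) and account not in owners:
                h = hits[account]
                h["days"].add(ts.date())
                h["assets"].add(asset)
                if outcome == "DENY":
                    h["denied"] += 1
    return {a: h for a, h in hits.items() if len(h["days"]) >= min_days}


if __name__ == "__main__":
    for account, h in review(AUDIT_LOG).items():
        print(account, sorted(h["assets"]), "denied attempts:", h["denied"])
```

Accounts that only appear on a single day fall below the persistence threshold and are left for routine review rather than escalation.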