Targeted cyberattacks on businesses are becoming increasingly sophisticated. The Swisscom Cyber Security Report shows that advanced persistent threats in particular call for new defensive measures. And for more human intervention.
Text: Andreas Heer, 15 march 2019
The attack was meticulously planned. The cybercriminals had spent months researching and spying on the company’s environment. Important people, their contacts and preferences, activities and the IT infrastructure as seen from the outside. The attackers then used spear phishing – personalised phishing emails – to plant malware on the two computers of the targeted victims. The attackers bypassed the company’s security measures with the latest knowledge and sophisticated technology. With the help of a script, they infiltrated the computers through a zero-day vulnerability, without leaving any suspicious traces in the form of files.
Over the months that followed, the attackers spread unnoticed within the company’s network and its systems, until they eventually reached their target: confidential customer and project data. They then smuggled the documents out of the company via well-camouflaged channels.
This is just one example of how a sophisticated and targeted cyberattack might play out today. Advanced persistent threats (APT) – attacks carried out with enormous resources and outstanding technical expertise – are a continuing trend in the murky world of cybercrime, as the Swisscom Cyber Security Report 2019 shows.
Given this situation, such attacks are very difficult to detect. The security provider Kaspersky Lab is currently monitoring 100 APT groups that carry out targeted attacks. They have pretty names such as ‘LuckyMouse’, ‘OceanLotus’ and ‘Comment Crew’, and at least some are thought to operate with the support of governments. Among their targets are other governments, public institutions and companies active in sensitive fields. Their motivation includes espionage, data theft and sabotage, as seen with the attacks on the infrastructure of the Winter Olympics in South Korea.
Conventional IT security measures alone, such as perimeter protection, are not enough to protect against APT attacks. Companies must focus their IT security measures more on attackers that have already infiltrated their corporate network, says Costin Raiu in an interview in the Swisscom Cyber Security Report.
The head of the Kaspersky Global Research and Analysis Team (GReAT) calls for a paradigm shift. He believes that attackers spend most of their time in spreading through the corporate network and syphoning off data. Companies should therefore focus their security measures on these activities.
An important measure is to monitor running processes, file operations and logins, as this helps to detect suspicious activity. Threat intelligence information can also help to identify typical patterns and IP addresses of cyberattacks. The downside, however, is that such monitoring measures are more complex and resource-intensive to implement than conventional perimeter security.
Advanced persistent threats cannot be stopped with technical measures alone – people are just as important in the defence against them. Raiu recommends that security officers and specialists put themselves in the shoes of the attackers in order to understand how they operate. Since APTs are manually triggered attacks, the process is often controlled by humans. It can therefore be helpful to ask questions such as: ‘What might make my company the target of an APT attack?’, ‘Which information and systems might might appeal to espionage or sabotage?’, ‘What might a phishing email or social engineering attack on the CFO look like?’
This focus can also help to recognise patterns in log files, as anomalies can be targeted – for example, by monitoring the network traffic of the CFO’s computer or the ERP system separately.
In the case of human defence mechanisms, combating APTs is a task usually reserved for security operations centres (SOC), as they have specialists who can make sense of the recorded patterns and expose human attackers. They are able to put themselves in the shoes of the attackers due to their specialist knowledge and expertise. Understanding the mindset of highly professional cybercriminals think, and a familiarity with the tools they employ are important aspects in the defence against APTs.
Click here to find out more about the cyber security services of Swisscom.
More on the topic