THE MONSTER OF ADVANCED THREATS AND TARGETED ATTACKS

Dear Habr community, greetings!
 
 
Today's presentation of the material will be rather unconventional, and it is hard for me to predict your reaction, but I will nevertheless try to convey the main idea of my article by translating the complex into the understandable, and thereby express what is sometimes impossible to say in the words of a glossary of terms. I will do this through analogy, association, visualization and humor. I kindly remind you that today is Friday, and I wish everyone a good weekend!
 
 
 
A LITTLE PREAMBLE
 
 
The use of analogy, first of all, makes it possible to carry complex concepts, whose analysis is hard to understand, over into other, more familiar areas where they are easier to grasp. Secondly, this method is quite interesting and gives an opportunity to look at complicated things from a completely different angle.
 
 
THE ESSENCE OF THE WAVE
 
 
Even in such a conservative field as information security, there is nothing easier than using something more tangible and understandable to clearly demonstrate the essence of something more complex. Therefore, I venture to tell you today about the octopus, one of the most perfect marine inhabitants, with the most unique equipment on board, with its sophisticated methods of attacking prey and its defensive techniques. Why is an octopus difficult to detect? Why is an octopus difficult to resist?
 
 
Through a very clear analogy with this sea predator, I will show which tools the best-trained cyber groups use in their targeted attacks, how they use them, and why traditional means of protection are not enough to combat predators such as the octopus.
 
 
And, frankly, I have long wanted to understand in detail why criminal, hacker and other groups like to associate themselves with this sea predator.
 
 
Are you interested? Then sit back comfortably, and let us begin! I am sure you will be surprised by the real capabilities of the octopus, its physiological characteristics, and its ability to adapt and defend itself.
 
 
So.
 
 
The octopus is a marine predator from the order of invertebrates; it is an intelligent animal with the most developed brain among invertebrates, learns well, and understands and remembers its environment. Scientists are still struck by the arsenal of this mollusk. It seems that no living creature on the planet has so many magnificent adaptations:
 
 
 
- The octopus has 8 powerful tentacles, thanks to which it easily seizes prey. An octopus can sometimes grow more than eight limbs. All tentacles are equipped with hooks and have one to three rows of suckers;

- On each tentacle there are up to ten thousand taste receptors that determine whether an object is edible or inedible;

- The octopus is a cunning creature: as a distracting maneuver, it can shed its tentacles if necessary. A severed tentacle continues to move and react to tactile stimuli for a certain time, which serves as an additional distraction while the octopus continues its attack from the other side or disappears;

- The octopus has the property of regeneration, that is, a tentacle that has been torn off or shed grows back after a while;

- The octopus has a powerful beak located at the base of the tentacles; with this beak-tool it splits the shell of its victim and reaches the body;

- The octopus is the most poisonous sea creature. Its bite helps it cope with very large prey by immobilizing the prey with a paralyzing poison;

- The octopus sees in total darkness thanks to infrared vision and in general has better vision than an eagle;

- The octopus is capable of perceiving sound, including infrasound;

- The octopus is a fast swimmer with jet propulsion (it draws water into the mantle and expels it through the funnel); a similar principle of movement is rarely found in living things. 50 km/h is its usual speed, and it can reach up to 70 km/h;

- Octopuses can spend hours lying on land and even walking along the shore. For walking on dry land, they carry water with them (in a special compartment of the body);

- All octopuses have well-developed sharp jaws, and in the pharynx there is a radula (a grater) that grinds food;

- The body of the octopus is equipped with searchlights. Individual parts of the skin glow, lighting the octopus's path in the middle of the night or at great depths, where eternal darkness reigns;

- The body of the octopus is soft and elastic, which allows it to squeeze through holes and slots much smaller than the usual size of its body, or to hide in the most secluded places;

- The color of the octopus changes instantly when necessary (a monochrome color or a mosaic of spots), so it is very difficult to distinguish it against the general background;

- The ink bomb/cloud is a miracle weapon, one of the most amazing adaptations of the octopus for disorienting an opponent and destroying its sight. The octopus is always loaded with ink containing narcotic substances. It uses the ink when it needs to go unnoticed or to buy time to attack from the other side.
 
 
Now I am sure that you know a lot more about octopuses and that, while reading the descriptions, you compared what you learned about the predator with the way a targeted attack is constructed. It is time to get acquainted with the main character of my small visualized story.
 
 
 
STORY ONE. Success for the attacker means failure for the defender
 
 
 
 
A targeted attack is, in our time, rapidly becoming a major cyber threat for business. It is a carefully planned, lengthy process of unauthorized activity in the infrastructure of a particular organization, carried out by a cybercriminal group with a view to obtaining a certain benefit. Most often, the main stages of a targeted attack are: preparation, penetration, spreading through the infrastructure, achievement of the goal, and concealment of traces.
 
Preparation includes defining the goal, collecting the maximum amount of information about it, studying the infrastructure and the solutions used in it, identifying weaknesses in the security system, and planning an attack strategy that takes the collected data into account.
 
 
 
 
Next comes the development of methods and the selection of tools for penetration, adapted as far as possible to the perimeter protection tools used on the infrastructure, which allows the attackers to penetrate the infrastructure as inconspicuously as possible.
 
The attacking professionals have an unlimited amount of time to develop malicious software, debug it, consider options for social engineering and for stealing accounts, etc., and work out the sequence of attack stages.
 
 
 
 
Using only traditional perimeter security tools is no longer enough for an organization to counter complex threats of the APT (Advanced Persistent Threat) level. It should be understood that a multi-vector intrusion aimed at different levels of the infrastructure, using various means of penetration and designed to circumvent the security systems present on the infrastructure, cannot be stopped by blocking only one of the planned vectors of the complex targeted attack.
 
 
Why are traditional means of protection not enough?

Because of the specifics of targeted attacks themselves:


- the protection tools in use are studied in detail in order to circumvent them;

- zero-day vulnerabilities and compromised accounts are used;

- malicious software, or specially created unique software, is used;

- trusted but compromised objects that do not raise suspicion are used in attacks;

- a multi-vector approach to penetrating the infrastructure is used;

- social engineering and data obtained from insiders are applied.
 
 
And because of the inherent technological limitations of traditional means of protection:


- the solutions are aimed only at detecting and blocking common (uncomplicated) threats, already known vulnerabilities, or unknown ones built on previously known methods;

- there is no built-in functionality for mapping and correlating individual detections into a single chain of events;

- detection of deviations from normal activity is not supported, and there is no analysis of the behaviour of legitimate programs, etc.
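To show what the missing correlation in the second item looks like in practice, here is an added example (my own illustration, not code from the article or from any product): a small Python correlator that takes constructed detector verdicts, each harmless on its own, and ties them per host into the chain of attack stages named above. The verdict names, host names and timestamps are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Order of the attack stages named in the article.
STAGES = ["preparation", "penetration", "distribution",
          "achievement of purpose", "concealment of traces"]

# Individual detector verdicts mapped to those stages (verdict names are
# assumed for this example, not taken from any product).
STAGE_OF_VERDICT = {
    "phishing_attachment": "penetration",
    "macro_execution": "penetration",
    "smb_lateral_login": "distribution",
    "archive_to_external_host": "achievement of purpose",
    "eventlog_cleared": "concealment of traces",
}

# Constructed sample alerts: "<ISO timestamp> <host> <verdict> <severity>".
# Each verdict is low or medium on its own, so per-event blocking fires nothing.
SAMPLE_ALERTS = [
    "2024-03-01T09:12:00 ws-017 phishing_attachment low",
    "2024-03-01T09:15:00 ws-017 macro_execution low",
    "2024-03-02T02:40:00 ws-017 smb_lateral_login low",
    "2024-03-02T03:05:00 ws-017 archive_to_external_host medium",
    "2024-03-02T03:20:00 ws-017 eventlog_cleared low",
    "2024-03-01T11:00:00 ws-042 macro_execution low",  # isolated, no chain
]

def parse_alert(line):
    ts, host, verdict, severity = line.split()
    return datetime.fromisoformat(ts), host, verdict, severity

def correlate(lines, window=timedelta(hours=48), min_stages=3):
    """Group mapped verdicts per host within a window that opens at the
    host's first verdict; return hosts whose verdicts cover at least
    min_stages distinct attack stages, each chain in stage order."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, verdict, _ = parse_alert(line)
        stage = STAGE_OF_VERDICT.get(verdict)
        if stage is not None:
            by_host[host].append((ts, stage))
    chains = {}
    for host, events in by_host.items():
        events.sort()
        start = events[0][0]
        stages = {s for ts, s in events if ts - start <= window}
        if len(stages) >= min_stages:
            chains[host] = sorted(stages, key=STAGES.index)
    return chains
```

Running `correlate(SAMPLE_ALERTS)` reports only ws-017, whose low-severity verdicts together span four of the five stages, while the single macro alert on ws-042 stays an isolated event.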
 
 
 
 
 
A targeted attack can pursue a variety of goals: theft of money, commercial secrets or personal data, disruption of business processes, weakening of competitive advantage, blackmail and extortion, theft of intellectual property, etc.
 
After reaching the goal, the attacker has to hide their tracks and, if necessary, leave themselves points of return into the infrastructure.
 
 
 
 
STORY TWO. Success for the defender means failure for the attacker
 
 
 
 
To protect effectively against targeted attacks and APT-level threats, organizations need to consider using specialized solutions for countering targeted attacks and advanced threats, and applying a comprehensive protection strategy in general.
 
 
 
 
It is an advantage if the specialized solutions interact with their own preventive measures, or with third-party preventive technologies that are most often already present on the organization's infrastructure, thereby preserving the investments previously made in them. The presence of preventive technologies for detecting and automatically blocking widespread threats and obviously malicious objects removes the need to analyze a large number of minor incidents that are irrelevant to complex attacks, thereby increasing the efficiency of specialized solutions aimed at detecting APT-level threats. The specialized tools, in turn, after detecting more complex threats, can send their verdicts back to the traditional tools. Thus they provide two-way cooperation and a truly integrated approach to countering advanced threats.
 
If strict requirements for processing critical data must be met, the solutions should support operation in an isolated mode without loss of detection quality, i.e. they should support a local threat reputation database and promptly provide unique information about the latest threats without transferring data beyond the corporate perimeter. When choosing a specialized solution on the territory of the Russian Federation, it is necessary to take into account the availability of FSTEC and FSB certificates, the presence of the solution in the domestic software registry, the solution's compliance with the requirements of external and internal regulators, and its focus on meeting legislative recommendations, for example Federal Law N 187-FZ and GOSOPKA.
 
 
 
 
Depending on the information security maturity of each particular organization and the availability of the necessary resources in the company, producers of specialized solutions for protection against advanced threats must in each case provide the expertise and professional services the company needs, from supporting the deployment, configuration and updating of the products, to the work of their experienced experts in analyzing malware and investigating incidents.
 
In addition to penetration testing and application security analysis:

- services for active threat hunting and digital forensics;

- a subscription to a portal of analytical threat reports;

- a round-the-clock service for analyzing IS events and responding to incidents, etc.
 
 