The world of hacking has evolved into two major varieties: industrialized attacks and advanced persistent threats (APT). There has been a lot of discussion around the validity of APT recently, but the threat is real. So, what's the difference between APT and industrialized hacking, and how should you respond?
Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today's cybercrime industry has similarly transformed and automated itself to improve efficiency, scalability and profitability. What are the key characteristics of an industrialized attack?
- It's ROI focused. All involved parties work to increase the bottom line, similar to the way a business works to maximize gain with as little investment as possible.
- It's not personal. Automated attacks do not target specific individuals. Rather, they target the masses, both enterprises and users, using general selection criteria. For example, a botnet that drives mass SQL injection attacks or brute force password attacks will not discriminate between large or small organizations.
- It's multilayer. Each party involved in the hacking process has a unique role and uses a different financial model.
- It's automated. Botnets, armies of unknowingly enlisted computers controlled by hackers, scan and probe the web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware and manipulate search engine results.
Common attack types include:
- Data theft or SQL injections. Data theft is most commonly administered through SQL injection. Between January and June of 2009, IBM reported nearly 250,000 daily SQL injection attacks on websites around the world. Imperva researchers reported the use and deployment of SQL injections as the top chat topic on hacker forums. For example, the 2009 assault against Heartland Payment Systems, which resulted in 130 million dollars of lost records, was attributed to SQL injection.
- Business logic attacks. Recently, web application hackers have begun to develop attacks that target vulnerabilities in the business logic, rather than in the application code. Business logic attacks often remain undetected. In fact, most business logic vulnerabilities are hard to anticipate and detect using automated test tools, such as static code analyzers, and vulnerability scanners. Often, attack traffic resembles normal application traffic. Attacks are usually not apparent from code and are too diverse to be expressed through generic vulnerability scanner tests. A recent hack against Durex India highlights how this type of attack works.
- Denial of service attacks. This type of attack is usually executed as part of a blackmail scheme that forces application owners to pay a ransom to free their application from the invasion of useless traffic. For instance, attackers will threaten to shut-down online gambling sites for a particular ransom.
Advanced persistent threats
Advanced persistent threats (APT) are driven, usually, by government agencies or their terrorist counterparts. Rarely are APTs led by political or commercial organizations. However, in some cases, marginal threats do arise from obsessed individuals and legitimate commercial organizations. What are the key characteristics of APT hacking?
- It's very personal. The attacking party carefully selects targets based on political, commercial and security interests. Social engineering is often employed by an APT.
- It's persistent. If the target shows resistance, the attacker will not leave, but rather change strategy and deploy a new type of attack against the same target. The attacker may also decide to shift from an external threat to an internal threat.
- Control focused. APTs are focused on gaining control of crucial infrastructure, such as power grids and communication systems. APTs also target data comprised of intellectual property and sensitive national security information. Personal data, however, is of no interest. Surprisingly, APT hackers are not as concerned with costs or revenue. Thus, large budgets may be thrown against individual targets with no “financial” justification. How can you quantify state security?
- It's automated, but on a small scale. Automation is used to enhance the power of an attack against a single target, not to launch broader multi-target attacks.
- It's one layer. One party owns and controls all hacking roles and responsibilities. In fact, the most serious government organizations operate their own botnets (or at least take control of parts of botnets).
How can security professionals respond?
The industrialized hacker wants money, but also wants to keep costs down it's simply the Tony Soprano business model. If you have a web presence, you are a potential target for industrialized attacks even if you are a small organization. You need to use timely updates on attack sources to quickly identify attackers. Since you are bound to be attacked, emphasis must be placed on easy management and operations, with protection against known vulnerabilities and common attack types, such as SQL injection, XSS and CSRF.
Advanced persistent threats, on the other hand, are much more sophisticated and require a James Bond approach to impede the villains. Consider yourself a target if you hold sensitive information beneficial to governments. Key characteristics include:
- .mil and .gov sites
- Department of Defense contractors
- Infrastructure companies, including power and water
- Individual CEOs or leaders of powerful enterprise or government agencies, or their staff
- Personal information of possible targets, such as the Chinese freedom of speech activists in the recent Google case
If you have identified an APT, then you need to collect and review audit information with regards to accessing sensitive assets.
In both cases, you should protect both your site and customers by using a rapid procedure of scanning for security vulnerabilities. Additionally, deploying a web application firewall will provide you with a first and last line of defense. Considering, however, the more James Bond nature of APTs, you may also need a powerful, fully customizable solution that integrates with vulnerability assessment technologies.