This article was first published at Lumension’s Optimal Security blog: http://blog.lumension.com/6588/9-mistakes-apt-victims-make/
A couple of years ago, Bruce Schneier said that against an APT attacker, “the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.” Those words have proven true over and over again. APT attackers do not move on to the next target just because they see that your security is a little above average.
In an age when you have to do everything right to protect your network, it pays to look at what other people do wrong and learn from their mistakes. Based on public and unpublished APT incidents, I have gathered a list of 9 things that show up repeatedly:
1. Allowing open attack surfaces without securing configurations
A system’s attack surface comprises its running services, enabled features and installed software. Stopping every unneeded service, disabling every feature that isn’t required and removing all non-essential software is how you shrink that surface.
This includes elements that seem innocuous and have no known risks. Time and again, innocent little features have turned out to harbor nasty vulnerabilities that the bad guys find and leverage. Case in point: Internet Explorer’s automatic proxy detection (the WPAD lookup behind “Automatically detect settings”), which is enabled by default. Recent weaponized malware abused this feature to fool computers that were trying to download Windows security updates.
Group policy is part of the solution, but you also need configuration management and centralized remediation so that you can obtain ongoing assurance that every system on the network is locked down and presents the smallest possible target to the enemy.
2. Permitting unlocked ports and unfettered device usage
Allowing USB drives and other removable storage devices to connect to your PCs is reckless. USA Today details how an infected USB drive idled a power plant for three weeks, and a Slashdot article reports a study that found two thirds of lost USB drives carry malware. Think you can’t be singled out and targeted with USB drives? Think again. The bad guys go to trade shows of target industries and hand them out as swag. They drop them in the Starbucks near target businesses.
Windows has native removable storage restrictions that can be applied through group policy, but if you need enterprise management and compliance features, such as reporting and finer control over different classes of devices, look to your endpoint security vendor.
3. Failing to use centralized vulnerability remediation
There are too many tweaks and security fixes that can’t be made via group policy, including de-registering unsafe DLLs, setting the ActiveX kill bit, configuring BitLocker, hardening PowerShell and changing the local administrator password, to name just a few. You need a way to run commands, remediation scripts and other fixes on all your PCs automatically and to track whether each step actually succeeded. Startup and logon scripts in group policy don’t provide this crucial reporting capability, so look to your systems management or endpoint security technologies.
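A worked example of the kind of remediation-with-reporting described in points 1 to 3, added here and not taken from the original article or from any vendor product: a PowerShell remoting job that pushes a few settings group policy does not reach (an ActiveX kill bit, the removable-storage deny policy, PowerShell script block logging, unregistering a DLL) to a list of PCs and records, per machine and per step, whether the change took. The computer names, the CLSID and the DLL path are placeholders; targets need WinRM enabled and the caller must be a local administrator on them.

```powershell
# Added example, not from the original article. Hostnames, the CLSID and the DLL
# path below are placeholders to replace with your own inventory.
$Computers = @('PC01', 'PC02')   # assumption: your own list of targets

$Remediate = {
    $results = @()

    # Helper: set a registry value (creating the key if needed), read it back,
    # and return one result row so the caller can report success or failure.
    function Set-Fix([string]$Name, [string]$Key, [string]$ValueName, $Value, [string]$Type) {
        try {
            if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
            New-ItemProperty -Path $Key -Name $ValueName -Value $Value -PropertyType $Type -Force | Out-Null
            $ok = ((Get-ItemProperty -Path $Key -Name $ValueName).$ValueName -eq $Value)
            [pscustomobject]@{ Step = $Name; Success = $ok; Error = '' }
        } catch {
            [pscustomobject]@{ Step = $Name; Success = $false; Error = $_.Exception.Message }
        }
    }

    # 1. ActiveX kill bit: "Compatibility Flags" = 0x400 under the control's CLSID.
    #    The all-zero CLSID is a placeholder, not a real control.
    $results += Set-Fix 'ActiveX kill bit' `
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}' `
        'Compatibility Flags' 0x400 'DWord'

    # 2. Block all removable storage: the same value the "All Removable Storage
    #    classes: Deny all access" policy writes.
    $results += Set-Fix 'Deny removable storage' `
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
        'Deny_All' 1 'DWord'

    # 3. PowerShell script block logging (PowerShell 5 and later) so later script
    #    execution shows up in the event log.
    $results += Set-Fix 'PowerShell script block logging' `
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
        'EnableScriptBlockLogging' 1 'DWord'

    # 4. Unregister an unsafe DLL. regsvr32 exits non-zero when it fails.
    $dll = 'C:\Windows\System32\unsafe-example.dll'   # assumption: placeholder path
    if (Test-Path $dll) {
        $p = Start-Process regsvr32.exe -ArgumentList "/u /s `"$dll`"" -Wait -PassThru
        $results += [pscustomobject]@{ Step = 'Unregister DLL'; Success = ($p.ExitCode -eq 0); Error = "exit $($p.ExitCode)" }
    } else {
        $results += [pscustomobject]@{ Step = 'Unregister DLL'; Success = $true; Error = 'not present' }
    }

    $results
}

# Run on every target, keep going past unreachable hosts, one report row per step.
$report = Invoke-Command -ComputerName $Computers -ScriptBlock $Remediate -ErrorAction Continue |
    Select-Object PSComputerName, Step, Success, Error

$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\remediation-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# A host that never reported back (offline, WinRM off) is a finding, not a pass.
$Computers | Where-Object { $_ -notin $report.PSComputerName } |
    ForEach-Object { Write-Warning "$_ did not report back; treat as non-compliant" }
```

The point of the read-back inside Set-Fix is that “the command ran” and “the setting is now in place” are different facts; the CSV records the second one, which is what an auditor or an incident responder will ask for later.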
4. Allowing untrusted software to execute
Preventing this is the single most effective way to stop APTs. You might be able to use Windows 7 AppLocker, or you may need a modern enterprise application whitelisting solution, but either way, stop unknown, unauthorized software from executing on your systems. Enough said.
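A worked example of the AppLocker route, added here and not taken from the original article: the AppLocker cmdlets that ship with Windows 7 Enterprise/Ultimate and later are used to inventory a clean reference machine, turn the inventory into allow rules, deploy them in audit-only mode, and ask the policy what it would do with whatever is sitting in a user’s Downloads folder. The directory list, the temp file and the Downloads path are assumptions.

```powershell
# Added example, not from the original article. Run elevated on a clean reference
# machine; the directories and paths below are assumptions to adjust.
$PolicyXml = "$env:TEMP\applocker-allow.xml"

# AppLocker decisions are made by the Application Identity service; it must be running
# (and start automatically) or the policy is silently ignored.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 1. Inventory the reference machine. Publisher rules survive updates of signed
#    software; hash rules cover unsigned binaries. -Optimize collapses thousands of
#    signed files into a handful of publisher rules. This takes a while on C:\Windows.
$dirs  = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$files = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, Script, WindowsInstaller
}
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyXml -Encoding utf8

# 2. Start in audit mode: each rule collection logs what it would have blocked
#    (event 8003 in "Microsoft-Windows-AppLocker/EXE and DLL") instead of blocking it.
[xml]$policy = Get-Content $PolicyXml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyXml)
Set-AppLockerPolicy -XmlPolicy $PolicyXml

# 3. Dry run against the place unknown code usually lands first.
$candidates = Get-ChildItem "$env:USERPROFILE\Downloads" -Include *.exe, *.ps1, *.msi -Recurse -ErrorAction SilentlyContinue
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $candidates.FullName -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. After the 8003 events have shown only things you would want blocked, switch the
#    collections to enforcement and re-apply:
# foreach ($c in $policy.AppLockerPolicy.RuleCollection) { $c.EnforcementMode = 'Enabled' }
# $policy.Save($PolicyXml); Set-AppLockerPolicy -XmlPolicy $PolicyXml
```

The DLL rule collection is left out deliberately: DLL rules are where whitelisting breaks applications first, so add them only once the EXE rules are stable. Audit mode first is not optional either; a whitelist that blocks a line-of-business updater on day one gets turned off on day two.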
5. Failing to follow existing security policies/procedures and to use at-hand technology consistently
Not eating your own dog food is a painful reason to fall victim to an APT, but it happens. All it takes is one neglected computer or one person who fails to follow policy. Case in point: Adobe allowed a critical code-signing server to keep running while it was noncompliant with the company’s own security standards. That led to malware being signed so that it looked like valid Adobe software, and resulted in a major security incident affecting Adobe customers.
6. Permitting open policies for privileged user authority
The RSA SecurID incident involved lateral movement between systems and users, resulting in privilege escalation. That typically means a privileged user was logged on interactively to a system where they also read email, browse the web or open document files. Best practices and privileged-user technologies exist to keep admin-level credentials sacrosanct; APT incidents show their value.
7. Not engaging in consistent end-user security awareness
The RSA SecurID incident began when three users were sent an infected spreadsheet; it landed in their junk email, and a single user pulled it out and opened it. One corporation sent a spear-phishing email to its own users as part of a security awareness program; it took three campaigns before they got the open rate below 20%. Lesson: security awareness needs to be more than a poster in the break room. Make your program constant and trackable so that you can verify that you are actually changing behavior.
8. Failing to leverage logging and to set up traps
Most organizations do not monitor process start events to discover new EXEs appearing on their systems. Nor do most organizations deploy decoy folders with bait files on production systems and audit access to those files. Both are effective ways to detect malicious outsiders who have gained a foothold.
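A worked example of both traps, added here and not taken from the original article: it turns on process-creation and file-system auditing, plants a decoy folder whose bait files carry a SACL that logs every successful read, and then reports two things from the Security log: executables (event 4688) whose path is not in a known-good baseline, and any access (event 4663) to the decoy files. The baseline file, the decoy path and the bait file names are assumptions; run it elevated.

```powershell
# Added example, not from the original article. Run as administrator; the baseline
# file, decoy folder and bait names are assumptions.
$Baseline = 'C:\ProgramData\known-exes.txt'   # one full path per line, built on a clean day
$Decoy    = 'C:\Finance\Payroll-Archive'       # nothing legitimate ever reads this folder

# --- 1. Auditing switches -------------------------------------------------------
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
auditpol.exe /set /subcategory:"File System"      /success:enable | Out-Null
# Include the command line in 4688 events (Windows 8.1 / 2012 R2 and later, KB3004375).
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $audit)) { New-Item $audit -Force | Out-Null }
Set-ItemProperty $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# --- 2. Decoy folder: SACL first (so the bait files inherit it), then the bait ---
New-Item -ItemType Directory -Path $Decoy -Force | Out-Null
$acl  = Get-Acl -Path $Decoy -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData, ReadAttributes', 'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Decoy -AclObject $acl
'Salary-2012.xlsx', 'Bank-Accounts.docx', 'VPN-passwords.txt' | ForEach-Object {
    Set-Content -Path (Join-Path $Decoy $_) -Value ('Bait file; any read is logged. ' * 50)
}

# --- 3. Detection ---------------------------------------------------------------
# Pull one named field out of an event's XML (EventData/Data[@Name]).
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddHours(-24)
$known = if (Test-Path $Baseline) { Get-Content $Baseline } else { @() }

# New executables: 4688 whose NewProcessName is not in the baseline.
$new = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe = Get-EventField $_ 'NewProcessName'
        if ($exe -and ($known -notcontains $exe)) {
            [pscustomobject]@{ Time = $_.TimeCreated; Exe = $exe
                               User = (Get-EventField $_ 'SubjectUserName')
                               Parent = (Get-EventField $_ 'ParentProcessName') }  # field absent before Windows 10
        }
    } | Sort-Object Exe -Unique

# Trap hits: 4663 (object access) on anything under the decoy folder.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $obj = Get-EventField $_ 'ObjectName'
        if ($obj -like "$Decoy\*") {
            [pscustomobject]@{ Time = $_.TimeCreated; File = $obj
                               User = (Get-EventField $_ 'SubjectUserName')
                               Process = (Get-EventField $_ 'ProcessName') }
        }
    }

"== EXEs never seen before (review, then append the legitimate ones to $Baseline) =="
$new  | Format-Table -AutoSize
"== Decoy folder touched (any hit deserves a real investigation) =="
$hits | Format-Table -AutoSize
```

The two reports have very different signal-to-noise ratios. The new-EXE list is noisy on day one and gets quiet as the baseline fills in; the decoy list should be empty forever, so a single 4663 from a user or service that has no business in that folder is a high-confidence lead, and the process name in the event tells you what to look at next.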
9. Permitting malware beaconing and exfiltration
In most cases, malware must be installed and permitted to run for an APT to persist. Once active, most APT malware must beacon back to command and control servers, and at some point data is exfiltrated. It is challenging, but there are techniques for recognizing outbound traffic that could be malware. A couple of examples: look for packet patterns inconsistent with normal web browsing, such as more data going up than coming down, and look for mysterious domain names like ibiz.3387.org.
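A worked example of these checks, added here and not taken from the original article: it scores outbound connections from a proxy or firewall log on the two cues named above (more bytes out than in, odd-looking domain names) and on a third that follows from the word “beaconing”, namely connections to the same host at suspiciously regular intervals. The log lines are constructed for the example; the field layout (time, client, host, bytes out, bytes in) is an assumption about your log format, and the thresholds are starting points to tune, not settled values.

```powershell
# Added example, not from the original article. The log below is constructed for the
# example; the layout "time client host bytes_out bytes_in" is an assumption.
$Log = @'
2013-03-04T09:00:01 10.0.0.5 www.msn.com 812 48210
2013-03-04T09:00:07 10.0.0.5 cdn.msn.com 540 120044
2013-03-04T09:10:00 10.0.0.9 ibiz.3387.org 4096 310
2013-03-04T09:20:00 10.0.0.9 ibiz.3387.org 4102 298
2013-03-04T09:30:00 10.0.0.9 ibiz.3387.org 4088 305
2013-03-04T09:40:00 10.0.0.9 ibiz.3387.org 4110 301
2013-03-04T09:41:12 10.0.0.9 mail.google.com 22100 9800
2013-03-04T09:42:30 10.0.0.7 q7x1k0ztb3.example.net 524288 180
2013-03-04T09:44:00 10.0.0.7 www.bing.com 910 65200
'@

$Conns = $Log -split "`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $t, $src, $dst, $out, $in = $_.Trim() -split '\s+'
    [pscustomobject]@{ Time = [datetime]$t; Client = $src; Host = $dst; BytesOut = [long]$out; BytesIn = [long]$in }
}

# Cue 1: the name looks machine-generated (an all-numeric label, or a long label
# with a high share of digits). The TLD is ignored.
function Test-OddDomain([string]$Name) {
    $labels = $Name -split '\.'
    foreach ($l in $labels[0..($labels.Count - 2)]) {
        if ($l -match '^\d+$') { return $true }                      # e.g. the "3387" in ibiz.3387.org
        $digits = @($l.ToCharArray() | Where-Object { $_ -match '\d' }).Count
        if ($l.Length -ge 8 -and $digits / $l.Length -ge 0.3) { return $true }
    }
    return $false
}

# Cues 2 and 3 need the connections grouped per client and destination.
$Findings = $Conns | Group-Object Client, Host | ForEach-Object {
    $g       = @($_.Group | Sort-Object Time)
    $out     = ($g | Measure-Object BytesOut -Sum).Sum
    $in      = ($g | Measure-Object BytesIn  -Sum).Sum
    $reasons = @()

    # Cue 2: browsing pulls far more than it pushes; the reverse is worth a look.
    if ($out -gt 2 * $in -and $out -gt 2048) { $reasons += "upload-heavy ($out out / $in in)" }
    if (Test-OddDomain $g[0].Host)           { $reasons += 'odd domain name' }

    # Cue 3: people browse in bursts; a timer fires on a schedule. A coefficient of
    # variation of the gaps under 10% means a machine, not a person, is talking.
    if ($g.Count -ge 4) {
        $gaps = for ($i = 1; $i -lt $g.Count; $i++) { ($g[$i].Time - $g[$i-1].Time).TotalSeconds }
        $mean = ($gaps | Measure-Object -Average).Average
        $sd   = [math]::Sqrt((($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) }) | Measure-Object -Average).Average)
        if ($mean -gt 0 -and $sd / $mean -lt 0.1) { $reasons += "regular interval (~$([int]$mean)s, $($g.Count) hits)" }
    }

    if ($reasons) {
        [pscustomobject]@{ Client = $g[0].Client; Host = $g[0].Host; Reasons = ($reasons -join '; ') }
    }
}

$Findings | Format-Table -AutoSize
```

On the constructed data the 10.0.0.9 to ibiz.3387.org traffic trips all three cues at once (four uploads, 600 seconds apart, to a numeric-label domain), which is the shape of a beacon. Note that mail.google.com is also flagged as upload-heavy: sending an email with an attachment looks like exfiltration by byte count alone, so in practice the upload cue is only useful combined with the others or with a list of known upload destinations.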
Each of these measures is a single layer of defense, and you need them all, because it only takes one: one user, one PC, one setting or vulnerability that lets the bad guy get a foothold. It comes down to defense in depth, doing everything right and not allowing untrusted code to execute.