Hackers Use Basic Skills in Advanced Persistent Threat Attacks


Despite the perception that such attacks require advanced knowledge and skill, a new report by Imperva finds that at least some techniques attributed to Advanced Persistent Threats (APT) really only require basic skills. The attacks examined relied on weaknesses in the Microsoft NTLM protocol, ordinary Windows administration skills and readily available software.

Imperva released its latest Hacker Intelligence Initiative Report, the Non-Advanced Persistent Threat, on Tuesday. Published 3 times a year, these reports analyze attack campaigns and trending hacking techniques in an effort to stay ahead of attackers.

According to Imperva, “Advanced Persistent Threat (APT) is a name given to attacks that specifically and persistently target an entity. The security community views this type of attack as a complex, sophisticated cyber-attack that can last months or even years. The skill and scope required to instigate an attack of this magnitude and sophistication are believed to be beyond the reach of individual hackers. Therefore, APT is generally attributed to governments, hacktivists, and cyber criminals.”

Cyberattacks happen frequently and are becoming more focused on the cloud. The WHIR recently reported on DDoS attacks at UltraDNS, 123-reg and SurveyGizmo and on the Heartbleed vulnerability, but those aren’t the only types of attack for which organizations need to be prepared.

Arbor Networks says the number of organizations experiencing APT attacks has increased 36 percent. The number of respondents seeing those attacks on their networks also increased by 8 percent.

In the APT attacks the report examined, all that’s required is a widely used protocol and a Windows account with basic privileges. Attackers commonly use spear phishing, since one of the easiest ways into a network is through human error. Once a user clicks a malicious link, a backdoor can be established that gives the attacker that user’s account privileges.

“Once the attacker compromises a single machine, he gains access privileges of the currently logged on user; giving the attacker access to a portion of the data store,” Imperva said. “An attacker who extends his access privileges by compromising more accounts, gains access to larger portions of the data store. NTLM protocol weaknesses provide an attacker a perfect opportunity to extend his access privileges to targeted resources – as long as those resources support NTLM authentication. Note that Windows file shares and some databases – mainly MS SQL and Oracle – support Windows-based authentication using NTLM.”

The report draws 3 main conclusions about preventing this type of attack: basic file security combined with a more secure authentication protocol than Microsoft NTLM, mitigation focused on monitoring the authentication process, and endpoint authentication.
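A defender-side illustration of the “monitor the authentication process” recommendation, added here and not part of the Imperva report or this article: it parses constructed, simplified Windows Security event 4624 records (the compact key=value layout and exact field names are assumptions that loosely follow the real event) and flags accounts whose NTLM network logons fan out across several servers, such as file shares and database hosts, as well as any remaining NTLMv1 use.

```python
"""Flag NTLM network logons that fan out from one account to many hosts."""
import re
from collections import defaultdict

# Constructed sample log lines (not real telemetry). Fields loosely follow
# Windows Security event 4624; LogonType 3 is a network logon.
SAMPLE_EVENTS = [
    "Computer=FS01 EventID=4624 LogonType=3 AuthenticationPackage=NTLM PackageName=NTLM_V1 TargetUserName=jdoe IpAddress=10.0.5.17",
    "Computer=FS02 EventID=4624 LogonType=3 AuthenticationPackage=NTLM PackageName=NTLM_V2 TargetUserName=jdoe IpAddress=10.0.5.17",
    "Computer=SQL01 EventID=4624 LogonType=3 AuthenticationPackage=NTLM PackageName=NTLM_V2 TargetUserName=jdoe IpAddress=10.0.5.17",
    "Computer=SP01 EventID=4624 LogonType=3 AuthenticationPackage=NTLM PackageName=NTLM_V2 TargetUserName=jdoe IpAddress=10.0.5.17",
    "Computer=FS01 EventID=4624 LogonType=3 AuthenticationPackage=Kerberos PackageName=- TargetUserName=asmith IpAddress=10.0.5.22",
    "Computer=FS01 EventID=4624 LogonType=2 AuthenticationPackage=NTLM PackageName=NTLM_V2 TargetUserName=bob IpAddress=127.0.0.1",
    "Computer=FS03 EventID=4624 LogonType=3 AuthenticationPackage=NTLM PackageName=NTLM_V2 TargetUserName=asmith IpAddress=10.0.5.22",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def ntlm_network_logons(lines):
    """Keep only successful network logons (4624, type 3) that used NTLM."""
    events = []
    for line in lines:
        ev = parse_event(line)
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
                and ev.get("AuthenticationPackage") == "NTLM"):
            events.append(ev)
    return events


def ntlm_fanout(lines, threshold=3):
    """Accounts that reached at least `threshold` distinct hosts over NTLM."""
    hosts = defaultdict(set)
    for ev in ntlm_network_logons(lines):
        hosts[ev["TargetUserName"]].add(ev["Computer"])
    return {user: sorted(h) for user, h in hosts.items() if len(h) >= threshold}


def ntlmv1_logons(lines):
    """(account, host) pairs still authenticating with the weaker NTLMv1."""
    return [(ev["TargetUserName"], ev["Computer"])
            for ev in ntlm_network_logons(lines)
            if ev.get("PackageName") == "NTLM_V1"]


if __name__ == "__main__":
    print("NTLM fan-out:", ntlm_fanout(SAMPLE_EVENTS))
    print("NTLMv1 logons:", ntlmv1_logons(SAMPLE_EVENTS))
```

The threshold is a tuning knob: a service account that legitimately touches many file servers will need to be baselined rather than alerted on.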

Imperva said that “…built-in Windows functionality combined with seemingly ‘innocent’ areas of file shares and SharePoint provide attackers with a stepping stone to an organization’s most critical data.”

In February, Imperva agreed to purchase SkyFence and Incapsula in order to offer improved security for its customers and help prevent these types of attacks.
