Stolen Credentials are a Core Attack Tool in the APT Anatomy

Hackers exploit user credentials in advanced persistent threat attacks, to gain foothold and move around in the organization

By Santeri Kangas, Omada CTO

apt

Advanced Persistent Threat (APT) attacks typically target organizations in sectors with highly valuable information, and sectors that play a pivotal role in the stability of nation states – for example the financial industry, government, manufacturing and the energy and utilities industry, all of which are critical to a country’s infrastructure.

Crime, warfare, espionage and terrorism is present in the digital as much as  in the physical world, and organizations in these domains are being targeted by increasingly sophisticated attacks, as high-profile targets to criminal organizations and nation states wishing to cause damage to their critical infrastructure or steal valuable data.

How does an APT work?

The point of APTs is that they are designed to go undetected, tapping the hacked environment for information over long periods of time.

APTs are devised and executed by professionals, not by amateur hackers. Behind APT attacks are organizations that focus their time and resources on understanding how to execute attacks on specific organizations – they do their research and collect information on the targeted organization, and customize the tools best suited for the attack. Usually, the APT attack is comprised of a variety of execution tactics and tools. An APT often starts off with a fairly trite piece of social engineering – a simple PDF to the HR department, or similar – carrying an exploit for a software vulnerability (publicly known vulnerabilities and zero-day vulnerabilities in applications are popular among hackers as entry points, and as enablers of privilege escalation).

Credentials are the key to the kingdom

Once hackers are in the system, user credentials are the key to the kingdom: User credentials – particularly administrative credentials, with extensive access rights – are a core attack tool in APT attacks, and what the attackers use, to gain the initial foothold in the organization and then move further into the infrastructure.

The hackers navigate the infrastructure, identifying users with the required access rights to the data and systems from which the hackers wish to extract information. In an environment where there is none or little control, maintenance and monitoring of changes in user rights and actual usage, it is easy for the intruders to lurk undetected within the infrastructure, and manipulate privileges into gaining ever more – and more specific – access to the most sensitive and valuable corporate treasure chests.

How to minimize the damage from an APT

While there is little an organization can do to prevent being hacked, there is plenty the organization can do to make it difficult for hackers to get to their target, and to protect the data the hackers are trying to steal.

At the very top of the “What to do” list, is to ensure that no individual users have access to more data and systems than they need, and that the organization is able to respond quickly and effectively, by suspending compromised accounts, and locking down access the instant a breach is detected.

The organization needs to be able to:

  • Map all accounts and access rights and credentials to obtain visibility of data access
  • Identify the highly sensitive systems/data stores, and users that have access to these – users with access to e.g. SWIFT payment gateways or classified intellectual property
  • Detect anomalies in the account usage – if access credentials have been changed outside the governance controls, or other indications of compromise
  • Organize efficient incident response workflows and automation to respond quickly, by locking down compromised accounts or revoking access to classified systems and data stores
  • Cutting down the time required for forensics response with efficient workflows and reports that provide what the information forensics teams need, when analyzing the attack

All kinds of organizations are susceptible to attacks, and if IT security professionals do not adhere to the basic rules of how to secure an infrastructure, they are highly vulnerable in the event of a security breach. To minimize the damage from a security breach, and protect business critical data from being stolen, a multi-layered approach to security is required, at the base of which should be a good identity management strategy.

Rather than hurrying out to get the latest spectacular gadget to deter cyberattacks, you should focus on implementing good policies, procedures, tools and intelligence  – although less glamourous, these are the cornerstones of securing any IT infrastructure.

If you have questions or comments, feel free to drop me a line.

Santeri Kangas

Santeri Kangas_Omada CTO_hi res MG_7868About Santeri Kangas: Omada CTO Santeri Kangas has 25 years of experience in cybersecurity and cloud computing, and a commendable track record in building award-winning security software products for consumers, operators and enterprises.