Yesterday, Fortinet released a new report on Advanced Persistent Threatsthe big, scary attacks that haunt the dreams of security wonks. The good news is that APTs and their tactics are still rare, but the bad news is that organizations need to do more to protect themselves.
"Companies still aren't getting the message about protecting themselves or mitigating the risks of APT," Fortinet 's security strategist Richard Henderson told SecurityWatch. "They're not doing a good enough job keeping their infrastructure patched and up to date."
APTs are perhaps the most methodical attacks out there, sometimes running for months or years. Fortinet 's report says, "an APT is typically stealthy, ongoing and intends to steal information that the attacker finds important." These multi-step attacks, like Flame and Stuxnet, are in sharp contrast to the scatter-shot approach of most attackers that are designed to reach as many victims as possible.
However, Fortinet reports that many APTs make use of known vulnerabilities, many of which may have been addressed in software updates. Despite this, Henderson explained that companies and even governmental organizations are still moving too slowly to patch their systems, worried that they'll break a piece of in-house infrastructure.
"They put these patches through exhaustive testing procedures," said Henderson. "Five or ten years ago that wasn't a big deal, but we're seeing criminals of all stripes rolling these [vulnerabilities] into their exploit kits as soon as they can get their hands on the data."
What's the Solution?
If sensitive information is properly controlled and encrypted, then even the scope of an APT attack could be greatly curtailed. "Well, if you can only focus on one thing [like encryption], you'll do a very good job of mitigating the chance of that data ever leaving your network."
That said, patching known security holes is vital. Henderson told SecurityWatch that organizations should not just apply patches "willy-nilly," but invest in the staff and the resources to stay secure. "If the patch was to interfere with something, that type of downtime could have huge financial impact," Henderson conceded. "But what's the cost of a penetration? Of cleaning up a data breach or a rampant malware attack?"
Henderson continued, "whenever there's a security patch, they really should be dropping everything to them into play as fast as they can."
The Bad Guys Are Catching On
Fortinet says that at least for now, nation states are the only groups with that can afford to use the methodical APT approach. Doing so requires patience, funding, and a staff of experts across a number of fields. This is in contrast with most cyberattacks, which usually focus on quick, money-making successes across a wide swath of victims.
"Joe Schmo hacker hasn't latched on to this idea," said Henderson. That said, Joe hacker is getting access to more advanced tools all the time, and the ideas from APTs are no doubt trickling down.
"Some of these guys have become very adept at following what other groups are doing and trying to roll those strategies into their own malware delivery mechanisms," said Henderson. "They're not there yet, but I would not be surprised to see a particularly intelligent group try to make money doing the same kind of things [as APTs]."
Henderson pointed to increasingly complex exploit kits with simple, point-and-hack interfaces. There's also a wealth of personal information on sites like LinkedIn and Facebook that are perfect for social engineering. "Open source intelligence could be a bigger deal than espionage, so why not start to take advantage of that?" Henderson asked.
While Henderson seemed broadly optimistic about the future of online security, even as attacks become more complex, his parting wisdom was a little bleak. "We're at the point where visiting a webpage will infect a machine," he said. "Treat every email in your inbox as suspectno matter what."
Image via Flickr user youngthousands.
0 comments:
Post a Comment