The ability of network defenders to tell a human-led attack from one driven by automated malware is crucial to defending against advanced persistent threats (APTs), according to US security firm HB Gary.
Spear-phishing makes up a tiny fraction of the spam consumers receive every day but has had a huge impact on enterprise security, according to the firm, which recently suffered an embarrassing data breach at the hands of hackers rallying under the Anonymous banner.
The company warned that organisations worried they might have fallen victim to the threat McAfee dubbed ShadyRAT should first be worried about spear-phishing aimed at their staff.
“In almost all cases we have investigated, spear-phishing was the initial point of infection,” wrote HB Gary’s CEO and co-founder, Greg Hoglund.
He claimed that a group called the "Comment Crew" was associated with the style of attack described in McAfee's recent ShadyRAT exposé.
“It is very clear that the hacking group is using stolen email to learn about their targets before crafting a very convincing email.”
Spear-phishing, in which a carefully targeted email persuades a specific person to open a malicious attachment or cough up their credentials, was the gateway that let the attacker "laterally move" through the target's systems once a first host had been compromised, he argued.
“This underscores why the recent spate of [SQL injection] attacks over the last few months pose a far greater threat than most people realise.”
An SQL injection flaw was also the vulnerability that allowed Anonymous supporters to compromise HB Gary's systems.
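The article names SQL injection as the flaw behind the HB Gary breach and as the source of the stolen email that feeds spear-phishing, but does not show what the bug looks like. The following is an added example, not code from the article or from HB Gary: a login query built by string interpolation beside the parameterised version, run against a constructed in-memory SQLite table. The table, user names and passwords are invented for the demonstration.

```python
import sqlite3

# Constructed sample accounts for the example (not real data).
USERS = [
    ("alice", "s3cret-alice", "alice@example.test"),
    ("bob", "s3cret-bob", "bob@example.test"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately injectable: user input is spliced into the SQL text,
    so a quote in the input becomes part of the statement's syntax."""
    sql = (
        "SELECT username, email FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, username, password):
    """Parameterised query: values travel separately from the statement,
    so the same input is compared as data and matches nothing."""
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # classic tautology injection
    print("vulnerable:", login_vulnerable(db, "x", payload))   # dumps every account
    print("hardened:  ", login_hardened(db, "x", payload))     # returns nothing
    print("legit:     ", login_hardened(db, "alice", "s3cret-alice"))
```

With the payload, the vulnerable statement becomes `... WHERE username = 'x' AND password = '' OR '1'='1'`; because AND binds tighter than OR, the trailing tautology is true for every row, and the attacker walks away with the user and email list that later fuels targeted mail. The hardened function sends the identical input as a bound value and returns no rows.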
Much like the compromise of security vendor RSA, which relied on an email carrying a rigged Excel file, the Comment Crew's multi-stage attack began with "droppers" delivered as email attachments. A dropper was "detonated" when a staff member opened the attachment; in doing so they unwittingly pulled a second, more potent backdoor onto the corporate network.
“Once the dropper has established a beachhead into the network, a hacker will access the host and uninstall the original backdoor, replacing it with a new and more powerful backdoor,” explained Hoglund.
The backdoor then connects outbound over TCP port 80 or 443, because most firewall policies allow outbound web traffic on those ports.
“Once the outbound connection is made, the attacker can use the established [Transmission Control Protocol] session to interact with the host, download tools, run command line programs, and laterally move about the network.”
The real problem for network defenders is telling whether an attack is driven by a human operator or by a machine. Human-led intrusions did not typically rely on software "packers", the wrappers designed to hide malware from antivirus engines.
Instead, a human operator interacts with the host, and that interaction leaves traces: last-access timestamps in the NTFS "master file table" show which files were touched, and the browsing history Internet Explorer keeps in its "index.dat" files records what was visited.
“This is a fast and easy way to discern the difference between a non-targeted external threat (into which over 80% of all adverse events fall) and external targeted attacks (of which APT is a part, probably less than 2% of all adverse events),” said Hoglund.
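The article describes two things a defender can look for: a backdoor calling out over 80 or 443 on a fixed schedule, and the file-system traces a hands-on operator leaves while that session is up (tools dropped, command-line programs run). The example below is added here and is not code from the article or from HB Gary. It works over constructed firewall connection records and a constructed MFT-style timeline, flags flows whose start times repeat at a near-constant interval, and then labels each such flow "interactive" when enough operator artifacts fall inside its active window. The host names, addresses, thresholds and the lists of staging directories and admin tools are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

TS = "%Y-%m-%d %H:%M:%S"


def ts(s):
    return datetime.strptime(s, TS)


# Constructed firewall records: (src_host, dst_ip, dst_port, start, end).
CONNS = [
    # WS01: steady 60 s cadence to one external address over 443
    ("WS01", "203.0.113.5", 443, "2011-08-10 10:00:00", "2011-08-10 10:00:02"),
    ("WS01", "203.0.113.5", 443, "2011-08-10 10:01:00", "2011-08-10 10:01:02"),
    ("WS01", "203.0.113.5", 443, "2011-08-10 10:02:00", "2011-08-10 10:02:03"),
    ("WS01", "203.0.113.5", 443, "2011-08-10 10:03:00", "2011-08-10 10:03:02"),
    ("WS01", "203.0.113.5", 443, "2011-08-10 10:04:00", "2011-08-10 10:04:02"),
    # WS02: steady 5 min cadence over 80, nothing else happening on the host
    ("WS02", "198.51.100.9", 80, "2011-08-10 09:00:00", "2011-08-10 09:00:01"),
    ("WS02", "198.51.100.9", 80, "2011-08-10 09:05:00", "2011-08-10 09:05:01"),
    ("WS02", "198.51.100.9", 80, "2011-08-10 09:10:00", "2011-08-10 09:10:01"),
    ("WS02", "198.51.100.9", 80, "2011-08-10 09:15:00", "2011-08-10 09:15:01"),
    # WS03: ordinary browsing, irregular intervals
    ("WS03", "192.0.2.80", 443, "2011-08-10 11:00:00", "2011-08-10 11:00:05"),
    ("WS03", "192.0.2.80", 443, "2011-08-10 11:00:10", "2011-08-10 11:00:12"),
    ("WS03", "192.0.2.80", 443, "2011-08-10 11:06:50", "2011-08-10 11:06:52"),
    ("WS03", "192.0.2.80", 443, "2011-08-10 11:07:25", "2011-08-10 11:07:27"),
]

# Constructed MFT-style timeline: (host, path, action, timestamp).
MFT = [
    ("WS01", "C:\\Windows\\Temp\\svc.exe", "created", "2011-08-10 10:01:30"),
    ("WS01", "C:\\Windows\\System32\\cmd.exe", "accessed", "2011-08-10 10:02:10"),
    ("WS01", "C:\\Windows\\System32\\net.exe", "accessed", "2011-08-10 10:02:40"),
    ("WS01", "C:\\Users\\alice\\report.docx", "accessed", "2011-08-10 10:03:15"),
    ("WS02", "C:\\Users\\bob\\budget.xlsx", "accessed", "2011-08-10 09:07:00"),
    ("WS03", "C:\\Windows\\System32\\cmd.exe", "accessed", "2011-08-10 08:30:00"),
]

# Assumed indicator lists: where dropped tools tend to land, and which
# built-in command-line programs an operator runs to move laterally.
STAGING_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
ADMIN_TOOLS = {"cmd.exe", "net.exe", "net1.exe", "psexec.exe", "wmic.exe", "reg.exe", "at.exe"}


def find_beacons(conns, ports=(80, 443), min_count=4, max_cv=0.1):
    """Return {(host, dst, port): (first_start, last_end, mean_interval_s)} for
    outbound flows on web ports whose start times repeat at a near-constant
    interval (coefficient of variation of the gaps at or below max_cv)."""
    by_flow = defaultdict(list)
    for host, dst, port, start, end in conns:
        if port in ports:
            by_flow[(host, dst, port)].append((ts(start), ts(end)))
    beacons = {}
    for key, times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            beacons[key] = (times[0][0], times[-1][1], m)
    return beacons


def operator_artifacts(mft, host, start, end):
    """File-system traces a hands-on operator leaves while the session is up:
    new files in staging directories (tools dropped) and last-access updates
    on command-line admin tools (commands run)."""
    hits = []
    for h, path, action, when in mft:
        t = ts(when)
        if h != host or not (start <= t <= end):
            continue
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if action == "created" and any(d in low for d in STAGING_DIRS):
            hits.append((when, "tool dropped", path))
        elif action == "accessed" and name in ADMIN_TOOLS:
            hits.append((when, "admin tool run", path))
    return hits


def classify(conns, mft, min_artifacts=2):
    """Label each beaconing flow 'interactive' when at least min_artifacts
    operator traces fall inside its active window, otherwise 'automated'."""
    result = {}
    for key, (start, end, interval) in find_beacons(conns).items():
        hits = operator_artifacts(mft, key[0], start, end)
        label = "interactive" if len(hits) >= min_artifacts else "automated"
        result[key] = (label, interval, hits)
    return result


if __name__ == "__main__":
    for (host, dst, port), (label, interval, hits) in classify(CONNS, MFT).items():
        print(f"{host} -> {dst}:{port} every {interval:.0f}s: {label}")
        for when, what, path in hits:
            print(f"    {when}  {what:15} {path}")
```

On the constructed data WS01 is reported as interactive (a tool dropped into the Temp directory, then cmd.exe and net.exe touched while the 443 channel is live), WS02 as an automated beacon with no operator traces, and WS03 is not reported at all because its connection gaps are irregular. The same logic applies to real firewall exports and MFT timelines once the column parsing is adapted; the thresholds are starting points, not tuned values.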