When hackers recently breached the computer systems of the Bangladesh Central Bank and tried to steal nearly $1 billion from its account at the Federal Reserve Bank of New York, cyber security professionals gave it a now all too familiar label – that of an Advanced Persistent Threat (APT). Most of the attempted money transfer was blocked, but $81 million went missing – one of the largest cyber thefts in history.
The label was well placed as the heist had all the hallmarks of an APT. Forensics experts hired by the Bangladesh Bank indicated that attackers infiltrated the bank’s network and stole credentials for sending messages on the SWIFT international money transfer system. Following the hack, SWIFT advised the more than 3,000 global financial institutions in its network to make sure they are following recommended security practices.
The APT label has been used to categorize many of the big security incidents over the last few years. Pulling the term apart, you obviously have two distinct traits – advanced and persistent. At each stage of successful APTs these traits can be seen either in isolation or in unison. A combination of shrewdness, perseverance, and sophistication is at play, as the team behind the attack moves toward meeting its goals.
When cyber attackers target an organization, they look for the weakest element – often this is the people using the IT systems. For example, a phishing scam aims to manipulate human emotions. If the attackers are shrewd enough, they may convince their target to click on an attachment, for example a new bank statement. The chances of success are further increased by reconnaissance – would-be attackers spend many hours researching their targets to make their emails look credible. Emails often look official, but in reality can contain malicious code designed to gain a foothold in the network for the attackers. This can defeat even the best network defenses and firewalls.
Once attackers infiltrate a network, they look to gain the ability to learn and manipulate, often through very sophisticated malicious software designed to exploit unknown flaws in software applications or in security controls and processes. This seems to have been the case with the Bangladesh Bank.
Until quite recently, most security incidents given the APT label involved the theft of data, like the breach at insurance provider Anthem that resulted in social security information being stolen from 80 million people, or the similar breach at Home Depot that compromised 65 million emails. The hack at Target in late 2013 pilfered customer credit card information – costing the retailer $162 million. However, things do change. You may remember stories around this time about ATMs at some banks mysteriously spewing cash at random times. Those were the so-called Carbanak attacks. Recent reports suggest a Carbanak 2.0 may be surfacing. If the goal of APTs continues to evolve from data theft to immediate financial gain, we can expect more attacks on banks and financial institutions because, as the early 20th century bank robber Willie Sutton put it, “that’s where the money is.”
However, labeling something as an APT is not always a straightforward decision. An APT may originate with a nation state actor seeking to disrupt a perceived enemy’s defenses using a zero-day vulnerability. Or it may start with a simple phishing email. In this case, to be successful, the attacker must send many emails. That persistence can eventually pay off: with one or two clicks the thieves gain the bridgehead they need as their payload is delivered.
We live in a hyper-connected world. The explosion of social networks and online forums has created new opportunities for criminal activity as more and more people share personal details, likes and dislikes, contact information, and professional background. Banking, insurance, medical data, and other personal information exposed through well publicized data breaches are also available online. Today, criminal gangs can buy information and the necessary software and computing power on the Internet’s underground forums to launch an APT without having all the skills themselves. Thus, the plague of APTs is likely to always be with us – the threats they represent need to be treated as business as usual.
With such variation in how an APT is successfully executed, how then does a CISO prioritize where to focus efforts on defending the business? The decision making process has to start with a focus on risk: the specific risks to the organization and a good understanding of the threat landscape. The goal is to stop an APT before it can do real damage. Start from a prevention perspective. Slow down the attackers. Create as much friction for them as possible. But this alone is not enough – there is no one magic bullet for stopping an APT.
The key to mitigation therefore is rooted in the balance between three well-known security postures – prevention, detection, and response. By deploying detection capabilities that can find the underlying suspicious behaviors in their IT systems, companies can discover attackers before they have been able to do the damage they seek to do. This is required where prevention measures are not sufficient. Finally, an effective and efficient ability to respond is essential if early detection is to pay off. The balance between these three measures is unique to each organization – there is no one size fits all when it comes to business defense.