A tale of two hacks

There have been a lot of buzz around “advanced persistent threats” (APT) — Security professionals need to understand how the world of hacking has evolved into two major cyber attack varieties: industrialized hacking and APT. What’s the difference?

Industrialized Hacking

• Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today's cybercrime industry has similarly transformed and automated itself to improve efficiency, scalability, and profitability. The following describes key characteristics of industrialized attacks: It's ROI focused. All parties involved work to increase the bottom-line. Similar to the way a business works to maximize gain with as little investment as possible.
• It's automated. Botnets, armies of unknowingly enlisted computers controlled by hackers, scan and probe the web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware, and manipulate search engine results.
• It's not personal. Automated attacks do not target specific individuals. Rather, they target the masses, both enterprises and users using general selection criteria. For example, a botnet that drives mass SQL injection attacks or brute force password attacks will not discriminate between large or small organizations.
• It's multilayer. Each party involved in the hacking process has a unique role and uses a different financial model.

Common attack types include:

1.     Data theft or SQL injections., Data theft, considered the number one vulnerability in web applications, is commonly administered through SQL injection. Between January and June of 2009, IBM reported nearly 250,000 daily SQL injection attacks on websites around the world.  Imperva researchers reported the use and deployment of SQL injections as the top chat topic on hacker forums.  For example, the 2009 assault against Heartland Payment Systems, which resulted in 130 million dollars of lost records, was attributed to SQL injection.

2.     Business logic attacks. Recently, web application hackers have begun to develop attacks that target vulnerabilities in the business logic, rather than in the application code. Business logic attacks often remain undetected.  In fact, most business logic vulnerabilities are hard to anticipate and detect using automated test tools, such as static code analyzers, and vulnerability scanners. Often, attack traffic resembles normal application traffic. Attacks are usually not apparent from code and are too diverse to be expressed through generic vulnerability scanner tests.  A recent hack against Durex India highlights how this type of attack works.

3.     Denial of service attacks. This type of attack is usually executed as part of a blackmail scheme that forces application owners to pay a ransom to free their application from the invasion of useless traffic.  For instance, attackers will threaten to shut-down online gambling sites for a particular ransom.

 Advanced Persistent Threats

Advanced persistent threats (APT) are driven, usually, by government agencies, or their terrorist counterparts. Rarely are APTs led by political or commercial organizations.  However, in some cases, marginal threats do arise from obsessed individuals and legitimate commercial organizations.  The risk posed by criminal charges, if the attack is tracked to its source, is often too big for most individuals and commercial organizations. Just Imagine the implications if the coordinated attack "Operation Aurora" would have been traced back to large company like Microsoft or Oracle. Here are some key characteristics of APT attacks:

• It's controlled focused: APTs are focused on gaining control of crucial infrastructure, such as power grids and communication systems. APTs also target data comprised of intellectual property and sensitive national security information. Personal data, however, is of no interest. Surprisingly, APT hackers are not as concerned with costs or revenue. Thus large budgets may be thrown against individual targets with no "financial" justification. How can you quantify state security?
• It's very personal: The attacking party carefully selects targets based on political, commercial, and security interests.
• It's persistent: If the target shows resistance, the attacker will not leave, but rather change strategy and deploy a new type of attack against the same target. The attacker may also decide to shift from an external threat to an internal threat.
• It's automated on a small scale: Automation is used to enhance the power of an attack against a single target, not to launch broader, multi-target attacks.
• It's one layer. One party owns and controls all hacking roles and responsibilities. In fact, the most serious government organizations operate their own botnets (or at least take control of parts of botnets).

 Advanced Persistent Threats vs. Industrialization:  James Bond or Tony Soprano?

The industrialized hacker wants money but also wants to keep costs down using the "Tony Soprano" business model. If you have a web presence, you are a potential target for industrialized attacks.  You need to use timely updates on attack sources to quickly identify attackers. Since you can be attacked, even if you are a small organization, emphasis must be placed on easy management and operations, with protection against known vulnerabilities and common attack types, such as SQL Injection, XSS, and CSRF.   

• Advanced persistent threats, on the other hand, are much more sophisticated and require a "James Bond" cyber defense strategy to stop the Dr. No's. Consider yourself a target if you hold sensitive information beneficial to governments. Key characteristics include: .mil and .gov sites
• DoD contractors
• Infrastructure companies, including power and water
• Personal information of possible targets, such as the Chinese freedom of speech activists in the recent Google case

If you have identified an APT, then you need to collect and review audit information with regards to accessing sensitive assets.

In both cases, you should protect both your site and customers by using a rapid procedure of scanning for security vulnerabilities.  Additionally, deploying a web application firewall will provide you with a first and last line of defense.  Considering, however, the more "James Bond" nature of APTs, you may also need a powerful, fully customizable solution that integrates with vulnerability assessment technologies.