Anatomy of an Advanced Persistent Threat Attack

Published on October 10th, 2014

This post was added by Dr Simmons

What can banks learn from recent APT attacks on the retail industry?

The previous post of this blog series discussed the Federal Financial Institutions Examination Council (FFIEC) warning about imminent advanced persistent threat (APT) attacks on ATMs. Specifically, criminals might hack into banks' web-based ATM management systems, eliminate the cash withdrawal limits imposed on the ATMs and thereby steal all the cash stored in the ATMs.

Unlike the cybercrimes that banks have dealt with so far -- including numerous Trojans, DDoS attacks, and ATM skimming -- the attack that the FFIEC is warning about is far more advanced and very similar to the ongoing attacks on the retail industry. So in this post, we'll dissect recent APT attacks on the retail industry, which will yield valuable lessons and help us build better defense strategies against the cyber-age Pancho Villas and John Dillingers.


Anatomy of an advanced persistent threat attack

In an APT attack, the intruders break into a network, implant advanced malware, and sustain an indiscernible presence until they are able to siphon off the targeted data. Typically, an APT involves the following phases:

Target selection. Some attackers choose a victim first and research that party as if they were doing a PhD. Some simply go scouring the available sources on the Internet -- such as company websites, case studies, and employee resumes -- looking for companies that use IT systems that are exploitable or comfortable to work with. Others go hunting for accidental victims. For example, in 2007, hacker Albert Gonzalez went war-driving in search of organizations that had vulnerable WiFi networks, and he found his victim, retail giant T.J. Maxx.

Footprinting. Once the target is identified, the attackers use various kinds of surveying tools to create a blueprint of the target's IT infrastructure. Details about sites, network topology, domain, internal DNS and DHCP servers, internal IP address ranges, and any other exploitable ports or services are captured.

Malware engineering. Now that the attackers know their target's IT systems and exploitable vulnerabilities, they plan the attack. They engineer or procure the core and supplementary malware required to carry out the attack.

Initial breakthrough. Usually, the attackers phish the target company's employees into downloading the malware. Alternatively, they exploit zero-day vulnerabilities in the software used by the employees. For instance, attackers used Adobe ColdFusion's vulnerabilities to break into the networks of LaCie, the computer hardware manufacturer.

Capturing admin privileges. In almost all of the attacks, the hackers attempt to steal the local administrator credentials of the victim's computer (and eventually steal domain-level admin credentials), since some of their malware requires an admin-level operational context.
