Targeted attacks and zero-day attacks. Targeted attacks: a new word in the world of threats

How can targeted attacks be fought? Clearly a technological solution is needed, one that combines the best ideas for revealing unknown threats. But first let us talk about the term itself: what should be understood as a targeted attack, and how such attacks work.

Headlines like these appear every so often: "As a result of a targeted attack, criminals managed to steal two billion dollars from 40 banks and financial organizations around the world...", "...in 50 countries...", "...effective and competently deployed malware, designed for attacks on the SWIFT system, allowed cybercriminals to steal millions..." and so on, and so on.

Targeted attacks (also known as APTs) are a real scourge of our time, and more than one profitable business has already been built on defending against them. Look at any exhibition devoted to information security and you will see: for vendors, APT protection is now an important part of the offer, and for customers it is one of the pressing problems. Moreover, it is relevant not only for large businesses taught by bitter experience, but also for medium and small ones. If an attacker wants to reach a corporation, a small contractor may well become an intermediate target.

Not just words

Unfortunately, the terms "targeted attack" and "purposeful attack" are inaccurate. Why? Recall the classic definition of a computer attack: "A computer attack is a purposeful unauthorized action on..." Stop, that is already enough! It turns out that any attack has a target, not only a "targeted" one.

The distinguishing feature of targeted attacks is that the attacker actively and intelligently approaches the choice of entry point into a specific infrastructure, performs a long-term analysis of the information circulating in its components, and selects the data needed to gain access to valuable information.

I can hear the indignant cries from the audience: "People are losing money, and he is picking at definitions!" However, academic precision in describing the problem is of paramount importance for creating that very "silver bullet", the universal solution that Ivan Novikov wrote about.

Researchers have looked at only individual aspects of such attacks without conducting a comprehensive analysis of the problem. That is why the methods for detecting attacks and fighting them in an already compromised environment are far from perfect.

For example, many methods and security systems are based on static lists of patterns: rule bases for heuristic analysis, "white lists", signature databases and so on. Such lists are ineffective at identifying "non-standard" threats, whose authors try to hide their presence in the compromised infrastructure.

One method that satisfies various security standards and guarantees the absence of an intruder in the system is the creation and maintenance of a closed, trusted software and hardware environment. This very "paper security" supposedly makes compromise impossible at any stage.

Unfortunately, from a practical point of view this method is ineffective. Such environments are usually built on equipment and software from different vendors, developed at different times, with different update and support methods. It is impossible to verify every product for the absence of backdoors, and without that there is no trusted environment.

The second method of protecting valuable resources from targeted unauthorized access is based on physical isolation of the protected objects. It too is ineffective in real conditions. Even if all the side channels of communication that attackers could use to exfiltrate data are closed, the human factor remains. Quite often side channels are created by the very people who interact with the systems, whether intentionally or not.

The problem of detection

It is practically impossible to eliminate the risk of compromise entirely. Obviously, a system is needed that detects unknown attacks in an already compromised environment. This class of solutions is proudly called post-breach, and most often it addresses the task of response/mitigation, that is, reacting to what has already happened.

There are actually not many methods based on these principles for post-breach detection. One of them is the family of traps widely known as "honeypots".


A correctly deployed trap can effectively help reveal a targeted attack at a certain stage. But a classic honeypot is unlikely to help much in discovering the attacker's other points of presence.

Known approaches include adaptive deployment of trap systems and searching for anomalies in the functioning of system components. It would be good to have recommendations on how to choose the parameters of the deployed honeypots. How many fake workstations does the network need? What fake accounts should be created, and on which machines? Analyzing the resulting data is even harder. "OK Google, there was a fake login on our accountant's computer. What do we do now?"
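One answer to the "fake login on the accountant's computer" question is to treat decoy accounts as honeytokens: they have no legitimate use, so any logon attempt with one is a high-confidence alert, and the host it was used against, compared with the host where the credential was planted, shows whether the attacker has already moved. The script below is an added example, not part of the original column; the account names, host names, addresses and log lines are all constructed.

```python
"""Honeytoken (decoy account) alerting over Windows logon events.

Added example. Decoy accounts have no legitimate use, so any logon
attempt with one is a high-confidence signal. Event lines, account
names and host names below are constructed for the example.
"""
from dataclasses import dataclass
import re

# Decoy accounts and the host where each credential was deliberately
# planted (e.g. in a saved RDP profile). Constructed values.
DECOY_ACCOUNTS = {
    "svc_backup_old": "ACC-PC01",   # planted on the accountant's PC
    "adm_legacy": "FILESRV01",      # planted on the file server
}

# Constructed log lines in a minimal key=value form mimicking Windows
# security events 4624 (logon success) and 4625 (logon failure).
SAMPLE_EVENTS = """\
ts=2024-03-01T08:02:11 event=4624 user=ivanova host=ACC-PC01 src=10.0.5.21 logon=2
ts=2024-03-01T08:15:40 event=4624 user=svc_sql host=DB01 src=10.0.5.90 logon=5
ts=2024-03-01T09:41:03 event=4625 user=svc_backup_old host=FILESRV01 src=10.0.5.21 logon=3
ts=2024-03-01T09:41:05 event=4625 user=svc_backup_old host=DC01 src=10.0.5.21 logon=3
ts=2024-03-01T09:42:17 event=4624 user=adm_legacy host=FILESRV01 src=10.0.5.21 logon=10
ts=2024-03-01T10:05:00 event=4624 user=petrov host=HR-PC02 src=10.0.5.33 logon=2
"""

EVENT_RE = re.compile(
    r"ts=(?P<ts>\S+) event=(?P<event>\d+) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) src=(?P<src>\S+) logon=(?P<logon>\d+)"
)


@dataclass
class Alert:
    ts: str
    user: str
    host: str          # host the decoy was used against
    src: str           # where the attempt came from
    outcome: str       # "success" or "failure"
    planted_on: str    # host where the decoy credential was left
    moved: bool        # True if used somewhere other than planted_on


def parse_events(text):
    """Parse key=value lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_decoy_usage(events, decoys=DECOY_ACCOUNTS):
    """One Alert per logon attempt (4624 or 4625) with a decoy account.

    Failures count too: the attacker already knows the user name, which
    means the host where it was planted has been looked through.
    """
    decoy_map = {name.lower(): host for name, host in decoys.items()}
    alerts = []
    for e in events:
        planted = decoy_map.get(e["user"].lower())
        if planted is None:
            continue
        alerts.append(Alert(
            ts=e["ts"], user=e["user"], host=e["host"], src=e["src"],
            outcome="success" if e["event"] == "4624" else "failure",
            planted_on=planted,
            moved=e["host"].upper() != planted.upper(),
        ))
    return alerts


def suspected_sources(alerts):
    """Addresses that touched any decoy: the first place to look for the
    attacker's point of presence (here it is the accountant's own PC)."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    found = detect_decoy_usage(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a.ts} decoy {a.user} {a.outcome} on {a.host} from {a.src}"
              f" (planted on {a.planted_on}, moved={a.moved})")
    print("suspected sources:", suspected_sources(found))
```

In the constructed data, the source 10.0.5.21 is the address the accountant logged on from, so the decoys point straight at the compromised workstation and at the attacker's attempts against the file server and domain controller.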

Invisible ≠ supernatural

To avoid terminological confusion, I propose the term "invisible computer attack". It can include the properties of targeted attacks, but is not limited to them. An invisible computer attack is a continuous, purposeful unauthorized action carried out with software or software-and-hardware tools whose operating parameters do not allow the attacked party's security solutions to detect it in real time.

Sounds complicated? In fact, it all comes down to three key features: continuity, purposefulness and non-triviality.

Continuity is the characteristic that defines the time interval during which unauthorized access to the resource, or influence on it, takes place. In particular, targeted attacks are characterized by long-term control of points of presence within the information system.

Purposefulness is the characteristic that defines the degree of manual work on the attacker's side in implementing the unauthorized access, and the attacker's awareness of the individual features of the target infrastructure.

Non-triviality for attack detection systems is the characteristic that indicates how difficult it is for the attacked party's own systems to detect this class of attacks. It is tied to purposefulness. This is the key characteristic for evaluating the effectiveness of defensive methods and systems.

Life cycle of an attack

Any cyberattack can be divided into stages, with names that came to us from the academic literature. Each stage has its own strategies and implementation methods. And for each stage, preventive approaches and elimination strategies must be applied.



Let us look at examples of each stage of the attack life cycle and illustrate the strategy for carrying out each stage. We will call the attacker Vasyl.


Keep in mind that these scenarios are only one particular case out of the variety of tactics and tools an attacker can use.

Reconnaissance, preparation

During reconnaissance, Vasyl tries to find entry points into the target infrastructure. For this he uses his web crawler scanner, which has scanned the victim's public web application.

In addition, Vasyl analyzes search engine results, looking for exploitable resources whose IP addresses fall within the target organization's address range.

Vasyl finds the social-network profiles of a number of employees and their corporate email addresses. Based on the data obtained, Vasyl prepares the following plan of action:

  1. Try to compromise the workstations of the identified employees.
  2. If that fails, Vasyl will try to use public exploits to attack the organization's Internet-facing servers, as well as the Wi-Fi routers in the company's offices.
  3. In parallel with the first two steps, Vasyl will look for vulnerabilities in the public web application, assuming that compromising the application will give him access to the internal infrastructure.

To carry all this out, Vasyl prepares the text of an email with attachments for the employees, adapts known exploits, and also launches a password-guessing attack against the administrative interface of the discovered web resource.

Delivery, exploitation, establishing a foothold

Which of the steps has a better chance of success? Perhaps, if you ask consulting companies, they will tell you it is the web application. Or you may guess at the human factor and the staff's lack of security awareness and assume that the phishing email with attachments will get through. But Vasyl does not care what you think, because he is already sitting with a laptop in the company's office and checking for connections from its employees' mobile devices.

One way or another, the outcome of this stage is a callback from the downloaded malicious code to a server that Vasyl controls.

Action

This is where it all really begins. In fact, it often turns out that the intruder conducts a whole special operation and creates new points of presence in order to secure permanent control (persistence). He will have to conduct reconnaissance inside the compromised infrastructure and move towards the valuable resources. This is called lateral movement: access to the accountant's computer is unlikely to satisfy Vasyl's customer, who wants the company's intellectual property. And finally he will need to carry out an unnoticed withdrawal of the data (exfiltration).

Countermeasures

Of course, the countermeasure stage can begin earlier, not only after all the described stages. But sometimes it happens that Vasyl is caught only after the valuable data is already gone. In most cases this is due not only to the incompetence of the defending side. It is simply that Vasyl had enough time to study the victim, first of all what active defenses it had, and he was well aware of all the systems behind them. There are many such Vasyls, and some of them are well known in narrow circles.

For the reasons described above, we will try to learn about Vasyl before he completes all the stages of his attack. To do that, we need to learn to recognize him as soon as he appears in our infrastructure. I will devote the next issue of my column to exactly that.

03/29/2013, Fri, 13:03, Moscow time

The malware used in advanced persistent threats (APT) is constantly improving. It can now penetrate networks covertly, often riding in on mobile workstations and removable media. Today, when workplaces are becoming more mobile and slipping out of the control of the corporate IT security infrastructure, the problem is only getting worse.

An example of such a threat is the Flame worm, a new cyberweapon that attacked the Iranian energy sector and is now spreading across the Middle East. Flame is a sophisticated program, described by Kaspersky Lab specialists as "one of the most complex threats of all time". Although Flame was intended to sabotage Iran's nuclear program, it gives experts no peace, because it has since spread beyond its intended infrastructure and is infecting corporate systems around the world.

Its predecessor was the Stuxnet virus, written specifically to infect and disrupt the supervisory control and data acquisition (SCADA) systems that ran the Iranian centrifuges for enriching uranium. The success of this malware exceeded its creators' expectations: the installation went into an uncontrolled operating mode, heading for self-destruction. Unfortunately, Stuxnet also escaped the target facilities in Iran and began infecting SCADA systems in Germany, and then in other parts of the world.

Both Flame and Stuxnet are considered advanced targeted threats. This is a new generation of cyberweapons under the control of governments, terrorists and well-funded cybercrime syndicates. These large programs are equipped with numerous functions for concealing their activity and are aimed at the theft of intellectual property, plans of military organizations and other valuable corporate assets.

However, the victims of this war will most likely be medium and small enterprises, caught in the crossfire because they cannot afford a comprehensive security infrastructure against attacks on endpoints. Gone are the days when medium and small companies could enjoy relative anonymity or save on security costs. Advanced targeted threats and zero-day attacks are becoming ubiquitous and merciless.

The evolution of threats

Previously, threats were mass-distributed, usually by email. The victim was lured into the trap with a phishing message supposedly sent by a foreign financier or a long-lost relative. Although these threats were potentially dangerous, they spread indiscriminately. Moreover, they could be detected and stopped with basic security tools. Such attacks still travel the Internet today. However, the sophistication of threats has recently grown significantly: advanced targeted threats and "zero-day" attacks are increasingly common, and they cause fear and unease among users.

In recent years, the most significant attacks using advanced targeted threats have followed the best-known scenarios. Operation Aurora: during this attack on Google, Chinese hackers exploited a vulnerability in Windows Internet Explorer and stole source code and other intellectual property from Google and about 30 other global corporations.

Attack on RSA. Through this 2011 attack, which compromised the company's flagship product, the SecurID tokens whose reliability the security vendor prided itself on, cybercriminals were able to reach the systems of US military contractors: Lockheed Martin, Northrop Grumman and L3 Communications.

Oak Ridge National Laboratory. This Department of Energy laboratory had to be taken offline when administrators discovered that, as a result of a phishing attack, confidential data had been taken from a server.

GhostNet. This cyber-espionage network, made up of 1,295 infected computers in 103 countries, targeted the Tibetan independence movement as well as large organizations, including ministries and embassies.

ShadyRAT. Within this high-profile campaign, many breaches were recorded among government bodies, non-profit organizations and large enterprises in 14 countries; in total, 70 organizations were affected.

Basic features

These days advanced targeted threats and "zero-day" attacks are talked about everywhere and widely covered in the media. But what are they, and how do they differ from threats such as Trojans or worms?

It can be said that these are not typical amateur attacks. The name itself says clearly that these threats are based on advanced technologies and use many methods and vectors for targeted attacks on specific organizations, with the aim of obtaining confidential and secret information.

The creators of advanced targeted threats differ greatly from authors of threats like script kiddies who launch SQL injection attacks, or the average malware author who builds a botnet and sells it to the highest bidder. Such advanced threats are usually planned by large organized syndicates that have a team of experts at their disposal and numerous technologies for collecting intelligence. Since these threats act step by step, without attracting attention, and carefully conceal their activity, they are increasingly favoured by cybercriminals, government-sponsored hackers, terrorists and criminal syndicates.

How it works

When carrying out advanced targeted threats, cybercriminals use sophisticated programs for stealing personal information, which also help prepare the next stage of the attack. Individually tailored social-engineering techniques are used as well, aimed at getting into the organization through its weakest point: the end user.

At the first stage of the attack, specific individuals are targeted in order to gain access to the required accounts. The emails are crafted so that they appear to come from the HR department or another trusted source. One careless click of the mouse on such an email, and cybercriminals gain free access to the organization's most important information, while the user suspects nothing. Having gained access to the system, the advanced targeted threat installs various Trojans, viruses and other malware. They infect the network and create numerous "holes" that can remain undetected for a long time on workstations and servers. All this time the threat moves unnoticed from one computer to the next in search of its target.

Zero-day exploit

The favourite tool of advanced targeted threats is invariably "zero-day" exploits. The name reflects the essence well: these threats exploit vulnerabilities in software before the vendor fixes them, or even learns of them. Thus less than one day, "zero days", passes between the first attack and a fix. As a result, cybercriminals gain complete freedom. Unafraid of punishment, they use attacks against which there is no defense yet.

Malware that exploits "zero-day" vulnerabilities can cause an organization serious harm unnoticed. It is aimed at stealing protected information, such as source code, intellectual property, plans of military organizations, defense secrets and other state secrets, and is used in espionage. When the organization learns about the attack, it becomes a waking nightmare for the public relations department. The costs run into millions: it is necessary not only to audit the security infrastructure, but also to pay legal costs and deal with the loss of customers. Not to mention how much effort, time and money goes into restoring reputation and customer trust.

Advanced targeted threats and "zero-day" exploits are by no means new phenomena. They were in use for years before these terms entered the jargon of security specialists. Even now many organizations do not even suspect that they became victims of a "zero-day" attack months (and sometimes years) ago. According to Verizon's data breach report, 44% of such breaches involving intellectual property are discovered only after several years.

An illustrative example: according to a story published by the Christian Science Monitor, back in 2008 three oil companies, ExxonMobil, Marathon Oil and ConocoPhillips, became victims of cyberattacks carried out using advanced targeted threats. In the course of the attacks (probably of Chinese origin), cybercriminals got hold of servers with critically important information about the quantity, value and distribution of oil deposits around the world. The companies learned of the attack only after the FBI informed them that confidential information had been stolen from them.

By 2011, advanced targeted threats had rightly taken one of the first places among the most serious security threats. Companies such as Sony, Epsilon, HBGary and DigiNotar suffered heavy losses because of them. Not to mention RSA, which lost about 40 million one-time-password files for its electronic tokens. In total, the breach of RSA's security systems cost the company approximately $66 million, while Sony's losses from the loss of 100 million records amounted to $170 million.

By the end of 2011, no fewer than 535 data breaches had been recorded, in which 30.4 million records were lost. Many companies fell victim to a series of high-profile attacks that year, according to Privacy Rights Clearinghouse. And this is only a small part of the damage, since thousands of breaches of security systems are never detected or never disclosed.

It is possible and necessary to defend against advanced targeted threats. You can read about the methods of defense in the article "Advanced targeted threats: reliable protection".

For those who do not know what a "targeted" attack is, I offer a hint :)

A targeted attack is a continuous process of unauthorized activity in the infrastructure of the attacked system, remotely controlled by hand in real time.

In my definition, I draw your attention to the following points:
1) First, it is a process: an activity extended in time, an operation, not just a one-time technical action.
2) Second, the process is designed to work within a specific infrastructure, to bypass specific security mechanisms and products, and to involve specific employees.

It is worth noting the difference from the mass distribution of standard malware, where the attackers have a different goal: essentially, taking control of an endpoint. A targeted attack, by contrast, is built around a specific victim.

The figure above shows the phases of a targeted attack, which make up its life cycle. Let me briefly formulate the main purpose of each:

  1. Preparation. The main task of the first phase is to find the target, collect detailed private information about it, and use that to reveal weak spots in the infrastructure; to build an attack strategy; and to obtain previously created tools available on the black market or develop the necessary ones independently. Usually the planned penetration steps are thoroughly tested, in particular for non-detection by standard information-protection tools.
  2. Penetration. The active phase of the targeted attack, which uses various social-engineering techniques and zero-day vulnerabilities for the initial infection, after which internal reconnaissance is carried out. Once reconnaissance is complete and the infected host (server/workstation) is identified, additional code can be loaded on the attacker's command through the control center.
  3. Spreading. The phase of establishing a foothold inside the infrastructure, primarily on the victim's key machines. Control is extended as widely as possible, with the version of the malicious code corrected as needed through the control center.
  4. Achieving the goal. The key phase of the targeted attack.

To study computer attacks, a virtual stand was set up for carrying out computer attacks on elements of an information and telecommunication network.

This stand (test range) consists of:

1. A model of the open segment of the information and telecommunication network;

2. A model of the closed segment of the information and telecommunication network.

The modeled network is made up of various components.

The hosts of the open segment (PC1-PC7) are connected into a single network through a Cisco 3745 router (c3745). Within the subnets, the hosts are joined into a data network by a switch (SW1). In this scheme the switch only forwards data from one port to another based on the information carried in the packet as it arrived from the router.

Crypto-routers are installed in the closed segment of the network to encrypt the data packets leaving the closed segment for their destination. If an attacker gets hold of these packets, he cannot extract the original information from them.

The attacked object is a Windows XP machine that is part of the open segment of the information and telecommunication network. This system is connected to the "real network" exit with the IP address 192.168.8.101.

Now we can proceed to exploring the local network in order to identify the elements of the computer network for further exploitation. We will use Netdiscover.

To identify possible vulnerabilities in the attacked network, we scan it with the network exploration and security auditing utility Nmap ("Network Mapper").

During the scan we found that the system has open ports that represent potential vulnerabilities.
For example, 445/TCP MICROSOFT-DS is used in Microsoft Windows 2000 and later versions for direct TCP/IP access without NetBIOS (e.g. Active Directory). This is the port we will use to gain access to the system.

Now we launch the attack using Metasploit. This tool allows you to simulate a network attack and identify system vulnerabilities, check the effectiveness of IDS/IPS, or develop new exploits, producing a detailed report.


The exploit works, but we need to specify what should happen after the exploit runs. For this a shellcode payload is used, which is delivered together with the exploit and gives us access to the command shell of the computer system.

In LHOST we specify the IP address of the system from which the attack is launched.
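From the defender's side, the Netdiscover and Nmap steps against the lab victim, followed by the connection to 445/TCP, leave a characteristic trace in the gateway's connection log: one source touching many ports on one host within seconds, then returning to a sensitive port after the sweep. The detector below is an added example, not part of the lab write-up; the log format, the firewall name and the scanning address 192.168.8.50 are constructed, and only the victim address 192.168.8.101 comes from the text.

```python
"""Port-sweep (reconnaissance) and follow-up SMB connection detection.

Added example. Log lines, the gateway name and the scanning address are
constructed; the victim address 192.168.8.101 is the lab host from the
text. A sweep is a source contacting many distinct ports on one host
inside a short window; a later connection from the same source to a
sensitive port (445/TCP) on that host is flagged as a likely attempt
at exploitation, the point at which an IPS rule or a host firewall
block is still cheap.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed gateway log: one line per TCP SYN observed.
SAMPLE_LOG = """\
2024-03-01T10:00:01 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=21
2024-03-01T10:00:01 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=22
2024-03-01T10:00:02 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=23
2024-03-01T10:00:02 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=25
2024-03-01T10:00:02 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=80
2024-03-01T10:00:03 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=135
2024-03-01T10:00:03 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=139
2024-03-01T10:00:03 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=445
2024-03-01T10:00:04 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=3389
2024-03-01T10:00:04 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=8080
2024-03-01T10:00:30 fw CONN src=192.168.8.20 dst=192.168.8.101 proto=tcp dport=445
2024-03-01T10:00:31 fw CONN src=192.168.8.20 dst=192.168.8.102 proto=tcp dport=445
2024-03-01T10:07:45 fw CONN src=192.168.8.50 dst=192.168.8.101 proto=tcp dport=445
2024-03-01T11:30:00 fw CONN src=192.168.8.20 dst=192.168.8.101 proto=tcp dport=80
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+) \S+ CONN src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=tcp dport=(?P<dport>\d+)$"
)


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass
class Sweep:
    first: datetime   # start of the sweep
    last: datetime    # last connection that was still part of the sweep
    ports: set        # distinct ports touched


def parse_log(text):
    """Parse the constructed log format; unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            conns.append(Conn(datetime.fromisoformat(m["ts"]), m["src"],
                              m["dst"], int(m["dport"])))
    return conns


def detect_port_sweeps(conns, threshold=8, window=timedelta(seconds=60)):
    """{(src, dst): Sweep} for sources that hit >= threshold distinct
    ports on one destination within `window` (sliding over time)."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
    sweeps = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda c: c.ts)
        in_window = Counter()      # port -> connections inside the window
        start = 0
        for c in evs:
            in_window[c.dport] += 1
            while c.ts - evs[start].ts > window:   # drop old entries
                old = evs[start].dport
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                if pair not in sweeps:
                    sweeps[pair] = Sweep(evs[start].ts, c.ts, set(in_window))
                else:
                    sweeps[pair].last = c.ts
                    sweeps[pair].ports |= set(in_window)
    return sweeps


def followup_connections(conns, sweeps, sensitive_ports=frozenset({445})):
    """Connections from a sweeping source to a sensitive port on the swept
    host after the sweep ended: the scan-then-exploit pattern."""
    return [c for c in conns
            if (c.src, c.dst) in sweeps and c.dport in sensitive_ports
            and c.ts > sweeps[(c.src, c.dst)].last]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    found = detect_port_sweeps(log)
    for (src, dst), s in found.items():
        print(f"sweep {src} -> {dst}: {len(s.ports)} ports, {s.first} .. {s.last}")
    for c in followup_connections(log, found):
        print(f"follow-up {c.src} -> {c.dst}:{c.dport} at {c.ts}")
```

The legitimate client 192.168.8.20 in the constructed data also talks to 445/TCP, but never sweeps ports, so it is not flagged; the threshold and window are the knobs to tune against real traffic.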

The main trend of recent years has been the shift of emphasis from mass attacks to targeted ones, aimed at a specific company, organization or government body. And resisting them is not easy, although it is possible.

Traditional mass virus epidemics are acts of banal vandalism which, generally speaking, bring no material dividends. Only dubious fame, which does not last long and most often ends in arrest and a long prison term. Targeted attacks are another matter. Here, cyberattacks are used either for direct theft of money or of information that is easy to monetize, for example payment card details or personal data, for which a black market has long existed.

Competitors can also be behind targeted attacks. In this way one can obtain know-how, information about projects in preparation and new products, and other business-critical information. True, such information can be obtained in other ways, for example with the help of disloyal employees. However, a targeted attack is often less cumbersome organizationally and takes less time, and its material cost may be lower.

Such tools are also of great practical interest to intelligence services. This category is the most capable and dangerous, since its actions most likely have no direct material motive, while at the same time it can have significant resources and qualified personnel, both its own and hired. Incidentally, behind the loudest incident of recent times, the major attack on Sony Pictures, were precisely hired hackers. Reporters of the infamous British tabloid News of the World also resorted to the services of cybercriminals, and paid the price for it.

Also, the target of hacktivists and cyber-spies can be not only information but also various dispatching systems and key facilities, an attack on which can cause large-scale damage. The same facilities can become targets of terrorist attacks.

As a result, according to the global survey conducted by the consulting and audit company PricewaterhouseCoopers (PwC), risks related to cyberattacks have consistently been in the top five since 2012. Likewise, such threats are named as one of the main obstacles to business growth, since security departments often block the implementation of new critical IT systems because of their possible susceptibility to cyberattacks. The same PwC survey recorded an increase in targeted cyberattacks, which accounted for 60% of the total number of attacks. The average cost of a cyberattack on a company, according to the "2014 Cost of Cyber Crime Study" conducted by the Ponemon Institute and presented in the fall of 2014, amounted to 2.3 million dollars.

The main targets of cyberattacks are large companies. They have significant funds or liquid information that is easy to monetize. The very fact of a breach can be the subject of blackmail, since the regulatory and reputational risks, and the fines that accompany them, can be greater, sometimes many times greater, than the costs associated with the theft itself. Such breaches can also become a public display of all kinds of dirty laundry, as with Sony Pictures or the victims of the News of the World reporters' intrusions. Small businesses often simply do not process card payments themselves and do not handle large volumes of personal data.

The sectors most prone to attack are the fuel and energy complex, telecommunications, high technology and the military-industrial complex. There it is easier to steal from a competitor than to create an analogue of a successful product from scratch.

Targeted attack. How it is waged

It all comes down to the attacker gaining control over some device inside the company's network and getting access to business applications and/or file servers. Then the attacker needs to collect the required information and pass it outside, without raising suspicion.

As a rule, remotely controlled PCs or servers are used for such purposes. But first one needs to find where the required information lives in the corporate network. Therefore, either preliminary reconnaissance or the presence of an insider is required. For example, it is necessary to know which platform the company's corporate information system that is to be attacked is built on. The procedure for retrieving the necessary information from systems based on 1C, SAP, Oracle and Microsoft differs significantly.

Also, the collection of many categories of information has been fully automated. Such tools are very popular, since the staffing problem among criminals is even more acute. Control over many botnets allows them to be configured not only for sending spam or DDoS attacks, but also for collecting various categories of data (banking details, or authentication data for remote banking systems). Moreover, botnet clients can be extended according to the customer's needs for a fee, albeit a considerable one. For example, the author of one "popular" banking Trojan charged about 2,000 dollars for extending his program.

The technique for using malware is also quite simple, although it changes from time to time. Previously, users simply opened attached files, but corporate mail servers now block attachments. But there are other methods. For example, luring the user to an infected page. Preparing it takes minutes. Recently it has become more popular to use documents in Microsoft Office or Adobe PDF formats as containers. In Russian conditions, the established traditions of working with email help the attacker. In addition, bots themselves automatically infect PCs en masse, including corporate ones. For this, all sorts of vulnerabilities in software are used. As a 2014 study by HP showed, 70% of corporate software contains vulnerabilities. Even more often, malware gets in through public unprotected Wi-Fi networks to which people connect their work laptops.

Sometimes, insults come and combine. If the evil-doers realize that their bot having consumed a merezha, for example, a jar of loose merezha, a remote control system will be installed on the infected computer, and those who do not allow the bot to be exploited will be carried out.

Є ways to get into the mesh, vikoristovuyuchi іnshі outbuildings, for example, printers, multifunction printers, deyakі see merezha obladnannya. In these firmwares, there are also inconsistencies, often serious, and with these firmwares, they are significantly upgraded, lower operating systems on work stations and servers, and the same chimes are corrupted. And IT personnel often, as it is called, cannot get their hands on the tight fencing of the lace possession. So you can often send a switch, a router, or a wireless access point, so you can’t change the factory password, which is good. If passwords are changed, then it is often not a problem for attackers. So, hacking the WEP protocol borrows a lot of information on smartphones. And such a vicorist itself is rich, including Russian trade merezhi for the defense of its non-dart nets. Methods have appeared for the evil and more encrypted WPA protocol, but the process can take a year.

One can know for help with wardriving. This method can take a lot of time, but at the same time it is cheap and simple with the Vikonan. The very same was carried out by many evils of the American retail trades of Target and TJX, in the course of which dozens of millions of credit cards were compromised, and billions of dollars were exchanged. But again, I still need to know well, where to know the necessary information.

Also, according to PwC, the number of incidents related to the activities of the leading companies is growing at a faster pace. Vtіm, sing tse pov'azano z tim, scho rіven zakhistu at zvnіshnіh podryadnіv significantly lower, nіzh evil-doers often koristuyutsya. Buvaє and so, scho change names in the information system to make retailers, like staff, so and ovnishnі. As a rule, there is a regular exchange of penny sums (however small) for the accounts of evildoers. But this kind of vipadkas do not trap very often.

How to show attacks and resist them

As it has already been said above, traditionally protect yourself, persh for everything, antiviruses and intermediary screens are of little effect against the shkidlivy PZ, as if victorious in the course of strong attacks. Also, there are a lot of practitioners in the information security area to recommend that the attack is already on the way.

As a rule, the very fact of an attack is shown as a result of atypical fencing activity. For example, if the network traffic was covered by a rapt for an unclear reason, that led to a significant increase in the operator's traffic. But it appeared that the streams of tribute were going to the country, for sure, there weren’t any happy post-employees, buyers, patrons, partners.
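The two warning signs just described, a sudden rise in outbound volume and data leaving for a country where the company has no business, can be turned into a simple correlation rule. The following Python is an added example, not code from the article or from any product it names; the flow records, IP addresses and the "business footprint" country list are constructed for illustration.

```python
"""Added example (not from the article): flag the two signs described
above in constructed NetFlow-style records, the way a SIEM rule would."""
from collections import defaultdict
from statistics import median

# Countries where the company has employees, customers or partners.
# Hypothetical footprint for this example.
BUSINESS_FOOTPRINT = {"UA", "PL", "DE"}

# Constructed flow records: (day, src_ip, dst_ip, dst_country, bytes_out).
# Five ordinary days, then a workstation pushing 3 GB to a host in "ZZ",
# a placeholder country code outside the footprint.
FLOWS = [
    ("2015-03-01", "10.0.5.21", "185.0.0.10", "DE", 120_000_000),
    ("2015-03-01", "10.0.5.22", "91.0.0.5", "PL", 80_000_000),
    ("2015-03-02", "10.0.5.21", "185.0.0.10", "DE", 130_000_000),
    ("2015-03-02", "10.0.5.23", "77.0.0.9", "UA", 90_000_000),
    ("2015-03-03", "10.0.5.21", "185.0.0.10", "DE", 110_000_000),
    ("2015-03-03", "10.0.5.22", "91.0.0.5", "PL", 85_000_000),
    ("2015-03-04", "10.0.5.21", "185.0.0.10", "DE", 125_000_000),
    ("2015-03-04", "10.0.5.23", "77.0.0.9", "UA", 95_000_000),
    ("2015-03-05", "10.0.5.21", "185.0.0.10", "DE", 115_000_000),
    ("2015-03-05", "10.0.5.22", "91.0.0.5", "PL", 90_000_000),
    ("2015-03-06", "10.0.5.21", "185.0.0.10", "DE", 120_000_000),
    ("2015-03-06", "10.0.5.40", "203.0.113.7", "ZZ", 3_000_000_000),
]

# Threshold for a single destination to count as a bulk transfer (assumed).
BULK_BYTES = 10_000_000


def daily_totals(flows):
    """Total outbound bytes per day, in chronological order."""
    totals = defaultdict(int)
    for day, _src, _dst, _country, nbytes in flows:
        totals[day] += nbytes
    return dict(sorted(totals.items()))


def volume_spikes(flows, factor=3.0, min_history=3):
    """Days whose outbound volume exceeds `factor` times the median of all
    earlier days. A median baseline is not skewed by a single bad day."""
    totals = daily_totals(flows)
    days = list(totals)
    spikes = []
    for i, day in enumerate(days):
        if i < min_history:      # not enough history for a baseline yet
            continue
        baseline = median(totals[d] for d in days[:i])
        if totals[day] > factor * baseline:
            spikes.append((day, totals[day], baseline))
    return spikes


def foreign_destinations(flows, footprint=BUSINESS_FOOTPRINT, min_bytes=BULK_BYTES):
    """Bulk transfers to countries where the company has no business,
    aggregated per (src, dst, country) over the whole window."""
    agg = defaultdict(int)
    for _day, src, dst, country, nbytes in flows:
        if country not in footprint:
            agg[(src, dst, country)] += nbytes
    return [(key, total) for key, total in agg.items() if total >= min_bytes]


def correlate(flows, footprint=BUSINESS_FOOTPRINT):
    """SIEM-style correlation: a bulk transfer to an unexpected country is
    medium severity on its own; on a day that is also a volume spike it is high."""
    spike_days = {day for day, _total, _base in volume_spikes(flows)}
    alerts = []
    for day, src, dst, country, nbytes in flows:
        if country not in footprint and nbytes >= BULK_BYTES:
            alerts.append({"day": day, "src": src, "dst": dst, "country": country,
                           "bytes": nbytes,
                           "severity": "high" if day in spike_days else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(FLOWS):
        print(alert)
```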

Obviously, one should not rely on staff noticing such a fact and attributing it to malicious activity. But protection tools of classes such as intrusion detection and prevention systems (IDS/IPS) or event monitoring and correlation systems (SIEM) can detect it. As the "2014 Cost of Cyber Crime Study" showed, companies that managed to do so saved 5.3 million dollars in expenses thanks to greater efficiency.

It is important that both IDS/IPS and SIEM systems exist with open source code, whose licensing costs nothing. All that is needed is a dedicated server, and they also run well in virtual environments. Also remember that the delivery set of most software and hardware firewalls on the market includes IDS/IPS systems whose capabilities are entirely sufficient.

So the entry threshold is not that high. The flip side, however, is the need for careful configuration, which moreover has to be updated regularly. This requires good knowledge of one's own infrastructure. But the same applies in full to commercial systems. Incidentally, the Habrahabr portal ran an informal test of open-source IDS/IPS systems "out of the box". The result was instructive: in the best case the systems missed half of the attacks, and those were ordinary scenarios (http://habrahabr.ru/company/it/blog/209714/).

For a SIEM system it is also important to store logs for long periods, which often causes problems. They reach large volumes (up to tens of gigabytes per working day), and capacity is never enough. Plus, again, the need for proper configuration by a qualified specialist.

There are also specialized products aimed specifically at combating targeted attacks, found in the arsenals of a number of vendors, including BlueCoat, CheckPoint and InfoWatch. However, this is still a young class of software with many "childhood diseases", and it should be used with caution.

It is also necessary to conduct penetration tests regularly, and in conditions as close to real ones as possible. Only in this way can the potential "holes" in the defenses that criminals could use be found.

The most important thing is raising staff awareness. Employees need to be told regularly which methods criminals use, as happened in specific incidents. The fewer the people who could potentially take the criminals' bait, the better.

VENIAMIN LEVTSOV, Vice President, Head of the Corporate Division of Kaspersky Lab
NIKOLAY DEMIDOV, technical consultant for information security at Kaspersky Lab

Anatomy of a targeted attack
Part 1

Every year organizations improve their business tools, implement new solutions and, at the same time, make their IT infrastructure more complex. Nowadays, if a company's mail server freezes, important information is wiped from a workstation, or the automated system that generates invoices for payment fails, business processes simply stop.

Given the growing dependence on automated systems, business is also ready to do more and more about information security. Moreover, the way the IS system is built depends on the situation in each particular organization, on the incidents that have occurred and the convictions of specific employees, and it often forms "from the bottom up", from individual IS subsystems towards the big picture.

As a result, a multi-layered system is created, composed of various products and services, complex and, as a rule, unique in each company, where IS specialists can:

  • scan files with endpoint security systems;
  • filter mail and web traffic with gateway solutions;
  • check the integrity and immutability of files and system settings;
  • monitor user behavior and react to deviations from the usual traffic pattern;
  • scan the perimeter and the internal network for vulnerabilities and weak configurations;
  • deploy identification and authentication systems, encrypt disks and connections;
  • invest in a SOC to collect and correlate logs and subsystem events;
  • order penetration tests and other services to assess the level of security;
  • bring the system up to industry standards and undergo certification;
  • train staff in the basics of computer hygiene and solve countless other similar tasks.

But after all, the number of successful attacks, i.e. those that reach their targets, does not decrease regardless of the IT infrastructure, while the cost of countering them keeps growing. How do criminals manage to overcome complex security systems that, as a rule, are unique in their composition and structure?

The answer is short: by preparing and conducting complex attacks that take into account the specifics of the target system.

Understanding a targeted attack

It is time to give the definition itself, which, in our opinion, accurately reflects the concept of a targeted attack.

A targeted attack is a continuous process of unauthorized activity in the infrastructure of the attacked system, controlled remotely and manually in real time.

First, it is a process: an activity in time, an operation, and not just a one-off technical action. Having analyzed such attacks, Kaspersky Lab experts note that they last 100 days or more.

Second, the process is aimed at working in the conditions of a specific infrastructure, designed to overcome specific security mechanisms and specific products and to draw specific employees into interaction. It is worth noting the difference from the mass distribution of standard malware, where the criminals pursue a different goal, essentially gaining control over individual endpoints. In a targeted attack, everything is built around the victim.

Third, this operation is run by an organized group of professionals, sometimes international, armed with sophisticated technical tools; in effect, a gang. Their activity is indeed very similar to a multi-move military operation. For example, the criminals compile a list of employees who could potentially become the "entry gate" to the company, contact them on social networks and study their profiles. After that the task of taking control of the victim's work computer is solved. As a result the computer is infected, and the attackers move on to seizing control of the network and to the criminal activity itself.

In a targeted attack it is not computer systems that compete with each other but people: some attack, others repel an attack that has been well prepared with the weaknesses and peculiarities of the defending system in mind.

Nowadays the term APT, Advanced Persistent Threat, is becoming ever more widespread. Let us look at its definition.

An APT is a combination of utilities, malware, zero-day exploitation mechanisms and other components specially developed to carry out the attack.

Practice shows that an APT is used repeatedly, in a series of repeated attacks with a similar vector, against other organizations.

A targeted attack is a process, an activity. An APT is a technical means that enables the attack to be carried out.

It can be safely stated that the active spread of targeted attacks is due, among other things, to a sharp drop in the cost and labor of carrying out the attack itself. A large number of previously developed tools are available to hacker groups, and there is no need every time to create exotic malware from scratch. Most current attacks are based on earlier exploits and malware; only a small share uses completely new technologies, which mostly belong to APT-class threats. Sometimes perfectly legal utilities created for "peaceful" purposes are used within an attack; we will return to this question below.

Stages of a targeted attack

In this material we would like to describe the main stages of a targeted attack, look inside it, show the skeleton of the general model and the differences between penetration methods. The expert community holds the view that a targeted attack usually passes through four phases in its development (see Fig. 1).

The figure shows the phases of a targeted attack, which demonstrate its life cycle. Let us briefly formulate the main purpose of each of them:

  • Preparation – the main task of the first phase is to find the target, study it and collect sufficiently detailed private information, relying on which weak spots in the infrastructure can be identified; to build an attack strategy; and to pick previously created tools available on the black market or develop the necessary ones independently. Usually the planned penetration steps are thoroughly tested, in particular for non-detection by standard information protection tools.
  • Penetration – the active phase of a targeted attack, which uses various social engineering techniques and zero-day vulnerabilities for the initial infection of the target and for conducting internal reconnaissance. Once reconnaissance is complete and the infected host (server/workstation) has been identified, additional malicious code can be loaded through the control center at the attacker's command.
  • Spreading – the phase of gaining a foothold inside the infrastructure, mainly on the victim's key machines, extending control as widely as possible and, where necessary, adjusting the version of the malicious code through the control center.
  • Achieving the goal – the key phase of a targeted attack; depending on the chosen strategy it may involve:
    • theft of classified information;
    • deliberate modification of confidential information;
    • manipulation of the company's business processes.

At all stages, a mandatory condition is concealing the traces of the targeted attack's activity. When the attack is complete, cybercriminals often create a "return point" for themselves that allows them to come back in the future.

The first phase of a targeted attack: Preparation

Identifying the target

Any organization can become the target of an attack. And it all starts with a global survey or, more precisely, monitoring. During long-term monitoring of the world business landscape, hacker groups use widely available tools such as RSS feeds, companies' official Twitter accounts, specialized forums and the exchange of information between various employees. All this helps to identify the victim and the objectives of the attack, after which the group's resources move to the stage of active reconnaissance.

Collecting information

For obvious reasons, a company does not disclose which technical tools it uses, including information protection tools, its internal regulations and so on. That is why the process of collecting information about the victim is called "reconnaissance". The main task of reconnaissance is collecting targeted private information about the victim. Here every little detail matters that can help reveal a potential weakness. The work can use the most non-trivial approaches to obtaining closed primary data, for example social engineering. Below we list some social engineering techniques and other reconnaissance mechanisms that are used in practice.

Reconnaissance methods:

Insider. One approach is to look for recently dismissed employees of the company. A former employee will gladly accept an invitation to an informal conversation about a possible new position. An experienced psychologist-recruiter can get almost any candidate competing for a position talking. From such people a great deal of information can be obtained for preparing and choosing an attack vector: from the network topology and the protection tools in use to details of other employees' private lives.

It also happens that cybercriminals resort to bribing the people in the company who have the information they need, or to recruiting them through friendly contact in public places.

Open sources. Here hackers look for information on paper media that are thrown away without proper shredding; among the rubbish one can find reports and other company documents. Obtaining data this way can be combined with other social engineering techniques.

After this work, the organizers of the attack may have sufficient information about the victim, including:

  • names of employees, their e-mail addresses and phone numbers;
  • the working hours and delivery schedule of the enterprise;
  • internal information about the company's processes;
  • information about business partners.

Government procurement portals also provide information about the solutions a customer has bought, including its information protection systems. At first glance this example may seem unrealistic, but in reality it is not. The collected information is successfully applied in social engineering, allowing the hacker to gain trust easily by playing on what has been learned.

Social engineering

  • Telephone calls on behalf of internal employees.
  • Social networks.

Using social engineering, one can achieve considerable success in obtaining a company's closed information: for example, during a telephone call an intruder can introduce himself as an IT service employee and ask for the needed command to be run on a computer or ask the right questions. Social networks are a great help in identifying the circle of friends and interests of the person of interest; this information can help cybercriminals form the right strategy for communicating with the future victim.

Strategy development

A strategy is mandatory for carrying out a successful targeted attack; it takes into account the whole plan of action for all stages of the attack:

  • description of the attack stages: penetration, development, achieving the goals;
  • methods of social engineering, vulnerabilities to be used, ways of bypassing standard security tools;
  • stages of the attack's development taking possible emergencies into account;
  • gaining a foothold inside; privilege escalation; control over key resources;
  • data extraction, removal of traces, destructive actions.
Building a test stand

Based on the collected information, the group of criminals starts building a stand with identical versions of the software to be exploited: a test range that allows the penetration stages to be tried out on a working model, and various techniques of covert deployment and bypassing standard information protection tools to be rehearsed. In effect, the stand is the main bridge between the passive and active phases of penetration into the victim's infrastructure. Building such a stand is expensive for the hackers. The cost of a successful targeted attack grows with each stage.

Developing the toolset

The cybercriminals face a difficult choice: they have to decide between financial investment in buying ready-made tools on the shadow market and the labor and time needed to create their own. The shadow market offers a wide choice of various tools, which saves time, except in a small number of unique cases. This is another step that marks a targeted attack as one of the most resource-intensive cyberattacks.

Let us look at the toolset in more detail. As a rule, a Toolset consists of three main components:

1. Command Center, or Command and Control Center (C&C). The basis of the attacking infrastructure is the C&C center, which transmits commands to the controlled malicious modules and collects the results of their work. The center of the attack is the people who carry it out. Most centers are located on the Internet at providers offering hosting, colocation and rental of virtual machines. The update algorithm, like all the algorithms for interacting with the "masters", can change dynamically together with the malicious modules.

2. Penetration tools solve the task of "opening the door" of the attacked remote host:

  • Exploit – malicious code that uses a vulnerability in the software.
  • Validator – malicious code used at the initial infection, capable of collecting information about the host and passing it to the C&C for a further decision on developing the attack or canceling it on that particular machine.
  • Downloader of the Dropper delivery module. The downloader is also often used in attacks built on social engineering and is sent as an attachment to e-mail messages.
  • Dropper delivery module – a malicious program (usually a Trojan) responsible for delivering the main Payload virus to the infected victim's machine, intended for:
    • gaining a foothold on the infected machine, hidden autorun, injection into processes after the machine is rebooted;
    • injection into a legitimate process to download and activate the Payload virus over an encrypted channel, or to launch an encrypted copy of the Payload virus from disk.

Code runs in the injected legitimate process with system rights, and such activity is much harder for standard security tools to detect.

3. Payload virus body. The main malicious module of the whole attack, loaded onto the infected host by the Dropper, can consist of a number of additional functional modules, each performing its own function:

  • keylogger;
  • screen recording;
  • remote access;
  • a module for spreading within the infrastructure;
  • interaction with the C&C and updating;
  • encryption;
  • cleaning of activity traces, self-destruction;
  • reading local mail;
  • searching for information on disk.

As we can see, the potential of the toolset considered here is impressive, and the functionality of the modules and techniques used can vary greatly depending on the plans of the targeted attack. This fact underscores the uniqueness of such attacks.
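The "interaction with the C&C and updating" module above is the one a defender can observe from the outside. The following Python is an added example, not the article's own material; it assumes the implant checks in at a roughly constant interval and receives small replies (a common pattern, though, as the article notes, the interaction algorithms can be changed), and the proxy log lines, host names and thresholds are constructed for illustration.

```python
"""Added example (not from the article): beacon detection over constructed
proxy log lines. Assumes the implant polls its C&C at a roughly constant
interval and receives small replies; every value below is made up."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client ip> <destination host> <bytes in>".
# 10.0.5.40 contacts example-cnc.invalid every ~300 s and gets ~210 bytes back;
# 10.0.5.21 is a person browsing.
PROXY_LOG = """\
2015-03-06T09:00:02 10.0.5.40 example-cnc.invalid 212
2015-03-06T09:00:15 10.0.5.21 news.example.com 48210
2015-03-06T09:05:01 10.0.5.40 example-cnc.invalid 208
2015-03-06T09:07:44 10.0.5.21 news.example.com 39100
2015-03-06T09:10:03 10.0.5.40 example-cnc.invalid 215
2015-03-06T09:12:09 10.0.5.21 cdn.example.com 902000
2015-03-06T09:15:02 10.0.5.40 example-cnc.invalid 210
2015-03-06T09:20:01 10.0.5.40 example-cnc.invalid 209
2015-03-06T09:25:03 10.0.5.40 example-cnc.invalid 211
2015-03-06T09:30:02 10.0.5.40 example-cnc.invalid 207
2015-03-06T09:31:50 10.0.5.21 news.example.com 41020
"""


def parse_sessions(log):
    """Group (timestamp, bytes) events by (client, destination host)."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        ts, client, host, nbytes = line.split()
        sessions[(client, host)].append((datetime.fromisoformat(ts), int(nbytes)))
    return sessions


def beacon_profile(events):
    """Return (mean interval in seconds, jitter ratio, mean bytes) for one
    client/host pair. Jitter is the standard deviation of the gaps divided
    by their mean, so a machine-driven timer scores close to zero."""
    events = sorted(events)
    gaps = [(later[0] - earlier[0]).total_seconds()
            for earlier, later in zip(events, events[1:])]
    interval = mean(gaps)
    jitter = pstdev(gaps) / interval if interval else float("inf")
    return interval, jitter, mean(nbytes for _ts, nbytes in events)


def find_beacons(log, min_events=5, max_jitter=0.1, max_bytes=1024,
                 allowlist=frozenset()):
    """Client/host pairs that look like C&C check-ins: enough events, very
    regular spacing and tiny responses, and not on the allowlist (update or
    telemetry hosts that legitimately poll on a timer)."""
    hits = []
    for (client, host), events in parse_sessions(log).items():
        if host in allowlist or len(events) < min_events:
            continue
        interval, jitter, avg_bytes = beacon_profile(events)
        if jitter <= max_jitter and avg_bytes <= max_bytes:
            hits.append({"client": client, "host": host,
                         "interval_s": round(interval), "events": len(events)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(PROXY_LOG):
        print(hit)
```

The allowlist matters in practice: software update checks and monitoring agents also poll on a timer, so the rule is a triage signal for the SOC, not a verdict.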

It is worth noting the growth in the number of attacks directed against companies in the most significant market sectors, the high complexity of detecting them and the colossal damage they cause, which is not guaranteed to be discovered for a long time. According to Kaspersky Lab statistics, on average a targeted attack is detected 200 days after the start of its activity, which means that the hackers not only achieved their goals but also controlled the situation for more than half a year.

Moreover, organizations that have discovered the presence of an APT in their infrastructure are unable to respond correctly, minimize the risks and neutralize the activity: the staff responsible for information security simply are not trained for this. As a result, every third company spends more than a day trying to regain control over its own infrastructure and then faces the complex process of investigating the incident.

According to Kaspersky Lab's experience, the average cost of a major incident to a corporation is $551,000: this amount includes business losses and system downtime as well as spending on professional remediation services. (Data from the "Information Security for Business" survey conducted by Kaspersky Lab and B2B International in 2015. Over 5,500 IT specialists from 26 countries, including Russia, took part in the survey.)

How the attack develops, the methods of bypassing standard defenses and exploiting zero-day vulnerabilities, social engineering, spreading and concealment, obtaining key information and much more will be covered in the following articles of the Anatomy of a Targeted Attack series.

