
How a DNS firewall helps in the battle against APT and similar malware

Ken Pohniman, General Manager ASEAN at Infoblox | March 4, 2016
This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

As more and more information becomes available and is stored in electronic form, cybercriminals look to breach organisations' networks and firewalls to reach the mission-critical data that can then be exploited for financial or other illegal gain. A recent security vendor's report revealed that 29% of its customers in South-East Asia had detected malware associated with APT groups in the first half of 2015, which is 50% more than the global average.

In Singapore, high-profile incidents in 2014 included the exfiltration of a leading bank's customer data, as well as persistent attacks on a government agency's network. Both were examples of Advanced Persistent Threats (APT). For every case reported, numerous others go undetected and unreported.

Advanced Persistent Threat (APT) actors will focus increasingly on breaching the networks and systems on which such data treasuries can be found. The definition breaks down as follows: "advanced" means that intelligence is gathered beforehand about the target, while "persistent" refers to consistent monitoring of, and interaction with, the target organisation in order to achieve the goal. The "threat" is that the actors are well funded, motivated and organised, and have both the intent and the capability to pursue specific objectives.

APT attacks have become more purposeful, resourceful and sophisticated. Though the incidence of these attacks is, as yet, small in comparison with the more familiar, automated or commoditized, broadly targeted electronic assaults, APTs can pose a much more serious menace to you and your valuable information.

The "Ideal" APT attack

When seen from the attackers' point of view, the "ideal" APT attack occurs in four discrete stages, each of which is serially dependent on the successful execution of the stage preceding it.

Let's look at each of these four stages in detail to see how APTs achieve their goals.

Stage 1 - Initial infection

Generally, attackers infect an organization with their malware in one of three ways:

1. Emails

Email attacks involve sending a plausible email that contains either an initial malware executable (embedded in, for example, a PDF document) or a link to an executable on a server. The initial infection begins the moment the recipient opens the attachment or clicks on the link.

2. Watering Holes

The infection may be planted directly on a specific site well frequented by the users of the targeted organisation, or encapsulated in one or more of the ads served on that site. In the latter case, careful attackers ensure that the malware is served only to computers whose IP addresses correspond to the external addresses of the organisation in question, thereby reducing the likelihood of detection.
