Attackers can obtain access privileges and access protected data by using nothing more than knowledge of common Windows protocols, basic social engineering and readily available software.
According to research by Imperva, data breaches that are commonly associated with the “APT” theme are often achieved by relatively simple (and commonly available) means, using basic technical skills.
Amichai Shulman, CTO of Imperva, said: “There needs to be a fundamental shift in how we view APTs and how we protect against them. These types of attacks are difficult to prevent and our report shows that they can be conducted relatively easily. In order to mitigate damage, security teams need to understand how to protect critical data assets once intruders have already gained access.”
A new research paper from Imperva, “The Non-Advanced Persistent Threat” claims that Advanced Persistent Threats (APTs) require only basic technical skills, it also found that built-in Windows functionality, combined with seemingly “innocent” file shares and SharePoint sites can provide attackers with an entry-point to accessing an organisation’s most critical data.
Talking to IT Security Guru, Shulman said that many people consider APTs to be technical and “magic”, and it wanted to show how they are used to take hold of a single foothold in the organisation and spread throughout an organisation.
“We are showing that these techniques are actually very simple and not sophisticated, and not resorting to zero-day vulnerabilities, or complex scripts and hacking tactics. The importance of that is once you understand how these techniques work you can put mitigation in place to find them,” he said.
“Attackers are using zero-days to get the first foothold into the organisation, but with exploits going out every week it makes it easier, with phishing or drive-by download, so how do they take advantage of it? There are inherent issues with Windows that allows them to do it in a very simple way, and in order to grab the privileges you need to force the victim to login with a compromised machine.”
Shulman said that this enabled with a folder with public access and no sensitive data in it, that everyone can access and put stuff in and “poison the well” by adding a file to the folder to link to the compromised machine.”
Shulman said that this is enabled with a folder with public access and no sensitive data in it, that everyone can access and put stuff in to “poison the well” by adding a file to the folder, changing an icon to reference a compromised machine.
“Once you have done that, everyone browsing that public folder will try to authenticate to the compromised machine. Then you relay the privileges from the internet, which is simple to do without any great hacking skill and grab privileges from everyone in the organisation.”
Asked what businesses can do to protect themselves, Shulman said it is more about collecting privileges than hacking, so businesses should recognise the abuse pattern and what are users doing in the organisation, such as a lot of users working from one machine or a lot of out of working time on one machine.
“They are relatively easy to detect if you have the right security solution in place. Monitor the activity from your database to your file server, and this allows you to grab intrusions, prevent them and give you the ability to manage access control with a very small set of critical files. You can go to the data owner of that set and that is how you achieve control of your privileges
,” he said.
