Targeted attacks first became a subject of active discussion in the world community back in 2009, when the Stuxnet attack became known. It is fair to say that the recent history of targeted cyberattacks began with it. What this type of cybercrime is and how such attacks can turn out is covered in more detail in our material.

What are targeted attacks?

Targeted (or purposeful) attacks are pre-planned actions against a specific state or non-state structure or organization. As a rule, the cybercriminals who carry out targeted attacks are professionals; they can be compared to traditional criminals who steal cars to order: they have a specific target, and they study the car's protection in order to bypass it successfully later.

Today, the activity of hackers is acquiring more and more of the features of a traditional business. A kind of "black market" has emerged: shadow schemes and venues for selling the software tools needed to attack a company's IT infrastructure. There are fixed rates that can easily be found on the Internet.

You can even find fully formed product lines: cybercriminal "companies" are expanding their sales funnel, preparing individual modifications of their products for different target segments. There are price lists for botnets, and new versions of Trojans are actively announced. You can even purchase a targeted attack as a service. Cyber attackers draw up their own development plans, which are also actively announced.

"Announcements, as a rule, are given in closed sources," says Andrey Arefiev, Product Development Manager at InfoWatch. "But, nevertheless, we can say that the modern botnet industry has all the features of full-fledged commercial products. According to independent research, the number of utilities used to build botnets has increased tenfold in recent years."

In addition, the nature of attacks has changed significantly in recent years: they have become very sophisticated. Today's attacks are more branched: the attacking party tries to adapt to the company's own infrastructure and make the attack as invisible as possible. The attack should either be detected as late as possible or not detected at all. Therefore, such attacks, as a rule, are extended in time and become noticeable only when the time comes for them to manifest themselves actively.

Targeted attacks on IT infrastructure have the following characteristics:

  • They study the protection system that the company has and bypass it.
  • The nature of the attacks has become more multi-stage: they can start on the secretary's computer, and the ultimate goal will be the accountant's computer - for example, the attackers' task may be to install malware there.

As an intermediate result, it can be noted that if you do not observe visible signs of an attack on the company's IT infrastructure, this does not mean that it is not being attacked, Andrey Arefiev sums up.

Examples of targeted attacks

According to a number of open sources, the "entry point" for introducing a Trojan program is often the insider activity of disloyal company employees. A similar example was observed not so long ago in Iran.

The main purpose of this attack was to contain the Iranian nuclear program. As far as is known, a sovereign state controlled the nuclear enrichment centrifuges, and a number of facilities were put into an abnormal operating mode. The centrifuges quickly broke down, their repair required time and money, and so uranium enrichment was postponed. As it turned out, this attack had been planned in advance and was carried out over a long period.

The purpose of the attack was not to steal equipment but to take control of industrial facilities. It is terrible to imagine what could happen if someone took control of a nuclear power plant: putting it into an abnormal operating mode threatens at least a second Chernobyl ...

However, the targets of attackers are not only strategically important facilities and major government organizations. Recently, the owner of one business had a chance to see this for himself. An attempt was made to infect the company's server through vulnerabilities; the owner was lucky only in that just the accountant's computer was attacked.

Malicious software is a program that allows unauthorized access to confidential information through vulnerabilities. Such programs are usually used to obtain initial access to the enterprise network. Typically, implanting into the system means surviving a reboot: the executable module is "registered" in the system so that it restarts every time the machine starts.

Malicious software can get onto the computer of a company employee not only through the latter's malicious intent but also through the social engineering methods used by hackers (for example, a cybercriminal may ask the victim to follow a particular link or visit a third-party resource).

As a result, the victim becomes open to attack, and the attackers gain access to the operating system of the employee's work computer. Now they can launch malicious files in order to subsequently take control of the organization's computers. The actions listed above are called "zero-day attacks".

What data is most often stolen?

It largely depends on the profile of the company. The hackers' targets can be industrial secrets, closed (non-public) strategic developments, and payment and personal data. Curiously, according to research, 63% of respondents understand that a targeted attack on their company is just a matter of time.

Methods for detecting targeted attacks

Signature analysis

Signature analysis implies that the analysts have a file affected by a virus. Studying such a malicious program allows its signature (a digital fingerprint) to be extracted. After the signature is entered into the database, a file can be checked for infection with this virus simply by comparing signatures. The advantage of signature analysis is that it diagnoses an attack accurately: if there is a file with a matching signature, we can safely say that the computer is affected.

Signature analysis has a number of advantages:

  • It can be used not only for scanning files for viruses but also for filtering network traffic.
  • It can be deployed on a gateway to check passing traffic for known signatures.
  • It allows attacks to be diagnosed with high accuracy.

A significant disadvantage of signature analysis is the need to update the signature database. Most companies are forced to update the signature database every 15 minutes. At the same time, a new virus appears in the world every half hour. Then comes a long process of registering and studying it, and only after that is the signature entered into the database. Until that moment, the company is defenseless against the new virus.

Another method of studying previously identified malware is heuristic analysis.

The function of heuristic analysis is to check executable code for suspicious activity typical of viruses. This technique is good because it does not depend on how up to date any database is. However, heuristic analysis also has its drawbacks.

Because all major antiviruses are known and available for anyone to use, hackers can test the software they have written and modify it until it bypasses all known antivirus protection tools. Thus, the effectiveness of the main heuristic algorithms is reduced to nothing.
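To make the two points above concrete, here is a minimal signature scanner, added for this article and not code from the original text: it shows that a hash identifies a studied sample exactly, that a byte pattern still catches a rebuilt copy, and that a sample whose strings are merely re-encoded has no signature at all until it is captured and studied. The signature database and every sample are constructed for the demonstration.

```python
"""Added example (not code from the original article): a minimal signature
scanner that shows what signature analysis identifies exactly and what a
modified sample slips past. The signature database and all samples are
constructed for this demonstration and are not real malware indicators."""
import hashlib
import re
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest re-encoding an author can apply to a string."""
    return bytes(b ^ key for b in data)


def build_sample(padding: int, command: bytes) -> bytes:
    """Constructed stand-in for an executable: header, padding, command, C2 name."""
    return b"MZ\x90\x00" + b"\x00" * padding + command + b"\x00" * 8 + b"c2.invalid"


COMMAND = b"cmd.exe /c start update.exe"

# The sample as the analysts studied it; its signature goes into the database.
KNOWN_SAMPLE = build_sample(16, COMMAND)

# Signature database: a full-file hash for exact identification plus a byte
# pattern extracted from the studied sample to catch unchanged fragments.
SIGNATURE_DB: List[Dict] = [
    {
        "name": "Demo.Trojan.A",
        "sha256": sha256_hex(KNOWN_SAMPLE),
        "pattern": re.compile(rb"cmd\.exe /c start [a-z]+\.exe"),
    },
]


def scan(data: bytes, db: List[Dict] = SIGNATURE_DB) -> List[Dict[str, str]]:
    """Return hits as {name, method}; an empty list means 'no known signature'."""
    hits = []
    digest = sha256_hex(data)
    for sig in db:
        if digest == sig["sha256"]:
            hits.append({"name": sig["name"], "method": "hash"})
        elif sig["pattern"].search(data):
            hits.append({"name": sig["name"], "method": "pattern"})
    return hits


# Same family, rebuilt with different padding: the hash no longer matches,
# but the unchanged command fragment is still caught by the byte pattern.
REBUILT_VARIANT = build_sample(24, COMMAND)

# The command string is stored XOR-encoded and decoded only at run time:
# neither the hash nor the pattern matches, so the database has nothing
# on it until a sample is captured and studied (the gap described above).
ENCODED_VARIANT = build_sample(16, xor_bytes(COMMAND, 0x5A))


def coverage_report() -> Dict[str, List[str]]:
    """Which detection method (if any) fires for each constructed sample."""
    return {
        "known": [h["method"] for h in scan(KNOWN_SAMPLE)],
        "rebuilt": [h["method"] for h in scan(REBUILT_VARIANT)],
        "encoded": [h["method"] for h in scan(ENCODED_VARIANT)],
    }


if __name__ == "__main__":
    print(coverage_report())
```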

Another method for detecting targeted attacks involves the use of so-called next-generation firewalls, which, in addition to their traditional capabilities, also filter traffic. The main disadvantage of firewalls is their excessive "suspiciousness": they generate a large number of false positives. In addition, firewalls rely on technologies that can be fooled (sandboxing, heuristic analysis and signature analysis).

There is also another security method applied to running applications. Its idea is very simple: a workstation is allowed to run only specific applications (this is called whitelisting). The downside is that such a "white list" must contain, without exception, every application the user may need. In practice, this method is, of course, quite reliable but very inconvenient, as it slows down workflows.

"Finally, there is a newly developed technology for dynamic attack detection, which is used in the InfoWatch Targeted Attack Detector product," says Andrey Arefiev. "This technology is based on the fact that the actions of intruders inevitably lead to modifications of enterprise IT systems. Therefore, the InfoWatch solution periodically scans the organization's IT system, collecting information about the state of critical objects. The data obtained is compared with the results of past scans, and then an intelligent analysis of the changes that have occurred is carried out to look for anomalies. When unknown malware is detected, a company analyst is involved in analyzing its actions and the possible harm to the enterprise infrastructure."
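The scan-and-compare approach just described, as an added example that is not InfoWatch's code: the state of critical objects (files under a watched directory, plus an autostart list standing in for registry run keys) is snapshotted, saved, compared with the previous scan, and every change that was not announced as planned is handed to an analyst as an anomaly. All paths, file contents and autostart entries are constructed.

```python
"""Added example (not InfoWatch's code): a baseline-and-diff scanner in the
spirit of the dynamic detection approach described above. It snapshots
"critical objects" (files under a watched directory plus an autostart list,
which stands in for registry run keys), saves the snapshot, compares a new
scan with the previous one and reports changes that were not expected.
All paths, file contents and autostart entries are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Any, Dict, List, Set, Tuple

State = Dict[str, Dict[str, Any]]


def file_state(path: Path) -> Dict[str, Any]:
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mode": st.st_mode & 0o777,
    }


def scan_objects(root: Path, autostart: Dict[str, str]) -> State:
    """Snapshot every file under root and every autostart entry."""
    state: State = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            state["file:" + p.relative_to(root).as_posix()] = file_state(p)
    for name, command in autostart.items():
        state["autostart:" + name] = {"command": command}
    return state


def save_state(state: State, path: Path) -> None:
    path.write_text(json.dumps(state, indent=1, sort_keys=True))


def load_state(path: Path) -> State:
    return json.loads(path.read_text())


def diff_states(old: State, new: State) -> Dict[str, List[str]]:
    """Keys that appeared, disappeared, or whose recorded attributes changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def anomalies(diff: Dict[str, List[str]], expected: Set[str]) -> List[Tuple[str, str]]:
    """Every change not covered by the planned-change list goes to the analyst."""
    return [(kind, key) for kind in ("added", "removed", "changed")
            for key in diff[kind] if key not in expected]


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: a baseline scan, then one planned config edit and
    changes typical of a dropper gaining a foothold (patched service binary,
    a new loader on disk, a new autostart entry)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "host"          # the watched tree
        baseline_file = Path(d) / "baseline.json"  # kept outside the tree
        (root / "bin").mkdir(parents=True)
        (root / "conf").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"legit-service-v1")
        (root / "conf" / "app.ini").write_text("level=1\n")
        autostart = {"Service": "bin/svc.exe"}

        save_state(scan_objects(root, autostart), baseline_file)  # earlier scan
        baseline = load_state(baseline_file)

        # Planned change announced by the administrator.
        (root / "conf" / "app.ini").write_text("level=2\n")
        # Unannounced changes: binary patched, loader dropped, autostart added.
        (root / "bin" / "svc.exe").write_bytes(b"legit-service-v1" + b"\x90" * 4)
        (root / "bin" / "updater.exe").write_bytes(b"dropped-loader")
        autostart["Updater"] = "bin/updater.exe"

        current = scan_objects(root, autostart)
    return anomalies(diff_states(baseline, current), expected={"file:conf/app.ini"})


if __name__ == "__main__":
    for kind, key in demo():
        print(f"{kind:8s} {key}")
```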

- At what stage is it possible to classify an attack as targeted?

In fact, anomaly detection is the primary sign that your system is having problems; it is an indirect sign that the company is under attack. At the same time, the attack does not have to involve a Red October-level virus. As practice shows, a small Trojan that is periodically forwarded further is enough. In principle, this is enough to bring money to specific cyber attackers.

In general, I would like to note that targeted attacks are a powerful tool for influencing the corporate policy of large government and commercial organizations. That is why it is necessary to counter these types of cybercrime systematically and carefully.

Elena Kharlamova

For those who do not know what a "targeted" attack is, read on below the cut :)

A targeted attack is a continuous process of unauthorized activity in the infrastructure of the attacked system, manually controlled remotely in real time.

Based on this definition, I draw your attention to the following points:
1) Firstly, it is precisely a process: an activity in time, an operation, and not just a one-time technical action.
2) Secondly, the process is designed to work in a specific infrastructure, to overcome specific security mechanisms and specific products, and to involve specific employees in the interaction.

There is a significant difference from the approach of mass mailings of standard malware, where attackers pursue completely different goals, in fact gaining control over a single endpoint. A targeted attack is built around the victim.

The figure below shows the four phases of a targeted attack, demonstrating its life cycle. Let us briefly formulate the main purpose of each of them:

  1. Preparation. The main task of the first phase is to find a target and collect sufficiently detailed private information about it, on the basis of which weaknesses in the infrastructure are identified: build an attack strategy, pick up previously created tools available on the black market, or develop the necessary ones yourself. Typically, the planned penetration steps are thoroughly tested, including for non-detection by standard information security tools.
  2. Penetration. The active phase of a targeted attack, using various social engineering techniques and zero-day vulnerabilities to initially infect the target and conduct internal reconnaissance. When reconnaissance is complete and the ownership of the infected host (server/workstation) has been determined, additional malicious code can be downloaded at the attacker's command.
  3. Spreading. The phase of gaining a foothold inside the infrastructure, mainly on the victim's key machines: extending control as far as possible and, if necessary, updating versions of the malicious code via the control centers.
  4. Goal achievement. The key phase of the targeted attack.

In order to investigate some computer attacks, a virtual stand was developed to study the impact of computer attacks on elements of an information and telecommunication network.

This stand (test range) consists of:

1. models of the open segment of the information and telecommunications network;

2. models of the closed segment of the information and telecommunications network.

The simulated network consists of many components.

In the open segment, the hosts (PC1–PC7) are connected into a single network using Cisco 3745 (c3745) routers. Within individual departments, hosts are networked for data transmission using a switch (SW1). In this scheme, the switch only transfers data from one port to another based on the information contained in the packet that came through the router.

In a closed network segment, cryptorouters are used to encrypt data packets that will go from a closed network segment to an open one. If an attacker succeeds in intercepting the packets of the transmitted data of this network, then he will not be able to extract useful information from these data.

A Windows XP host, which is part of the information and telecommunications network segment, was chosen as the attacked object. This system is connected to the "Real network Exit" cloud with the IP address 192.168.8.101.

Okay, let's start by examining the local network in order to identify the elements of the computer network for subsequent exploitation. We will use Netdiscover.

To find out the possible vulnerabilities of the attacked network, let's scan this network using Nmap ("Network Mapper"), the network exploration and security auditing utility.

During the scan, we found that the system has open ports, which represent potential vulnerabilities.
For example, 445/TCP (microsoft-ds) is used in Microsoft Windows 2000 and later for direct TCP/IP access without NetBIOS (for example, in Active Directory). We will use this port to gain access to the system.

Now we carry out a network attack using Metasploit. This tool allows you to simulate a network attack and identify system vulnerabilities, check the effectiveness of IDS / IPS, or develop new exploits, with a detailed report.

The exploit will work, but you must specify what will happen after it works. To do this, we choose a shellcode as the exploit payload; it provides us with access to a command shell on the target system.

In LHOST, we specify the IP address of the system from which the attack will be performed.

Every year, organizations improve their business tools, introducing new solutions, while at the same time complicating the IT infrastructure. Now, in a situation where a mail server hangs in a company, important information is erased from end workstations, or the operation of an automated billing system is disrupted, business processes simply stop.

Veniamin Levtsov, Vice President, Head of Corporate Division, Kaspersky Lab

Nikolay Demidov, Technical Consultant for Information Security, Kaspersky Lab

Realizing their growing dependence on automated systems, businesses are also ready to take more and more care over ensuring information security. Moreover, the way an information security (IS) system is created depends on the situation in the particular organization (the incidents that have taken place, the beliefs of specific employees) and is often formed "from below", from individual IS subsystems to the overall picture. As a result, a multi-stage, one-of-a-kind system is created, consisting of various products and services, complex and, as a rule, unique to each company, where information security specialists can:

  • scan files using endpoint security systems;
  • filter mail and web traffic using gateway solutions;
  • monitor the integrity and immutability of files and system settings;
  • monitor user behavior and respond to deviations from the normal traffic pattern;
  • scan the perimeter and internal network for vulnerabilities and weak configurations;
  • implement identification and authentication systems, encrypt drives and network connections;
  • invest in SOC to collect and correlate logs and events from the above mentioned subsystems;
  • order penetration tests and other services to assess the level of security;
  • bring the system in line with the requirements of standards and conduct certification;
  • teach staff the basics of computer hygiene and solve an infinite number of similar problems.

But despite all this, the number of successful attacks on IT infrastructures, i.e. attacks that achieve their goal, is not decreasing, and the damage from them is growing. How do attackers manage to overcome complex security systems, which, as a rule, are unique in their composition and structure?

Concept of targeted attack

It is time to give a definition that accurately reflects the concept of a targeted (or target-oriented) attack. A targeted attack is a continuous process of unauthorized activity in the infrastructure of the attacked system, remotely controlled manually in real time.

Firstly, it is precisely a process: an activity in time, a certain operation, and not just a one-time technical action.

Secondly, the process is aimed at a specific infrastructure, designed to overcome specific security mechanisms and specific products, and to involve specific employees in the interaction. It should be noted that this differs significantly from the approach of mass mailings of standard malware, where attackers pursue completely different goals, in fact gaining control over a single endpoint. A targeted attack is built for the victim.

Thirdly, this operation is usually managed by an organized group of professionals, sometimes international, armed with sophisticated technical tools, essentially a gang. Their activity is indeed very similar to a multi-pass military operation. For example, attackers compile a list of employees who could potentially become "entrance gates" to the company, contact them on social networks, and study their profiles. After that, the task of obtaining control over the working computer of the victim is solved. As a result, his computer is infected, and the attackers proceed to seize control of the network and directly engage in criminal activities.

In a targeted attack situation, it is not computer systems that fight each other but people: some attack, others repel a well-prepared attack that takes into account the weaknesses and features of the countermeasure systems.

Currently, the term APT (Advanced Persistent Threat) is becoming more common. Let's take a look at its definition. An APT is a combination of utilities, malware, zero-day exploits, and other components specifically designed to implement a given attack. Practice shows that APTs are reused repeatedly in the future to carry out attacks with a similar vector against other organizations. A targeted attack is a process, an activity; an APT is the technical toolkit that allows the attack to be implemented.

We can safely say that the active spread of targeted attacks is due, among other things, to a strong reduction in the cost and labor costs in the implementation of the attack itself. A large number of previously developed tools are available to hacker groups, sometimes there is no urgent need to create exotic malware from scratch. For the most part, modern targeted attacks are built on previously created exploits and malware, only a small part uses completely new techniques, which are mainly related to APT-class threats. Sometimes completely legal utilities created for "peaceful" purposes are also used as part of the attack - we will return to this issue below.

Stages of a targeted attack

In this material, the main stages of a targeted attack will be outlined, and the skeleton of the general model and the differences in the penetration methods used will be shown. The expert community holds that a targeted attack, as a rule, goes through 4 phases in its development (Fig. 1).

Fig. 1 shows the 4 phases of a targeted attack, illustrating its life cycle. Let us briefly formulate the main purpose of each of them:

1. Preparation - the main task of the first phase is to find the target, collect enough detailed private information about it, based on which, identify weaknesses in the infrastructure. Build an attack strategy, pick up previously created tools available on the black market, or develop the necessary ones yourself. Typically, planned penetration steps will be thoroughly tested, including non-detection by standard information security tools.

2. Penetration - the active phase of a targeted attack, using various social engineering techniques and zero-day vulnerabilities to initially infect the target and conduct internal reconnaissance. After reconnaissance is completed and the ownership of the infected host (server/workstation) is determined, additional malicious code can be downloaded via the control center at the attacker's command.

3. Distribution - the phase of gaining a foothold within the infrastructure, mainly on the victim's key machines: extending control as far as possible and, if necessary, updating versions of the malicious code via the control centers.

4. Achieving the goal - the key phase of a targeted attack; depending on the chosen strategy, it may involve:

  • theft of classified information;
  • deliberate change of classified information;
  • manipulation of the company's business processes.

At all stages, a mandatory condition is met to hide traces of the activity of a targeted attack. When an attack ends, it often happens that cybercriminals create a "Point of Return" for themselves, allowing them to return in the future.

Targeted Attack Phase 1 - Preparation

Target identification

The number of successful attacks on IT infrastructures, i.e. attacks that achieve their goal, is not decreasing, and the damage from them is growing. How do attackers manage to overcome complex security systems, which, as a rule, are unique in their composition and structure?
The answer is quite short: by preparing and carrying out complex attacks that take into account the characteristics of the target system.

Any organization can become a target for an attack. And it all starts with an order, or general intelligence, or, more precisely, monitoring. In the course of continuous monitoring of the global business landscape, hacker groups use publicly available tools such as RSS feeds, official Twitter accounts of companies, specialized forums where various employees exchange information. All this helps to determine the victim and the objectives of the attack, after which the group's resources move to the stage of active reconnaissance.

Collection of information

For obvious reasons, no company provides information about what technical means it uses, including for the protection of information, its internal regulations and so on. Therefore, the process of collecting information about the victim is called reconnaissance. The main task of reconnaissance is to collect targeted private information about the victim. Here, every little detail that will help identify potential weaknesses is important. The most non-trivial approaches, for example social engineering, can be used to obtain closed primary data. Below we present several social engineering techniques and other reconnaissance mechanisms used in practice.

Reconnaissance methods:

1. Insiders.

One approach is to look for recently laid-off employees of the company. A former employee receives an invitation to a regular interview for a very tempting position. We know that an experienced recruiting psychologist is able to get almost any candidate competing for a position to talk. From such people, a large enough amount of information is obtained to prepare and select an attack vector: from the network topology and the protection tools in use to information about the private lives of other employees.

It also happens that cybercriminals resort to bribing the people they need in the company, those who hold information, or enter their circle of trust through friendly communication in public places.

2. Open sources.

In this example, hackers use the unscrupulous attitude of companies towards paper media that are thrown into the trash without proper destruction; reports and internal information can be found among the garbage, or, for example, company websites that contain the real names of employees in public access. The data obtained can be combined with other social engineering techniques.

As a result of this work, the organizers of the attack can have fairly complete information about the victim, including:

  • names of employees, e-mail, phone;
  • work schedule of the company's divisions;
  • internal information about the processes in the company;
  • information about business partners.

State procurement portals are also a good source of information about the solutions implemented by the customer, including information security systems.

At first glance, this example may seem insignificant, but in fact it is not. The listed information is successfully used in social engineering methods, allowing a hacker to easily gain trust using the information received.

3. Social engineering.

  • Phone calls on behalf of internal employees.
  • Social networks.

Using social engineering, you can achieve significant success in obtaining confidential company information: for example, in the case of a phone call, an attacker can introduce himself on behalf of an information service worker, ask the right questions, or ask you to execute the right command on a computer. Social networks are good at helping to determine the circle of friends and interests of the right person, such information can help cybercriminals develop the right strategy for communicating with a future victim.

Strategy Development

The strategy is mandatory in the implementation of a successful targeted attack, it takes into account the entire plan of action at all stages of the attack:

  • description of the stages of the attack: penetration, development, achievement of goals;
  • social engineering methods, used vulnerabilities, bypassing standard security tools;
  • stages of attack development, taking into account possible emergency situations;
  • consolidation within, privilege escalation, control over key resources;
  • extraction of data, removal of traces, destructive actions.

Creating a stand

Based on the collected information, the group of attackers proceeds to build a stand with identical versions of the software in use: a test site that makes it possible to try out the penetration stages on a working model and to work out various techniques of covert implantation and circumvention of standard information security tools. In essence, the stand serves as the main bridge between the passive and active phases of infiltrating the victim's infrastructure. It is important to note that creating such a stand is not cheap for hackers: the cost of performing a successful targeted attack increases with each stage.

Development of a set of tools

Cybercriminals face a difficult choice: it is important for them to decide between the financial costs of buying ready-made tools on the shadow market and the labor costs and time to create their own. The shadow market offers a fairly wide range of different instruments, which significantly reduces the time, except for unique cases. This is the second step, which significantly highlights the targeted attack as one of the most resource-intensive among cyberattacks.

Let's look at a tool set in detail: a Toolset typically consists of three main components:

1. Command Center, or Command and Control Center (C&C).

The attackers' infrastructure is based on C&C command and control centers, which ensure the transmission of commands to the controlled malicious modules and collect the results of their work. The center of the attack is the people conducting it. Most often, the centers are located on the Internet with providers offering hosting, colocation and virtual machine rental services. The update algorithm, like all algorithms for interacting with the "hosts", can change dynamically along with the malicious modules.

2. Penetration tools, which solve the problem of "opening the door" of the attacked remote host:

  • exploit (Exploit) - malicious code that uses vulnerabilities in software;
  • validator - a malicious code that is used in cases of primary infection, is able to collect information about the host, transfer it to C&C for further decision-making on the development of an attack or its complete cancellation on a specific machine;
  • Downloader - the delivery module for the Dropper; the loader is very often used in attacks based on social engineering methods, sent as an attachment in email messages;
  • Dropper delivery module - a malicious program (usually a Trojan) whose task is to deliver the main Payload virus to the victim's infected machine. It is designed for:
    • gaining a foothold on the infected machine: hidden autostart and injection into processes after the machine reboots;
    • Inject into a legitimate process to download and activate the Payload virus over an encrypted channel, or extract and run an encrypted copy of the Payload virus from disk.

Code execution takes place in an injected legitimate process with system rights, such activity is extremely difficult to detect by standard security tools.

3. Payload virus body. The main malicious module in a targeted attack, loaded onto the infected host by the Dropper, may consist of several functional add-on modules, each of which performs its own function:

  • keylogger;
  • screen recording;
  • remote access;
  • distribution module within the infrastructure;
  • interaction with C&C and updating;
  • encryption;
  • cleaning traces of activity, self-destruction;
  • reading local mail;
  • searching for information on disk.

As we can see, the potential of the considered set of tools is impressive, and the functionality of the modules and techniques used can vary greatly depending on the plans of the targeted attack. This fact emphasizes the uniqueness of such attacks.

Summary

It is important to note the growth of targeted attacks against companies in various market sectors (other risks are shown in Fig. 2), the high complexity of their detection and the enormous damage from their actions, which may be discovered only after a long time. On average, a targeted attack is detected 200 days after it became active [1], which means that the hackers not only achieved their goals but were in control for more than half a year. Moreover, organizations that have identified the presence of an APT in their infrastructure are unable to respond properly, minimize risks and neutralize the activity: the personnel responsible for information security are simply not trained for this. As a result, every third company suspends its operations for more than a week in an attempt to regain control of its own infrastructure, and then faces a complex incident investigation process.

Losses resulting from a major incident average $551,000 globally for a corporation, including lost business opportunities and system downtime, as well as the cost of professional remediation services [2].

About how the attack develops, methods for bypassing standard protection tools and exploiting zero-day threats, social engineering, spreading and hiding traces when key information is stolen, and much more - in the following articles in the Anatomy of a Targeted Attack series.

___________________________________________
1 Based on Kaspersky Lab statistics.
2 Data from the study “Information Security of Business” conducted by Kaspersky Lab and B2B International in 2015. More than 5,500 IT professionals from 26 countries, including Russia, took part in the study.

Malicious programs have long ceased to be a tool for petty mischief, such as building a botnet to send spam or, at worst, stealing a user's Internet banking password to carry out an unauthorized transaction. For companies, common viruses can be seen as "minor sabotage" without major risks. In turn, this method of profiting is of little interest to attackers, since there are many protections available (anti-virus tools, applications with enhanced financial control measures, etc.) that prevent a criminal from taking advantage of such an attack.

The end justifies the means
Niccolo Machiavelli

In the era of total informatization and technological progress, when billions of dollars are stored in e-commerce systems, it would be naive to assume that there are no highly qualified criminals who would not want to steal these funds. Today, there is a clearly defined and growing trend of using targeted attacks on the infrastructures of medium and large companies.

Targeted (purposeful) attacks (APT, Advanced Persistent Threats) are attacks (malicious software) aimed at specific objects or industries. They take into account the specifics of the company they are applied to, or of the company's field of activity as a whole.

All attacks of this kind contain a number of features:

    Industry focus (a virus/attack is built for a certain industry and will be irrelevant for another);

    "Non-trivial" program code. As mentioned earlier, highly qualified specialists write custom viruses. When writing them, they take into account most of the nuances that standard protection tools rely on. For this reason, for example, signature-based anti-virus tools will most likely be unable to detect such program code as malicious, and an attacker can remain unnoticed in the systems for a long time, collecting the statistics needed to complete the attack successfully.

Typically, attackers use zero-day exploits to implement targeted threats.

0day is a term denoting unpatched vulnerabilities, as well as malicious programs against which protection mechanisms have not yet been developed.

The main task of the exploit is to get inside the corporate perimeter unnoticed, gain a foothold (disabling the anti-virus tool if possible), and bring in the rest of the attacker's toolset for comfortable and "productive" work.

As statistics for 2013-2014 show, attackers in this direction have achieved huge victories. First Zeus and then Carberp became a real scourge, both in Russia and around the world. Theft using these two virus families alone amounted to several billion dollars in a year. A successful attack on a company in the Russian financial sector netted 30 million rubles on average.

This surge of activity in recent years is associated with the story of the source code of very “high-quality” malicious software being leaked online.

“The sources of the well-known banking Trojan Carberp have been leaked to the public. The Carberp source codes in a 1.88 GB RAR archive are now easily found by Google. When unpacked, the project contains about 5 GB of files with a detailed listing. Obviously, now we can expect a new wave of creativity from beginner and continuing virus writers. Someone even joked: “The Zeus leak was like a free machine gun. The Carberp leak is already a free rocket launcher”…” - Denis Mirkov, information security expert and author for Hacker magazine

“So what do we do now?!” is the question that involuntarily rises in the throat of any security officer. This recalls a remark made by Emanuel Lasker in 1899: "The only way to get smarter is to play with a stronger opponent." Technologies and developers do not stand still; where there is demand, there will be a worthy offer. The main problem in detecting zero-day threats is the inability to find familiar signatures when analyzing the code. But this does not mean that the behavior of any file cannot be traced and tested using the "black box" method, with the appropriate conclusions drawn!

Behavioral analysis in a sandbox is by far the most effective way of analyzing and detecting zero-day threats and targeted attacks. Various manufacturers offer their own solutions, each claiming that its product is the most productive and accurate. However, this is not the case: the main problem of such solutions is false alarms (false positives), which can nullify the entire work of the security service. The chosen solution should be sensitive only to serious threats. Implementing such a concept takes professionalism and experience, translated into complex algorithms and built into the final product.
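To make the signature-versus-behavior point concrete, here is an added Python example (not code from this article, nor from any vendor's sandbox product). It runs a hash-based "signature" check and a weighted behavioral scoring over constructed sandbox event traces for three invented samples: a benign installer, a dropper whose hash is on the known-bad list, and a recompiled variant of that dropper with identical behavior but different bytes. The hash list, the event lines, the indicator weights and the threshold are all assumptions made for illustration.

```python
"""Signature check vs. behavioral scoring over constructed sandbox traces."""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed "known-bad" hash list: stands in for an anti-virus signature DB.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"EVIL-DROPPER-v1").hexdigest()}

# Constructed names of security processes a dropper might try to stop.
SECURITY_PROCS = {"avservice.exe"}

# Matches "<raw IPv4>:<port>" with no hostname, e.g. "203.0.113.7:8080".
RAW_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")

# Threshold chosen so that a single weak indicator (weight 1 or 2) never
# fires alone; this is the knob that trades detection for false positives.
THRESHOLD = 5


def dropper_events(sample_name: str) -> List[str]:
    """Constructed sandbox trace typical of a dropper (all values invented)."""
    return [
        "process_spawn powershell.exe -enc <base64-placeholder>",
        "registry_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
        "file_write C:\\Users\\u\\AppData\\Roaming\\upd.exe",
        "net_connect 203.0.113.7:8080",
        f"file_delete C:\\Users\\u\\Downloads\\{sample_name}",
        "process_kill avservice.exe",
    ]


# Three constructed samples: bytes stand in for the executable on disk.
SAMPLES: Dict[str, dict] = {
    "setup_benign.exe": {
        "bytes": b"BENIGN-INSTALLER",
        "events": [
            "file_write C:\\Program Files\\Vendor\\app.exe",
            "registry_set HKLM\\Software\\Vendor\\Version",
            "net_connect updates.vendor.example:443",
        ],
    },
    "invoice.exe": {"bytes": b"EVIL-DROPPER-v1", "events": dropper_events("invoice.exe")},
    # Same behavior, different bytes: a trivial rebuild defeats the hash.
    "invoice_v2.exe": {"bytes": b"EVIL-DROPPER-v2", "events": dropper_events("invoice_v2.exe")},
}


def signature_verdict(sample_bytes: bytes) -> bool:
    """Classic signature match: true only if the exact hash is known-bad."""
    return hashlib.sha256(sample_bytes).hexdigest() in KNOWN_BAD_SHA256


def behaviour_score(sample_name: str, events: List[str]) -> Tuple[int, List[str]]:
    """Weight each suspicious sandbox event; return total score and hit names."""
    score, hits = 0, []
    for ev in events:
        action, _, arg = ev.partition(" ")
        low = arg.lower()
        if action == "process_spawn" and "powershell" in low and "-enc" in low:
            score += 3; hits.append("encoded PowerShell launch")
        elif action == "registry_set" and "\\currentversion\\run\\" in low:
            score += 3; hits.append("Run-key persistence")
        elif action == "net_connect" and RAW_IP.match(arg):
            score += 2; hits.append("connection to raw IP without hostname")
        elif action == "file_delete" and low.endswith(sample_name.lower()):
            score += 2; hits.append("self-deletion")
        elif action == "process_kill" and low in SECURITY_PROCS:
            score += 4; hits.append("security process terminated")
        elif action == "file_write" and "\\appdata\\roaming\\" in low:
            score += 1; hits.append("drop into user profile")
    return score, hits


def classify(sample_name: str) -> dict:
    """Run both checks on one sample and return the combined verdict."""
    s = SAMPLES[sample_name]
    score, hits = behaviour_score(sample_name, s["events"])
    return {
        "signature": signature_verdict(s["bytes"]),
        "score": score,
        "hits": hits,
        "behavioural": score >= THRESHOLD,
    }


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify(name))
```

The variant `invoice_v2.exe` slips past the hash check but scores exactly like the original because the sandbox trace is unchanged; the benign installer scores zero because none of its events match a weighted indicator. In a real product the weights and the threshold are where the "professionalism and experience" the text mentions go: set the threshold too low and ordinary installers that write to the user profile start triggering alarms.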

03/29/2013, Fri, 13:03, Moscow time

Malicious programs used in advanced persistent threats (APTs) are constantly being improved. They can now infiltrate networks surreptitiously, often via workstations and removable media. Today, as workplaces become increasingly mobile and move beyond the control of the corporate IT security infrastructure, the problem is only getting worse.

An example of such a threat is the Flame worm, a new cyber warfare weapon that attacked the Iranian energy sector and is now spreading across the Middle East. The Flame malware [1], discovered by Kaspersky Lab experts, is known as "one of the most complex threats of all time". And although the Flame virus was originally intended to sabotage Iran's nuclear program, it still haunts security experts: it has now spread beyond the target infrastructure, infecting corporate systems worldwide.

Its predecessor was the Stuxnet virus, designed specifically to infect and disrupt the Supervisory Control and Data Acquisition (SCADA) systems that controlled Iran's uranium enrichment centrifuges. The success of this malicious program exceeded the expectations of its creators: the equipment went into an uncontrolled mode of operation that ended in self-destruction. Unfortunately, Stuxnet also went beyond its Iranian targets and began to infect SCADA systems in Germany and then in other countries.

Both Flame and Stuxnet are complex targeted threats. They are next-generation weapons for military operations, wielded by governments, terrorists and well-funded cybercrime syndicates. Equipped with many features to hide their activity, these malicious programs are primarily aimed at stealing intellectual property, the plans of military organizations and other valuable corporate assets.

However, the victims of this war will most likely be medium and small enterprises, which will find themselves in the crossfire if they have not deployed comprehensive infrastructure security to protect their endpoints. Gone are the days when medium and large companies could enjoy relative anonymity or skimp on security. Complex targeted threats and zero-day attacks are becoming ubiquitous and merciless.

The evolution of threats

Once upon a time, threats were sent in bulk, usually by e-mail. The victim was lured into a trap using a phishing message, allegedly sent by an overseas financier or a long-lost relative. And although these threats were potentially dangerous, they were sent indiscriminately. In addition, they could be detected and prevented using basic security tools. These types of attacks still dominate the Internet. However, in recent years, the level of complexity of threats has increased significantly: now complex targeted threats and zero-day attacks are increasingly common, which generate fear and anxiety among users.

In the past few years, the most high-profile attacks using sophisticated targeted threats have overshadowed even the most improbable scenarios.

Operation Aurora: attack on Google. In 2009, during this attack of Chinese origin, source code and other intellectual property were obtained from Google and about 30 other global corporations through vulnerabilities in Internet Explorer on Windows.

Attack on RSA. In 2011, through this attack on the company's flagship SecurID keys, which the security solutions provider had prided itself on as reliable, cybercriminals were able to infiltrate the systems of the US military contractors Lockheed Martin, Northrop Grumman and L3 Communications.

Oak Ridge National Laboratory. The DOE lab had to be taken offline when administrators discovered that a phishing attack was exfiltrating sensitive data from its servers.

GhostNet. This cyber-espionage network of 1,295 infected computers in 103 countries targeted a number of supporters of the Tibetan independence movement, as well as other large organizations, including local ministries, foreign affairs commissions, embassies, and international and non-governmental organizations.

Shady RAT. In this high-profile campaign, the networks of government agencies, non-profit organizations and large enterprises in 14 countries were hacked; 70 organizations were affected in total.

Main features

These days, complex targeted threats and zero-day attacks go hand in hand and are widely covered in the media. And yet, what are they and how do they differ from threats such as Trojans or worms?

It is safe to say that these are not ordinary amateur attacks. From the name it is clear that such threats work on the basis of advanced technologies, as well as several methods and vectors for targeted attacks on specific organizations in order to obtain confidential or secret information.

The creators of complex targeted threats are very different from the script kiddies who launch SQL attacks, or the average malware writer who sells botnets to the highest bidder. Typically, these advanced threats are planned by large, organized syndicates with entire teams of experts and multiple intelligence-gathering technologies at their disposal. Because these threats are slow, stealthy and cover their tracks, they are increasingly preferred by cybercriminals, hostile governments, terrorists and crime syndicates.

Scheme of work

In the implementation of complex targeted threats, cybercriminals use malware to obtain personalized information that helps to carry out the second stage of the attack. After that, individual social engineering technologies are used, the purpose of which is to infiltrate the organization through its weakest point: the end user.

At this stage of the attack, the targets are individuals who have access to the necessary accounts. Persuasive e-mails are used that purport to come from Human Resources or another trusted source. One careless click on such an e-mail and cybercriminals gain free access to the organization's most valuable information without anyone even suspecting it. Having gained access to the system, a complex targeted threat uses a variety of Trojans, viruses and other malicious programs. They infect the network and create many backdoors that can remain on workstations and servers indefinitely. All this time, the threat moves unnoticed from one computer to another in search of its given target.

Zero day exploits

The favorite tool of complex targeted threats is invariably the zero-day exploit. This capacious name captures the essence of threats that take advantage of security vulnerabilities in programs before the vendor fixes them or even knows of their existence. Thus, less than one day passes between the first attack and the fix: "zero days". As a result, cybercriminals have complete freedom of action. Unafraid of retribution, they carry out an attack against which there is no known defense.

Malware that exploits zero-day vulnerabilities can cause serious damage to an organization without being noticed. It aims to steal sensitive information such as source code, intellectual property, the plans of military organizations, defense industry data and other government secrets used in espionage. When the organization learns of the attack, it becomes a real-life nightmare for the PR department. The damage runs into the millions, not only to overhaul the security infrastructure, but also to pay legal fees and deal with customer churn, not to mention how much effort, time and money goes into restoring reputation and customer trust.

Complex targeted threats and zero-day exploits are not new phenomena. They were first used several years ago, long before these terms entered the jargon of security professionals. Even now, many organizations do not realize that several months (and sometimes even years) ago they fell victim to a covert zero-day attack. According to Verizon's Data Breach Report [2], 44% of these intellectual property breaches are discovered after several years.

Case in point: a report published by the Christian Science Monitor [3] found that back in 2008 three oil companies (ExxonMobil, Marathon Oil and ConocoPhillips) were the victims of targeted cyberattacks carried out using complex targeted threats. In attacks believed to be of Chinese origin, cybercriminals uploaded critical information about the number, value and location of discovered oil fields around the world to a remote server. However, the companies discovered the very fact of the attack only after the FBI reported the theft of confidential information from them.

By 2011, complex targeted threats rightfully took one of the first places among security threats. After all, it is because of them that companies such as Sony, Epsilon, HBGary and DigiNotar suffered huge losses that year, not to mention RSA, which lost almost 40 million one-time password records for its electronic keys. In total, the RSA security failure [4] cost the company approximately $66 million, while Sony [5] lost $170 million from the loss of 100 million records.

By the end of 2011, there had been at least 535 data breaches resulting in the loss of 30.4 million records, and many companies fell victim to a series of high-profile attacks that year, according to Privacy Rights Clearinghouse. And this is only a small part of the known breaches, because every year there are thousands of security breaches that are never detected or disclosed.

It is possible and necessary to defend against complex targeted threats. Protection methods will be discussed in the article "Complex Targeted Threats: Ensuring Protection".