Today is one of those days when security news finds its way to the front page of mainstream news. The New York Times announced in a very detailed report that their network had been breached starting about four months ago in an Advanced Persistent Threat (APT) attack. Their story explains that the attackers have been repelled from their network with help from an outside security company.
What makes this story interesting and important reading is the scope of detail it provides around the attack. Because they’re disclosing an attack after it’s been thwarted, the story provides a broad view into the full lifecycle of an APT attack. The report also provides a level of detail that is rare in these situations. Anyone interested in security and protecting against APTs should take some time and read the full New York Times’s story.
One thing the New York Times does is call out that they had security products in place and that those failed to prevent the attack. They go so far as to name the vendor. Some have characterized this as “pointing the finger” at the vendor (who has defended themselves publicly). We don’t have detailed specifics around what products were deployed and how they were maintained. But the New York Times’ story and the vendor’s response would seem to imply that the protection regimen was focused on signature-based endpoint security. Presumably there were other protections, like firewalls and possibly intrusion prevention systems (IPS), that also failed to prevent the attack, but there is no specific mention of that.
With that information and what we know about the attack, we can draw some lessons about what it takes to adequately defend an environment against APTs.
The New York Times outlines an attack whose point of entry was the targeting of email accounts of specific individuals (presumably identified through appropriate open source intelligence gathering). Having gained access, the attackers established their command and control (C&C) communication foothold with specific malware for that purpose. They then engaged in lateral movement by stealing the corporate passwords for all employees (by targeting Domain Controllers) and using them to access other systems (including the personal computers of 53 employees, most of them outside The Times’ newsroom). Over the course of the attack, they say, there were 45 pieces of custom malware deployed (and not detected). The report goes on to say that no major data was exfiltrated, due in part to the fact that the attack had been detected early and investigators monitored the attack to learn what needed to be done to secure the network.
With an attack that is as measured and sophisticated as this, it’s clear that traditional signature-based endpoint security alone isn’t sufficient. Multifaceted, targeted attacks can be crafted and tested to specifically avoid detection by these kinds of products. They are an important part of the overall security posture but have to be one piece of a broader strategy that also includes heuristic detection, dynamic reputation services, and proactive network monitoring.
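The lateral-movement stage described above (stolen credentials reused against many internal systems) is exactly the kind of behaviour that signature-based endpoint products never see but that proactive network monitoring can surface. The following is an added example, not code from the New York Times, the vendor, or Trend Micro: a small heuristic that replays successful network logon records and flags any account that reaches more than a handful of distinct hosts within a short window. The log format and the host and account names are constructed for illustration; in practice the input would come from a source such as Windows Security event 4624 network logons collected from the Domain Controllers and member servers. The allowlist parameter shows how to keep backup or monitoring service accounts, which legitimately fan out across hosts, from drowning the real signal.

```python
"""Heuristic detection of credential-based lateral movement.

Added example (not the NYT's data, nor any vendor's product logic).
Flags accounts that log on to an unusual number of distinct hosts
within a short time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logons, one per line:
# "<ISO timestamp> <account> <source host> <destination host>".
# jdoe is an ordinary user, svc_backup a nightly backup service account,
# asmith a compromised account being reused across workstations and a DC.
SAMPLE_LOGONS = """\
2013-01-14T09:02:11 jdoe ws-017 file-srv-01
2013-01-14T09:40:52 jdoe ws-017 mail-srv-01
2013-01-14T10:15:30 jdoe ws-017 file-srv-01
2013-01-14T22:01:05 svc_backup bkp-srv-01 file-srv-01
2013-01-14T22:02:10 svc_backup bkp-srv-01 file-srv-02
2013-01-14T22:03:17 svc_backup bkp-srv-01 mail-srv-01
2013-01-14T22:04:21 svc_backup bkp-srv-01 db-srv-01
2013-01-15T01:12:03 asmith ws-042 ws-101
2013-01-15T01:13:41 asmith ws-042 ws-117
2013-01-15T01:14:09 asmith ws-042 ws-133
2013-01-15T01:16:55 asmith ws-042 ws-158
2013-01-15T01:19:02 asmith ws-042 dc-01
2013-01-15T08:30:00 asmith ws-042 file-srv-01
"""


def parse_logons(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, src, dst = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "src": src,
            "dst": dst,
        })
    return events


def find_fanout(events, window=timedelta(minutes=30), max_hosts=3,
                allowlist=frozenset()):
    """Return {account: sorted distinct hosts} for every account that reached
    more than `max_hosts` distinct destination hosts inside any `window`.

    Accounts in `allowlist` (e.g. known backup or scanner service accounts)
    are skipped so that their expected fan-out does not generate noise.
    """
    by_account = defaultdict(list)
    for ev in events:
        if ev["account"] in allowlist:
            continue
        by_account[ev["account"]].append(ev)

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        flagged = set()
        # Slide a window starting at each event; collect the distinct
        # destinations seen before the window closes.
        for i, start in enumerate(evs):
            in_window = {e["dst"] for e in evs[i:]
                         if e["time"] - start["time"] <= window}
            if len(in_window) > max_hosts:
                flagged |= in_window
        if flagged:
            findings[account] = sorted(flagged)
    return findings


if __name__ == "__main__":
    events = parse_logons(SAMPLE_LOGONS)
    for account, hosts in find_fanout(events, allowlist={"svc_backup"}).items():
        print(f"possible lateral movement by {account}: {', '.join(hosts)}")
```

Run as-is it reports only asmith, whose account touched four workstations and a Domain Controller in seven minutes; drop the allowlist and the backup account is reported too, which is the usual tuning step before such a rule goes into production. The threshold and window are deliberately parameters, since what counts as "unusual" depends on the environment.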
Like I said, we can’t know for sure what products the New York Times had and how they were deployed. But we can certainly look at the details provided around this attack to understand what attackers are doing these days and thus what protection strategy is best suited for it. The answer clearly is proactive, multilayered defenses designed to protect against advanced threats: targeted and increasingly customized attacks now require a custom defense. For customers of Trend Micro, this means Deep Discovery and the Trend Micro Custom Defense to help better protect against targeted attacks.
As always, if you want to learn more about APTs, be sure to visit the Trend Micro APT portal. You can also check out our new whitepaper The Custom Defense Against Targeted Attacks, which delves into protection against targeted attacks, and our primer, Targeted Attack Entry Points: Are your Business Communications Secure?, which tackles the role of email in APT attacks.
Tom Kellermann, Vice President of Cybersecurity, shares his insights and thoughts on the recent NYT attack in this interview.