The Non-Advanced Persistent Threat
Today we are releasing the latest installment in our Hacker Intelligence Initiative (HII) report series. This time the focus is on insider threats, and specifically on how data gets exfiltrated from an organization.
In our research we set out to identify techniques, other than Advanced Persistent Threats (APT), that external hackers or malicious insiders can use to break into the data center, grab data, and take it out of the organization. One of the elements we paid close attention to was complexity: how much skill and effort the attack actually requires.
To understand how hard it really is for cyber criminals to break into an organization and steal data, our researchers compared APT activity with hands-on activity that a hacker can perform using freely available tools and no zero-day exploits.
We were able to demonstrate that a hacker can break into an organization with existing open source tools and well-known techniques, mimicking what different flavors of malware kits do, and can do so without the complexity of going after newly discovered attack vectors.
Why does this matter?
If an attacker using non-advanced techniques still achieves the same goals, then data exfiltration is a bigger problem than APT alone, and companies should take a more holistic approach to protecting their data centers and the data that resides in them.
If a hacker can achieve the same results with or without APT, it becomes a different ball game.
Is the compromised and malicious insider really that big of a problem?
Last year DISA's Lt. Gen. Ronnie Hawkins Jr. was quoted as saying that DISA is eliminating network firewalls. To many that sounded absurd, but to data security experts it made a lot of sense. Data should be protected as it is accessed and where it is accessed: by monitoring each transaction between a user and the corporate data, data leakage can be prevented and, when it does occur, quickly responded to.
What can my company do to protect itself?
When planning a corporate security strategy, I truly believe the CIO should not only try to keep hackers out, but should assume that hackers can get in and may reach your data. From that point on, the game is all about knowing when this happens. Monitoring, audit, and blocking controls around the data itself are essential to preventing the next big data breach.
Consider some of the following scenarios:
- A user who normally accesses corporate documents starts retrieving a large number of financial files. Do you have a way to detect that today?
- A DBA at a bank skims through the credit card table in a database. Do you have a way of knowing that?
- A user downloads files from your SharePoint, thousands at a time. Will you be alerted?
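The three scenarios above share a pattern: a per-user baseline of what is normal, a list of sensitive assets, and a volume threshold over a time window. The following Python is an added example, not part of the original post or the HII report, that applies those three checks to a constructed set of data-access log records. The record fields, user names, table names, categories and the 50-downloads-in-10-minutes threshold are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Assumed policy inputs (hypothetical; tune for your environment) ---
# What each user normally touches, learned from historical audit data.
BASELINE_CATEGORIES = {
    "alice": {"corporate-docs"},
    "bob":   {"corporate-docs", "hr"},
    "carol": {"corporate-docs"},
    "dba01": {"db-admin"},
}
# Tables whose contents should never be read wholesale by an administrator.
SENSITIVE_TABLES = {"cards.credit_card", "customers.ssn"}
BULK_THRESHOLD = 50                 # downloads ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this sliding window

# --- Constructed sample access log (not real data) ---
T0 = datetime(2013, 6, 3, 9, 0, 0)

def _ev(user, role, action, resource, category, minutes, query=None):
    """Build one access-log record; fields are assumptions for this example."""
    return {"ts": T0 + timedelta(minutes=minutes), "user": user, "role": role,
            "action": action, "resource": resource, "category": category,
            "query": query}

SAMPLE_EVENTS = [
    _ev("alice", "analyst", "read", "/docs/policy.docx", "corporate-docs", 0),
    _ev("alice", "analyst", "read", "/docs/handbook.pdf", "corporate-docs", 3),
    _ev("alice", "analyst", "read", "/finance/q1-results.xlsx", "financial", 5),
    _ev("alice", "analyst", "read", "/finance/q2-forecast.xlsx", "financial", 6),
    _ev("alice", "analyst", "read", "/finance/payroll.xlsx", "financial", 7),
    _ev("dba01", "dba", "query", "hr.employees", "db-admin", 2,
        query="SELECT count(*) FROM hr.employees"),
    _ev("dba01", "dba", "query", "cards.credit_card", "db-admin", 4,
        query="SELECT * FROM cards.credit_card"),
]
# carol pulls 60 SharePoint files in six minutes (scenario 3).
SAMPLE_EVENTS += [
    _ev("carol", "sales", "download", f"/sites/sales/contracts/{i:03d}.pdf",
        "corporate-docs", 10 + i / 10)
    for i in range(60)
]

# --- Detections ---
def detect_category_anomalies(events, baseline):
    """Scenario 1: a user reading a data category outside their baseline."""
    unexpected = defaultdict(Counter)  # user -> category -> file count
    for ev in events:
        if ev["action"] not in ("read", "download"):
            continue
        if ev["category"] not in baseline.get(ev["user"], set()):
            unexpected[ev["user"]][ev["category"]] += 1
    return [{"rule": "category_anomaly", "user": u, "category": c, "count": n}
            for u, ctr in unexpected.items() for c, n in ctr.items()]

def detect_sensitive_table_reads(events, sensitive_tables):
    """Scenario 2: any query against a table on the sensitive list."""
    return [{"rule": "sensitive_table_read", "user": ev["user"],
             "table": ev["resource"], "query": ev["query"]}
            for ev in events
            if ev["action"] == "query" and ev["resource"] in sensitive_tables]

def detect_bulk_downloads(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Scenario 3: peak number of downloads by one user inside a sliding window."""
    times_by_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "download":
            times_by_user[ev["user"]].append(ev["ts"])
    alerts = []
    for user, times in times_by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):       # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"rule": "bulk_download", "user": user, "count": peak})
    return alerts

def run_detections(events):
    """Run all three checks and return the combined alert list."""
    return (detect_category_anomalies(events, BASELINE_CATEGORIES)
            + detect_sensitive_table_reads(events, SENSITIVE_TABLES)
            + detect_bulk_downloads(events))

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Each detection returns structured alerts rather than printing, so the same output can feed an audit trail, a SIEM, or a blocking control that terminates the session. The baseline here is a static dictionary; in practice it would be rebuilt periodically from the audit log, and the bulk-download window and threshold would be set per data store rather than globally.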
Our HII report can be downloaded here.