Stuxnet. Hydraq. Koobface.
The names may sound innocuous enough, but these recent cyber attacks pose a deadly serious threat to today’s enterprises.
Consider the Stuxnet worm
, which Symantec Security Response described as being “like nothing we’ve seen before.” Stuxnet looks for industrial control systems used in the production of nuclear weapons and destroys them. Officials in Iran admitted that the worm inflicted serious damage on that country’s nuclear program, including large-scale accidents and loss of life. Stuxnet is the first computer virus able to wreak havoc in the physical world.
To say the least, we’ve come a long way from the benign days of the Anna Kournikova virus or the “I Love You” bug.
As the latest Symantec Internet Security Threat Report
demonstrates, today’s attacks are sophisticated, targeted, and rapidly mutating. Last year alone, attackers unleashed more than 286 million distinct malicious programs. That amounts to an average of nine new threats every second of every day. By comparison, Symantec detected 250,000 viruses in 2007. The sheer volume of today’s attacks threatens to overwhelm traditional signature-based security solutions.
Many of these new attacks are known as “advanced persistent threats” (APTs). APTs have been linked to such high-profile incidents as the theft of SecureID authentication technology code from RSA (which security experts say may have given hackers the tools to carry out a serious intrusion at Lockheed Martin, the world’s largest military contractor); the shutdown of the Sony PlayStation Network; and the data breach at online marketing powerhouse Epsilon.
Continue reading to learn what steps you can take to protect your organization against these threats.
Advanced persistent threats are malware that is designed to penetrate even well-protected networks and to stealthily communicate with an attacker. APTs can be used to passively collect passwords and IDs—or to actively allow an attacker to control or even damage remote systems. Because APTs are so hard to spot, they often infect computers for months or even years before being revealed.
The sudden surge in APTs has been fueled by two developments: the relative accessibility of attack toolkits and the rise of so-called rootkits.
Attack toolkits are software programs that can be used by novices and experts alike to launch widespread attacks on networked computers. They enable attackers to continuously generate new mutated malware variants, each targeting a different victim, making traditional discovery and fingerprinting of these threats nearly impossible.
According to Symantec’s Report on Attack Toolkits and Malicious Websites
, as attack kits become more accessible and easier to use, they are being used much more widely. This has attracted traditional criminals—who would otherwise lack the technical expertise—into cyber crime, spawning a profitable and increasingly organized underground economy.
Case in point: the attack kit known as Zeus, which specializes in stealing bank account credentials. The profitability of attacks using Zeus was illustrated by the September 2010 arrests of a ring of cyber criminals who allegedly used a Zeus botnet to steal more than $70 million from online banking and trading accounts over an 18-month period.
A rootkit, meanwhile, is a collection of tools that allow an attacker to hide traces of a computer compromise from the operating system and the user. They use hooks into the operating system to prevent files and processes from being displayed and prevent events from being logged. Rootkits have been around for some time, but they are increasing in sophistication and complexity.
According to the Internet Security Threat Report, “the current frontrunners in the rootkit arena are Tidserv, Mebratix, and Mebroot. These samples all modify the master boot record (MBR) on Windows computers in order to gain control of the computer before the operating system is loaded.”
To protect against advanced persistent threats, organizations need to do more than deploy signature-based antivirus on their endpoints. They need a comprehensive endpoint security product that includes additional layers of protection including:
- File and Web-based reputation solutions that provide a risk-and-reputation rating of any application and website to prevent rapidly mutating and polymorphic malware;
- Endpoint intrusion prevention that protects against unpatched vulnerabilities from being exploited, protects against social engineering attacks, and stops malware from making it onto endpoints;
- Browser protection for protection against stealthy Web-based attacks;
- Heuristic file-based malware prevention to provide more intelligent protection against unknown threats;
- Real-time behavioral analysis capabilities that look at the behavior of applications as they execute for malware-like activity;
- Application control settings that can prevent applications and browser plug-ins from downloading unauthorized malicious content;
- Device control settings that prevent and limit the types of USB devices to be used.
Organizations also need to be sure that they’re being smart about prevention and mitigation. In many cases, implementing best practices, sufficient policies, and a program of user education can prevent or expose a targeted attack. For example, restricting the use of USB devices limits exposure to threats designed to propagate through removable media. Educating users not to open unsolicited email attachments and not to click on links in email or instant messages can also help prevent breaches.
The dramatic increase in both the sophistication and frequency of targeted attacks on enterprises has profoundly changed the threat landscape. To increase the likelihood of a successful, undetected infiltration, an increasing number of these attacks leverage zero-day vulnerabilities to break into systems. For example, the Stuxnet worm exploited four different zero-day vulnerabilities to attack its targets.
Given this volatile environment, enterprises must have confidence that they are protected against both known and new cyber threats.
Symantec Endpoint Protection 12
offers that vital protection by detecting sophisticated new threats earlier and more accurately than other security products. Symantec Endpoint Protection 12 is powered by Insight, a reputation-based technology that tracks billions of files from tens of millions of systems to identify new threats as they’re created. Based on advanced data mining techniques, Insight seeks out changing encryption and mutating code. It separates files at risk from those that are safe, for faster and more accurate malware detection.
If you are concerned about the potential presence of APTs on your network, contact your Symantec sales representative or partner
for a Symantec Malicious Activity Assessment.