Staying Secure When Facing Advanced Persistent Threats

The United States Computer Emergency Readiness Team (US-CERT) and the National Cybersecurity and Communications Integration Center (NCCIC) recently posted a technical alert for Managed Service Providers (MSPs) warning of a campaign conducted by Advanced Persistent Threats that targets MSPs and attempts to break into their computer networks.   Both cloud and on premise technologies are targeted in this attack.  You can read the full alert here, https://www.us-cert.gov/ncas/alerts/TA18-276B.

In this blog post we will look at who and what Advanced Persistent Threats are, what they are doing, how they are doing it, and why they are targeting MSPs.   We will also briefly going into how 3KeyLogic is staying protected and what you can do to make sure to not fall victim to an APT.

Who or What are APTs?

Advanced Persistent Threat actors, or APT actors, are a group of individuals who break into an organization’s network and persist for an extended period of time while they carry out their hostile mission.   APT groups are usually funded by foreign nation states and have a lot of time, money, technical capabilities and resources to pull off an advanced attack on their targeted organizations.   APTs generally have goals that they try to accomplish during their malicious campaign such as stealing intellectual property, committing cyber espionage, or just gaining a cyber foothold in another country.  In the past APTs have targeted victims in the United States that work in several different sectors such as Critical Infrastructure, Information Technology, Energy, Healthcare, Critical Manufacturing and Communications sectors.   APTs are generally targeting high-value corporations since there is a large amount of money and resources that goes into pulling off an APT attack.  This does not preclude smaller business who might be vendors or partners that have connections to high-value targets from getting swept up in the attacks.   One of the largest cyber-crimes in US history started as an attack on a small HVAC company which eventually lead to a major retailer getting hacked and the loss of 70 million customer credit card numbers.


What are APTs doing and how are they doing it?

APTs are generally following a plan that is part of a goal oriented cyber campaign. The specific techniques used will vary greatly depending on the APT group and their specific campaign goals but APTs generally follow the same initial process.  Those steps are often called the APT lifecycle as shown in the graphic below.

APT Lifecycle – from: https://www.secureworks.com/blog/advanced-persistent-threats-apt-a

APTs follow this cycle as they infect and move around the network undetected.   In the Alert (TA18-276B) Advanced Persistent Threat Activity Exploiting Managed Service Providers, APTs stay undetected by using tools that are already preinstalled on windows computers, or already exist in most MSP and MSP customer environments.  This allows APTs to use things such as bash scripts, PowerShell, and other command line scripts as hacking tools to remain undetected because most antivirus programs do not categorize these as malicious.  In addition to command line scripting, APTs have been found to use other tools commonly used by MSPs such as netsh, Robocopy, Xcopy, and PuTTY Secure Copy Client to steal data out of networks.   By using tools native to the MSP environment and their customers, APTs save their more advanced malware, that can cost upwards of several million dollars to create, from undo detection and identification.


Why are APTs now targeting MSPs

MSPs allow for remote management of phones, networks, and end-user systems, along with a long list of other services they perform to help companies manage IT and save money.   MSPs allow companies to easily scale their IT needs on demand and provide lower cost than having dedicated internal resources.   Because of this, the number of MSPs has significantly increased over the past few years.

In order to do their jobs MSPs usually need direct access to the customer’s networks in order to support them.  With this level of access, if one part of the MSP is compromised then it is easy for APTs to spread to other customers and steal their data too.  That is why APTs are now targeting MSPs at scale.  If an APT can get into one MSP then they could potentially get access to hundreds of customer networks will little work on their part.

How is 3KeyLogic staying protected from APTs and keeping customers safe

At 3KeyLogic we implement an ever-changing security program that combines technology, processes, and people in a way that keeps all areas of the business secure.  From secure coding practices, to individual user training on security, 3KeyLogic implements a large number of technological controls that help mitigate, detect, and respond to cyber-security incidents. 3KeyLogic has network security monitoring built-in to our network (including the cloud), which allows for us to collect a rich amount of information such as end-point data, netflow, VPC flow, packet capture, IDS/IPS events, firewall logs and much more. 3KeyLogic also follow industry best practices such as:

  • Having firewalls protect servers and other designated high-risk networks.
  • Separate internal networks by function and risk profile
  • Host based firewalls
  • Host based intrusion detection systems
  • Restricting outbound traffic to only traffic with business purposes
  • Inspecting all outbound traffic at the application layer
  • Disabling or blocking network services not required
  • Restricting access to scripting languages such as PowerShell
  • Turning on PowerShell logging
  • Following proper Authentication Authorization and Accounting guidelines
  • Enable logging on all network systems and devices and send logs to a central location
  • Create a baseline for system and network behavior.
  • Review network device configurations
  • Run continuous vulnerability and patch management
  • Regularly update software and operating systems

This is just part of a list of controls and best practices that 3KeyLogic is following to maintain our security posture.  We are always assessing our security to help make sure that threats can be detected and shutdown as fast as possible.

What can you do to protect from APTs

Protecting yourself from APTs is a hard task to accomplish.  APTs are well funded and resilient but there are some things you can do to help stay secure.

  • First make sure to follow the rule of least privilege, only give access to something if it is critical for someone’s job function.
  • Second lock down the use of administrative privileges on a network.
  • Third limit the use of scripting tools that are on your network and only allow what is absolutely necessary.
  • Lastly make sure to log and audit everything that is happening on your network for signs of abnormal behavior, that could be the APT rummaging through your stuff.

If you are the customer of an MSP feel free to ask them what they do for security and how they can assure they are prepared for today’s advanced attacks.   Also, remember it is important to ask security questions of all vendors and partners that are in your supply chain, as anyone of them could be the vector that leads to your compromise.   If you don’t know what your current security posture is, then you can take our free online security self-assessment that asks questions to determine if you are protected from the top threats that face your unique industry.

Click here to take the assessment.