Facing APT attacks that are growing in both sophistication and scale, most recently the Vietnam cyber-attack campaign in which more than 400,000 IPs were found infected on October 30, 2019 (according to data from the Department of Information Security), Mr. Nguyen Minh Duc, CEO of CyRadar, offered some suggestions on how organizations and businesses can defend against APT attacks.
An APT (Advanced Persistent Threat) is a form of targeted cyber attack in which hackers use advanced technologies and phishing techniques to break into a target network and then persistently focus on that target for a long time until the attack succeeds (or is stopped). Common techniques such as RFI (remote file inclusion), SQL injection, XSS and phishing are often used to establish a foothold in the target network. Malware is then used to expand the scope of the intrusion, maintain a presence in the network, and finally exploit the access and exfiltrate data for malicious purposes.
The consequences of these attacks are immense: intellectual property is stolen (trade secrets, patents, etc.); sensitive information is compromised (personal data, employee records, etc.); the organization's critical infrastructure is destroyed (databases, administrative servers, etc.); or the organization's domain name is taken over.
The Department of Information Security said it was a targeted attack by an organized group of foreign hackers. The malware used by the group in this APT campaign is very dangerous; it has attacked government agencies, national critical information infrastructure and users on Vietnam's Internet, delivered through email attachments in the form of .doc files.
Facing this complicated situation, CyRadar Information Security Joint Stock Company quickly coordinated with the Department of Information Security to produce a tool that removes the malware from computers suspected of infection.
Businesses, organizations and users can download the tool to scan for and remove the APT campaign's malware from the following link: http://remove-apt.vnpt.vn/download/tools/incident-response-v1.0.exe. As with any incident-response executable distributed over plain HTTP, obtain it only through the publisher's official channel and verify its integrity before running it on affected machines.
With more than 15 years of experience in the information security industry, Mr. Nguyen Minh Duc also suggested four measures to improve an organization's ability to withstand APT attacks:
1. Deploy defense in depth with more security layers:
Businesses and organizations need to control network access points, deploy next-generation firewalls, implement intrusion detection/prevention systems (IDS/IPS) and security information and event management (SIEM), regularly extend and upgrade vulnerability management, use identity management, apply security patches promptly and deploy endpoint protection.
2. Use detection and monitoring techniques
Monitoring incoming and outgoing traffic is considered the best way to detect and block backdoor installation and the exfiltration of stolen data. Continuous monitoring not only helps detect suspicious activity as early as possible but also reduces the risk of the intrusion escalating or being prolonged. Monitoring records can also serve as legal evidence after an attack.
3. Use threat evaluation and analysis services
Gathering raw data on emerging threats from a variety of sources, then analyzing and refining it into actionable information, is the core activity whenever there are unusual developments in the network.
4. Train staff to improve security awareness and plan for incidents
Machines are controlled by humans, so employees must understand the risk of clicking unknown links in emails and be aware of the phishing techniques that would turn them into unwitting accomplices of the hackers, with unpredictable consequences once they fall into the trap.
No matter how vigilant the personnel are and how expensive the technology is, the organization's security will still have some weakness; the question is "when will an attack happen", not "has one happened or not". Therefore, according to Mr. Duc, having a monitoring solution and deep traffic analysis in place is the most effective way to deal with this type of APT attack.
An APT attack is a multi-stage attack: hackers usually study the target (both its people and its IT systems) and then build suitable attack tools and techniques. The attackers operate in the dark, so these preparation steps are difficult to detect. But because the life cycle of an APT attack is quite long, if even one step in the attack chain is detected and stopped, the whole attack fails.
If enterprises and organizations cannot be sure that information about their assets is safe, or that there are no existing vulnerabilities (operating system flaws, application flaws, flaws in third-party software), the simplest approach is to monitor data flows and abnormal network traffic in order to detect sophisticated attacks, malware and spyware in the system early.
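Monitoring outbound traffic for the two behaviours the text names, a backdoor phoning home and stolen data leaving the network, can be automated on top of ordinary proxy or flow logs. The following Python script is an added example and not CyRadar's code: the log format, the sample log lines, the internal-network list (RFC 1918 ranges) and the thresholds (at least five connections with a coefficient of variation of inter-arrival times below 0.2 for beaconing; more than 20 MiB to one destination for exfiltration) are all assumptions chosen for illustration.

```python
"""Baseline detection of two APT post-exploitation behaviours in outbound
connection logs: periodic C2 beaconing and bulk data exfiltration.

Added example, not CyRadar's code. Log format, sample data, internal
ranges and thresholds are assumptions for illustration only.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic): timestamp, src, dst, dport, bytes_out.
# 10.0.0.5 beacons to 203.0.113.7 every ~60 s with small payloads, later pushes
# two large uploads to 203.0.113.99, and also queries the internal DNS server
# 10.0.0.1 every 30 s; 10.0.0.8 is ordinary, bursty browsing to 198.51.100.20.
SAMPLE_LOG = """\
2019-10-30T09:00:00 10.0.0.5 203.0.113.7 443 412
2019-10-30T09:00:05 10.0.0.8 198.51.100.20 443 1840
2019-10-30T09:00:07 10.0.0.8 198.51.100.20 443 22110
2019-10-30T09:00:30 10.0.0.5 10.0.0.1 53 80
2019-10-30T09:01:01 10.0.0.5 203.0.113.7 443 398
2019-10-30T09:01:30 10.0.0.5 10.0.0.1 53 80
2019-10-30T09:02:00 10.0.0.5 203.0.113.7 443 405
2019-10-30T09:02:30 10.0.0.5 10.0.0.1 53 80
2019-10-30T09:02:59 10.0.0.5 203.0.113.7 443 401
2019-10-30T09:03:30 10.0.0.5 10.0.0.1 53 80
2019-10-30T09:03:40 10.0.0.8 198.51.100.20 443 5120
2019-10-30T09:04:02 10.0.0.5 203.0.113.7 443 417
2019-10-30T09:04:30 10.0.0.5 10.0.0.1 53 80
2019-10-30T09:05:00 10.0.0.5 203.0.113.7 443 390
2019-10-30T09:06:10 10.0.0.5 203.0.113.99 443 31457280
2019-10-30T09:08:45 10.0.0.5 203.0.113.99 443 26214400
2019-10-30T09:10:12 10.0.0.8 198.51.100.20 443 3300
2019-10-30T09:10:13 10.0.0.8 198.51.100.20 443 1200
"""

# Assumed internal address space (RFC 1918). Checked explicitly rather than via
# ipaddress.is_private, because Python also treats the documentation ranges
# used above (203.0.113.0/24, 198.51.100.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return records


def external_flows(records):
    """Group connections by (src, dst), keeping only destinations outside INTERNAL_NETS."""
    flows = defaultdict(list)
    for ts, src, dst, _dport, nbytes in records:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in INTERNAL_NETS):
            continue
        flows[(src, dst)].append((ts, nbytes))
    return flows


def find_beacons(flows, min_connections=5, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-arrival times are nearly constant.

    Scripted beacons with little jitter have a coefficient of variation
    (stdev / mean of the gaps) close to 0; human browsing is bursty and
    usually scores well above 1.
    """
    hits = []
    for (src, dst), conns in flows.items():
        if len(conns) < min_connections:
            continue
        times = sorted(ts for ts, _ in conns)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": len(conns),
                         "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


def find_exfiltration(flows, max_bytes=20 * 1024 * 1024):
    """Flag (src, dst) pairs whose total outbound volume exceeds max_bytes."""
    hits = []
    for (src, dst), conns in flows.items():
        total = sum(n for _, n in conns)
        if total > max_bytes:
            hits.append({"src": src, "dst": dst, "bytes_out": total})
    return hits


def analyse(text):
    """Run both detectors over a log and return their findings."""
    flows = external_flows(parse_log(text))
    return {"beacons": find_beacons(flows), "exfiltration": find_exfiltration(flows)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

Running the script prints one beacon finding (10.0.0.5 to 203.0.113.7, six connections about 60 s apart) and one exfiltration finding (10.0.0.5 to 203.0.113.99, 55 MiB). The regular DNS queries to 10.0.0.1 look exactly like a beacon by timing alone; dropping internal destinations before scoring is what keeps them out of the result, which is why a real deployment tunes the internal-network list and both thresholds to its own traffic baseline instead of taking these values as given.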
CyRadar's representative said that this is also how the world's leading APT defense solutions work, and it is the mode of operation of CyRadar Advanced Threat Detection, the first APT attack prevention solution from Vietnam.
Its database is updated from a cloud system based on Malware Graph, an algorithm for evaluating existing and potential threats that monitors campaigns and network resources worldwide, scores them and extracts data for the entire CyRadar product ecosystem, thereby providing a platform for collecting open security intelligence to control APT attacks effectively.
APT attacks are by nature "custom-made", so the plans to deal with them also need to be flexible and adapted to the source of the threat, the environment in which it spreads and the scale of the IT system. The above are nevertheless general suggestions to help keep an organization's computer systems safe from persistent, purposeful APT attacks.
Source: CyRadar