APT: Strategic Attacks Require Strategic Tests
Given the growing threat landscape, companies are increasingly expanding their IT security with specialized defense mechanisms to fend off strategic and targeted attacks, and advanced defensive strategies are being developed in parallel. But how good is the defensive performance of new endpoint protection and endpoint detection & response products against APT attacks? The AV-TEST Institute provides insights into new test procedures for the professional assessment of these types of solutions.
Heightened threat scenario for companies and government institutions
For corporate users and government organizations, merely defending against mass malware is only half the battle. Unlike consumer users, they face not only a constantly growing flood of mass malware but also the increasing danger of tactical cyberattacks. These seek to sabotage ongoing manufacturing operations or, in the course of digital espionage, to siphon off decisive market expertise and thus lucrative research and development work. The attacks over the past few months against seven research institutions and manufacturers of COVID-19 vaccines, attributed to alleged Russian and Korean threat actors, are a case in point. Customer data and other vital business information are further targets. Without corresponding defense strategies, companies endanger not only their business operations and competitiveness but also, in the event of a successful attack, their reputation.
The attention companies pay to IT security, and their acknowledgment of the seriousness of the situation, is underscored by the current Allianz Risk Barometer 2020: in the 9th edition of the annual study, Allianz Global Corporate & Specialty (AGCS) surveyed more than 2,700 risk experts at corporations in over one hundred countries about what they considered the most important business risks. In the ranking of top threats, 39 percent of the experts named cyberattacks on their companies as the greatest risk, clearly ahead of concerns about trade wars, rising customs tariffs, natural catastrophes or climate change.
APT – strategic-tactical attacks beyond mass malware
Unlike the shotgun approach of mass malware, tactical attacks on companies and government organizations deploy highly developed malware and long-term strategies. These are advanced persistent threats, or APTs for short, and they require precise information about the technical infrastructure of the targeted organization. The aim of such tactical cyberattacks is to remain undetected for as long as possible while maneuvering deep within the compromised network, in order to inflict the maximum degree of damage.
Looking at the APT attacks uncovered and analyzed so far, it is easy to recognize how dangerous they are and why advanced defense measures are necessary. APT attacks are carried out in a targeted manner, often after months or years of planning, and are characterized by a large commitment of financial and technical resources as well as the involvement of highly specialized teams. These prerequisites at least narrow the range of possible intruders: frequently they are expert teams working on behalf of foreign states or military organizations. An impressive overview of identified attacks and their alleged masterminds is provided by the list of "Significant Cyber Incidents" from the Center for Strategic & International Studies (CSIS). Moreover, analyses of known attacks reveal the typical modus operandi and tactics, which usually combine several attack techniques. The MITRE ATT&CK Matrix is the recognized standard for cataloguing the tactics and techniques used in APT attacks.
Targeted combination of attack techniques
It is above all the absence of a fixed attack pattern, with ever-new combinations of different modes of attack and vectors, that makes APT attacks unpredictable and extremely difficult to detect. What these attacks have in common, however, is the use of combined attack methods drawn from a wide variety of attack modes, which generally follow a certain sequence, a sort of APT life cycle.
In the first phase of an APT attack, the victims are usually scouted out via social engineering and through technical analysis of the IT infrastructure to be attacked (reconnaissance). This is followed by the selection of suitable attack tools and techniques (weaponization) and bringing the selected tools into position in the target network (delivery). Upon successful intrusion (exploitation), the next steps are the installation of the attack tools and the establishment of a firm foothold in the hijacked system, as well as spreading throughout the network (lateral movement). Once the tools are in place, set up and administrable remotely (command & control), the attackers have achieved their objective and can unleash the desired attack effect (action).
Among the attack techniques used in the reconnaissance phase, the perpetrators often resort to social engineering, mounting a targeted assault on the victims via spear phishing. This is followed by the deployment of high-end malware alongside standard tools that are constantly modified and adapted to the attack scenario. Such malware frequently exploits expensive zero-day vulnerabilities in applications, for which no patch yet exists, and is consequently difficult to detect. Detecting APT attacks, or ideally thwarting them, requires comprehensive detection and defense tools together with elaborate strategies and training, because only then can the suspicious activities of intruders be uncovered amid the massive background noise of log files.
Tests and training sessions: red team versus blue team
Tests and training sessions of security solutions against APT attacks are best carried out with two opposing teams, "red" and "blue". The "red team" uses the tactics and techniques also used by real attackers. This presupposes the availability of the relevant tools, however, such as zero-day malware, along with in-depth knowledge of how to handle them and of the corresponding attack tactics.
The "blue team" in turn tries to detect, analyze and, ideally, fend off or prevent such an APT attack. The blue team's weapons normally consist of a combination of endpoint protection platforms (EPP) and endpoint detection & response (EDR) platforms. In these test scenarios, the protection solutions deployed, their configuration, and not least the administrators and the security architecture of the company under attack have to show their true mettle.
APT attacks are extremely difficult to detect.
The A2EPP and A2EDR certificates from AV-TEST
What are the capabilities of EPPs and EDRs?
Endpoint protection platforms are intended to detect and fend off the intrusion of malware and other attack tools used in APT attacks. Ideally, such platforms manage and control all endpoint devices active in the network and supply them with an array of security technologies, including virus scanners, firewalls, intrusion prevention systems (IPS) and data loss prevention (DLP) systems. The extent to which EPPs can protect against zero-day malware and sophisticated APT attacks also depends on the detection procedures used: depending on the vendor, EPPs rely on static and dynamic analysis techniques and on artificial intelligence.
In particular, detecting attack tools that are already in the system is often beyond what an EPP can do. That is why EPPs are ideally supported by endpoint detection & response platforms in detecting APT attacks. The task of such systems is to record the activities of all endpoint devices active in the network and to analyze the events they trigger: user log-ins, data retrievals, registry and memory accesses, network connections used, and a wide array of other activities. EDRs match these activities against procedures known from APT attacks that have already been analyzed. To do so, they use comprehensive and constantly updated databases in which known vulnerabilities and existing attack patterns are stored and combined, and they also pinpoint anomalies and potential attacks by means of behavioral pattern analysis. On the basis of this data, corporate security officers are in a better position to initiate countermeasures when an attack is detected.
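To make concrete what the behavioral matching described above looks like at its simplest, here is an added Python example; it is not part of the AV-TEST article and not the code of any EDR product. It runs a handful of constructed endpoint events (process creations, a registry write, network connections; no real telemetry) through a small correlator that only raises an alert when one process chains several suspicious stages within a time window, so that a lone encoded PowerShell command on another host stays below the threshold. Host names, PIDs, destination addresses and the stage names are invented; the ATT&CK technique IDs are the ones MITRE publishes, but mapping each stage to them is the example's own choice.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One normalised endpoint telemetry record (process, registry or network)."""
    ts: int            # timestamp in seconds (constructed values)
    host: str
    kind: str          # "process" | "registry" | "network"
    pid: int           # acting process
    ppid: int = 0      # parent pid (process events)
    image: str = ""    # executable name (process events)
    cmdline: str = ""  # full command line (process events)
    key: str = ""      # registry key written (registry events)
    dest: str = ""     # "ip:port" (network events)


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RUN_KEY_PREFIX = r"hkcu\software\microsoft\windows\currentversion\run"
WEB_PORTS = {"80", "443"}
ENCODED_FLAG = re.compile(r"(?i)\s-e(nc|ncodedcommand)?\s")  # -e / -enc / -EncodedCommand

# Stage -> ATT&CK technique. IDs are MITRE's published ones; which stage maps to
# which ID is this example's own (illustrative) choice.
STAGES = {
    "office_spawns_script": "T1204.002 User Execution: Malicious File",
    "encoded_powershell": "T1059.001 Command and Scripting Interpreter: PowerShell",
    "run_key_persistence": "T1547.001 Registry Run Keys / Startup Folder",
    "beacon_nonstd_port": "T1571 Non-Standard Port",
}


def stage_hits(events):
    """Tag each event with zero or more behavioural stages, grouped by (host, pid)."""
    procs = {}                 # (host, pid) -> process-creation Event
    hits = defaultdict(list)   # (host, pid) -> [(ts, stage), ...]
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if ev.kind == "process":
            procs[key] = ev
            parent = procs.get((ev.host, ev.ppid))
            if parent and parent.image in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
                hits[key].append((ev.ts, "office_spawns_script"))
            if ev.image == "powershell.exe" and ENCODED_FLAG.search(f" {ev.cmdline} "):
                hits[key].append((ev.ts, "encoded_powershell"))
        elif ev.kind == "registry" and ev.key.lower().startswith(RUN_KEY_PREFIX):
            hits[key].append((ev.ts, "run_key_persistence"))
        elif ev.kind == "network" and ev.dest.rsplit(":", 1)[-1] not in WEB_PORTS:
            hits[key].append((ev.ts, "beacon_nonstd_port"))
    return hits


def correlate(events, min_stages=3, window=600):
    """Alert only when one process chains >= min_stages distinct stages within
    `window` seconds; isolated hits are treated as background noise."""
    alerts = []
    for (host, pid), found in stage_hits(events).items():
        stages = sorted({s for _, s in found})
        first, last = min(t for t, _ in found), max(t for t, _ in found)
        if len(stages) >= min_stages and last - first <= window:
            alerts.append({"host": host, "pid": pid, "stages": stages,
                           "techniques": [STAGES[s] for s in stages],
                           "first_seen": first, "last_seen": last})
    return alerts


# Constructed sample telemetry (not captured from any real system).
SAMPLE_EVENTS = [
    # ws-fin-07: macro document -> encoded PowerShell -> Run key -> beacon on 8443
    Event(1000, "ws-fin-07", "process", 400, 1, "explorer.exe", "explorer.exe"),
    Event(1001, "ws-fin-07", "process", 500, 400, "winword.exe", "winword.exe invoice.docm"),
    Event(1030, "ws-fin-07", "process", 620, 500, "powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event(1045, "ws-fin-07", "registry", 620,
          key=r"hkcu\software\microsoft\windows\currentversion\run\Updater"),
    Event(1060, "ws-fin-07", "network", 620, dest="203.0.113.7:8443"),
    # ws-it-03: admin backup script launched from Explorer, talks HTTPS -> benign
    Event(2000, "ws-it-03", "process", 300, 1, "explorer.exe", "explorer.exe"),
    Event(2005, "ws-it-03", "process", 310, 300, "powershell.exe",
          r"powershell.exe -File C:\scripts\backup.ps1"),
    Event(2010, "ws-it-03", "network", 310, dest="198.51.100.20:443"),
    Event(2020, "ws-it-03", "registry", 310, key=r"hkcu\software\backuptool\lastrun"),
    # ws-hr-02: a single encoded command with no follow-up -> one hit, no alert
    Event(3000, "ws-hr-02", "process", 700, 1, "explorer.exe", "explorer.exe"),
    Event(3001, "ws-hr-02", "process", 710, 700, "powershell.exe",
          "powershell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAA="),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run directly, the script prints one alert: the Word → PowerShell → Run key → port 8443 chain on ws-fin-07, with all four stages inside 30 seconds. The backup script on ws-it-03 produces no stage hits at all, and the isolated -EncodedCommand on ws-hr-02 produces exactly one, which is why neither becomes an alert. Real EDRs key on full process lineage rather than a bare PID and weigh far more event types, but the principle is the same: individually weak signals become evidence only when they chain up per process.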
Advanced EPP & EDR tests by AV-TEST measure the performance of your APT defense
The AV-TEST Institute simulates realistic attacks modeled on various APT groups or on current scenarios, e.g. targeted ransomware attacks, and in doing so uses the tactics and techniques described in the MITRE ATT&CK Matrix. With such realistic red team tests, the security experts at the AV-TEST Institute can determine the strengths and weaknesses of the solutions deployed as a defense in your company. By means of combined attacks according to the MITRE ATT&CK Matrix, the tests, which are constantly modified and adapted to the current threat scenario, not only provide the best possible evaluation of defensive performance but also offer the opportunity to optimize EPP and EDR systems. The test structures developed by AV-TEST are always traceable and reproducible.
Within the scope of the tests, you receive detailed information on the defensive and detection performance of EPP and EDR solutions, with a precise breakdown of their resilience against APT attacks according to the MITRE ATT&CK Matrix. On successful completion of the respective tests, the AV-TEST Institute awards the A2EPP certificate (APPROVED ADVANCED ENDPOINT PROTECTION) and the A2EDR certificate (APPROVED ADVANCED ENDPOINT DETECTION AND RESPONSE), together with a corresponding test report, to the successfully tested solutions. Certified security products thus receive verification of their resilience against advanced and targeted attacks that use tactics and techniques within the range of current APT attacks. The A2EPP and A2EDR certificates from AV-TEST give manufacturers of EPP and EDR solutions verified evidence of the effectiveness of their products, and thus a decisive competitive advantage.
Several endpoint protection platforms and endpoint detection & response solutions are currently undergoing the first advanced test carried out by the AV-TEST Institute. This test simulates targeted ransomware attacks on a corporate network secured by the EPP and EDR systems under evaluation, and specifically the phase after successful intrusion, using currently applied APT techniques and tactics. Additional information on the test currently running will be published soon by AV-TEST.