All too often, the media reaction to data breaches is to tout the incredible sophistication of responsible parties, as if it is a shock that technological developments have made these events increasingly easier. There are some very key areas in which we need to stop underestimating the average attacker's abilities if we are going to slow down the growth of massive breaches and detect intruders more effectively.
The term 'APT' distracts organizations from rational concerns
When people first started describing "Advanced Persistent Threats" nearly ten years ago, it was to describe a previously unseen level of sophistication in cyber attackers. This classification was used almost exclusively to describe nation state-sponsored groups with unlimited resources and an endgame that supported their country's national interests, be they intellectual property theft or long-term monitoring of communications. The point of using this description was to explain that your traditional defenses were insufficient because this grade of attacker is highly-skilled and will continue to target your organization for as long as it takes to succeed. The excellent analysis of the APT1 group from Mandiant (now FireEye) revealed a shining example of an APT in early 2013. This group likely has only a handful of equals for both capabilities and total resources among those willing to ignore moral code and laws, like the behind-the-keyboard equivalents of Thomas Crown [but likely not as charming].
The problem is that this term is now dropped into conversations to describe any threat that was not detected. Zero-day exploits can be purchased rather easily and anyone on the internet can obtain some hacker tools or converted IT-management applications, but whenever a previously unseen version of malware is used or an attacker steals credentials and moves through a network undetected, the breach is labeled as the work of an APT group. Many people take this as an opportunity to say "there's nothing they could have done", which is the frightening part. No matter the result or intent, we need to recognize that there are thousands of malicious parties with internet access and the legitimate ability to compromise a poorly protected organization. These are not the techniques available only to the groups like APT1 or Thomas Crown; most pen-testers learn these tools when they are still practicing on their home networks.
Attackers use the latest technology and understand yours
One advantage attackers have is not needing to justify the use of new technologies. They quickly adopted cloud services and used them for everything from phishing attacks and hosting malware to exfiltrating large files to a Mega account. Although cyber criminals are performing cost-benefit analyses with their tools, they can adjust very rapidly when they find cheaper or more effective options. They aren't all the highly skilled super-thief who orchestrates and performs the entire job because they don't have to be. These attackers more closely resemble Danny Ocean who has always "got a guy" for each task. Increasingly affordable computing power and worldwide connectivity have provided them access to pre-built toolkits complete with user guides and video walkthroughs. The ability to hire specialists allows them to adjust their plan based on the defenses of their chosen target organization.
Another way malicious parties continue to succeed is by studying the security solutions on the market and identifying gaps they can use to their advantage. I am not even speaking to the level of sophistication necessary to develop an EMET-bypass, but rather the many stealthy activities like limited network scans and reusing local credentials once they have gotten through the perimeter because of the low risk this will be spotted in the noisy network traffic. Similarly, they spend the majority of their time on endpoints because so many companies have a blindspot for detecting anything other than malware on their most frequently used systems, such as the stealing credentials, manually running DLLs, or dumping information from memory. When these groups have "got a guy", you can be sure that the specialist knows that a high percentage of companies are only monitoring the perimeter.
We can no longer underestimate their creativity
One thing we have seen from the ongoing battle between malware developers and anti-malware solutions is that the developers are very good at finding low-effort ways to get around our defenses. Your anti-virus spots known malicious processes? The process they launch at startup creates a randomly named process each time. Your detection is successfully spotting bad signatures? They will tweak and re-compile the code before using it the next time. You are putting too much trust in your sandbox detection? They create sandbox evasion techniques to remain docile while in the sandbox. These are very simplistic examples, but they show the ingenuity and adaptive nature of attackers.
If you look beyond malware, as most organizations fail to do, you find more evidence of this creativity in some of the largest breaches. Both Target and Home Depot were initially compromised when attackers stole credentials from trusted third parties like HVAC maintenance firms. This has led companies to look a lot closer at the risk posed by the external organizations accessing their network, as it should, but if we focus too much attention on this potential weakness, we will once again be surprised when the attackers pivot their approach and get a different "guy" with a new edge case.
At Rapid7, we focus on never underestimating the attackers, and all of the user behavior analytics detection the InsightIDR team builds is aimed at learning from the legitimate behavior of your user population to distinguish concerning changes and common attacker behaviors. No one indicator is going to detect the attackers in every attempted compromise, so we continually develop new detection across the many different layers from your perimeter through your endpoints, servers, and cloud services.
To learn more about InsightIDR and Rapid7's other solutions for detecting compromised credentials, check out our compromised credentials resource page and make sure to download our complimentary information toolkit. You'll see how our approach is to never underestimate the attacker.