Countermeasures for APT38
APT38 has hit the news wires on several different feeds. These reports outline what the group has done, how it was able to carry out several multi-million-dollar heists, and why it continues to pose a threat moving forward. But what is at the core of this APT? And how do we defend against this group and others like it?
APT38 is described as a North Korean-backed group that has made its name by targeting and infiltrating financial firms around the world. It appears to follow a standard playbook for bad actors. Targeting SWIFT-connected organizations, the group started with intelligence gathering, moved to targeted attacks to gain access (such as Struts or watering hole exploits, and likely phishing campaigns as well), performed internal reconnaissance, pivoted to the SWIFT servers, transferred funds, and then covered its tracks. That is the standard playbook.
To break this down a little further, let’s key in on areas that would make sense for organizations to focus on, and other areas that we can’t control.
First, let’s identify a few items that we can’t control and get them out of the way:
- Bad actors
- Intelligence gathering from the outside (There is no such thing as anonymity for businesses on the Internet)
- Exploits (As long as there are humans and computers, there will always be a way to exploit them)
Next, things that we CAN control:
- How your organization values your “Crown Jewels”, in this ‘use case’ the SWIFT environment.
- How your organization manages vulnerabilities – and I am not just talking about patching.
- How your organization continually tests for or simulates APTs.
Addressing each of these areas that are within your control can be a daunting task. If you are in the Information Security community, you’re probably saying “No kidding…you’re not telling me anything I don’t already know or haven’t said to my management team!”. I know, because I have lived it too. But there is hope!
By this time, I am sure that you have read through a few of the articles on APT38 and have referenced the US-CERT Alerts (TA-18-276A & TA-18-276B). I am sure that you have many of the security controls recommended in the US-CERT Alerts in place, and possibly even have tools to test those security controls. But are you testing whether (or rather, when) an APT has access to your network, and how it can move laterally and go undetected all the way through to your crown jewels? If the answer is no (or even yes), I would highly recommend taking a look into an emerging field of technology called BAS (Breach and Attack Simulation).
BAS tackles the daunting task of testing your security controls in a simulated or “what if” scenario. Your network is an ephemeral environment, and you can’t be everywhere at once; you have to lean on tools and automation to help you understand the potential for threat actors on your network. You can’t hope that your security controls will pick up on APTs; you have to know that APTs will be stopped before gaining access to your crown jewels.