APT Group Crossover Attacks: From the Department of Defense to Big Oil
The oil and gas industries have been targeted by APT groups for some time now. But until recently, the groups that targeted these companies were mostly independent from those that target the Department of Defense and other elements of the defense industrial base. This is no longer the case.
At least one APT group that, in the past, focused almost exclusively on the Department of Defense has now added several new targets in the oil and gas industry. The implication is that the goals for attacking defense and oil and gas are related.
Consider that while the military industrial complex is a comparatively more difficult target to successfully attack, our national critical infrastructure presents a much softer target. Penetrating the weaker defenses of our infrastructure puts these APT groups in a better position to strike military targets. In addition, attacking resources supporting the military base could be less risky and ultimately as effective as attacking the base head-on. I expect to see more crossover of targets in the future as these APT groups seek more efficient ways of meeting their exploit goals.
--Scott Pease
Posted by Scott Pease on April 9, 2012 at 8:00am
APT and the Five Eyes Nations
Discussions around APT tend to focus on its impact to the manufacturing and defense contractors which comprise the U.S. Defense Industrial Base. HBGary currently monitors about 18 APT groups, and trends in our data suggest that APT is not just a U.S.-centric problem. Late last year HBGary discovered that at least one APT group we track is now attacking Military Industrial Complex targets in the U.K. and New Zealand whose profiles are similar to its U.S. targets. This APT group is one of the more prolific we track and has a long history of intrusions into U.S. defense contractors.
Until recently, this APT group has focused only on U.S. targets; all told, the group currently has more than 40 government and defense victims. They have brought online new command and control channels, allowing them to attack many new U.S. targets, as well as at least one government facility in the UK and a defense-related corporation operating in New Zealand. This may indicate an expansion in their mission objectives to include Defense Industrial Base targets within all of the “Five Eyes” nations (Australia, New Zealand, Canada, United Kingdom, and United States). As we see global companies acquire the interests of other global companies, this globalization of the APT threat will only accelerate.
Posted by Scott Pease on February 9, 2012 at 10:14am
The Benefits of SIEM for the CISO
A few years ago, the way companies dealt with malware threats was reactive. Once malware was discovered, they would simply re-image the infected machine. These days that approach is not effective. Once the attacker is able to escalate his privilege, he no longer needs the malware he used to gain access to the network. Wiping the machine just provides a false sense of security.
A more proactive approach is to have several point solutions for network security – an intrusion prevention system protecting the network and an anti-virus solution protecting your servers and end-nodes. A drawback of all these point products is that incident responders are forced to view the intelligence they gather within the context of each individual product – there is no consolidated view. This is where Security Information and Event Management (SIEM) systems are useful.
At their most basic, SIEMs present a summary view of events from various hardware and applications throughout the enterprise. The newest incarnations not only collect log events, but also perform analysis on the data, allow for reporting, and track compliance with government regulations. The advantage of the SIEM solution to the CISO is that if the security applications in use have a connector to the SIEM, the CISO’s team can see summary events and logs from multiple security products. This means that it takes less time to collect the threat intelligence they need. In addition, they can correlate events from multiple sources and see connections that may have been impossible to spot with separate logs.
HBGary recently integrated its flagship product, Active Defense™, with HP Enterprise Security’s ArcSight Security Information and Event Management (SIEM) solutions. Active Defense monitors physical memory for compromise by malware on hosts throughout the enterprise. It analyzes the memory image using HBGary’s Digital DNA™ and assigns each running binary a score based on the sequence of behavioral traits the binary exhibits. For example, a trait could be the ability of the binary to survive reboot, or to examine details of another running process. Each of these traits on its own may be a legitimate behavior, but taken together, they could be a security threat. Active Defense™ is able to send all of its system and user events to ArcSight.
Active Defense™ logs every action a user takes on the server, such as scheduling a new scan job. It also logs system events such as scan kick-off and completion. For example, a system event might show that a particular Digital DNA™ scan ran against a set of monitored nodes and the highest scoring machine was “JDOE_Laptop,” with a score of 55.0. An ArcSight user can take the threat intelligence gathered by Active Defense™ and couple it with additional information. For example, extracted command-and-control information can be cross-referenced against DNS logs or the intrusion detection systems. From this, they can potentially determine when the suspicious binary was added to the system and where it came from. This ability to connect third-party products through easy-to-implement connectors clearly benefits the SIEM’s end-user.
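The correlation described above, as an added example that is not HBGary's or ArcSight's code: it joins constructed Digital DNA-style scan events (host, score, extracted command-and-control name) against constructed DNS resolver log lines to find when each high-scoring host first looked up its C2 name. The event format, the `SCORE_THRESHOLD` triage value and all host and domain names are assumptions made for this example.

```python
# Constructed scan summary events in a simplified, made-up key=value format
# (not the real Active Defense or ArcSight CEF format). "c2=-" means no
# command-and-control name was extracted from the scored binary.
DDNA_EVENTS = [
    "scan=ddna-0142 host=JDOE_Laptop score=55.0 c2=update.example-bad.test",
    "scan=ddna-0142 host=FILESRV01 score=12.5 c2=-",
    "scan=ddna-0142 host=HR_WS07 score=41.0 c2=update.example-bad.test",
]

# Constructed DNS resolver log lines: timestamp, client address, client host, query.
DNS_LOG = [
    "2012-01-30T08:15:02Z client=10.0.5.23 host=JDOE_Laptop query=www.example.com",
    "2012-01-30T08:17:44Z client=10.0.5.23 host=JDOE_Laptop query=update.example-bad.test",
    "2012-01-30T09:02:10Z client=10.0.7.9 host=HR_WS07 query=update.example-bad.test",
    "2012-01-30T09:30:00Z client=10.0.1.2 host=FILESRV01 query=time.example.org",
]

SCORE_THRESHOLD = 40.0  # assumed triage cut-off for this example, not a Digital DNA value


def parse_kv(line):
    """Split a 'key=value key=value' line into a dict; a bare leading token
    (the DNS timestamp) is stored under 'ts'."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields["ts"] = tok
    return fields


def highest_scoring(ddna_events):
    """The summary the post describes: the monitored node with the top score."""
    best = max((parse_kv(e) for e in ddna_events), key=lambda f: float(f["score"]))
    return best["host"], float(best["score"])


def correlate(ddna_events, dns_log, threshold=SCORE_THRESHOLD):
    """For each host at or above the threshold with an extracted C2 name, find the
    earliest DNS query from that host for that name. Returns
    {host: {"score": float, "c2": str, "first_seen": timestamp}}."""
    dns = sorted((parse_kv(l) for l in dns_log), key=lambda f: f["ts"])
    hits = {}
    for ev in (parse_kv(e) for e in ddna_events):
        score = float(ev["score"])
        if score < threshold or ev["c2"] == "-":
            continue  # low score or nothing to pivot on: leave for the next scan
        for q in dns:
            if q["host"] == ev["host"] and q["query"] == ev["c2"]:
                hits[ev["host"]] = {"score": score, "c2": ev["c2"], "first_seen": q["ts"]}
                break  # DNS is sorted, so this is the earliest lookup
    return hits
```

Running `correlate(DDNA_EVENTS, DNS_LOG)` flags JDOE_Laptop and HR_WS07 with the time each first resolved the C2 name, while FILESRV01 is left out because its score is low and no C2 name was extracted.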
There are a lot of vendors in the market with deep experience in small segments of the security space. Being able to bring that varied threat intelligence together in one central view has the potential to vastly speed up the process of kicking the attackers out of the network and at the same time provides an improved ROI for all the products in your arsenal.
For more information on how HP Enterprise Security and HBGary can help your organization detect the latest advanced persistent threats (APT), check out our recent announcement regarding our partnership at http://bit.ly/mUPz8p.
Posted by Scott Pease on January 31, 2012 at 9:23am