Aligning security systems with intelligence gathered on groups of elite hackers working for nation states is a key defense for targeted organizations, experts say.
The importance of such a strategy was highlighted this week in a report that found a particular band of Chinese hackers capable of switching targets quickly as geopolitical events changed.
The cyberespionage group, dubbed Deep Panda, shifted focus from U.S. policy experts on Southeast Asia to those following insurgents in Iraq once the rebels began threatening China's investment in the country's oil industry, security vendor CrowdStrike reported.
Defending against such flexible attackers requires a steady stream of intelligence on such groups, so rules can be updated in firewalls and intrusion detection systems (IDS) and indicators refreshed in security information and event management (SIEM) products.
These constant intelligence-based adjustments are an effective way to at least stay even with the attackers.
"You can't take your IDS out of the box, plug it in and expect that to make a difference," Adam Meyers, vice president of threat intelligence for CrowdStrike, said.
Instead, the systems have to be continuously updated based on the changing tactics, techniques and procedures of the hackers, Meyers said.
"Understanding the threat actor, understanding what their motivation is and understanding how they operate is really what CIOs should be taking away from this report," he said.
In the case of Deep Panda, CrowdStrike found that the group breached their victim's networks using Windows PowerShell scripts. PowerShell is a task automation and configuration framework from Microsoft.
The attackers also downloaded and executed from memory a .Net executable called "Wafer," which would download and run a remote access tool (RAT) called MadHatter, one of Deep Panda's favorites, CrowdStrike said.
Running everything in memory keeps malicious files off the hard drive, making them more difficult to detect.
"This is typical for Deep Panda," CrowdStrike said in its blog. "Stealth is their specialty and they prefer to operate in a way that leaves a minimal footprint on a victim system and often allows them to evade detection for a very long time."
This is the kind of information that can be used in readjusting security technology. At the same time, organizations should use a set of technologies considered the defensive baseline, Paul Henry, senior instructor at the SANS Institute said.
The technologies include:
--Ingress filtering that allow into the network data packets only from those regions of the world where a company does business.
--Using technology that produces hash values for accessing critical data.
--Anti-virus software to block known threats and whitelisting technology to block unknown programs and scripts from executing.
--Egress filtering that prevents sensitive data from leaving an organization's network.
This story, "Defensive tactics against sophisticated cyberspies" was originally published by CSO.