Understanding Access Control Attacks
supports the motto of “Secure by Design, Secure by Default, Secure in Deployment and
Communication” (also known as SD3+C). Microsoft has two primary goals in mind with
this process:
■ To reduce the number of security-related design and coding defects
■ To reduce the severity of any remaining defects
A threat modeling process focused on access controls would attempt to identify any potential threats that could bypass access controls and gain unauthorized access to a system. The most common threat to access controls is attackers, and the “Common Access Control Attacks” section later in this chapter identifies many common types of attacks.
Advanced Persistent Threats
Any threat model should consider the existence of known threats, and this includes advanced persistent threats (APTs). An APT is a group of attackers who are working together and are highly motivated, skilled, and patient. They have advanced knowledge and a wide variety of skills to detect and exploit vulnerabilities. They are persistent and focus on exploiting one or more specific targets rather than just any target of opportunity. Nation-states (or governments) typically fund APTs. However, some groups of organized criminals also fund and run APTs.
If an organization identifies an attacker as a potential threat (as opposed to a natural threat), threat modeling attempts to identify the attacker’s goals. Some attackers may want to disable a system, while other attackers may want to steal data, and each goal represents a separate threat. Once an organization identifies these threats, it categorizes them based on the priority of the underlying assets.
It used to be that to keep your network safe, you only needed to be more secure than other networks. The attackers would go after the easy targets and avoid the secure networks. You might remember the old line “How fast do you need to run when you’re being chased by a grizzly bear?” Answer: “Only a little faster than the slowest person in your group.”
However, if you’re carrying a jar of honey that the bear wants, he may ignore the others and go after only you. This is what an APT does. It goes after specific targets based on what it wants to exploit from those targets. If you want some more examples, use your favorite search with these terms: “cozy bear attacks” and “fancy bear attacks.”
Fancy Bear and Cozy Bear
The U.S. Department of Homeland Security and the Federal Bureau of Investigation released a joint analysis report (JAR-16-20296A) in December 2016 outlining the actions of two APTs, named APT 28 (Fancy Bear) and APT 29 (Cozy Bear). The JAR attributes the malicious activity of these APTs to the Russian civilian and military intelligence services (RIS) and refers to it as GRIZZLY STEPPE.
Chapter 14 ■ Controlling and Monitoring Access
Their pattern of attack was to gain a foothold, often with a spear phishing campaign using shortened URLs. Sometimes they exploited known vulnerabilities. For example, investigators may discover one of the APTs exploited the Apache Struts web application vulnerability that caused the Equifax data breach. Once they got in, they installed remote access tools (RATs) that provided the attackers with access to the internal network. They then escalated their privileges, installed additional malware, and exfiltrated email and other data through encrypted connections.
While the JAR focuses on the APTs’ activities against a specific U.S. target, it also states that these same APTs have “targeted government organizations, think tanks, universities, and corporations around the world.” Experts think that APT 28 likely formed as early as 2004, and APT 29 likely formed in 2008. Several reports indicate that they continue to be active in many countries around the world.