Hi everybody, Ed Amoroso here. And in this video, I want to dig into and highlight the way an advanced persistent threat, or APT, works in the context of the perimeter model that we've shown you, the one that has all these breaks in it because we've got so many different types of services that a typical enterprise needs to support to operate. So let's put a little diagram here that shows the different steps or stages of an APT and really the mistakes that are made at each stage. So the first thing is that most companies accept email, and it can kind of come from wherever. Let me give you a little example. Embedded in your email is something called a From line, so you can see who sent you the email, where it came from, and it's usually something that is at the application level; you put the information there about who this thing is coming from. The problem is that that's not typically connected to the underlying infrastructure, meaning if I say I'm sending email to you from biggiantcompany.com and it comes across, and the mail server for biggiantcompany.com is 192.1.2.3 but the email is actually being sent from some other crazy IP address, you wouldn't know it in the email protocol because you don't check. The email protocol does not look for that kind of thing. Now it turns out there is an interesting standard called DMARC that does sort of connect the two things together. It's kind of an interesting protocol, probably worth a separate study if you want to go and dig a little bit deeper. It's not really all that fundamental to the discussion here. But the point is, that kind of sloppy handling of email: maybe not filtering email for malicious attachments, not doing DMARC, which would connect the IP address of a sending email server to the From information. It's cool that DMARC would actually check to make sure, hey, here's the IP address it should be coming from, and everybody has to keep track of that.
So that's mistake one, that sloppy email handling. Mistake two, somebody clicks on the email. Why did they click? Because you're probably being spear phished. They sent you something that's intended to make you click. They just want to get you interested in what's coming through. You see some enticing content, something that you're interested in. How in the world would they figure out what you're interested in? Well, welcome to social media, right? It's not that difficult to do a little research on somebody who works in the marketing department of a company, see that they're interested in water skiing or something, and then I send you an email saying, "Hey, look at all this interesting water skiing equipment. Click on these links for free coupons." And you click and the malware comes in. That's phishing. So the second mistake is somebody clicks without really knowing what it is that they're doing, and doing it in an unsafe environment. The third mistake is that we set up an environment where we've got trust across an enterprise, meaning if I connect to this computer, well then I can probably see all these others. I just trust everything on the enterprise. Think about where you may work or the school you're in. The systems embedded in your network, your enterprise, are probably all in line and don't have firewalls between them, and if you connect to the same network, you can probably see other students or other workers or whatever. So that's the next mistake, a very easy lateral traversal. So if somebody's clicked on something and gets malware, the malware is probably a remote access tool that lets a third party, a malicious intruder, log on to that system. Now they've got control of that system belonging to the person in marketing who clicked. Now, from there, they can laterally traverse. Again, it's this idea of a big perimeter and everybody can go wherever they want to go. They go wherever they want to go and they connect, say, to some records management tool.
That's the third mistake. The fourth is that outbound internet access is very controversial in a lot of companies. Most people want to be able to click on any URL that they'd like to. Now, within reason, a typical company is going to have acceptable use policies; they don't want you going to gambling or inappropriate sites, unless maybe you are a news organization and you really need to be going there. But for the most part, there'll be a thin swath of sites that a company would consider inappropriate, and then everything else would be allowed. And the problem with that is that if there are malware drop sites, or there are sites where I'm going to exfiltrate out to as the bad guy, and you're not really caring when some system in your network wants to connect to a place on the internet you've never heard of and don't know anything about, then that's the next mistake, the fourth mistake. We call that web egress being allowed, essentially, to something we call an uncategorized website. Now, a lot of tools exist that will sit on an outbound proxy, okay? So it will probably be a forward proxy protecting all the clients in the enterprise. And before those clients can go out to internet services, it's going to hit the proxy, and the proxy might keep track of a list of so-called categorized sites, meaning your vendor is keeping track and it's a site that we're pretty comfortable with, so you go to it. If it's an uncategorized site, you'd probably get blocked and interrogated and then be questioned, like, what are you doing? And that's where most information gets exfiltrated. It gets exfiltrated to some dynamic site on the internet that's probably uncategorized. Now, I say probably because it could be the case that a known categorized website has been compromised and the malware is going to exfiltrate to that. So it's not perfect, but it'd be a big mistake, I think, not to be doing some sort of outbound or egress filtering on web connectivity.
So, if you put all these mistakes together, it's no big surprise that so many companies are experiencing advanced persistent threats. It shouldn't be a surprise to you, and it's certainly not a surprise to me. Now that you have some understanding, we in the cyber security community really need to do some things about it, and that's the essence of the challenge that we have in modern cyber. Hope this has been useful for you. Talk to you in the next one.
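The first mistake in the lecture is the From line not being tied to the sending mail server, and the lecture points at DMARC as the standard that connects the two. Here is an added example (not part of Ed Amoroso's lecture) showing what that connection looks like on the SPF path of DMARC: SPF decides whether the connecting IP is allowed to send for the envelope (MAIL FROM) domain, and DMARC then requires that domain to align with the header From domain before the From line is trusted. The DNS records, the biggiantcompany.com and evil-sender.example domains, the IP addresses and the two messages are all constructed; real DMARC also has a DKIM path, handles include/a/mx SPF mechanisms and uses the public suffix list for organizational domains, none of which is implemented here.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups; a real check resolves these.
# biggiantcompany.com publishes SPF for its mail server 192.1.2.3 and a DMARC
# policy of reject with strict SPF alignment (aspf=s). evil-sender.example is
# the attacker's own domain, correctly set up for the attacker's own server.
FAKE_DNS_TXT = {
    "biggiantcompany.com": "v=spf1 ip4:192.1.2.3 ip4:198.51.100.0/24 -all",
    "_dmarc.biggiantcompany.com": "v=DMARC1; p=reject; aspf=s",
    "evil-sender.example": "v=spf1 ip4:203.0.113.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return FAKE_DNS_TXT.get(name.lower())


def spf_check(domain, client_ip):
    """Minimal SPF evaluator: ip4/ip6 mechanisms and 'all' only.
    Returns pass, fail, softfail, neutral, or none (no record)."""
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the public suffix list.
    return ".".join(domain.split(".")[-2:])


def dmarc_evaluate(raw_message, envelope_from, client_ip):
    """Tie the From: header to the sending IP the way DMARC does on its SPF
    path: SPF must pass for the envelope domain, and that domain must align
    with the header From: domain. DKIM (the other DMARC path) is omitted."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    envelope_domain = envelope_from.rsplit("@", 1)[-1].lower()
    spf = spf_check(envelope_domain, client_ip)
    result = {"from_domain": from_domain, "envelope_domain": envelope_domain,
              "spf": spf, "aligned": None, "disposition": "none"}
    policy = lookup_txt("_dmarc." + from_domain)
    if not policy:
        return result  # no DMARC record published: nothing to enforce
    tags = dict(kv.strip().split("=", 1) for kv in policy.split(";") if "=" in kv)
    if tags.get("aspf", "r") == "s":          # strict: exact domain match
        result["aligned"] = envelope_domain == from_domain
    else:                                     # relaxed: organizational match
        result["aligned"] = org_domain(envelope_domain) == org_domain(from_domain)
    if spf == "pass" and result["aligned"]:
        result["disposition"] = "deliver"
    else:
        result["disposition"] = tags.get("p", "none")  # p=none: deliver, only report
    return result


# Constructed messages: both carry the same From: line. GENUINE arrives from
# 192.1.2.3 with an envelope at biggiantcompany.com; SPOOFED arrives from the
# attacker's server with the attacker's own, SPF-passing, envelope domain.
GENUINE = ("From: Big Giant Company <noreply@biggiantcompany.com>\n"
           "To: alice@example.org\nSubject: Invoice\n\nHello\n")
SPOOFED = ("From: Big Giant Company <noreply@biggiantcompany.com>\n"
           "To: alice@example.org\nSubject: Free coupons\n\nClick here\n")

if __name__ == "__main__":
    print(dmarc_evaluate(GENUINE, "bounce@biggiantcompany.com", "192.1.2.3"))
    print(dmarc_evaluate(SPOOFED, "bounce@evil-sender.example", "203.0.113.7"))
    print(dmarc_evaluate(SPOOFED, "bounce@biggiantcompany.com", "203.0.113.7"))
```

The second call is the case the lecture describes: SPF on its own passes, because the attacker sends from a domain they control, but the envelope domain does not align with the biggiantcompany.com From line, so the published p=reject policy applies. The third call shows the plain IP mismatch (biggiantcompany.com envelope, wrong server), which SPF itself fails.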
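The fourth mistake is web egress to uncategorized sites, with the caveat that a compromised categorized site can serve as the drop point too. As an added example (not part of the lecture), here is the decision a forward proxy makes against a category feed, and a detection pass over proxy logs that flags both uncategorized destinations and unusually large uploads to any destination, so the compromised-but-categorized case is still caught. The category table, the log format (timestamp, client, destination host, bytes sent, status) and the log lines are constructed.

```python
from collections import defaultdict

# Constructed stand-in for the vendor category feed a forward proxy consults.
# Anything not listed is treated as uncategorized.
SITE_CATEGORIES = {
    "www.example.com": "business",
    "cdn.example.net": "content-delivery",
    "news.example.org": "news",
    "bets.example": "gambling",
}
BLOCKED_CATEGORIES = {"gambling"}


def egress_decision(host):
    """Proxy policy: allow known acceptable categories, block the
    inappropriate ones, and by default block anything never categorized."""
    category = SITE_CATEGORIES.get(host.lower())
    if category is None:
        return "block-uncategorized"
    if category in BLOCKED_CATEGORIES:
        return "block-policy"
    return "allow"


# Constructed proxy log: timestamp, client IP, destination host, bytes the
# client sent, HTTP status. x7q2-drop.example stands in for a throwaway
# drop site; news.example.org is a categorized site being used as one.
PROXY_LOG = """\
2024-03-01T10:00:01Z 10.0.5.23 www.example.com 1200 200
2024-03-01T10:00:04Z 10.0.5.23 cdn.example.net 800 200
2024-03-01T10:02:10Z 10.0.5.23 x7q2-drop.example 5242880 200
2024-03-01T10:03:00Z 10.0.7.9 x7q2-drop.example 300 200
2024-03-01T10:05:00Z 10.0.5.23 news.example.org 9000000 200
"""


def find_suspicious_egress(log_text, upload_threshold=1_000_000):
    """Aggregate bytes sent per (client, destination) and raise two kinds of
    alert: any traffic to an uncategorized host, and any client pushing more
    than upload_threshold bytes to a single host regardless of category."""
    bytes_out = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, host, sent, _status = line.split()
        bytes_out[(client, host)] += int(sent)
    alerts = []
    for (client, host), total in sorted(bytes_out.items()):
        if egress_decision(host) == "block-uncategorized":
            alerts.append(("uncategorized-egress", client, host, total))
        if total > upload_threshold:
            alerts.append(("large-upload", client, host, total))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_egress(PROXY_LOG):
        print(alert)
```

On the constructed log this yields four alerts: two uncategorized-egress hits on x7q2-drop.example (one of them also a large upload) and a large-upload hit on news.example.org, which the category feed alone would have waved through. In practice the byte threshold is tuned per environment and the decision is logged whether or not the request is blocked, so the "what are you doing?" conversation from the lecture has something to start from.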