Research reveals that some “advanced” threats are actually simple to execute

Imperva Inc. has released its April Hacker Intelligence Initiative report, "The Non-Advanced Persistent Threat." The report presents an in-depth view of how some techniques attributed to so-called Advanced Persistent Threats (APTs) require only basic technical skills. The report exposes simple ways that attackers are obtaining access privileges and accessing protected data by targeting weaknesses of the Microsoft NTLM protocol using nothing more than knowledge of common Windows protocols, basic social engineering, and readily available software.

Wednesday, 7th May 2014, by Phil Alsop

“As our research team reveals in our Hacker Intelligence Initiative Report, some APTs are relatively simple to execute,” said Amichai Shulman, CTO of Imperva. “There needs to be a fundamental shift in how we view APTs and how we protect against them. These types of attacks are difficult to prevent and our report shows that they can be conducted relatively easily. In order to mitigate damage, security teams need to understand how to protect critical data assets once intruders have already gained access.”
The report focuses on the phases of escalating privileges and collecting information, showing how attackers achieve their goals without resorting to zero-day vulnerabilities or sophisticated exploits. This research examines how attacks target commonly known weaknesses in the Windows NTLM protocol, a standard Microsoft authentication protocol. This protocol, while considered weak, is still widely used in corporate environments. The research then shows how attackers can exploit these vulnerabilities to expand their reach within a target organization and access critical data assets. Finally, the report details how organizations can protect themselves and their most sensitive data against the outcomes of such attacks.
Key findings from the report:
· Data breaches commonly associated with APTs can be achieved by relatively simple (and commonly available) means, using basic technical skills.
· Built-in Windows functionality, combined with seemingly “innocent” file shares and SharePoint sites, can provide attackers with an entry point to an organization’s most critical data.
· A mitigation strategy should be implemented that focuses on monitoring the authentication process itself and data access patterns, in addition to tailoring authorization mechanisms for increased security.