An illustration picture shows a projection of binary code on a man holding a laptop computer

Attackers can obtain access privileges and access protected data by using nothing more than knowledge of common Windows protocols, basic social engineering and readily-available software.

Research by Imperva has found that data breaches which are commonly called Advanced Persistent Threats (APTs) are often achieved by relatively simple (and commonly available) means, requiring very basic technical skills.

Talking to IT Security Guru, Amichai Shulman, CTO of Imperva, said that many people consider APTs to be technical and "magic", and this report wanted to show how APTs are used to take hold of a single foothold in an organisation before spreading.

Shulman also claimed that there is often a feeling that they cannot be mitigated or are not real, but what Imperva wanted to show was how these were quite simple.

Very simple, not sophisticated

The new research paper - called The Non-Advanced Persistent Threat - claims that APTs require only basic technical skills, it also found that built-in Windows functionality, combined with seemingly "innocent" file shares and SharePoint sites can provide attackers with an entry-point to accessing an organisation's most critical data.

"We are showing that these techniques are actually very simple and not sophisticated, and do not resort to zero-day vulnerabilities, or complex scripts and hacking tactics. The importance of that is once you understand how these techniques work you can put mitigation in place to find them," he said.

"Attackers are using zero-days to get the first foothold into the organisation, and there are more of them every week, but with exploits going out every week it makes it easier, with phishing or drive-by download, so how do they take advantage of it? There are inherent issues with the Windows environment and authentication protocol that allows them to do it in a very simple way, and in order to grab the privileges of every user in the organisation, you need to force the victim to login with a compromised machine."

Poison the well

Shulman said that this is enabled with a folder with public access and no sensitive data in it, that everyone can access and put stuff in to "poison the well" by adding a file to the folder, changing an icon to reference a compromised machine.

"Once you have done that, everyone browsing that public folder will try to authenticate to the compromised machine. Then you relay the privileges from the internet, which is simple to do without any great hacking skill and grab privileges from everyone in the organisation."

Asked what businesses can do to protect themselves, Shulman said it is more about collecting privileges than hacking, so businesses should recognise the abuse pattern and what are users doing in the organisation, such as a lot of users working from one machine or a lot of out of working time on one machine.

"They are relatively easy to detect if you have the right security solution in place. Monitor the activity from your database to your file server and it leaves you with the ability to manage access control with a very small set of critical files," he said.

Dan Raywood is editor of IT Security Guru.

IT Security Guru