Advanced Persistent Security

The following is an excerpt from Advanced Persistent Security by authors Araceli Treu Gomes and Ira Winkler, published by Syngress. This section from chapter seven explores the different threats organizations face, starting with botnets.

Botnets are essentially sets of Internet-connected computers under a common controller. Although the term can include legitimate networks of computers, it is overwhelmingly used for computers that have been hacked and are under the control of criminal hackers.

The hacker can then use these computers to send spam or launch DDoS attacks, in which the bots of the botnet are commanded to direct large volumes of communication requests at a targeted system. The hacker may also use the bots for data collection: installing spyware to monitor keystrokes and collect data continuously, using the compromised system to monitor its local network, or using it as a launch point for other attacks, including the recruitment of further bots.

Botnets are typically formed through a variety of illicit means. A bot herder may have systems randomly scanning the Internet for hosts with unpatched vulnerabilities that allow remote compromise. If a vulnerable system is found, it is hacked and the botnet software is installed. Phishing messages can also lure naïve users into downloading malicious software that adds their system to a botnet.

Legitimate websites can be hacked, and visitors to such websites might unknowingly download the malicious software as well. This is a type of "watering hole" attack. In one case, a website operator was contacted by a criminal and offered a commission for every instance of botnet software installed on a visitor's computer. The criminal did not blatantly state that the software was illicit, but luckily the website owner was smart enough to realize the real intent and informed the appropriate authorities. In some cases, hackers set up fake websites purely to attract visitors who can be duped into downloading the malicious software.

In another demonstration of the criminal infrastructure, a bot herder will pay a commission for bots herded into their botnet. This incentivizes random hackers to compromise systems throughout the Internet, install the botnet software, and claim their commission.

Given the pervasiveness of botnets, it can be expected that almost all companies, universities, and other organizations will have some of their systems herded into a botnet. If an organization does not monitor its systems and networks properly, it could be unknowingly complicit in attacks against other organizations.

There are reportedly botnets with more than 1,000,000 bots. Although some bot herders, such as the North Korean and Iranian intelligence services, might use the bots for their own malicious purposes, many bot herders lease their botnets through the dark web. Criminals can lease bots by the thousands for a fee. They do not have to create their own botnet, as they can lease as many bots as they need. Botnets are extremely versatile and can be used for a variety of illicit purposes.
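The monitoring the authors call for above can start with a simple check: look for internal hosts that suddenly push large volumes of traffic at a single external address, which is exactly what a bot taking part in a DDoS does. The following is an added example, not code from the book. It parses constructed flow records (the record format, the "10." internal address prefix, and the thresholds are all assumptions) and flags (source, destination) pairs whose packet count within a sliding 60-second window exceeds a threshold, then groups the flagged internal hosts by target so that several hosts aimed at one address stand out as likely botnet members.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_flows():
    """Constructed sample flow records (not from the book), one per line:
    "<ISO timestamp> <src> <dst> <dport> <packets>".
    Two internal hosts hammer one external web server; a third behaves normally."""
    base = datetime(2016, 3, 1, 10, 0, 0)
    lines = []
    for i in range(30):   # suspected bot #1: 30 flows of ~1100 packets in 30 seconds
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.1.2.15 203.0.113.7 80 1100")
    for i in range(25):   # suspected bot #2: 25 flows to the same target
        ts = (base + timedelta(seconds=5 + i)).isoformat()
        lines.append(f"{ts} 10.1.2.77 203.0.113.7 80 900")
    for i in range(3):    # benign host: a few small HTTPS flows to another server
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 10.1.2.40 198.51.100.9 443 20")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into tuples
    (timestamp, src, dst, dport, packets). Blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, pkts = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(pkts)))
    return flows


def find_ddos_participants(flows, internal_prefix="10.", window=60, min_packets=10_000):
    """Return {external_dst: [internal_srcs]} for every internal host that sent at
    least `min_packets` packets to one external address inside any `window`-second
    sliding window. Only outbound (internal -> external) flows are considered."""
    by_pair = defaultdict(list)
    for ts, src, dst, _dport, pkts in flows:
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            by_pair[(src, dst)].append((ts, pkts))

    suspects = defaultdict(set)
    for (src, dst), events in by_pair.items():
        events.sort()                      # chronological order for the sliding window
        total, start = 0, 0
        for end, (ts_end, pkts) in enumerate(events):
            total += pkts
            # shrink the window from the left until it spans at most `window` seconds
            while (ts_end - events[start][0]).total_seconds() > window:
                total -= events[start][1]
                start += 1
            if total >= min_packets:
                suspects[dst].add(src)
                break                      # one hit per pair is enough to flag it
    return {dst: sorted(srcs) for dst, srcs in suspects.items()}


if __name__ == "__main__":
    hits = find_ddos_participants(parse_flows(constructed_flows()))
    for dst, srcs in hits.items():
        print(f"{len(srcs)} internal host(s) flooding {dst}: {', '.join(srcs)}")
```

On real data the thresholds must be tuned per environment (a backup server legitimately pushes far more than 10,000 packets a minute to its storage target), so treat the output as a lead for investigation rather than a verdict; the number of distinct internal hosts converging on one external address is usually the more telling signal than any single host's volume.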


Ransomware

Ransomware is a growing form of computer crime that is hitting all types of organizations, including law enforcement agencies. Ransomware is malicious software that, once loaded on a victim system, encrypts the data on its drives and issues a warning that unless a ransom is paid within 24 to 48 hours, all the data will become unrecoverable. The software typically tells the victim to send between $250 and $1,000 to the criminal within the allotted period, usually via bitcoin. When the ransom is paid, the criminal is expected to send the victim an alphanumeric decryption key that unlocks the files, although there is no guarantee that the key will arrive or work.

The victims typically infect themselves by clicking on a phishing message or downloading the ransomware from an infected or malicious website. The relatively short period allowed to pay the ransom is to discourage the victims from finding alternative methods of decrypting the system. Many victims find that they need more time to figure out how to use bitcoin. In some cases, victims have negotiated with the criminals for lower fees.

Ransomware programs are occasionally broken by legitimate security researchers, who then make a master decryption key or tool available, but more often there is no way to recover the data without paying the ransom or restoring from backups made before the infection. In October 2015, an FBI agent actually stated that victims should just pay the ransom by default if their systems were locked by ransomware. In April 2015, it was reported that many police departments had been forced to pay ransoms to computer criminals.

Generally, the criminals do not specifically target a victim. They send out random phishing messages and infect as many systems on the Internet as possible. It is also possible that they pay a commission to any hacker who spreads their software. Ransomware is a growing problem because people tend to leave their systems insecure and behave insecurely on the Internet. As long as people allow untrusted software to be installed on their systems and do not maintain proper antimalware software, ransomware will continue to be a problem.

Security researchers

We have discussed security researchers in Chapter 5, but we want to specify that there are security researchers who are also part of the adversary/criminal infrastructure. These people will find zero-day exploits and sell them on the dark web. They might also perform criminal consulting on an as-needed basis.

As previously defined in the discussion of APTs, it is possible that APTs may hire some freelance security researchers on a project-by-project basis. This serves to hide their activities and reserves their exploits for critical occasions.

The exploits created by the security researchers would have different values depending on the technologies being exploited. Clearly there is the potential to make a great deal of money. For the purpose of this book, it is just important to note that this level of skill is available to anyone with enough money to buy it.

Leased or purchased malware

Zero-day exploits are one example of attack code that criminals can buy, but there are many other attack programs that criminals can purchase to better automate their attacks. The website TheRealDeal claims to specialize in brokering zero-day exploits on the dark web. Again, criminals do not have to be computer geniuses to execute complex attacks. They can purchase or lease software tools that automate the most complicated attacks possible.

Brokerage or escrow of data

Once criminals commit a data theft, they need to be able to profit from it. This requires fencing whatever was stolen. For example, when Target was hacked in 2013, the perpetrator needed a way to profit from the theft. He/she had to fence the credit card numbers. The credit card numbers were apparently distributed via a variety of carder sites that allowed buyers to specify the criteria for the card numbers available for purchase. Criminals were then able to search for cards issued to victims in their own region, so that their use was less likely to be flagged as fraudulent.

For example, a criminal in the Chicago region could purchase credit cards that were issued to victims in the Chicago region. This way it was less likely to be considered fraudulent than perhaps a card issued to someone in Arizona being used in Chicago.

Many of these sites claim to provide excellent customer service and guarantees. For example, if you purchase credit cards from some sites, they will replace any cards that turn out to be invalid. They even rate the sellers of stolen data. Some of the more notable criminal marketplaces and service providers have included ShadowCrew, the Russian Business Network (RBN), Carders Market, and Silk Road.

There is a very robust marketplace for fencing virtual goods. Although credit cards are clearly a major focus of online distribution, other sorts of information can be of value: bank account information can be used directly, personally identifiable information (PII) can be sold for identity theft, and corporate information can be sold to competitors. Healthcare records typically contain the same data as traditional financial records, but additionally facilitate medical insurance fraud. Accordingly, attacks against healthcare organizations are on the rise.

Some people may ask why would criminals not exploit the stolen information themselves. The answer is twofold. First, a successful crime, such as the Target credit card theft, results in more data stolen than a single criminal can exploit. It is to the criminal's advantage to sell most of the cards, as he/she would never get to take advantage of all the cards. More importantly, it is not the criminal's specialty. The criminal infrastructure allowed the Target hackers to make sufficient money from the criminal aspects that they specialize in.

Hackers for hire

Criminals without sufficient technical skill to accomplish their intended acts can hire the talent they need on the dark web. There are many online forums that allow people to scout for the required talent. Clearly it is difficult to ensure that you are dealing with a truly talented individual, as many hackers exaggerate their skills and accomplishments. There is also the risk that some people soliciting hackers may actually be undercover law enforcement agents.

Regarding the potential skill level of would-be hires, some hackers have a reputation. Some sites have a rating system. It is also common for criminal enterprises who recruit hackers to test their skills. If they can pass the tests, they will make formal offers.

Again, this is another example of criminals being able to make use of world-class talent without having the skills organically.

Encrypted apps

In the November 2015 Paris attacks by ISIS, a great deal of reporting was devoted to the terrorists' use of mobile apps, such as Telegram, to help plan the attacks. Telegram and WhatsApp, among other communications apps, offer encryption and other capabilities to allow for sharing of data that cannot be easily compromised by law enforcement.

Although ISIS is one concern, the reality is that your employees, both good and bad, are going to use mobile apps to your detriment. Adversaries will be able to coordinate their activities against you through easily available applications.

Although our goal is not to make you think that all technologies are against you, it is important to understand that there are some technologies that are apt to be used by your adversaries. You have to understand what they are, so that you can design your security programs most effectively.


Although this chapter can make adversaries appear to have unlimited resources, and can make you think that all technologies will be used against you, the goal is to help you optimize your risk. You can only do so when you understand the true nature of the resources that may be put against you.

The reality for most readers is that you will only face a small portion of the resources identified here. When you understand the threats you are most likely to face, you can determine which resources your adversary is most likely to use against you. Then you can figure out what countermeasures are most appropriate to implement given your risk.


About the authors:

Araceli Treu Gomes is an Intelligence and Investigations Subject Matter Expert for Dell SecureWorks. She holds certifications in privacy and computer forensics, and serves on several cybersecurity industry boards. Araceli writes for Computerworld and CSO Magazine, and is an active speaker at conferences around the world.

Ira Winkler, CISSP, is President of the Internet Security Advisors Group. He is considered one of the world's most influential security professionals and has been named a "Modern Day James Bond" by the media. He obtained this status by identifying common trends in the way information and computer systems are compromised: performing penetration tests in which he physically and technically "broke into" some of the largest companies in the world, investigating crimes against them, and telling them how to cost-effectively protect their information and computer infrastructure. He continues to perform these penetration tests, as well as assisting organizations in developing cost-effective security programs. Ira also won the Hall of Fame award from the Information Systems Security Association.
