{"id":3851,"date":"2015-04-15T08:44:50","date_gmt":"2015-04-15T08:44:50","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3851"},"modified":"2020-12-27T12:55:36","modified_gmt":"2020-12-27T17:55:36","slug":"deny-the-hellsing-apt-by-default","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/deny-the-hellsing-apt-by-default\/3851\/","title":{"rendered":"Deny the Hellsing APT by default"},"content":{"rendered":"<p>Kaspersky Lab experts have discovered a new APT campaign that targets government institutions, mainly in the APAC region. It was named \u201cHellsing\u201d after the string containing the project directory name found within the attack components\u2019 code.<\/p>\n<p>To penetrate the target infrastructure, cybercriminals used a spear phishing attack (targeted e-mails with a spoofed sender address) carrying malicious documents. Embedded in the attached document was an exploit targeting vulnerabilities in the targeted user\u2019s software; once opened, it installed a backdoor that allowed the attackers to take control of the workstation.<\/p>\n<p>APT attacks based on a thorough preliminary study of targeted systems and real-time operator co-ordination pose a very special level of danger. Governmental agencies handling highly sensitive information (often including huge volumes of citizens\u2019 personal data) are targets of choice for cybercriminals. Yet according to the Global IT Corporate Security Risks Survey, 73% of organizations do not think they are being specifically targeted by cybercriminals<sup><a href=\"#_edn1\" name=\"_ednref1\" target=\"_blank\" rel=\"noopener\">[i]<\/a><\/sup>. 
It\u2019s a dangerous delusion; regulatory compliance is an obvious requirement, but it\u2019s also important to pay particular attention to protecting IT infrastructures against this type of attack, preferably by deploying additional proactive defenses.<\/p>\n<p>A well thought-out deployment of a Default Deny scenario is vital for a truly comprehensive counter-APT strategy. According to Kaspersky Lab\u2019s vision, such a strategy includes both network-based and endpoint-based elements, with allowlist-based technologies playing key roles. Over-cautious as this may seem, the reality is that there are still attack scenarios where typical Anti-APT solutions are powerless.<\/p>\n<p>Therefore, additional endpoint-based security layers that are effective against previously unknown malware components should be considered.<\/p>\n<p><b>Art of Default Denying an APT<\/b><\/p>\n<p>In <a href=\"https:\/\/securelist.com\/analysis\/publications\/69567\/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back\/\" target=\"_blank\" rel=\"noopener\">the analysis of \u201cHellsing\u201d<\/a>, we highlighted common characteristics that are present in the APT scenario.<\/p>\n<div id=\"attachment_3853\" style=\"width: 1676px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/04\/06020313\/hellsing1-1-1024x320.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-3853\" class=\"size-full wp-image-3853\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/04\/06020313\/hellsing1-1.png\" alt=\"Hellsing APT attack scenario\" width=\"1666\" height=\"521\"><\/a><p id=\"caption-attachment-3853\" class=\"wp-caption-text\">Hellsing APT attack scenario<\/p><\/div>\n<p>At the \u201cinfection\u201d stage, attackers use various techniques to deliver malicious code to the victim\u2019s operating system: sending e-mails containing the exploit, delivering malicious code through social engineering, etc. The ultimate goal of these attacks is to deliver the backdoor to the victim\u2019s operating system and run it. The \u201cpayload\u201d is an executable (.exe) file or library (.dll) containing malicious code. In Hellsing\u2019s case, the attacker used social engineering to dupe the user into launching an .exe file from a RAR archive. The .exe extension was replaced with an innocuous-looking one, so the victim did not notice the suspicious file.<\/p>\n<p>A \u201cDefault Deny\u201d scenario provides highly effective, proactive protection, even in instances where the cybercriminal somehow (e.g. using social engineering and duping the user into disabling her anti-virus) managed to deliver the malicious payload to the victim\u2019s system.<\/p>\n<p>The concept of \u201cdefault deny\u201d is not new, but it\u2019s still effective against advanced threats with custom-made components \u2013 often the case with APTs. For example, if malicious .exe files or .dll libraries are successfully delivered to the victim, Default Deny would not allow them to execute in the operating system environment, because such files are not on the list of authorized, safe applications. Default Deny leaves no way for executable code outside that list to start.<\/p>\n<p>The next phase of the attack involves collecting information from the operating system, which may result in an escalation of privileges and the installation of a backdoor or additional modules. As a rule, executable files and dynamic libraries are used at this stage. But if they are not part of the trusted environment, Default Deny will not allow them to run.<\/p>\n<p><b>Powerful yet cost-effective<\/b><\/p>\n<p>Beyond additional benefits such as greater IT network stability and lower maintenance time, consider this: deployment of an allowlist-based solution is considered one of the Top 4 strategies that can mitigate 85% of existing APT-related risks. 
The Default Deny scenario is the safest known variant of such an approach.<\/p>\n<p>Compared with many standalone Default Deny solutions, even greater cost and operational efficiency can be achieved by deploying a truly integrated endpoint protection system that includes Default Deny capability.<\/p>\n<div id=\"attachment_3854\" style=\"width: 304px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/04\/06020312\/hellsing2-1.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-3854\" class=\"size-medium wp-image-3854\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/04\/06020312\/hellsing2-1.png\" alt=\"Efficiency of Default Deny at the initialization stage of the Hellsing lifecycle\" width=\"294\" height=\"300\"><\/a><p id=\"caption-attachment-3854\" class=\"wp-caption-text\">Efficiency of Default Deny at the initialization stage of the Hellsing lifecycle<\/p><\/div>\n<p><b>It\u2019s worth the effort<\/b><\/p>\n<p>While the implementation of a Default Deny scenario is often considered too complicated for an average business, for government institutions dealing with extremely sensitive data the effort is likely to reap rewards \u2013 not least because of the already highly regulated nature of government work processes. 
Kaspersky Lab\u2019s convenient implementation tools (including a pre-implementation test mode for compiled policies and our dynamic allowlist system) mean the process doesn\u2019t have to be too taxing.<\/p>\n<p>Default Deny mode and dynamic allowlists are part of the Application Control technologies available in <a href=\"https:\/\/www.kaspersky.com\/business-security\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security for Business<\/a> (\u201c<a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-select\" target=\"_blank\" rel=\"noopener nofollow\">Select<\/a>\u201d and \u201c<a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-advanced\" target=\"_blank\" rel=\"noopener nofollow\">Advanced<\/a>\u201d tiers), <a href=\"https:\/\/www.kaspersky.com\/business-security\/total\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Total Security for Business<\/a> and <a href=\"https:\/\/www.kaspersky.com\/business-security\/virtualization\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Virtualization<\/a>.<\/p>\n<p>The organization and maintenance of a trusted environment in which the executable components of an APT would have no chance is invaluable. In most cases, it would prevent attackers from achieving their goals.<\/p>\n<p>Currently all components of the \u201cHellsing\u201d APT are blocked by all <a href=\"https:\/\/www.kaspersky.com\/business-security\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Lab solutions<\/a>. To check your systems for malicious software components, we recommend running a full scan. 
You can also use our free solution \u2013 <a href=\"https:\/\/www.kaspersky.com\/antivirus-removal-tool\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Virus Removal Tool<\/a>.<\/p>\n<p><sup><a href=\"#_ednref1\" name=\"_edn1\" target=\"_blank\" rel=\"noopener\">[i]<\/a><\/sup> <em>Conducted in 2014 by Kaspersky Lab in conjunction with B2B International<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab experts have discovered a new APT campaign that targets government institutions, mainly in the APAC region. It was named &#8220;Hellsing&#8221; after the string containing the project directory name found within the attack components&#8217; code.<\/p>\n","protected":false},"author":345,"featured_media":15702,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[499,2303],"class_list":{"0":"post-3851","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-hellsing"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/deny-the-hellsing-apt-by-default\/3851\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/deny-the-hellsing-apt-by-default\/3851\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/deny-the-hellsing-apt-by-default\/3851\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3851","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/345"}],"replies":[{"embeddable":true,"h
ref":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=3851"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3851\/revisions"}],"predecessor-version":[{"id":38276,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/3851\/revisions\/38276"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15702"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=3851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=3851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=3851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}