Advanced Persistent Threats – Attack and Defense
Advanced Persistent Threats (APT) was originally coined while nations were involved in cyber-espionage. These techniques are used by cyber-criminals to steal data for monetary gains. Unlike other threats, these threats are advanced, often targeted, persistent in nature, and evasive too. APTs target particular organizations unlike other usually found malwares, which sweep down random millions of boxes. The sole intention here is to gain monetary benefit by causing damage to cyber infrastructure. This story would focus on nature of APTs; the methodology involved in performing APT based attacks and covers the possible defenses against the threats.
Business ranging from small to corporates face this growing problem. To come up with a fence to the organization constant vigilance, employee awareness, and security policies aligned with the nature of APTs is necessary. Even if the defense is breached after putting in best efforts, a remediation plan needs to be kept handy to address the situation. The attacks need high level of skill sets and expertise to execute, which just wait for the right opportunity to trigger. These are new, customized in order to breach the best of security fencing. Hardening the perimeters and servers will reduce the spread of evil code. Maintaining and scrutinizing the logs will allow early detection of threat and gives that extra time needed to address the situation.
The APT Life cycle covers 6 phases as enumerated below. (As reported by Michael Cobb)
- Phase 1: Reconnaissance
- Phase 2: Spear phishing attacks
- Phase 3: Establish Presence
- Phase 4: Exploration and Pivoting
- Phase 5: Data Extraction
- Phase 6: Maintaining Persistence
The whole motive behind the attack is to gain access to the target system and be persistent in nature i.e. maintain access for prolonged periods. Since these attacks are mostly based on custom exploits and advanced in nature. An APT attack can take several months to develop and much longed to execute. Famous attacks classified under Advanced Persistent Threats are:
- RSA SecureID attacks
Conficker attack did not have any specific single target, and Anonymous attacks didn’t prolong a particular attack. These attacks don’t classify as APTs. Growing number of detection of unique malware samples by engines are statistical examples of APTs under development and being deployed successfully. The nature of APTs follows a particular characteristic.
- Most of the attacks have involvement of National/International Government bodies directly or indirectly. For example, Stuxnet – deployed to disrupt Iran’s nuclear development.
- APTs have involved upcoming government negotiations and acquisitions.
To face this advanced set of attacks we need to understand the underlying nature of the attacks and also asses our systems and network to find gaps in our system. For this, we shall look in to different phases of APTs as listed above.
Phase 1: Reconnaissance:
It’s a well-known saying that organizations strength is only as strong as its weakest link. But, how do criminals find the weakest link? Welcome reconnaissance! This can include active methods and passive methods. Typically, attackers deploy social engineering techniques to deploy this phase. Phishing is commonly used to introduce malware into an organizations network. Instead of trying to break the best of the defensive systems, it’s easier/smarter for an attacker to attack the human employees. Social networking has caught up with Facebook booming the market. This has been a vital source for gaining useful information about the target. The main target for gaining information is the senior management, because they hold the most sensitive and confidential data of any organization. These sections of employees are researched through Facebook, Google, and LinkedIn etc. In this smart technology era – GPS based systems are also used to monitor the movements of the target. As mentioned earlier, these attacks are tailor made for the target, hence to get every detail correct, huge amount of time is invested in getting the minute details in order. An attack is then designed based on the information gained through this phase.
Every employee of an organization must be made aware of over publishing themselves in their social media profiles on the Internet. Often social engineered mails have reference to colleagues, or some personal detail, which was leaked over the Internet without the awareness of the employee. These make the mails more convincing. Interceptions of telephone lines and mishandling of government records can provide vital information too.
Phase 2: Spear-Phishing Attacks:
As the name indicates, this attack throws spear at a particular target. Even security aware employees many a times have been tricked to open mails and do as directed in the mails. Identifying the mail as a part of APT is very tricky. The attacker can include noise to divert attention from guessing the real purpose of the mail. Employee awareness training constantly, is the only way to prevent the severity of these emails. Advanced phishing techniques, and other necessary details must be made clear to employees frequently. All the perimeter protection system like IPS, Email Filter, and IDS etc. needs to stay up to date with latest offering from the vendor. To quote a real instance of APT, RSA SecureID attack involved a customized tool embedded in Microsoft Office Document – The tool is none other than the famous Poison Ivy. Usually, the attack may arise from a secondary target. For example, RSA SecureID was targeted to steal data from Lockheed Martin. Organizations not only should take care of their own defense but also, every other partner they do business with. It should be a coalition effort to safeguard each other using the best policies from each other.
Phase 3: Establishing Presence:
In the phase, the attacker tries to deploy full range of attack tools and also starts mapping the network and understand the intricacies of the target network deployment. The perimeter defenses generally are inbound in nature, thus they fail to detect such behavior as these actions are taken using valid credentials with valid rights. The ports used are also generic in nature with port 80 and 443 being used extensively in majority of the attacks, giving no chance of suspicion. A basic step organization needs for the employees is to monitor the outbound connections as well. This is because; the attack tools generally make outbound traffic at some point of time. Another important thing to keep in mind is that, most of the APTs are custom developed which use code snippets from previously written malwares, and play with similar registry values. Even though current tools are sophisticated in nature, these minute things should always be remembered by a security analyst.
Phase 4: Exploration and Pivoting:
This phase include vulnerability research of all the services running in the organizations network. We know that Drupal was hacked recently! This was not Drupal’s fault, but a vulnerability in a third party software installed in their environment. Typically, on a Windows environment, the commonly examined things are registry, ports and their services and processes. Other possible things include dumping of hashes, screen grabbing, and key stroke sniffing. In more corner cases there will be tapping of audio and video communications. This process continues as long as the attack is live, and entry points are discovered to keep the attack prolonged. Various analyses by SANS shows that multiple tools are generally used by attackers in parallel and these tools are generally mutable to avoid detection. Pivoting is a process where the criminal compromises one system and uses that system to explore other networks on the same network – eventually infecting them and bypassing all perimeter security is called as Pivoting. With pivoting, an attacker may have more power than an administrator over the system. Various ways to mitigate this phase of APT attack is to be vigilant on the logs and monitoring every small anomalous behavior with suspicion. Critical resources need to be maintained in different set of servers. Classifying critical resources to keep in different servers would make life difficult for an attacker. Policies must be listed to list the basic well-known behavior of the system.
Some of the typical use case scenarios to be handled with caution are – internal port scans, which can be a symptom of suspicious behavior. Some of the SQL statements used particularly longer than usual routines. These can be tracked down if the organization clearly defines what the normal behavior policies are. Every log needs to be frequently monitored. Centralizing log monitoring offers an easy way to implement SIEM (Security Information Event Management). Leaving centralized log monitoring facility unsecured will call for trouble. Securing the centralized monitors to the top class security levels needs to be deployed to combat such threats.
Phase 5: Extraction of Data:
The most challenging part of Advanced Persistent Threat Attacks is to exfiltrate the collected data because; this has to be transported out of the network in to the attacker’s server. Some of the popular methods used by cyber-criminals are steganography, encryption, onion routing etc. DLP (Data Loss Prevention) Technologies can make the life difficult for an attacker. The policies and rules in a DLP application needs to be carefully set and re-checked based on file-type, content type, Encoding type etc. Auditors find it difficult to catch outbound traffic to attackers because of the nature of the names used and IP based access control lists. Exfiltration can also be detected through DNS logs. These processes are non-contiguous in nature. Thus, centralized SIEM would help find the correlation and disparity in the data being exfiltrated.
Phase 6: Maintaining Persistence:
An APT attack doesn’t happen overnight, instead it spans a period of time. The attacker’s code goes through a rigorous round of testing such that it is not detectable and the presence of the attacker is not tapped by the organization. Such an attacker would require enormous amount of patience to get the fruits of his efforts. Regular audits and monitoring to find out correlated burst of actions can help organization detect the APT Threats and mitigate them on time before any data breach.
Now that, we are aware of every phase of Advanced Persistent Threats – It’s important from the perspective of an organization that mitigation policies and levels are set according to the phases described above. This makes the life harder for an attacker to succeed in his APT attack. It’s never as simple as investing on top class AV suite and forgetting the rest of the perimeter security. These attacks are advanced and thus needs lot of effort from the security team of an organization to detect and stay up to date with the criminal’s mentality. The security team must be able to predict the next move of the attacker and have a backup plan ready. Sufficient resource must be allocated to Emergency Response Team (ERT) such that when a breach is detected, the response would happen in time! The personnel need to be trained as to how the infrastructure works when it’s under normal functioning. Awareness of normal function of the network enables the ERT to detect the abnormal behavior.
Every organization could be a potential target to APTs. The nature of the APTs is very severe that it might even spread to the partner organizations. These attacks have already been deployed in various IT landscapes and the organization must be open enough to share the nature of APT they faced. By doing this, it would allow other organizations to come up with an escape plan if they have none already.