Advanced Persistent Threat

Organizations recognize that cyber security is a concern and that resources need to be allocated to protect the organization. There are many types of threats, from worms and viruses to hacktivists to the APT. Many organizations understand how to defend against the traditional threats and treat today's advanced threats the same way they have always dealt with security. The problem is that this approach does not work. The APT is a completely different problem, and until an organization understands the problem it will not be able to fix it. Traditional threats are still a concern and cannot be ignored, but organizations now have a new challenge in dealing with the Advanced Persistent Threat, known as the APT.

The APT consists of well-funded, organized groups that are systematically compromising government and commercial entities. The term was originally developed as a code name for Chinese-related intrusions against US military organizations. It has since evolved to refer to advanced adversaries that are focused on critical data, with the goal of exploiting that information in a covert manner. APTs are highly sophisticated and bypass virtually all “best practice” cyber security programs in order to establish a long-term network presence. APT attacks are stealthy, targeted, and data focused, which is quite different from traditional worms or viruses. The groups behind them are very well organized (typically foreign adversaries) and target an organization to gather a specific piece of information today and ultimately maintain long-term access so that information can be extracted at will in the future. The APT breaks the traditional rules of attackers: it adapts its techniques on the fly, targets users as the entry point, and hides its tracks very carefully. As a result, many traditional security measures are not effective against this threat.

The APT is a cyber-adversary displaying advanced logistical and operational capability for long-term intrusion campaigns. Its current goal is to maintain access to victim networks and exfiltrate intellectual property data as well as information that is economically and politically advantageous. The APT is not a bot-net. It is not malware. It is the DNA of an adversarial group.

Most people assume that when an organization is compromised, it is because it made a blatant error or had invested nothing in security. If you look at most APT breaches, the victims had all of the following in place at the time of the breach:
• Security policies.
• Security budget.
• Security team.
• Firewalls.
• Application filtering.
• Intrusion detection.
• End-point security.
• Anti-virus protection.

The advanced persistent threat is a cyber cancer, which means traditional detective and reactive measures will not work. At the point of compromise there is nothing visible, and by the time there are visible signs of an attack the damage has already been done. We have to assume that even though everything looks fine on the surface, underneath the surface the network might be compromised. Organizations need to look for problems even when there is no visible sign of an attacker on the network. One of the key rules of cyber security is to plan for the worst and hope for the best.

Given the stealthy nature of the APT, a critical rule is that prevention is ideal but detection is a must. In a perfect world we could prevent all attacks, but that is not realistic. Today you must accept that you are going to be compromised. Where an attack cannot be stopped, the earlier it is caught, the less overall damage it does.

The key words with the APT are stealthy, targeted, adaptive, and data focused. The APT itself is not new; what is new is the large scale on which it is attacking systems, and the fact that more organizations are realizing that their current way of defending against traditional attackers has to change. The important shift with the APT is that we are now dealing with well-funded, organized professionals, not the hackers of the 1990s.

The APT will gather as much information as possible about your organization so it can customize the attack for success. It will determine the weak points within your organization and target those individuals as the point of entry for the compromise.

Characteristics of the APT

  • The APT focuses on any organization, both government and non-government entities. Some people make the mistake of thinking that the APT is only interested in the Department of Defense (DoD). On the Internet the lines between government and commercial are blurring, and anything that could cause harm to a country or give an adversary an advantage will be targeted.
  • While the threat is advanced once it gets into a network, the entry point for many attacks is simply convincing a user to open an attachment or click on a link. Once the APT is inside a system, however, it is very sophisticated in what it does and how it works. Signature analysis is ineffective against it: advanced attacks are always changing, recompiling on the fly, and using encryption to avoid detection.
  • In the past, attackers would attack an organization periodically. Today attacks are nonstop. The attackers are persistent, and if an organization lets its guard down for any period of time, the chance of a compromise is very high.
  • Attackers want to take advantage of economies of scale and break into as many sites as possible, as quickly as possible. Therefore the attacker's tool of choice is automation. Automation is not only what drives the persistent nature of the threat; it is also what allows attackers to break into sites very quickly.
  • Old-school attacks gave the victim some visible indication of a compromise. Today it is all about not getting caught. Stealth and being covert are the main goals of today's attacks. The APT's goal is to look as close as possible (if not identical) to legitimate traffic. The difference is so minor that many security devices cannot tell them apart.
  • The driver of the APT is to provide some significant benefit to the attacker, typically economic or political advantage. Therefore the focus is all about the data. Anything that has value to an organization will have value to an attacker. Since data has become so portable, and with cloud computing increasing in popularity, data is now reachable from the Internet via many paths.
  • Attackers do not just want to get in and leave; they want long-term access. If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time. Stealing data once has value, but stealing data for nine months gives the attacker far more.
  • The APT targets an individual user and compromises their system. Users are targeted because they are easy targets with a high chance of being compromised. In addition, while the critical information is not on their system, they may have access to it, or at least visibility of a server that contains it. If an attacker can gain a pivot point on that system, they can use it as an entry point into the network to ultimately reach the information they want. Many users have more access than they need to do their job; if this access were minimized, the attacker's job would be much harder.
  • The APT is constantly changing its behavior, so the behavior it uses to compromise a site is not always 100% bad. One of the reasons organizations are compromised is that they rely on technology that can only block what is known to be 100% bad, and most advanced attack methods do not fall into that category.

How APT works

The approach of the APT differs from the traditional threat in three areas: the goal, the structure of the attacker, and the methods. The ultimate goal of the APT is to maintain a long-term beachhead on your network. The attacker wants long-term access to all of your resources so that they can extract and capture any information they want, at will.

The APT is not the individual or small hacker cell associated with traditional threats. Today these are very well-organized, well-structured organizations. The steps of the attack are broken down with a clear division of labor, and each person on the team is well trained in their respective skill.

Many of the attack methods are under strict change management and are constantly updated to increase the success rate and decrease the chance of being caught. The traditional threat was reactive: a patch was released, and a worm was written to exploit the vulnerability on systems where the patch had not yet been applied. The adversary waited for vendors to release information on vulnerabilities and reacted to those announcements. The APT instead constantly tracks how organizations implement security, determines what their next move is going to be, and creates offensive measures that will defeat an organization's security, giving the adversary access to the information they want. In some cases, by the time an organization deploys a new protective measure, the advanced adversary has already figured out a way around it.

The methods used by the APT also take advantage of advanced technology. Most of the malware used is customized for maximum success against a specific target. Where malware is re-used, the code is changed and recompiled so that traditional security measures like signature detection are no longer effective. Essentially, many of the attacks are built for one-time use, so analysis the defender performs on one has minimal impact because the next attack will be different and unique. One of the scariest features of the APT is that it turns our biggest strengths into our biggest weaknesses. The APT uses encryption to slip under the radar and bypass most of the security devices deployed on networks today. Most security devices cannot inspect encrypted packets, and the ones that can cannot do it very efficiently. The number one trick of attackers after they break into a system is to set up an encrypted outbound tunnel to an attacker-controlled system. Since the data is encrypted, it goes virtually undetected on the network. This is a prime example of using great technology for evil.

General Phases of an APT attack

Since every APT attack is unique, there are many variations, but these are the general steps that are often followed:

Phase 1: Reconnaissance— gathering information about the target, looking for specific areas that can be focused on to achieve long-term compromise with the minimum of effort. This usually involves finding an individual who can be targeted in phase 2.
Phase 2: Initial Intrusion— finding a way into the organization to establish a foothold. This usually does not require a software exploit and is most commonly achieved by convincing a user to open an attachment or click on a link they should not.
Phase 3: Establish Backdoor— ultimately the APT wants to be able to communicate with the network it is targeting. After the initial intrusion, a remote way in is established so the attacker can continue to move around the compromised network. Typically this is an encrypted outbound session that looks like legitimate traffic, slipping under the radar and making it easier to steal information.
Phase 4: Obtain Credentials— an attacker wants to own the entire network and maintain long-term access for both current and future use. This usually requires obtaining, cracking or hijacking administrative and other privileged credentials.
Phase 5: Install Utilities— at this point the attacker wants to establish persistence and total control of the network. This is usually done by installing customized tools that provide complete command and control over the compromised network.
Phase 6: Data Exfiltration— the final step is to steal and extract the critical information from the network in a stealthy way. This is usually done with encryption, masking the data to look like legitimate traffic.
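Phases 3 and 6 both ride on outbound sessions that are shaped to look like normal traffic. The following is an added example (not part of the original post) of what looking for that on the wire can mean in practice: it scores each source/destination pair from constructed connection-log lines on two behaviors, beacon-like timing regularity (a backdoor checking in on a fixed interval) and an upload-heavy byte ratio (bulk exfiltration). The CSV column layout, the sample addresses and the thresholds are assumptions made for the example.

```python
"""Outbound-traffic behavioral scoring over constructed connection-log lines.

Added example, not from the original post. The CSV layout
(ts,src,dst,dport,orig_bytes,resp_bytes), the addresses and the thresholds
are assumptions made for illustration.
"""
import csv
import statistics
from collections import defaultdict
from io import StringIO

# Constructed sample: 10.0.0.5 browses normally (jittery timing, download-heavy);
# 10.0.0.7 checks in with 203.0.113.10 every ~300 s and then pushes a large
# upload over the same channel. Timestamps are seconds.
SAMPLE_LOG = """\
ts,src,dst,dport,orig_bytes,resp_bytes
1000,10.0.0.5,198.51.100.20,443,1200,85000
1037,10.0.0.5,198.51.100.21,443,900,42000
1210,10.0.0.5,198.51.100.22,443,1500,120000
1850,10.0.0.5,198.51.100.20,443,800,33000
1000,10.0.0.7,203.0.113.10,443,400,300
1301,10.0.0.7,203.0.113.10,443,410,290
1599,10.0.0.7,203.0.113.10,443,420,310
1902,10.0.0.7,203.0.113.10,443,400,300
2200,10.0.0.7,203.0.113.10,443,52000000,1200
"""


def parse_conn_log(text):
    """Parse the CSV connection log into dicts with numeric fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": float(row["ts"]),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "orig_bytes": int(row["orig_bytes"]),
            "resp_bytes": int(row["resp_bytes"]),
        })
    return rows


def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between sorted timestamps.

    Near 0 means a fixed-interval beacon; human-driven traffic is far more
    jittery. Returns None with fewer than three connections (two gaps).
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def score_pairs(records, beacon_cv=0.15, min_conns=4,
                upload_ratio=0.9, upload_bytes=10_000_000):
    """Score each (src, dst) pair; higher means more like a backdoor/exfil channel."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)

    results = {}
    for pair, conns in by_pair.items():
        score, reasons = 0, []
        # Beacon test: enough connections and very regular spacing.
        cv = interval_regularity([c["ts"] for c in conns])
        if len(conns) >= min_conns and cv is not None and cv < beacon_cv:
            score += 2
            reasons.append(f"beacon-like timing (cv={cv:.2f} over {len(conns)} conns)")
        # Exfiltration test: large volume out, and mostly outbound.
        sent = sum(c["orig_bytes"] for c in conns)
        recv = sum(c["resp_bytes"] for c in conns)
        ratio = sent / (sent + recv) if sent + recv else 0.0
        if sent >= upload_bytes and ratio >= upload_ratio:
            score += 3
            reasons.append(f"upload-heavy: {sent} bytes out, ratio={ratio:.2f}")
        results[pair] = {"score": score, "reasons": reasons}
    return results


if __name__ == "__main__":
    for pair, r in sorted(score_pairs(parse_conn_log(SAMPLE_LOG)).items()):
        if r["score"]:
            print(pair, r)
```

Grouping by destination is a simplification: an implant that rotates through several command-and-control hosts spreads its check-ins across pairs, so the same timing test is also worth running per source host against all external destinations, and the thresholds should be tuned against a baseline of the organization's own traffic rather than the values assumed here.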

Detecting APT

Since the attack has changed, we must make sure that our defensive measures scale against this threat. From a quick checklist perspective, let's examine what is required for a solution to scale and detect the APT:
Automated— the current threat is persistent and nonstop. As depressing as it sounds, we have to accept that for the foreseeable future your organization is going to be attacked and compromised. Not only do attackers want information today, they also want to gain a foothold so they have access in the future. Therefore more and more of our security needs to be automated to keep up with the changing threat. While some manual work is required from an analytical perspective, more and more decisions need to be automated.
Adaptive— since the attacker is persistent and continuously trying to get in, if something fails they will try something new. If the attacker is always performing different attacks to get in, our security also needs to be adaptive. What works today will not work in the future. This is what we often refer to as attacker leapfrog. The attackers figure out a way into the system. The defenders deploy a defense mechanism to prevent it. The attackers re-evaluate the situation and find a new way in. The defenders identify the vulnerability and fix it. This sequence of events continues. If we only focus on stopping an attack once, we will have short-term victory but long-term defeat.
Proactive— the philosophy of traditional security was to spend money only if you are absolutely sure there is a problem. This led to reactive security: wait for the attacker to do some damage, detect it, and fix it before there is significant damage. This approach makes two assumptions that are no longer true. First, that there will be something visible early on to detect. Second, that the damage will be minimal and increase slowly, so that if it is detected early it can be stopped. Today neither statement holds. Therefore security must be proactive and fix a problem as soon as it is discovered, not after it is exploited. Being proactive means we cannot let the attackers make the first move.
Predictive— for proactive security to be effective, we must also anticipate what the attacker is going to do. While the threat is very advanced and persistent, there is also some predictability in how it behaves. By studying and understanding many types of attacks, we can begin to understand what vectors the threat is going to target and focus most of our defensive measures on those areas.
Data Focused— many traditional approaches to security focused on signatures and the ways an attacker might break into a system. Today, since we have to recognize that systems are going to be compromised and that attacks are stealthy, the traditional approach is futile at best. If we do not know what to look for, how can we stop it? We do not want to look only at the signatures of an attack; we want to look at what the attacker is ultimately after. New approaches to security have to focus on the data and the ways it might be compromised.

Defending against the APT

The key theme in dealing with the APT is “Know thy system/network.” The more an organization understands about its network traffic and services, the better it can spot anomalies, which is the best way to defend against the APT.
1.  Control the user and raise awareness— the general rule is that you cannot stop stupid, but you can control stupid. Many threats enter a network by tricking the user into opening an attachment or clicking a link they should not. Limiting the actions a user is allowed to perform, combined with proper awareness sessions, can go a long way toward reducing the overall exposure.
2.  Perform reputation ranking on behavior— traditional security tries to classify something as either good or bad, allow or block. With advanced attacks, this classification does not scale. Many attackers start off looking like legitimate traffic, which means they are allowed into the network, and only once they are in do they turn bad. Since the goal of attackers is to blend in, you need to track behavior over time and rank your confidence in whether it looks more like a legitimate user or more like an adversary.
3.  Focus on outbound traffic— inspection of inbound traffic is what is usually used to prevent attackers from entering a network. While it will catch some attacks and is still important, with the APT it is the outbound traffic that carries the damage. If the intent is to stop the exfiltration of data, looking at outbound traffic is how you detect the anomalous behavior that is tied to actual harm to the organization.
4.  Understand the changing threat— it is hard to defend against something you do not know about. The only way to be good at defense is to understand how the offense operates. If organizations do not keep up with the new techniques and tactics of attackers, they will not be able to tune their defensive measures to work correctly.
5.  Manage the endpoint— while attackers use a user's machine as the entry point into a network, they ultimately want to steal information that lives on endpoints. If you want to limit the damage, controlling and locking down the endpoint will go a long way toward protecting an organization.
6.  Security products— buying a lot of products does not make an organization secure. First, there is no silver bullet and no 100% security. No matter what you do, an organization will have vulnerabilities, and there is no single product that will make it secure. Products help manage an organization's risk, but regardless of what is purchased, continuous monitoring must be performed to detect attacks that traditional security measures miss. Second, security products must be implemented correctly to be effective. Many organizations purchase a security product, plug it into their network or install it on a server, and assume they are secure. Most security products have to be configured and properly managed in order to work. Many organizations have a false sense of security because they have a firewall, IDS, IPS, and DLP installed, when in reality those products are not stopping the advanced attacks because they are not configured correctly. Third, security products must map to the critical risks of the organization. Are the products being implemented actually solving the problem that needs solving? Organizations get so caught up in implementing products that they forget to ask the most fundamental question: did it make them more secure? Before you spend a dollar of your budget or an hour of your time on security, you should always be able to answer three questions: (1) What is the risk? (2) Is it the highest-priority risk? (3) Is it the most cost-effective way of reducing the risk?
7.  Behavioral analysis— an effective measure for dealing with the APT is to move from signature analysis and packet inspection to behavioral analysis. Dealing with the APT means constantly analyzing behavior: as someone exhibits good behavior we increase their access, and as they exhibit bad behavior we reduce it.
8.  Tools— application-aware, next-generation firewalls and DLP (data loss prevention) products focus on making more granular distinctions, allowing better protection against the APT.
9.  Correlation of data— it is easy to claim that an organization is secure, but the best way to validate it is to actually test your security: set up a system on your network, slowly send out sanitized information, and see if anyone notices. Looking at a single system will not give you enough detail. In addition, since many attackers hide on a system using a variety of techniques, including kernel-level rootkits, you may be given false information if you only examine the system itself. Rootkits are installed by attackers to hide and cover their tracks by manipulating the system so that it returns false information. Knowing that what a system reports might be false, it is important to use data from other sources. If you correlate the logs from all devices, systems, and applications, you get a much clearer picture of what is happening.
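Item 9's point about rootkits returning false information is best made by comparing two sources that an attacker would have to subvert independently. The example below is added here and is not from the original post: it takes a constructed set of flows observed by a network sensor and the socket table each host reported about itself, and reports any outbound connection or accepting port that the network saw but the host did not admit to. The flow-record format, the host-report structure and the addresses are assumptions for illustration.

```python
"""Cross-source correlation: what the network saw versus what the host admits to.

Added example, not from the original post. Both data sets below are constructed,
and the record formats are assumptions for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed: flows recorded by a network sensor on a span port. Inbound rows are
# assumed to be completed handshakes, i.e. the host really accepted the connection.
SENSOR_FLOWS = """\
src,sport,dst,dport,direction
10.0.0.7,51012,198.51.100.20,443,out
10.0.0.7,51044,203.0.113.10,443,out
10.0.0.5,50210,198.51.100.21,443,out
192.0.2.8,40000,10.0.0.7,4444,in
"""

# Constructed: what each host reported about itself (netstat-style) in the same
# window. 10.0.0.7 is hiding a C2 session and a listener, as a rootkit would.
HOST_REPORTS = {
    "10.0.0.7": {
        "established": {(51012, "198.51.100.20", 443)},
        "listening": {22},
    },
    "10.0.0.5": {
        "established": {(50210, "198.51.100.21", 443)},
        "listening": {22},
    },
}


def parse_flows(text):
    """Parse the sensor CSV; ports become ints, everything else stays a string."""
    return [
        dict(row, sport=int(row["sport"]), dport=int(row["dport"]))
        for row in csv.DictReader(StringIO(text))
    ]


def find_discrepancies(flows, host_reports):
    """Return {host: [finding, ...]} for network activity the host did not report."""
    findings = defaultdict(list)
    for f in flows:
        # For outbound flows the internal host is the source; for inbound, the destination.
        host = f["src"] if f["direction"] == "out" else f["dst"]
        report = host_reports.get(host)
        if report is None:
            findings[host].append("no host report available; activity cannot be corroborated")
            continue
        if f["direction"] == "out":
            if (f["sport"], f["dst"], f["dport"]) not in report["established"]:
                findings[host].append(
                    f"hidden outbound connection {host}:{f['sport']} -> {f['dst']}:{f['dport']}"
                )
        elif f["dport"] not in report["listening"]:
            findings[host].append(
                f"hidden listener on port {f['dport']} accepted {f['src']}:{f['sport']}"
            )
    return dict(findings)


if __name__ == "__main__":
    for host, items in find_discrepancies(parse_flows(SENSOR_FLOWS), HOST_REPORTS).items():
        for item in items:
            print(f"{host}: {item}")
```

Timing matters when doing this for real: the host snapshot and the flow window must overlap, and a short-lived connection can legitimately appear in one source and not the other, so treat a discrepancy as a lead to investigate on the host (ideally from a trusted boot image, since the running kernel may be lying) rather than as a verdict.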

Summary

Those who do not learn from the past are doomed to repeat it. It is critical to understand why organizations are compromised and to avoid those behaviors as much as possible. While the adversary is very advanced and capable of doing whatever it takes to break into your organization, it is also opportunistic and efficient. Why use an advanced attack if a simple one will work and is easier to perform? Attackers prefer to use automation and to repeat methods that have already worked in other organizations; it is quicker and easier for them. Only where it is very difficult will they resort to more advanced, adaptive manual attack methods. While the attacker is very persistent, you want to force them to work very hard to compromise your organization. Automated methods are hard to defend against and happen very quickly; advanced manual methods take longer and are (relatively speaking) easier to detect. Therefore the more you understand how attackers have broken into systems in the past, the more effective your defensive measures can be.
