Organizations recognize that cyber security is a concern and that resources
need to be allocated to protect the organization. There are many different
types of threats, ranging from worms, viruses and hacktivists to the APT. Many
organizations understand how to defend against the traditional threats and
treat the current advanced threats in the same manner they have always dealt
with security. The problem is that this approach does not work. The APT is a
completely different problem, and until an organization understands the
problem, it will not be able to fix it. While traditional threats are still a
concern and cannot be ignored, organizations now have a new challenge: dealing
with the Advanced Persistent Threat, known as the APT.
The APT consists of well-funded, organized groups that are systematically
compromising government and commercial entities. The term was originally
developed as a code name for Chinese-related intrusions against US military
organizations. It has since evolved to refer to advanced adversaries that are
focused on critical data with the goal of exploiting information in a covert
manner. APTs are highly sophisticated and bypass virtually all “best practice”
cyber security programs to try and establish a long-term network presence. APT
attacks are stealthy, targeted, and data focused, which is quite different
from traditional worms or viruses. APT actors are very well-organized entities
(typically foreign adversaries) that target an organization to gather a
specific piece of information today and ultimately maintain long-term access so
that information can be extracted at will in the future. The APT breaks all of
the rules of attackers by typically adapting their techniques on the fly,
targeting users as the entry point, and hiding their tracks very carefully;
therefore many traditional security measures are not effective at dealing with
this threat.
The APT is a cyber-adversary displaying
advanced logistical and operational capability for long-term intrusion
campaigns. Its current goal is to maintain access to victim networks and
exfiltrate intellectual property data as well as information that is
economically and politically advantageous. The APT is not a bot-net.
It is not malware. It is the DNA of an adversarial group.
Most people think that when an organization is
compromised, it is because they made a blatant error or had invested no money
in security. If you look at most APT attacks, the items that all companies
had in place at the time of the breach include:
• Security policies.
• Security budget.
• Security team.
• Firewalls.
• Application filtering.
• Intrusion detection.
• End-point security.
• Anti-virus protection.
The advanced persistent threat is a cyber cancer, which means traditional
detective and reactive measures will not work. At the point of compromise there
is nothing visible, and by the time there are visible signs of attack, the
damage has already occurred. We have to assume that even though everything
looks fine on the surface, underneath the surface the network might be
compromised. Organizations need to look for problems even though there is no
visible sign of an attacker on the network. One of the key rules of cyber
security is to plan for the worst and hope for the best.
Given the stealthy nature of the APT, a critical rule is that prevention is
ideal but detection is a must. In a perfect world it would be great if we could
prevent all attacks. However, that is not realistic. In this day and age you
must accept that you are going to be compromised. In cases where attacks
cannot be stopped, the earlier we can catch an attack, the less the overall
damage.
The key words with the APT are stealthy, targeted, adaptive, and data focused.
While the APT is not new, what is new is the large scale at which it is
attacking systems and the fact that more organizations are realizing that their
current way of defending against traditional attackers has to change. The
important shift with the APT is that we are now dealing with well-funded,
organized professionals, not hackers from the 1990s.
The APT is going to gather as much information about your organization as it
can so that it can customize the attack to be successful. The attackers are
going to determine the weak points within your organization and target those
individuals as the point of entry for the compromise.
Characteristics of the APT
- APT focuses on any organization, both government and non-government entities. Some people make the mistake of thinking that the APT is only focused on Department of Defense (DoD). When it comes to the Internet the lines between government and commercial are blurring and anything that could cause harm to a country or give an adversary an advantage will be targeted.
- While the threat is advanced once it gets into a network, the entry point for many attacks is simply convincing a user to open an attachment or click on a link. However, once the APT breaks into a system, it is very sophisticated in what it does and how it works. Signature analysis will be ineffective in protecting against it. Advanced attacks are always changing, recompiling on the fly, and utilizing encryption to avoid detection.
- In the past, attackers would periodically attack an organization. Today attacks are nonstop. The attackers are persistent, and if an organization lets their guard down for any period of time, the chance of a compromise is very high.
- Attackers want to take advantage of economies of scale and break into as many sites as possible, as quickly as possible. Therefore the tool of choice of an attacker is automation. Automation is not only what causes the persistent nature of the threat, but it is also what allows attackers to break into sites very quickly.
- Old school attacks were about giving the victim some visible indication of a compromise. Today it is all about not getting caught. Stealth and being covert are the main goals of today’s attacks. The APT’s goal is to look as close as possible (if not identical) to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them.
- The driver of APT is to provide some significant benefit to the attacker, the benefit being either economic or financial gain. Therefore the focus will be all about the data. Anything that has value to an organization means it will have value to an attacker. Since data has become so portable, and with cloud computing increasing in popularity, data is now available from the Internet, via many sources.
- Attackers do not just want to get in and leave, they want long-term access. If someone is going to spend effort breaking into a site, they will make sure they can keep that access for a long period of time. Stealing data once has value, but stealing data for 9 months gives the attacker even more value.
- The APT targets an individual user and compromises their system. Users are targeted because they are an easy target and have a high chance of being compromised. In addition, while the critical information is not on their system, they might have access to that information or at least have visibility to a server that contains the information. Therefore if an attacker can gain a pivot point on the user’s system, they can use that as an entry point into the network to ultimately gain access to the information they want. Many users have more access than they need to do their job. If this access was minimized, the attacker’s job would be more difficult.
- The APT is constantly changing its behavior, and therefore the behavior it uses to compromise a site is not always 100% bad. One of the reasons organizations are compromised is that they are relying on technology that can only block what is 100% bad, and most of the advanced attack methods do not fall into this category.
How APT works
The approach of the APT differs from the traditional threat in three areas:
the goal, the structure of the attacker, and the methods. The ultimate goal of
the APT is to maintain a long-term beachhead on your network. The attacker
wants long-term access to all of your resources so that they can constantly
extract and capture, at will, any information that they want.
The APT is not the individual or small hacker cell associated with traditional
threats. Today they are very well organized, well-structured organizations. The
steps of the attack are broken down into a clear division of labor, and each
person on the team is well trained in their respective skill.
Many of the attack methods are under strict change management and are
constantly updated to increase the success rate and decrease the chance of
being caught. The traditional threat was reactive. A patch was released and a
worm was written to take advantage of the vulnerability on systems where the
patch was not present. The adversary was reactive and would wait for the
vendors to release information on vulnerabilities and react to those
announcements. The APT is constantly tracking how organizations implement
security, determining what their next move is going to be, and creating
offensive measures that will defeat an organization’s security, giving the
adversary access to the information they want. In some cases, by the time an
organization deploys a new measure of protection, the advanced adversary has
already figured out a way around it.
The methods used by APT also take advantage of
advanced technology. Most malware that is used is customized for maximum
success against a specific client. In cases where malware might be re-used, the
code would be changed and recompiled so that traditional security measures like
signature detection are no longer effective. Essentially many of the attacks
are built for one-time use. Therefore any analysis that the defender performs
has minimal impact because the next attack is going to be different and unique.
One of the scariest features of the APT is that it turns our biggest strengths
into our biggest weaknesses. The APT uses encryption to slip under the radar
and bypass most of the security devices that are deployed on networks today.
Most security devices are not capable of reading encrypted packets, and the
ones that can cannot do it very efficiently. The number one trick of attackers
is that after they break into a system, they set up an encrypted outbound
tunnel to an attacker-controlled system. Since the data is encrypted, it goes
virtually undetected on the network. This is a prime example of using great
technology for evil.
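As an added example (not from the article), here is the defender's view of that encrypted outbound tunnel: detection logic run over constructed flow records. The record layout, the thresholds and the flows themselves are assumptions; the point is that encrypted traffic can still be judged by who talks to whom, for how long, how many bytes leave, and how regularly the connection recurs.

```python
"""Flag outbound sessions that fit the encrypted-tunnel pattern.

Added example, not the article's code. Heuristics (assumed): a destination
that only one internal host talks to, a long-lived TLS (443) session carrying
far more bytes out than in, and connections repeating at near-regular
intervals (beaconing to a command-and-control server).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (e.g. exported from a firewall or NetFlow collector):
# (src_host, dst_ip, dst_port, bytes_out, bytes_in, duration_s, start_ts)
FLOWS = [
    # Normal browsing: three hosts download from the same popular site
    ("ws-01", "203.0.113.10", 443, 4_000, 120_000, 20, 0),
    ("ws-02", "203.0.113.10", 443, 5_000, 150_000, 30, 100),
    ("ws-03", "203.0.113.10", 443, 3_000, 90_000, 15, 200),
    # One host fetches a file from a rarely seen site: rare destination, but a short download
    ("ws-04", "192.0.2.5", 443, 2_000, 800_000, 40, 250),
    # ws-07: two-hour TLS session to a destination nobody else uses, almost all upload
    ("ws-07", "198.51.100.77", 443, 52_000_000, 40_000, 7_200, 400),
    # ws-07 also reconnects to that destination every ~600 s with slight jitter (beaconing)
    ("ws-07", "198.51.100.77", 443, 900, 600, 2, 1000),
    ("ws-07", "198.51.100.77", 443, 900, 600, 2, 1603),
    ("ws-07", "198.51.100.77", 443, 900, 600, 2, 2198),
    ("ws-07", "198.51.100.77", 443, 900, 600, 2, 2801),
]


def rare_destinations(flows, max_hosts=1):
    """Destinations contacted by at most max_hosts distinct internal hosts."""
    hosts_by_dst = defaultdict(set)
    for src, dst, *_ in flows:
        hosts_by_dst[dst].add(src)
    return {dst for dst, hosts in hosts_by_dst.items() if len(hosts) <= max_hosts}


def exfil_like(flows, rare, min_duration=3600, min_out_in_ratio=10.0):
    """Long-lived sessions to rare destinations that are dominated by outbound bytes."""
    hits = []
    for src, dst, port, out_b, in_b, dur, _ in flows:
        if dst in rare and dur >= min_duration and out_b >= min_out_in_ratio * max(in_b, 1):
            hits.append((src, dst, port))
    return hits


def beacons(flows, min_count=4, max_cv=0.1):
    """(src, dst, port) triples whose connection start times repeat at near-constant gaps.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between starts."""
    starts = defaultdict(list)
    for src, dst, port, *_, ts in flows:
        starts[(src, dst, port)].append(ts)
    hits = []
    for key, ts_list in starts.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(key)
    return hits


def analyze(flows):
    """Run both detectors; a host appearing in both lists deserves an analyst's attention."""
    rare = rare_destinations(flows)
    return {"exfil_like": exfil_like(flows, rare), "beacons": beacons(flows)}


if __name__ == "__main__":
    for kind, hits in analyze(FLOWS).items():
        print(kind, hits)
```

The rare-destination check alone would also flag ws-04, which is why it is combined with duration and byte ratio before anything is reported.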
General Phases of an APT attack
Since every APT attack is unique and different there are many variations, but
these are the general steps that are often followed:
Phase 1: Reconnaissance—
gathering of information about the target, looking for specific areas that can
be focused on to achieve long-term compromise with the minimal amount of energy
or effort. This usually involves finding an individual that can be
targeted to be used in phase 2.
Phase 2: Initial Intrusion—
determining and finding some way into the organization to establish a foothold.
This usually does not require exploitation and is most commonly achieved by
convincing a user to open an attachment or click on a link they are not
supposed to open.
Phase 3: Establish Backdoor—
ultimately the APT wants to be able to communicate with the network they have
targeted. After the initial intrusion has been accomplished, a remote way in is
established so the attacker can continue to move around the compromised
network. After compromise they typically create an encrypted outbound session
that looks like legitimate traffic, slipping under the radar and making it
easier to steal information.
Phase 4: Obtain Credentials— an
attacker wants to own the entire network and maintain long-term access for both
current and future use. This usually requires obtaining, cracking or hijacking
admin and other privileged credentials.
Phase 5: Install Utilities— at
this point the attacker wants to establish persistence and total control of the
network. This is usually done by installing customized tools to create a
complete command and control communication with the compromised network.
Phase 6: Data Exfiltration— the
final step is to steal and extract the critical information off of the network
in a stealthy way. This is usually done by encrypting and masking the data so
that it looks like legitimate traffic.
Detecting APT
Since the attack has changed, we must make sure that our defensive measures scale against this threat. From a quick checklist perspective let’s examine what is required for a solution to scale and detect the APT:
Automated— the current threat is
persistent and nonstop. As depressing as it sounds, we have to accept the fact
that for the foreseeable future, your organization is going to be attacked and
compromised. Not only do attackers want information today, they also want to
gain a foothold so they can have access in the future. Therefore more and
more of our security needs to be automated to keep up with the changing
threat. While some manual effort is still required from an analytical
perspective, more and more decisions need to be automated.
Adaptive— since the attacker is
persistent and continuously trying to get in, if something fails they are going
to try something new. If the attacker is always performing different attacks to
get in, our security also needs to be adaptive. What works today will not
work in the future. This is what we often refer to as attacker leap frog. The
attackers will figure out a way into the system. The defenders will deploy a
defense mechanism to prevent it. The attackers will re-evaluate the situation
and find a new way in. The defenders will identify the vulnerability and fix
it. This sequence of events will continue. If we only focus on stopping an
attack once, we will have short-term victory but long-term defeat.
Proactive— the philosophy of traditional
security was to only spend money if you are absolutely sure there is a problem.
This led to reactive security: wait for the attacker to do some damage, detect
it and fix it before there is significant damage. This approach makes two
assumptions that are not true today. First, that there will be something
visible early on to detect. Second, that the damage will be minimal and slowly
increase, so if it is detected early it can be stopped. Today, neither of
those statements is true. Therefore security must be proactive and fix a
problem as soon as it is discovered, not after the system is compromised.
Proactive emphasizes the stance that we cannot let the attackers make the
first move.
Predictive—in order for proactive
security to be effective, we must also anticipate what the attacker is
going to do. While the threat is very advanced and persistent, there is also some
predictive nature to how they behave. By studying and understanding many types
of attacks, we can begin to understand what vectors the threat is going to
target and focus most of our defensive measures in those areas.
Data Focused— many traditional approaches to
security focused on signatures and the ways an attacker might break into a
system. Today, since we have to recognize that systems are going to be
compromised and attacks are stealthy, the traditional approach is futile
at best. Once again, if we do not know what to look for, how can we stop it?
On further analysis, we do not want to look at just the signatures of attack;
we want to look at what the attacker is ultimately after. New approaches to
security have to focus on the data and the ways it might be compromised.
Defending against the APT
The key theme of dealing with the APT is
“Know thy system/network.” The more an organization understands about its
network traffic and services, the better it can spot and identify anomalies,
which is the best way to defend against the APT.
1. Control the user and raise awareness— the
general rule is you cannot stop stupid, but you can control stupid. Many
threats enter a network by tricking the user into opening an
attachment or clicking a link that they shouldn’t. Limiting the actions a user
is allowed to perform, combined with proper awareness sessions, can go a
long way to reduce the overall exposure.
2. Perform reputation ranking on
behavior—traditional security tries to go in and classify something either as
good or bad, allow or block. However with advanced attacks, this classification
does not scale. Many attackers start off looking like legitimate traffic, which
means they would be allowed into the network, and then once they are in they
turn bad. Therefore, since the goal of attackers is to blend in, you need to
track what the behavior is and rank the confidence level of whether it is looking
more like a legitimate user or more like evil.
3. Focus on outbound traffic— inspecting inbound
traffic is often what is used to prevent and stop attackers from entering a
network. While it will catch some attacks and is still important to do, with
the APT it is the outbound traffic that is more damaging. If the intent
is to stop exfiltration of data and information, looking at the outbound
traffic is how you detect anomalous behavior, which is tied to damage to an
organization.
4. Understand the changing threat—it is
hard to defend against something you do not know about. Therefore,
the only way to be good at the defense is to understand and know how the
offense operates. If organizations do not continue to understand the new
techniques and tactics of the attackers, they will not be able to effectively
tune their defensive measures to work correctly.
5. Manage the endpoint— while
attackers might break into a network as the entry point, they ultimately want
to steal information that exists on endpoints. If you want to limit the damage,
controlling and locking down the endpoint will go a long way to protect an
organization.
6. Security products - an organization buying a lot of products does not mean
it will be secure. First, there is no such thing as a silver bullet or 100%
security. No matter what you do, an organization will have vulnerabilities.
There is no single product that an organization can implement that will make
it secure. Products will help manage an organization’s risk, but regardless of
what products are purchased, continuous monitoring must be performed to detect
attacks that traditional security measures might have missed. Second, security
products must be implemented correctly in order to be effective. Many
organizations will purchase a security product, plug it into their network or
install it on a server, and assume they are secure. Most security products
have to be configured and properly managed in order to work. Many
organizations have a false sense of security because they have a firewall,
IDS, IPS, and DLP installed and therefore feel they are secure, when in
reality those products are not stopping the advanced attacks because they are
not configured correctly. Third, security products must map against the
critical risks to an organization. Are the security products being
implemented actually solving the problems that need to be solved for the
organization to be secure? Organizations get so caught up in implementing
products that they forget to ask the most fundamental question of whether it
made them more secure or not. Before you spend a dollar of your budget or an
hour of your time on security, you should always be able to answer three
questions: 1. What is the risk? 2. Is it the highest priority risk? 3. Is it
the most cost-effective way of reducing the risk?
7. Behavioral analysis - An effective measure for dealing with the APT is to
move from signature analysis and packet detection to behavioral analysis.
Dealing with the APT means constantly analyzing behavior: as someone exhibits
good behavior we increase their access, and as they exhibit bad behavior we
reduce their access.
8. Tools - Application-aware, next-generation firewalls and DLP (data loss
prevention) products focus on making more granular distinctions, allowing
better protection against the APT.
9. Correlation of data - Set up a system on your network and slowly send out
sanitized information and see if anyone notices. It is easy to claim that an
organization is secure, but the best way to validate it is to actually test
your security. Looking at a single system would not give you enough details.
In addition, since many attackers hide on a system using a variety of
techniques, including kernel-level rootkits, you could be given false
information if you only examine the system. Rootkits are installed by
attackers to hide and cover their tracks by manipulating the system to give
back false information. Knowing that the information the system provides might
be false, it is important to use data from other sources. If you correlate all
of the logs from all devices, systems, and applications, you get a clearer
picture of what is happening.
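As an added example (not the article's code) of correlating sources rather than trusting the host, the following compares a host's own socket table with the firewall and DNS logs for the same window: a connection the network saw but the host does not admit to is exactly what a rootkit hides. The three log formats, the sample lines and the host address are constructed for the example.

```python
"""Cross-check what a host reports against what the network saw.

Added example, not the article's code. The firewall log is treated as the
authority, and the resolver log adds context: a hidden connection to an IP the
host never looked up points at a hard-coded address in an implant.
"""
HOST_IP = "10.0.0.15"

# Constructed: socket snapshot reported by the host itself (proto local remote state pid process)
HOST_SOCKETS = """\
tcp 10.0.0.15:51020 203.0.113.10:443 ESTABLISHED 1842 browser
tcp 10.0.0.15:51033 192.0.2.25:993 ESTABLISHED 2210 mailclient
"""

# Constructed: firewall connection log for the same time window (timestamp action src -> dst)
FIREWALL_LOG = """\
2024-05-01T10:00:01 ALLOW 10.0.0.15:51020 -> 203.0.113.10:443
2024-05-01T10:00:02 ALLOW 10.0.0.15:51033 -> 192.0.2.25:993
2024-05-01T10:00:05 ALLOW 10.0.0.15:51040 -> 198.51.100.77:443
2024-05-01T10:00:06 ALLOW 10.0.0.22:49152 -> 203.0.113.10:443
"""

# Constructed: resolver log (timestamp client name answer)
DNS_LOG = """\
2024-05-01T09:59:58 10.0.0.15 www.example.com 203.0.113.10
2024-05-01T09:59:59 10.0.0.15 mail.example.net 192.0.2.25
"""


def split_endpoint(ep):
    ip, port = ep.rsplit(":", 1)
    return ip, int(port)


def host_connections(text):
    """(local_port, remote_ip, remote_port) triples the host admits to."""
    conns = set()
    for line in text.strip().splitlines():
        _, local, remote, *_ = line.split()
        rip, rport = split_endpoint(remote)
        conns.add((split_endpoint(local)[1], rip, rport))
    return conns


def firewall_connections(text, host_ip):
    """(local_port, remote_ip, remote_port) triples the firewall saw leaving host_ip."""
    conns = []
    for line in text.strip().splitlines():
        _, _, src, _, dst = line.split()
        sip, sport = split_endpoint(src)
        if sip == host_ip:
            conns.append((sport, *split_endpoint(dst)))
    return conns


def names_resolved(text, host_ip):
    """remote_ip -> set of DNS names this host resolved to that address."""
    resolved = {}
    for line in text.strip().splitlines():
        _, client, name, answer = line.split()
        if client == host_ip:
            resolved.setdefault(answer, set()).add(name)
    return resolved


def hidden_connections(host_text, fw_text, dns_text, host_ip):
    """Connections the firewall saw but the host does not report, with DNS context."""
    admitted = host_connections(host_text)
    resolved = names_resolved(dns_text, host_ip)
    return [{"remote": f"{rip}:{rport}", "local_port": lport,
             "dns_names": sorted(resolved.get(rip, ()))}
            for lport, rip, rport in firewall_connections(fw_text, host_ip)
            if (lport, rip, rport) not in admitted]
```

A connection that simply closed between the host snapshot and the firewall entry shows up here too, so in practice both sources are taken from the same narrow time window and a hit is a lead for the analyst, not a verdict.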
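As an added example of the reputation ranking described in items 2 and 7 (not the article's code), the following keeps a per-user confidence score instead of a one-shot allow/block decision: the score moves with every observed event, fades back toward neutral over time, and maps to an access tier. The event weights, the one-week half-life, the tier thresholds and the sample history are assumed values.

```python
"""Reputation ranking on behavior instead of a one-shot allow/block decision.

Added example, not the article's code. Each user carries a confidence score in
[0, 1] that starts at a neutral baseline, moves with every observed event and
decays back toward the baseline while nothing is observed; access is granted by
tier. Weights, half-life and thresholds are assumed values.
"""
BASELINE = 0.5
HALF_LIFE_S = 7 * 24 * 3600      # old evidence loses half its weight per week

# Assumed evidence weights: positive looks like a legitimate user, negative like an intruder
EVIDENCE = {
    "mfa_login_ok": +0.10,
    "usual_host_login": +0.05,
    "off_hours_login": -0.10,
    "login_from_new_country": -0.20,
    "bulk_download": -0.25,
    "admin_tool_exec": -0.30,
}

# Assumed tiers, checked from the top: score >= threshold grants that tier
TIERS = [(0.7, "full"), (0.4, "standard"), (0.0, "restricted")]


def tier_for(score):
    return next(name for threshold, name in TIERS if score >= threshold)


def decay(score, elapsed_s):
    """Pull the score back toward BASELINE as time passes without evidence."""
    return BASELINE + (score - BASELINE) * 0.5 ** (elapsed_s / HALF_LIFE_S)


def update(score, event, elapsed_s=0):
    """Apply one event after elapsed_s seconds of silence; clamp to [0, 1]."""
    if event not in EVIDENCE:
        raise ValueError(f"unknown event {event!r}")
    return min(1.0, max(0.0, decay(score, elapsed_s) + EVIDENCE[event]))


def rank(events):
    """Walk a user's (timestamp, event) history; return [(event, score, tier)] per step."""
    score, last_ts, history = BASELINE, None, []
    for ts, event in sorted(events):
        elapsed = 0 if last_ts is None else ts - last_ts
        score = update(score, event, elapsed)
        history.append((event, round(score, 3), tier_for(score)))
        last_ts = ts
    return history


# Constructed history: the account looks legitimate for a week, then "turns bad"
ALICE = [
    (0, "mfa_login_ok"), (60, "usual_host_login"), (86_400, "mfa_login_ok"),
    (172_800, "usual_host_login"), (604_800, "mfa_login_ok"),
    (691_200, "off_hours_login"), (691_260, "bulk_download"), (691_320, "admin_tool_exec"),
]

if __name__ == "__main__":
    for step in rank(ALICE):
        print(step)
```

The first off-hours login on its own only drops the account from full to standard; it is the sequence of events within minutes that pushes it into the restricted tier, which is the point of ranking behavior over time rather than judging each event in isolation.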
Summary
Those that do not learn from the past are forced to repeat it. It is critical to understand why organizations are compromised and try to avoid these behaviors as much as possible. While the adversary is very advanced and capable of doing whatever it takes to break into your organization, they are also opportunistic and efficient. Why would they use an advanced attack if a simple one will work and is easier to perform? Attackers prefer to use automation and repeat methods that have successfully worked in other organizations. It is quicker and easier for them. Only in cases where it is very difficult will they perform more advanced, adaptive manual attack methods. While the attacker is very persistent, you want to force them to work very hard to compromise your organization. Automated methods are very hard to defend against and happen very quickly. Advanced manual methods take longer and are easier (relatively speaking) to detect. Therefore the more you understand how attackers have broken into systems in the past, the more effective your defensive measures can be.