The anatomy and physiology of APT attacks
by Adam Rice
The cyberthreat landscape has changed. We used to deal with hackers in the classic sense, from explorers of systems to script kiddies who used newly automated exploit tools, developed by taking hackers' technical knowledge and packaging it. In the background lurked the underground and criminal types who move into any vacuum, given enough time, if there is something to steal.
The modus operandi for these early criminals wasn't that different from what many enterprises encounter today. It involved phishing campaigns to try to trick people into logging onto their online bank accounts and, in doing so, giving up their credentials. Attackers developed viruses and bots that delivered remote access and administrative tools to the victims' computers, allowing the bot masters to harvest all the data. National intelligence services began to employ many of the tools and techniques those early criminals developed to use the Internet as a conduit for advancing their intelligence-gathering capabilities.
Nothing in our past has happened so quickly or with as far-reaching implications and dependencies. Critical networks, utilities and other infrastructures are all intertwined with the networks of companies and governments. Almost everything that's built, designed and manufactured is on the Internet. If the Internet stopped working, the global economy would collapse. With that dependency come issues of national security. Governments have recognized the strategic and tactical advantage of having both defensive and offensive capabilities in the electromagnetic arena.
This paradigm shift has created the groundwork for advanced cyberthreats. Building on what cybercriminals began, security services from many countries have developed the capability to protect, attack and steal for their national interest. As these organizations responded to requests for intelligence from their governments, a whole new type of "threat" appeared on the cyber landscape.
The term advanced persistent threat, or APT -- coined by U.S. Air Force Col. Greg Rattray in 2006 -- describes the new, powerful cyber adversary noticed on government networks since the late 1990s and early 2000s. For the U.S. government, the APT is the Chinese; for the Chinese, the APT is the United States. It is always a question of perspective.
Intelligence gathering methods
How do APT attacks happen and why? To understand the anatomy and physiology of APT attacks, it helps to recognize the intelligence-gathering methods used by security organizations around the world. All these agencies -- including the CIA, MI6 and the Federal Security Service (FSB) of the Russian Federation -- have administrative processes for receiving requests for intelligence products and information. They prioritize those requests and pass them out to the various departments, or organizations, that are then tasked with acquiring the information or products.
Where might a request come from? Say a delegation from country A attends the Paris Air Show, a key event in which hundreds of aerospace and defense companies show off their products and innovations. The delegation, which can include intelligence personnel, has a "shopping list" and spends a lot of time looking for specific technologies and systems. They notice a new and innovative radar system for sale from a defense contractor in a "banned" country. It would be illegal for the manufacturer to sell the technology to the delegation, so they cannot simply buy the technology and reverse engineer it. The delegation takes photographs of the sales display and picks up any other information it can. When the delegation returns home, a formal request for intelligence or collection on the radar technologies is submitted to their country's intelligence services. The intelligence request is prioritized, and when it is acted on, it will be assigned to a cyber-intelligence unit whose specialty is to gain access to other people's networks with the sole purpose of taking something very specific.
The APT is in the collection part of the classic intelligence cycle described on the CIA's website:
· Planning and Direction
· Collection
· Processing
· Analysis and Production
· Dissemination
An APT "campaign" against the target begins. In this case, it is based on an intelligence request from country A's military to their intelligence services to find everything they can about a radar manufactured in country B.
The intelligence services, or their contractors, will begin by doing a comprehensive search of the target organization. This research will include basic information about the company such as the physical locations of facilities; corporate and supply chain relationships; contracts, products and services; leadership and board of directors; filings and financial reports; and whether it is publicly traded.
The organization will also look at the company's Internet footprint:
· Domain names, DNS records, MX mail records
· Registered IP ranges and scans of that information
· Email naming convention (firstname.lastname@company.com)
· Telco relationships and colocation usage
· Cloud usage
· Publicly facing services or websites
· Use of two-factor authentication
They will build an understanding of employees who work within specific divisions or programs or within leadership or corporate shared services. This information is gathered with help from LinkedIn and Facebook searches, academic papers, public websites, speaking engagement histories, and industry associations and forums. Once this data is compiled, a plan of action will be formulated to penetrate the network and steal the data on the target.
The offensive part of an APT campaign begins with the perpetrators executing their plans. In this example, it starts with social engineering. Having identified the physical location of the facilities that manufacture the target data, the APT will cast a net on social media to "link" to individuals associated with the program, or near the program, based on their LinkedIn profiles. The attackers will create false personas, using LinkedIn, Facebook pages and other social media. They will then try to "friend" individuals to discover email addresses -- both work and personal -- other friends or associations, addresses, skills they possess and other programs they've worked on.
From this social media information, the APT will create a target list of named individuals directly or indirectly associated with the target programs, or in a position to get to the projects indirectly, or provide the next hop to the target. This social engineering generates the targets for a spear-phishing campaign. Almost all APT attacks include some form of spear phishing, or targeting of malicious messages, with the intention of compromising victims' computers.
APT toolbox
For the APT to launch these campaigns, there has to be infrastructure and tools at their disposal. The big APT actors have deep funding from national governments for R&D into activities such as creating exploits or testing code against most commercial security tools. The APT toolbox typically includes the following:
· Extensive command-and-control (C2) hosts: computers that have been leased at cloud providers, or hosts that have been compromised for the purpose of being a C2 host. These hosts tend to communicate home indirectly. It is not smart to have a C2 host owned by the government of country A, or a C2 host that communicates directly back to country A. Instead, they communicate through a layer of hosts and proxies to obscure the destination of the traffic. It is through those networks of C2 hosts that the malware deposited by spear phishing communicates back to establish channels, back to the compromised hosts and then to download rootkits and remote administration tools (RATs).
· Websites with waterholes or drive-by exploits (the place the URL in the email leads to) to infect a host.
· Internet file shares to drop the exfiltrated data. These file shares can include Google Docs accounts or Dropbox accounts.
· Extensive malware library to get a toehold onto a network to download RATs and rootkits. The malware will try to exploit near-zero-day or zero-day vulnerabilities. Zero-days are typically used with higher value targets because once they are in the wild, patches and signatures can be developed.
· Windows administrators with extensive skills in domain and host configurations. These technicians will drive infected hosts to continue to gain hosts on the exploited network, find the data and exfiltrate it.
Based on the initial reconnaissance of the target, a template for the campaign will be selected to get the data from the target. These templates, or the modi operandi, are based on the technologies the target company has deployed, the network security of the target and the value of the target.
Once the template is selected and approved, and resources are lined up, the spear phishing emails are sent to the targets. Mail is delivered and disappears behind the target's firewalls. Success is noted if a piece of malware beacons out to a C2 host, whose address is in the exploit code.
A few years ago, most companies were helpless against this type of threat and compromise was easy. The modi operandi from those early campaigns have persisted, with some modification as defenses have improved. As awareness of the APT has grown, so have the active defenses against it, meaning that the APT actors have to adjust their MOs to defeat the emerging defenses companies put up.
Active defenses
Understanding how an APT actor operates can help an organization build active defenses against it. Traditional signature-based firewalls and IDSs are ineffective against APT attacks. The APT actors have copies of all commercial security devices and software and build their templates to easily defeat systems such as antivirus and antimalware tools. Here are some other ways to prevent APT attacks:
Use threat intelligence. This includes current information on APT actors; threat intelligence harvested from analyzing malware; known C2 sites; known bad domain names, email addresses, malicious email attachments, email subject lines; and malicious links and websites. Threat intelligence is for sale commercially and is shared by industry cybersecurity groups. Care must be taken to make sure the intelligence is relevant and timely. Threat intelligence is used to establish "trip wires" to alert you to activity on the network.
Create strong egress rules. Stop all outbound traffic from the enterprise except Web traffic, which must be proxied, with all data sharing, malicious sites and uncategorized sites blocked. No SSH, FTP, Telnet, or other ports and protocols should be allowed out of the network. This will break the communications channels from the malware to the C2 hosts and stop the unauthorized exfiltration of data off the networks.
Collect strong log analytics. Verbose logging from critical networks and hosts should be collected and analyzed for unusual behavior. Logs should be retained for a period of time to allow for investigations. Alerts on matches with threat intelligence should be established.
Hire security analysts. The role of security analysts is to tie the threat intelligence, log analytics and alerting to an active defense against APT. Experience is key in this role.
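The three controls above, and the beacon described earlier (malware calling out to a C2 host whose address is baked into the exploit code), come together in detection logic like the following. This is an added example, not code from the article or from any product it mentions: a Python script that runs constructed outbound-connection log lines against a constructed threat-intelligence list (trip wires), a proxied-web-only egress policy, and a simple periodicity check that flags hosts contacting the same destination at near-constant intervals. The log format, indicators and addresses are all made up for illustration; real deployments would read firewall or proxy logs and a commercial or shared indicator feed instead.

```python
"""Constructed example of APT active-defense detection logic (not from the article)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed threat-intelligence indicators. Placeholders only, not real IoCs.
THREAT_INTEL = {
    "domains": {"c2-example.invalid", "update-check.example"},
    "ips": {"203.0.113.45"},
}

# Egress policy: only proxied web traffic may leave the enterprise.
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443)}

# Constructed sample log lines: timestamp src dst proto dport resolved_name ("-" if none).
SAMPLE_LOGS = """\
2024-03-01T09:00:00 10.1.4.22 198.51.100.7 tcp 443 www.example.com
2024-03-01T09:00:05 10.1.4.22 203.0.113.45 tcp 443 c2-example.invalid
2024-03-01T09:01:00 10.1.4.31 198.51.100.9 tcp 22 -
2024-03-01T09:05:05 10.1.4.22 203.0.113.45 tcp 443 c2-example.invalid
2024-03-01T09:10:05 10.1.4.22 203.0.113.45 tcp 443 c2-example.invalid
2024-03-01T09:15:05 10.1.4.22 203.0.113.45 tcp 443 c2-example.invalid
2024-03-01T09:16:00 10.1.4.31 198.51.100.9 tcp 21 -
2024-03-01T09:20:00 10.1.4.40 198.51.100.12 tcp 443 docs.example.org
"""


def parse_log(text):
    """Parse the constructed space-separated format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, name = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "proto": proto,
            "dport": int(dport),
            "name": None if name == "-" else name,
        })
    return events


def check_threat_intel(events, intel=THREAT_INTEL):
    """Trip wires: any contact with a known C2 domain or IP raises an alert."""
    alerts = []
    for e in events:
        if e["dst"] in intel["ips"] or e["name"] in intel["domains"]:
            alerts.append({"ts": e["ts"], "src": e["src"],
                           "indicator": e["name"] or e["dst"]})
    return alerts


def check_egress(events, allowed=ALLOWED_EGRESS):
    """Egress policy: anything other than proxied web traffic is a violation."""
    return [{"ts": e["ts"], "src": e["src"], "dst": e["dst"],
             "proto": e["proto"], "dport": e["dport"]}
            for e in events if (e["proto"], e["dport"]) not in allowed]


def detect_beacons(events, min_count=4, max_jitter=0.1):
    """Flag src/dst pairs whose connection gaps are near-constant.

    A coefficient of variation (stdev / mean of the gaps) at or below
    max_jitter indicates periodic check-ins, the signature of a beacon.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append(pair)
    return beacons


def analyze(log_text):
    """Run all three checks over a log and return the findings by category."""
    events = parse_log(log_text)
    return {
        "threat_intel": check_threat_intel(events),
        "egress": check_egress(events),
        "beacons": detect_beacons(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOGS).items():
        print(kind, hits)
```

On the sample data the indicator match and the periodicity check both point at the same host, which is the value of correlating the two: the beacon check catches regular call-outs even when the destination is not yet on any indicator list, while the egress check surfaces the SSH and FTP attempts that a proxied-web-only policy should have blocked at the firewall.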
Are you in an industry with the APT threat? Does your company have something an APT actor would be willing to spend time and money trying to steal?
Enterprises can ask the FBI if they are in an industry targeted by APT threats. If the answer is no, then spending the money on active defenses against the APT might not be a good investment. But organizations that might become potential "targets" must consider it.
==============================================
**Important note** - contact our sister company for very powerful solutions for APT solutions:
www.tabularosa.net
In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, "You're Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!" will be published soon, followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:
If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio. Additionally, I provide content for an online newsletter via paper.li. I have also established Netiquette discussion groups with LinkedIn and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. Further, I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and have been a contributor to numerous blogs and publications.
Lastly, I am the founder and president of Tabula Rosa Systems, a company that provides "best of breed" products for network, security and system management and services. Tabula Rosa has a new blog and Twitter site which offers great IT product information for virtually anyone.