Advanced Persistent Threats (APT) are much talked about and used in a lot of marketing but what exactly are they? Many commentators indicate that they are more persistent than advanced and many solutions are brought out to tackle the threat but can they be effective? The US National Institute of Standards and Technology (NIST) gives the following definition: “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information,undermining or impeding critical aspects of a mission,program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii)adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” (http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf). The three differences between an APT and more “traditional” attacks is that APTs are persistent, repeatedly trying different approaches over a long period, they are stealthy as ideally they do not want to be noticed and they want to stay in residence as long as possible and that they adapt or are resilient – the hacker recognises that they may be discovered and will either morph to avoid detection or have installed multiple solutions to maintain their presence when one or more of these solutions are discovered. The purpose of these attacks is normally for the extraction of information such as manufacturing processes, results of private research, sensitive commercial documents like business plans and pricing along with emails and contact lists. This is why APTs are frequently associated with inter-governmental attacks where one state is keen to learn about or in some cases, impede the activities of another state. A typical example of impeding activities is the Stuxnet virus, carefully aimed at impeding Iran’s nuclear programme and assumed to be the work of another government. However, it is not just governmental organisations that have suffered an attack. RSA, Google and NASA have all experienced breaches due to APTs. It is a form of attack that is showing considerable success and that will result in it being increasingly used. Traditional attacks tend to focus on a particular vulnerability, they do not care about the target, they care about the technology. If a system is not vulnerable to a particular exploit then the attack moves on looking for someone that is. The purpose of this attack is more flexible, if the target is not valuable in itself, then just making it part of a botnet gives the hack a value. In APTs, the focus is the target. Some considerable research must be done to investigate the target, what information is there about key players in the organisation, what is its focus? The actual attacks may not be that original, spear phishing is showing remarkable success given the proliferation of social networking sites where it is possible to find what people do, what their interests are and who they do business with. Armed with this information, it is possible to write extremely plausible phishing attacks that enable the attacker to persuade a victim to open an attachment or click on a link. This may well ead to relevant data of interest to the victim but also to a Trojan exploiting a zero day vulnerability. The Trojan is not noisy in any way; it installs quietly and does not interrupt the day to day operation of the end point, the user or the network. Through it, more software can be downloaded and depending on the victim, this compromise might be used to launch new attacks to infect individuals higher up the chain. There are multiple ways this infestation can be carried out, for example, an interesting article left on a community drive results in others reading it as it is perceived as ‘trusted’ but leads to the reader’s system being infected. Quiet brute force attacks on servers looking for weak passwords as the servers under attack were never considered at risk as previously they could not be accessed by external agents. This sometimes results in passwords being reused or being sent by internal email. Simply uploading the password hashes from the victim’s system allows the attacker to crack the passwords or it might just be possible in some cases to pass the hash and be authenticated on a system. Either way, the attacker can escalate their ‘privilege’ to allow them greater access to an organisation’s information. The attacker is not in any rush, the Trojan might well stay dormant for a number of weeks or months before taking action. The methods of infection will be low level as the important activity is to infect more endpoints and to install different backdoors. The next consideration is how to control this Trojan and associated backdoors. A number of solutions have been used over the years but having the malware communicate with websites over HTTP is a common way of reducing visibility. Others have developed protocols based around MSN, Jabber or even using online calendars. The intention is that security teams will see this as legitimate traffic and not investigate any further. Other methods are to embed the commands in SSL encrypted streams with the obvious barriers this has for inspecting the content. It is difficult to defend against APTs, the method is intended to be relentless. A layered defence seems to be the best solution. A gateway solution with two or more anti-virus engines to try and prevent the initial ploy arriving at its intended victim. Good anti-spam to try and use alternative techniques to prevent these phishing attacks from getting through. Good end point protection, ideally with access to list of both good and bad software which then allows for a third and important category: unknown. Unknown software needs to be run in a sandbox to try and see what it is going to do, good heuristics will catch out the cruder attacks. It is important to realise that APTs are associated with vulnerabilities that are usually unknown, they have been designed to by-pass existing signature and heuristic detection. So any solution must deal with this possibility. Assuming that an unknown bit of software passes all the tests above, when it is run it should be monitored and any changes it makes should be journalled. If it is subsequently identified as malware, the changes can be rolled back, removing the infection. However, during this period data may have been uploaded and this is where data leak prevention (DLP) can help. Should a document be allowed out? Even DLP may not be able to help when the mechanism for uploading information is encrypted and in the end good monitoring of log files from all relevant sources is essential. Frequently correlating different events can allow the security team to identify malicious behaviour and catch it early. This is a hard job to do manually but organisations need to be considering how they best address this problem as it is a growing threat. It is becoming the case of not whether a company is infected, but rather a case of how quickly a company can detect that they are infected.
19 December 2013