As persistent as their name suggests, Advanced Persistent Threats (APTs) demand a new level of vigilance. They can hide dormant for months, transform to avoid detection, move stealthily around networks and then inflict untold damage. IT managers need to impose multiple layers of security – not just to try to prevent infection but to detect it when it happens.

The US National Institute of Standards and Technology (NIST) gives the following definition of APTs:

“An adversary that possesses sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future.

The advanced persistent threat:

  • Pursues its objectives repeatedly over an extended period of time;
  • Adapts to defenders’ efforts to resist it; and
  • Is determined to maintain the level of interaction needed to execute its objectives.”

There are three differences between an APT and more “traditional” attacks. Firstly, APTs are persistent, repeatedly trying different approaches over a long period. Secondly, they are stealthy: ideally they do not want to be noticed, and they want to remain in residence for as long as possible. Finally, they are adaptive, or resilient – the hacker recognises that his attacks may be discovered and will either morph to avoid detection or install multiple executables so that his presence is maintained when one or more of these compromises are found.

The purpose of these attacks is normally the extraction of information such as manufacturing processes, results of private research, and sensitive commercial documents like business plans and pricing, along with emails and contact lists. This is why APTs are frequently associated with inter-governmental attacks, where one state is keen to learn about or, in some cases, impede the activities of another. A typical example of impeding activities is the Stuxnet virus, carefully aimed at Iran’s nuclear programme and assumed to be the work of another government.

However, it is not just governmental organisations that have suffered an attack. RSA, Google and NASA have all experienced breaches due to APTs. It is a form of attack that is showing considerable success, and that, regrettably, means that it will be increasingly used.

Traditional attacks tend to focus on a particular vulnerability. They do not care about the target; they care about the technology. If a system is not vulnerable to a particular exploit, the attack moves on, looking for one that is. The purpose of such an attack is flexible: if the target is not valuable in itself, simply making it part of a botnet gives the compromise a value.

In APTs, the focus is the target. Considerable research goes into investigating it: what information is available about key players in the organisation, and what is its focus? The actual attacks may not be that original. Spear phishing is showing remarkable success given the proliferation of social networking sites, where it is possible to find out what people do, what their interests are and who they do business with.

Armed with this information, it is possible to write extremely plausible phishing messages that persuade a victim to open an attachment or click on a link. This may well lead to data genuinely of interest to the victim, but also to a Trojan exploiting a zero-day vulnerability.

The Trojan is not noisy in any way; it installs quietly and does not interrupt the day-to-day operation of the endpoint, the user or the network. Through it, more software can be downloaded and, depending on the victim, the compromise might be used to launch new attacks against individuals higher up the chain. There are multiple ways this infestation can spread. For example, an interesting article left on a community drive is read by others because it is perceived as ‘trusted’, yet opening it infects the reader’s system.

Equally, quiet brute-force attacks on servers can seek out weak passwords; the servers under attack were never considered at risk because, previously, they could not be reached by external agents, which sometimes results in passwords being reused or sent by internal email. Simply uploading the password hashes from the victim’s system allows the attacker to crack the passwords, or in some cases it may be possible to pass the hash and be authenticated on a system directly. Either way, the attacker can escalate his ‘privilege’ to gain greater access to an organisation’s information.

The attacker is not in any rush; the Trojan might well stay dormant for a number of days or weeks before taking action. The methods of infection may well be low level at this stage, as the priority is to infect more endpoints and install different backdoors to establish a resilient presence in the network.

The next consideration for hackers is how to control this Trojan and its associated backdoors. A number of approaches have been used over the years, but having the malware communicate with websites over HTTP is a common way of reducing visibility. Other hackers have developed protocols based around MSN, Jabber or even online calendars. The intention is that security teams will see this as legitimate traffic and not investigate any further. Another method is to embed the commands in SSL-encrypted streams, with the obvious barriers this creates for inspecting the content.

While it is undeniably difficult to defend against APTs, the best solution is a layered defence comprising:

  • A gateway solution with two or more anti-virus engines, to try and prevent the initial ploy arriving at its intended victim
  • Good anti-spam, to employ alternative techniques and prevent phishing attacks from getting through
  • Effective endpoint protection, ideally with access to a list of both good and bad software, which then allows for a third and important category: unknown.

Unknown software needs to be run in a sandbox to see what it is going to do; good heuristics will catch out the cruder attacks. It is important to realise that APTs are associated with vulnerabilities that are usually unknown and have been designed to bypass existing signature and heuristic detection, so any solution must allow for this possibility.

Assuming that an unknown software programme passes all the tests above, it should be monitored when it runs and any changes it makes should be recorded. If it is subsequently identified as malware, the changes can be rolled back, removing the infection. However, during this period data may already have been uploaded, and this is where data leak prevention (DLP) can play a role. Unfortunately, even DLP may not be able to help when the mechanism for uploading information is encrypted and, in the end, good monitoring of log files and traffic from all relevant sources is essential.

As always, vigilance is essential. Correlating different events can help security teams identify malicious behaviour and catch it early. This is hard to do manually, but organisations need to consider how best to address the problem, as it is a growing threat. Increasingly, the question is not whether a company is infected, but how quickly it can detect that it is.
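The HTTP command-and-control traffic described above is designed to look like ordinary web browsing, but a Trojan polling its controller on a timer leaves a regularity that a human browsing the news does not. The following is an added example, not code from the article, showing how the "monitoring of log files" the author calls for can turn a proxy log into beaconing candidates for an analyst to correlate; the log lines, user names and host names are constructed for the example, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed web-proxy log excerpt for this example (not real traffic).
# Fields: unix_time  user  destination_host  bytes_out
PROXY_LOG = """\
1700000000 alice cdn.example-static.net 512
1700000300 alice cdn.example-static.net 514
1700000601 alice cdn.example-static.net 512
1700000899 alice cdn.example-static.net 511
1700001200 alice cdn.example-static.net 513
1700001502 alice cdn.example-static.net 512
1700000010 alice news.example.org 820
1700000137 alice news.example.org 1200
1700000143 alice news.example.org 45000
1700002900 alice news.example.org 300
1700000050 bob cdn.example-static.net 512
"""

def parse(log_text):
    """Turn whitespace-separated log lines into (time, user, host, bytes) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, nbytes = line.split()
        records.append((int(ts), user, host, int(nbytes)))
    return records

def find_beacons(records, min_hits=5, max_cv=0.15):
    """Return {(user, host): stats} for request series whose spacing is
    suspiciously regular: at least min_hits requests and a coefficient of
    variation (stdev / mean) of the inter-request gap no greater than max_cv.
    Thresholds are assumptions for the example; tune them to your environment."""
    series = defaultdict(list)
    for ts, user, host, _nbytes in records:
        series[(user, host)].append(ts)
    flagged = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            flagged[key] = {"hits": len(times), "interval_s": avg, "cv": round(cv, 4)}
    return flagged

if __name__ == "__main__":
    for (user, host), stats in find_beacons(parse(PROXY_LOG)).items():
        print(f"{user} -> {host}: {stats}")
```

A regular interval is a lead, not a verdict: legitimate update checkers beacon too, so each candidate still needs correlating with endpoint and DNS events, and SSL-encrypted control channels only show up this way because the timing, not the content, is being inspected.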