Monday, September 16, 2013

APT - Advanced Persistent Threat


APT - Highlights 

Advanced persistent threat (APT) refers to the planned, sustained activity of an entity (usually an organized group) with both the capability and the intent to attack a specific target persistently and effectively. The term is commonly used for cyber threats, in particular Internet-enabled espionage that uses a variety of intelligence-gathering techniques to reach sensitive information.

Typically, the intention of an APT attack is to steal data rather than to cause damage to the network or to the organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry. The goal of an APT attack is ongoing access, so it is best characterized as a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period. To maintain that access without discovery, the intruder must blend in with normal user behavior, which means continuously modifying their tools and employing evasion techniques so that neither signatures nor obvious anomalies give them away. Advanced Persistent Threat (APT) actors follow a staged approach, as articulated in the “APT life cycle” diagram, to target, penetrate and exploit the organization. APTs present a greater threat because of their intense attention to preparation and their desire to expand access across the organization’s networks.

Although APT attacks are difficult to identify, the intruder can never be completely invisible: the stolen data has to leave the network at some point. Detecting anomalies in outbound traffic is therefore perhaps the best way for an administrator to discover that the network has been the target of an APT attack.

There is a lot we know about advanced persistent threats, and a lot we do not. This is due in large part to the complexity of the attacks and the stealth of the attackers. Our knowledge about APTs is growing, but unfortunately that is because the attacks themselves are growing in frequency. Attackers using APT techniques want data, so the more valuable an organization’s data, the more likely it is to be targeted. Government agencies and organizations in industries such as finance, energy, IT, aerospace, chemicals and pharmaceuticals are the most likely victims of APT intrusions, as are those involved in international trade. Users and organizations that have access to valuable data through business relationships, such as smaller defense contractors, are also increasingly targeted so that they can be used as an entry point into their more valuable partners’ networks.

Any organization connected to the Internet is at risk.
To protect your organization against APTs, it is important to first understand what an APT is.


Understand the Threat

APTs target specific organizations with the purpose of stealing specific data or causing specific damage. This stands in direct contrast to most historical malware, which wreaks havoc on any randomly infected system. The Aurora/Google attack targeted source code (with possible political motives). The Sony attack targeted personally identifiable information (PII). The RSA attack targeted intellectual property. These were not opportunistic attacks victimizing just any organization with a vulnerability to a given exploit. They were focused campaigns by perpetrators willing to invest time and money to achieve specific objectives. There are two conclusions here.

First, any organization, large or small, with valuable data is a potential APT target.
Second, the more valuable your data, the more likely you are to be targeted. The cybercrime economy is well organized and funded, with attackers investing more to achieve bigger paybacks.


Advanced Persistent Threat (APT) actors follow a staged approach, as articulated in the diagram, to target, penetrate and exploit your organization.



What are the Tactics, Techniques and Procedures (TTPs) that Advanced Persistent Threat actors use?


APT attack patterns 

For a better understanding of the nature of an Advanced Persistent Threat (APT) attack, we need to look closely at the main stages of the attack behavior.
1. Initial Compromise
The attackers first compromise one or more systems. These are often ‘non-critical’ desktops that the information security team pays little attention to. The initial compromise is often achieved through a simple spear-phishing attack: an employee clicks on a link in an email and introduces a malicious software payload into the network. These payloads are typically backdoor Trojans which give the attackers control of the compromised system.

2. Establish Foothold
A foothold is established once the attacker has secured communication between the compromised system and the APT command and control (C2) system outside the target’s network. The backdoor installed in stage 1 initiates the connection to the C2 system. Because the connection originates inside the network, it circumvents the inbound controls on firewalls: many companies block all unsolicited inbound traffic, but blocking outbound traffic is much harder, since users and their applications legitimately need it.
3. Escalation of Privileges
In this phase the attackers begin to increase their privileges on the network by compromising usernames, passwords and other authentication credentials. This may be accomplished using proprietary as well as publicly available tools such as cachedump or pwdump to collect password hashes and cached credentials.
4. Lateral Movement throughout the Network
Once the attackers have obtained elevated privileges they begin to move laterally through the network using connected shared resources. As the goal of the APT attack is to compromise data, the attackers keep moving through the network until they reach it. This movement often masquerades as legitimate traffic, making it difficult to distinguish the APT traffic from normal network traffic.

5. Maintain Network Presence
It is common for the attackers to place malware on many, if not all, of the systems they compromise as they move through the network. In this way, even if one compromised system is identified and cleaned, there are still a number of additional compromised systems that can communicate with the C2.
6. Extract data
It should be noted that this phase can occur at any time after a foothold is achieved. At this stage the attackers have taken control of one or more hosts within the target network, may have established access credentials to expand their reach, and have identified the target data (assuming data was the goal). The only thing left to do is send the data out of the network, either to the command-and-control server or to another storage location under their control. Ultimately the goal is to compromise data of value, so the attackers stay in the network until they have achieved all their objectives. This is the ‘persistent’ part of the attack which makes it so dangerous.
Eventually the attack stops, either because the attackers have achieved their goal or because the victim notices and cuts off the attack. The APT attackers will then often clean up the environment by deleting files and other evidence of their presence. This makes it very difficult for companies to know that they have been compromised and to understand the extent of the damage.
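A concrete check for the stage 1 entry point, as an added example that is not part of the original post: a mail-gateway style link analysis that pulls every link out of an HTML message, compares the domain the reader sees in the link text with the domain the link actually points to, and flags destinations that are not on the organisation’s own domain list or that imitate one of its names. The sample message, the trusted domain list, all hostnames and the two-label “registrable domain” shortcut are assumptions constructed for this example.

```python
"""Spear-phishing link check for stage 1 (added example; everything below is
constructed: the trusted domains, the sample message and the hostnames)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the hypothetical organisation considers its own.
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed message: link 1 shows one URL but points somewhere else,
# link 2 is legitimate, link 3 is a digit-for-letter look-alike domain.
SAMPLE_EMAIL = """<html><body>
<p>Please review your updated benefits statement:</p>
<a href="http://example-corp-benefits.net/login">https://payroll.example-corp.com/login</a>
<p>The handbook is unchanged:</p>
<a href="https://payroll.example-corp.com/handbook">handbook</a>
<p>If you cannot log in, <a href="http://examp1e-corp.com/reset">reset your password</a>.</p>
</body></html>"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname of a URL, or of bare link text such as 'payroll.example-corp.com/x'."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels of a hostname; a stand-in for a public-suffix-list lookup."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:])


def fold(host: str) -> str:
    """Undo the commonest digit-for-letter substitutions before comparing names."""
    return host.translate(str.maketrans("10", "lo"))


def analyse_links(html_body: str) -> list:
    """Return [(href, visible_text, [reason, ...]), ...], one entry per link."""
    parser = _Anchors()
    parser.feed(html_body)
    brands = {registrable(d).split(".")[0] for d in TRUSTED_DOMAINS}
    findings = []
    for href, text in parser.links:
        reasons = []
        real = host_of(href)
        # Only treat the visible text as a URL when it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and registrable(shown) != registrable(real):
            reasons.append("display/href domain mismatch")
        if real and registrable(real) not in TRUSTED_DOMAINS:
            reasons.append("untrusted destination")
            for brand in sorted(brands):
                if brand in fold(real):
                    reasons.append(f"lookalike of trusted brand '{brand}'")
        findings.append((href, text, reasons))
    return findings


def suspicious(html_body: str) -> list:
    """Only the links that raised at least one reason."""
    return [f for f in analyse_links(html_body) if f[2]]


if __name__ == "__main__":
    for href, text, reasons in suspicious(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

The registrable() helper keeps only the last two labels, which is wrong for suffixes such as co.uk; a production filter would use the public suffix list, and would also follow shorteners and redirects, since the link the employee clicks is often one hop away from the page that actually drops the payload.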

Tools of threats 

Advanced Persistent Threat actors may use social engineering, a common tactic, to gain information from your employees that may be useful for their exploitation efforts. Phishing and spear-phishing are particularly effective ways to “deliver” malicious programs. APT actors may use a number of tools throughout the lifecycle shown above, including rootkits, exploit kits, downloader kits, drive-by downloads, DNS and routing modifications, rogue Wi-Fi devices and just about any other method that may prove useful. Some APT actors also have the resources to develop custom hacking tools and prepare zero-day exploits for use.

APT - Players & Strategy 

Who is behind Advanced Persistent Threat

Advanced Persistent Threat actors may be:
  • Nation-state actors
  • Organized criminal actors
  • Corporate espionage actors
  • Terrorists

What separates APT actors from other Advanced Threat actors is the level of their sophistication, organization and resources. Advanced Persistent Threat actors will target a specific organization or entity and perpetrate a sustained campaign until they achieve their goals. The actors’ persistence, adaptability and variability also differentiate APT actors from less organized and opportunistic advanced threat actors.
APT actors may act independently or more likely, as part of a larger team or effort. In the case of teams, activities may be fully compartmentalized much like how a business separates roles, functions and organizations internally.
Advanced Persistent Threat actors manage their efforts with the end in mind. Though the term “advanced” suggests that APT actors always use very sophisticated software and zero-day malware to gain access to your networks, this is not necessarily the case; a well-crafted spear-phishing email and off-the-shelf tools are often enough. The “advanced” refers much more to the programmatic, resourceful approach APT actors take to target, research, attack and exploit your organization.

What motivates Advanced Persistent Threat (APT) actors?

The motives driving Advanced Persistent Threat actors vary greatly. While organized criminal elements may be after information and access that can lead to financial gain, nation-state sponsored actors may be driven by the desire to obtain intelligence, or gain competitive advantage for industry.
Motives include:
  • Gain financial advantage
  • Intelligence gathering
  • Gain competitive advantage for industry
  • Obtain a control foothold for later exploitation
  • Embarrass an organization, damage its reputation, and/or take down its systems
  • Obtain indirect access to a targeted affiliate
  • Others might be:
    1. Ransom - The attacker threatens to publicly disclose the theft if the victim does not agree to pay a ransom.
    2. Share or sell attack methods - Methodologies are shared with or sold to other attackers
    3. Sell information -  The attacker may sell that information to other criminals

What are common targets for Advanced Persistent Threats (APT)?

Advanced Persistent Threat actors target some industries more than others. Generally, APT actors target industries where there is a preponderance of valuable information and assets. Industries deemed particularly attractive by attackers include Financial Institutions, Defense and Aerospace, Entertainment and Media, Healthcare, Manufacturing and Technology.
However, Advanced Persistent Threat actors may target any organization that could yield financial gain, competitive advantage, intelligence or other illicit reward.

Types of targeted information and asset

  • Intellectual Property including inventions, trade secrets, trademarks and patents, industrial designs, research and information on manufacturing processes
  • Classified information
  • Cash and cash equivalents
  • Access credentials
  • Personal customer and employee information
  • Financial information
  • Strategic and product roadmap information
  • Infrastructure access to launch a related exploit or attack
  • Control systems access 
  • Network information
  • Sensitive information including communications that could be embarrassing if disclosed
  • Information on affiliates

The graphic illustrates the relationship between Motivation and Target to the types of Advanced Persistent Threat Actors.

APT Examples 

Probably the most widely publicized example is Stuxnet, a highly sophisticated piece of malware first discovered in June 2010 that has been intensely scrutinized by security researchers worldwide ever since. Stuxnet exploited four zero-day Windows vulnerabilities and spread via USB devices. Unlike the data-theft campaigns described above, its payload searched for specific Siemens industrial control systems and was built to sabotage the equipment they controlled. With the majority of infections found in Iran, the uranium enrichment facility at Natanz is widely believed to have been the main target.
Other examples of APTs include:

Operation Aurora, disclosed in January 2010, in which a zero-day vulnerability in Internet Explorer 6 was used in an attempt to steal intellectual property (source code) and gain access to user accounts at Google, Adobe, Symantec and many other high-profile organizations.

An attack on RSA in 2011, where the APT started from a spear-phishing email sent to a small group of employees at the well-respected security firm. The email carried an Excel attachment containing an embedded Flash object that exploited a then-unpatched Adobe Flash vulnerability to install a backdoor (Adobe has since patched the flaw).

In all of these cases, it is clear that the attackers had substantial financial backing, did a fair amount of reconnaissance and had specific targets in mind.


How to Defend Against APT ?

Prevention is ideal, but detection is a must. Most organizations focus solely on preventive measures, but the problem with the APT is that it enters a network looking just like legitimate traffic and legitimate users, so there is little for a preventive control to block. Only after the attackers are inside do they start doing harm, and that is where detection has to take over.


Based on the new threat vectors of the APT, the following are key things organizations and computer security specialists can do against the threat:

1. Control the user and raise awareness – the general rule is that you cannot stop stupid, but you can control stupid. Many threats enter a network by tricking a user into clicking a link they should not. Limiting the actions users are allowed to take, combined with proper awareness sessions, goes a long way toward reducing overall exposure.

2. Perform reputation ranking on behavior – traditional security tries to classify something as either good or bad, allow or block. With advanced attacks this binary classification does not scale. Many attackers start off looking like legitimate traffic, which means they are allowed into the network, and only once they are in do they turn bad. Since the goal of attackers is to blend in, security specialists need to track behavior over time and rank their confidence in whether it looks more like a legitimate user or more like an attacker.

3. Focus on outbound traffic – inbound traffic is what is usually inspected to prevent attackers from entering a network. That still catches some attacks and remains important, but with the APT it is the outbound traffic that matters more. If the aim is to stop exfiltration of data and information, inspecting outbound traffic (who is talking to which external hosts, how regularly, and how much they send) is how you detect the anomalous behavior that is actually tied to damage to the organization.


4. Understand the changing threat – it is hard to defend against something you do not know about, so security specialists need to understand how the offense operates. If organizations do not keep up with the new techniques and tactics of the attackers, they will not be able to tune their defensive measures to work correctly.

5. Manage the endpoint – while attackers might break into a network at some entry point, they ultimately want to steal information that lives on endpoints. If you want to limit the damage, controlling and locking down the endpoint will go a long way toward protecting the organization.
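The outbound-traffic detection argued for in item 3, together with the two attacker behaviors it is meant to catch (the C2 callback of stage 2 and the exfiltration of stage 6), as an added example that is not code from the original post: a small detector that reads proxy-style log lines, groups them per source/destination pair, and flags connections at near-constant intervals (beaconing), outbound volume above a clipping level, and destinations that no other host on the network talks to. The log lines, hostnames and addresses are constructed for this example, and MIN_HITS, MAX_JITTER_CV and the two volume knobs are assumed values that in practice would be derived from a baseline period.

```python
"""Outbound-traffic anomaly detector (added example). Input is a constructed
proxy-style log, one record per line: 'epoch_seconds src_ip dst_host bytes_out'."""
import statistics
from collections import defaultdict

# Tuning knobs: assumed values; in practice derived from a known-good baseline.
MIN_HITS = 8              # connections needed before judging regularity
MAX_JITTER_CV = 0.05      # std/mean of the gaps; real users are far noisier
VOLUME_FLOOR = 5_000_000  # bytes; absolute floor for the volume clipping level
VOLUME_FACTOR = 20        # ... or this many times the median per-pair volume


def constructed_log() -> list:
    """Constructed proxy log: ordinary browsing plus one beacon and one exfiltration."""
    base = 1379300000
    lines = []
    # Ordinary browsing: three workstations, irregular gaps, small uploads.
    gaps = [37, 410, 95, 1260, 12, 700, 240, 55, 980, 130]
    sites = ["www.example.com", "cdn.example.net", "mail.example.org"]
    for i, src in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        t = base + 17 * i
        for j, g in enumerate(gaps):
            t += g
            lines.append(f"{t} {src} {sites[j % 3]} {400 + (37 * j) % 300}")
    # Backdoor beacon: one host calls a rare domain every ~300 s with little jitter.
    t = base
    for jitter in [0, 2, -1, 3, 0, -2, 1, 0, 2, -3, 1, 0]:
        t += 300 + jitter
        lines.append(f"{t} 10.0.0.21 update-check.example-cdn.biz 512")
    # Exfiltration: another host pushes three large uploads to a rare host.
    for k, size in enumerate([20_000_000, 18_500_000, 22_000_000]):
        lines.append(f"{base + 5000 + 90 * k} 10.0.0.31 files.example-share.net {size}")
    return lines


def parse(lines: list) -> list:
    """'ts src dst bytes' -> (ts, src, dst, bytes), sorted by time."""
    recs = []
    for ln in lines:
        ts, src, dst, nbytes = ln.split()
        recs.append((int(ts), src, dst, int(nbytes)))
    return sorted(recs)


def detect(lines: list) -> list:
    """Return [(src, dst, [reason, ...]), ...] for pairs that look anomalous."""
    by_pair = defaultdict(list)
    for ts, src, dst, nb in parse(lines):
        by_pair[(src, dst)].append((ts, nb))

    sources_per_dst = defaultdict(set)
    for src, dst in by_pair:
        sources_per_dst[dst].add(src)

    # Clipping level for outbound volume: a floor or a multiple of the median pair.
    totals = {pair: sum(nb for _, nb in ev) for pair, ev in by_pair.items()}
    clip = max(VOLUME_FLOOR, VOLUME_FACTOR * statistics.median(totals.values()))

    findings = []
    for (src, dst), events in sorted(by_pair.items()):
        reasons = []
        times = [t for t, _ in events]
        if len(times) >= MIN_HITS:
            # Beaconing: the coefficient of variation of the inter-arrival gaps is tiny.
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean_gap = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
            if cv < MAX_JITTER_CV:
                reasons.append(f"beaconing: {len(times)} hits every ~{mean_gap:.0f}s (cv={cv:.3f})")
        if totals[(src, dst)] > clip:
            reasons.append(f"outbound volume {totals[(src, dst)]} B above clipping level {clip:.0f} B")
        if reasons and len(sources_per_dst[dst]) == 1:
            reasons.append("rare destination: no other host talks to it")
        if reasons:
            findings.append((src, dst, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in detect(constructed_log()):
        print(f"{src} -> {dst}")
        for reason in reasons:
            print("   ", reason)
```

In a real deployment the clipping level and the jitter bound come from a baseline period rather than from the window being inspected, and the grouping should also key on destination IP and port, since a backdoor that rotates hostnames would otherwise show up as many short-lived pairs that never reach MIN_HITS.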


Summary

APT activity is only going to increase in intensity over the next year, not go away. Ignoring the problem just means harm will be done to your organization. The key theme in dealing with the APT is “know thy system/network.” The more an organization and its security specialists understand about their own network traffic and services, the better they can spot anomalies against clipping levels (thresholds set from a known-good baseline), which is the better way to defend against the APT. The ultimate way to make sure an organization is properly protected is to run simulated attacks (penetration testing, red teaming, ethical hacking), see how vulnerable the organization is, and most importantly how quickly the attack was detected.



1 comment:

  1. The Internet is a source of unlimited information that we are all granted access to. But do you know that by connecting yourself to the web your personal information can be exposed to advanced persistent threats? https://www.cybertraining365.com/cybertraining will teach you how to detect such threats and deal with them efficiently so all of your data can be well protected.
