Black Hat: Remediating Attacks in the Age of APTs

Black Hat 2012 News

Roughly two months ago, the now-notorious Flame malware burst into the public consciousness, marking another example of a sophisticated threat launched out of the arsenal of nation-states or those working on their behalf. From espionage to data theft by cyber-gangs, there is no shortage of attackers looking to stay under the radar while they pilfer data or cause disruption for the long haul.

Investigating and remediating these types of targeted attacks, argues Jim Aldridge of Mandiant, requires a different kind of approach than when facing more opportunistic hackers. At the upcoming Black Hat conference in Las Vegas, Aldridge plans to take a look at what organizations should be doing in the aftermath of a targeted breach, and how some forethought and planning could make a difference.

"The essence of the talk is really that when you are dealing with a targeted, persistent adversary…remediating that type of an intrusion [requires] a different approach than what most organizations are used to in terms of remediating a quote unquote security incident," he said.

One of the keys for organizations is understanding the attack lifecycle: the phases of an advanced persistent threat (APT) campaign as they tend to unfold. There are several stages, ranging from reconnaissance to the initial compromise to moving laterally across the network to compromise systems and steal data. Understanding the lifecycle of APTs allows companies to plan their response more effectively while they are under attack, and offers a guide for those not under attack to plan security initiatives ahead of time, he said.

Enterprises need to focus on making their environment "investigation ready," he said.

"Think about if I were to have an intrusion right now, how would I be able to respond to that, and then start filling in the gaps in visibility," he explained.

There are a number of logs organizations should pay attention to so they are ready to conduct, or assist with, an investigation into a breach. Two key examples are DHCP logs and DNS logs, which he said could be critical. Both only help if they are retained long enough to cover the window an investigation will ask about; the examples he gives reach back five days and six months.

"Do you have the DHCP logs so that if your investigation team identifies communication related to a particular IP address that happened maybe five days ago, do you know what host that equates to on the network? Are you going to be able to figure that out? If not, it can really hamper the investigation," he said.

DNS logs can likewise help with tracing the steps of an attack.

"For example, law enforcement contacts you and tells you that they observed three of your IP addresses communicate with a particular domain that is associated with known state-sponsored attacker activity," he said. "This occurred six months ago. If you had DNS logs, you could quickly go determine which systems resolved that domain name and use that as a starting point for an investigation. These may be more useful than firewall logs, as the IP address to which the domain name points may have changed. Without DNS logs, you can’t quickly identify the infected systems. If the attacker has changed malware since then, and is using new command-and-control domains, you may never see resolution of the old ones."
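As an added worked example (not code from the article or from Mandiant), the following Python script performs the two lookups Aldridge describes, over constructed DHCP lease events and DNS query records: given an IP address and a time, which host held that address; and given a domain, which hosts resolved it, joined through the DHCP history so the answer is a hostname rather than an address that may since have been reassigned. The log formats, hostnames, MAC addresses, IP addresses and the domain are all made up for this example; real sources (a dhcpd leases file, Windows DHCP audit logs, a resolver's query log, passive DNS) need their own parsers, but the join is the same.

```python
"""Join DNS query records to DHCP lease history so that a client IP address at
a point in time resolves to a host.  Added example with constructed log
formats; not the article's or Mandiant's code."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed DHCP lease events: "<ts> LEASE|RELEASE <ip> <mac> <hostname>".
# 10.1.2.50 is deliberately reused by a second host the day after it is released.
DHCP_LOG = """\
2012-01-14T07:58:10Z LEASE   10.1.2.50 00:11:22:33:44:55 ws-finance-07
2012-01-15T18:02:00Z RELEASE 10.1.2.50 00:11:22:33:44:55 ws-finance-07
2012-01-16T08:10:31Z LEASE   10.1.2.50 66:77:88:99:aa:bb ws-hr-12
2012-01-16T08:11:05Z LEASE   10.1.2.51 cc:dd:ee:ff:00:11 ws-eng-03
"""

# Constructed resolver query log: "<ts> <client ip> <qname> <qtype> <answer>".
# The suspect domain's A record changes mid-month, and one client (10.1.2.77)
# has no DHCP coverage at all.
DNS_LOG = """\
2012-01-15T03:12:44Z 10.1.2.50 update.example-c2.test A 203.0.113.10
2012-01-15T03:13:02Z 10.1.2.51 www.example.test       A 198.51.100.7
2012-01-16T22:40:09Z 10.1.2.50 update.example-c2.test A 203.0.113.10
2012-01-20T11:05:33Z 10.1.2.51 UPDATE.example-c2.test A 198.51.100.99
2012-01-21T02:00:00Z 10.1.2.77 update.example-c2.test A 198.51.100.99
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Lease:
    start: datetime
    end: Optional[datetime]  # None while the lease is still open
    ip: str
    mac: str
    host: str


def parse_dhcp(text: str) -> list[Lease]:
    """Turn LEASE/RELEASE events into intervals.  A new LEASE of an address that
    is still open closes the earlier interval: the server reassigned it."""
    leases: list[Lease] = []
    open_by_ip: dict[str, Lease] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, ip, mac, host = line.split()
        t = parse_ts(ts)
        if event == "LEASE":
            if ip in open_by_ip:
                open_by_ip[ip].end = t
            lease = Lease(t, None, ip, mac, host)
            leases.append(lease)
            open_by_ip[ip] = lease
        elif event == "RELEASE" and ip in open_by_ip and open_by_ip[ip].mac == mac:
            open_by_ip[ip].end = t
            del open_by_ip[ip]
    return leases


def host_for_ip(leases: list[Lease], ip: str, when: datetime) -> Optional[tuple[str, str]]:
    """(hostname, MAC) that held `ip` at `when`, or None when no lease covers
    that instant, i.e. the DHCP history has a gap for the question asked."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when and (lease.end is None or when < lease.end):
            return lease.host, lease.mac
    return None


def resolutions_of(dns_text: str, domain: str) -> list[tuple[datetime, str, str]]:
    """Every (time, client ip, answer) where `domain` was resolved.  DNS names
    are case-insensitive, so case and trailing dots are normalised first."""
    wanted = domain.rstrip(".").lower()
    hits = []
    for line in dns_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype, answer = line.split()
        if qname.rstrip(".").lower() == wanted:
            hits.append((parse_ts(ts), client, answer))
    return hits


def attribute_resolutions(dns_text: str, dhcp_text: str, domain: str) -> list[dict]:
    """Join the two sources: for each resolution of `domain`, the host that held
    the client address at that moment (None when DHCP coverage is missing)."""
    leases = parse_dhcp(dhcp_text)
    rows = []
    for when, client, answer in resolutions_of(dns_text, domain):
        who = host_for_ip(leases, client, when)
        rows.append({"when": when.isoformat(), "ip": client, "answer": answer,
                     "host": who[0] if who else None, "mac": who[1] if who else None})
    return rows


if __name__ == "__main__":
    rows = attribute_resolutions(DNS_LOG, DHCP_LOG, "update.example-c2.test")
    for r in rows:
        print(f"{r['when']}  {r['ip']:<10} -> {r['host'] or '<no DHCP lease on record>'}  (answer {r['answer']})")
    # One client address maps to two different hosts, and one domain produced two
    # different answers; a firewall search keyed on the first answer would miss the later hits.
    print("hosts:", sorted({r["host"] for r in rows if r["host"]}))
    print("answers seen:", sorted({r["answer"] for r in rows}))
```

Run stand-alone, the script prints four resolutions of the suspect domain: two from 10.1.2.50 that belong to different hosts because the address was reassigned in between, one from ws-eng-03 after the domain's A record had changed, and one from 10.1.2.77 that cannot be attributed because no lease covers it. That last row is exactly the "gap in visibility" to go and fill before an incident, not during one.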

Aldridge added that organizations should also pay attention to logs related to authentication, and take preventive measures such as removing local administrator rights from users who do not need them. The idea is for organizations to look for ways to inhibit attackers as much as possible and detect them when they have found their way inside.

"I call it inhibit not prevent, because in the end if the adversary has the will and the means they are going to eventually get through some of the defenses," he said.