Security Experts:

Detecting APTs By Analyzing Network Traffic

A new report from Trend Micro highlights how network traffic can be used to detect advanced persistent threats (APTs) through the correlation of threat intelligence.

The paper, 'Detecting APT Activity with Network Traffic Analysis', outlines techniques that can be used to identify command-and-control (C&C) communications related to targeted attacks, explained Nart Villeneuve, senior threat researcher at Trend Micro, who authored the report along with Trend Micro Threat Research Engineer James Bennett.

Analyzing Network Traffic"Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities," he blogged. "Though there are a variety of tools available to attackers, they tend to prefer specific ones. While they can routinely create new malware executables with automated builders and embed them in documents designed to exploit vulnerabilities in popular office software, the traffic generated by the malware when communicating with a C&C server tends to remain consistent."

As examples, the paper cites a number of well-publicized attacks such as Nitro and GhostNet, as well as ongoing campaigns such as Enfal. Also known as "Lurid downloader", Enfal has been used in targeted attacks going back as far as 2006, according to Trend Micro. Several versions of the malware exist, but the communication between compromised hosts and a command and control server remains consistent.

"Enfal makes requests for files that contain any command that the attackers want the compromised computers to execute," according to the report. "These requests can be detected because they follow a specific format that includes two directories, followed by the hostname and MAC address of the compromised computer. This consistent pattern is still detected despite modifications made to Enfal."

In another example, the authors took aim at the Sykipot campaign. While older versions of the Sykipot malware communicated with a C&C via HTTP, newer versions have been spotted using HTTPS, and by 2008, the encryption had made the malware impossible to detect based on URL path. However, the malware remained detectable at the network level because of the use of consistent elements within the secure sockets layer (SSL) certificate, the authors contend. Even when new versions of the malware were detected this year, the SSL certificate on the server remained detectable using an already publicly published SNORT rule.

"[Trend Micro] Deep Discovery specifically detects the SSL certificate Sykipot malware uses," the report notes. "In addition, generically detecting suspicious SSL certificates has proven quite useful at proactively detecting zero-day malware, including the recently discovered Gauss malware. Looking for default, random, or empty values in SSL certificate fields and restricting such detections to only certificates supplied by hosts outside an organization’s monitored network provides a great balance of proactive detection with manageable false positives."

"The ability to detect APT activity at the network level is heavily dependent on leveraging threat intelligence," the report states. "A variety of very successful ongoing campaigns can be detected at the network level because their communications remain consistent over time."

According to the paper, attackers have already begun to adapt. In the case of the Sykipot Trojan for example, which was linked earlier this year to attacks against the aerospace industry, users have switched from utilizing HTTP to encrypted HTTPS communications. This means that pattern matching based on the consistent URL path Sykipot uses can be evaded, the authors note, adding that newer versions of Sykipot have also been seen using different URL paths.

"Modifications made to malware’s network communications can, however, disrupt the ability to detect them," the report concludes. "As such, the ongoing development of threat intelligence based on increased visibility and information sharing is critical to developing indicators used to detect such activity at the network level."

The full report is available here in PDF format.

Related: Why IT Needs New Expertise To Combat Today's Cyberattacks

Subscribe to the SecurityWeek Email Briefing
view counter