As Advanced and Targeted Attacks Continue, The Key is to Watch What is Leaving Your Organization.
When security managers think of the bogeyman, they should be thinking of the Advanced Persistent Threat (APT). Many consider the term overused, but APTs are probably the most dangerous category of network-based threat to an organization. Low, slow, and stealthy, they cut with a scalpel rather than smash with a club. An APT can infiltrate a network, rob it blind, and leave little trace. Many large corporations in the United States are believed to have an APT problem whether they know it or not. Although APTs are often attributed to government-sponsored groups, or to organizations that can leverage the resources that come with those affiliations, what works for government groups also works for criminal groups. The motive is the same: steal data and corporate secrets.
Ok, so what is an APT? It might help to start with what it is not. In its simplest form, an APT is a means to fraud and theft: an effort by someone to steal something from your network using techniques that fit the situation. Traditionally, people who engage in cyber theft and fraud fall into a few broad categories: bank fraud by stealing your online banking credentials (through phishing), auction fraud on eBay and similar sites, pharma fraud with fake drugs, or the lost prince in Africa who needs a few hundred dollars from you to move his millions out of the country.
Most of us have seen these fraud attempts, which can be clumsy and obvious, but those criminals work on the law of averages. They buy an email list or rent a botnet and send out hundreds of thousands of messages. Most will be caught by spam filters, or the attachments flagged as a virus, and most of those that get through will be disregarded, but a few will find a poor soul who clicks on the attachment or the link. If a few hundred click the link, the margins still work out.
An APT attack usually begins with spear phishing (targeted phishing), which uses the same foundation as many online frauds: the conduit for the attack is typically malicious messaging, an email carrying an infected attachment or link. The difference is that the emails sent to APT victims are crafted and targeted with the help of a deliberate intelligence-gathering effort and delivered with current, often previously unseen, malware, frequently a Remote Access Trojan (RAT, also called a Remote Administration Tool) that gives the attacker control of a machine inside the victim's network.
When a company is targeted by an APT, the attackers are usually looking for something specific. They will do their research and find out about the individuals within the company: who is who, and who might be close to what they are looking for. They will check Facebook pages, find out who their targets' friends are, see what groups or affiliations the targets belong to, and who their contacts are on LinkedIn. They want to send an email that will be opened. The email will seem to come from a real friend of the target or from a legitimate business relationship. It will be sent to a select few, and in many cases both the email and the attachment will be opened.
So what happens when you click on that link or attachment? The vector is an infected attachment within the email. The attachment is loaded with malware (a virus or Trojan) that exploits a vulnerability on the victim's computer, which in turn allows the malware to place a program on the computer that hides itself well and does something. That something is typically a RAT or "backdoor" program designed to conceal itself and help the attacker steal your data. Here is an example.
An email with an Excel attachment is received from a business contact → the attachment is opened → Excel loads the spreadsheet → the spreadsheet contains an embedded, virtually invisible, Flash object → in the background, the Flash player runs the embedded Flash file → the Flash file contains an exploit that overflows a memory buffer in the Flash player → once the overflow succeeds, a malicious program, let us say a variant of the Poison Ivy RAT, is installed on the victim's computer with whatever privileges the user who opened the file has (on many corporate desktops, local administrator), providing a backdoor to "drive" the computer remotely. This Excel-plus-Flash chain is essentially the one used in the 2011 breach of RSA described below.
To the end user, nothing is amiss. Typical fraudsters use this technique too, so what is the difference? Malicious messengers are in an arms race with the antivirus and security companies. The package around the malicious message (a virus or Trojan) can be picked up by the layers of defenses a network should have: the gateway, a UTM, the mail server, the endpoint antivirus, and security patches for the OS and applications. APTs typically use a zero-day, or near zero-day, exploit to plant the RAT on a computer. This means the antivirus companies have not seen it before, so they have no signature to guard against it. Precision-aimed attacks, along with zero-day or near zero-day exploits, are hallmarks of an APT. The people or organizations that design and perpetrate these attacks expect to benefit from them, because they are willing to spend valuable resources to do so: the time to reconnoiter their targets, understand the environments, and, most costly of all, burn a zero-day exploit. Zero-day exploits are precious. Once one is used, discovered, and analyzed, it is forever known, and the antivirus and OS vendors follow with signatures and patches that reduce its effectiveness. Since zero-day exploits are worth money, sometimes a lot of money, APT attacks spend real resources, and the business model suggests that the attackers are getting something more valuable in return for risking the exposure of the exploit.
Once infected, a company will usually not notice there is a problem until it is far too late. Given the surgical precision of APT attacks, the attackers are usually after something specific, and with targeted malicious messaging and zero-day exploits in hand, it is safe to assume they have a good idea where to look for the "stuff" they came for. In the case of the RSA breach, the attackers entered the network via an HR employee's computer, where a backdoor was installed. This gave them a RAT on a computer behind the company's firewalls and allowed them to move laterally, infecting more and more machines until they found the RSA family jewels (data related to its SecurID tokens). The rest is history.
Cleaning up after a mess like this is hard; it is like looking for a needle in a haystack. There are thousands of .dll, .bat, .exe, and other files on a PC that could be the malicious program. The infected computer is a liar, because the malware is programmed never to reveal itself. Smart RATs will disable antivirus, tamper with logging, and make the computer return false information when queried about processes, loaded modules, and kernel state. Once a machine is "owned," one of the few reliable ways to tell is to see what it is saying on the network, observed from a vantage point the attacker does not control (a network tap, a SPAN port, or the proxy and firewall logs) rather than from the host itself. Malicious programs typically need to "phone home," or beacon to a command and control (C&C) server, to do their work, and of course the precious data has to move off the network as well.
APTs usually go unnoticed in the storm of diverse traffic that egresses from a network, and most companies focus their security on what is trying to get in rather than on what is leaving. Often the communications channel back to the perpetrators is tucked into an HTTPS connection (TCP/443), so it is encrypted, looks like a typical SSL connection to a website, and is almost always allowed through the firewall. Because the traffic is encrypted at the infected host, an IDS/IPS cannot inspect its content; what remains visible is the metadata (the destination address, the certificate presented, the timing of the connections, and the volume of data sent), and that is what egress monitoring has to work with. People usually discover they have a problem when others tell them, or when log analysis on applications or databases shows that the data has already been transferred. Confirming that a host is compromised can be a long and tiresome process; once it is suspected, capture what you need for the investigation (a disk image, memory, and the host's network connections), then reformat the box and start fresh from known-good media.
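As an added example (not from the original article), here is a small Python script that applies the point above to constructed proxy log lines: since the payload of an HTTPS beacon cannot be read, it looks at timing instead, grouping outbound connections by source and destination and flagging pairs whose gaps between connections are nearly constant. The log format, the thresholds (`min_hits`, `max_cv`) and the addresses are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy/firewall egress records (not real logs):
# "<ISO timestamp> <src ip> <dst ip:port> <bytes out>"
# 10.1.5.23 -> 203.0.113.10:443 repeats every ~5 minutes (the beacon);
# 10.1.5.23 -> 198.51.100.7:443 is irregular, like a person browsing.
SAMPLE_LOG = """\
2011-04-01T09:00:00 10.1.5.23 203.0.113.10:443 612
2011-04-01T09:00:02 10.1.5.23 198.51.100.7:443 48211
2011-04-01T09:00:09 10.1.5.23 198.51.100.7:443 1903
2011-04-01T09:03:40 10.1.5.23 198.51.100.7:443 77020
2011-04-01T09:05:01 10.1.5.23 203.0.113.10:443 598
2011-04-01T09:09:59 10.1.5.23 203.0.113.10:443 604
2011-04-01T09:11:15 10.1.5.23 198.51.100.7:443 2210
2011-04-01T09:11:16 10.1.5.23 198.51.100.7:443 12044
2011-04-01T09:12:30 10.1.7.9 203.0.113.10:443 640
2011-04-01T09:15:00 10.1.5.23 203.0.113.10:443 611
2011-04-01T09:20:02 10.1.5.23 203.0.113.10:443 602
2011-04-01T09:24:58 10.1.5.23 203.0.113.10:443 599
2011-04-01T09:27:03 10.1.5.23 198.51.100.7:443 30188
2011-04-01T09:27:45 10.1.5.23 198.51.100.7:443 5120
2011-04-01T09:30:00 10.1.5.23 203.0.113.10:443 607
2011-04-01T09:35:01 10.1.5.23 203.0.113.10:443 615
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes_out) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_hits=6, max_cv=0.1):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    For each pair, compute the gaps between successive connections and their
    coefficient of variation (stddev / mean). Human browsing gives a high CV;
    a malware sleep loop gives a CV near zero, and the timing stays visible
    no matter how the payload is encrypted. max_cv is the jitter tolerance.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:  # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "hits": len(times),
                            "period_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {b['src']} -> {b['dst']} "
              f"every ~{b['period_s']}s ({b['hits']} hits, cv={b['cv']})")
```

Run against the sample, only the 203.0.113.10 pair is reported (8 hits, about 300 seconds apart). The same heuristic works on firewall or NetFlow exports; real implants add jitter and long sleep intervals, so the CV threshold and the observation window both need tuning, and a hit is a lead for the analyst, not proof of compromise.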
Responding to an APT Attack
So what to do? If you are a defense contractor, a government site, or a technology company, it would be safe to assume you might already have a problem. Law enforcement and intelligence agencies are very concerned about the state sponsorship of these activities and might be able to tell you whether any of the known command and control nodes they monitor are talking to your IP space.
While the following list is by no means exhaustive, here are a few suggestions to begin with:
1. Identify the family jewels: what information is precious (source code, blueprints for the next stealth fighter, whatever it might be) and the infrastructure that holds it. Segment that infrastructure into its own VLAN and monitor its traffic very closely.
2. Use technologies to proxy all connections leaving that VLAN, including SSL and other encrypted connections, so that traffic is decrypted at the proxy and can be inspected by DLP and IDS/IPS technologies. This requires the hosts in the VLAN to trust the proxy's certificate, and a short list of exceptions for destinations that must not be intercepted.
3. Use very specific egress firewall rules to limit who may communicate the precious information and how. For example, a database server should have no reason to open an SSL connection to a web server in China. Not that the threats are usually so obvious, but you get the gist. This is easier to manage by carving off VLANs that have certain egress access while others do not, with a default-deny rule at the bottom.
4. Make sure the internal networks within the infrastructure are segmented into security zones. Plugging into a network drop at an office should not give access to the precious VLANs. Suggestion number three does not help if the bad guys can bypass it by transferring the data to an administrative PC first and then from there to China. Virtual desktops have some application here: make people use them for critical functions and watch the VM desktops like a hawk.
5. Have a strong patch management and configuration management program for high-risk infrastructure so that the bad guys cannot pick the low-hanging fruit.
6. Establish a logging solution that sends access logs to a Security Event Management tool that watches for suspicious behavior, like copying the entire database and sending it to China.
7. Consider bringing in companies that specialize in APT problems. They have host-based agents that can raise an alarm when they see changes to the computer's registry or program files that match known indicators.
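An added example, not from the original article, that ties suggestions 3, 4 and 6 together: a Python script that checks constructed flow records against an intended zone-based egress policy and flags both policy violations (a database server talking to the internet, an office PC reaching the database VLAN directly) and bulk outbound transfers that the policy technically allows. The zones, addresses, policy and threshold are assumptions made for the example; enforcement belongs in the firewall, and this kind of check is what a SIEM rule over the firewall's own logs would do to catch gaps in the rule base.

```python
import ipaddress
from collections import defaultdict

# Hypothetical network zones (assumed for this example).
ZONES = {
    "db":     ipaddress.ip_network("10.10.0.0/24"),   # database servers: the family jewels
    "app":    ipaddress.ip_network("10.20.0.0/24"),   # application tier and the egress proxy
    "office": ipaddress.ip_network("10.30.0.0/24"),   # user workstations
}

# Intended egress policy: which destination zones each source zone may reach.
# Any address outside ZONES is "internet". The db zone has no route out at all.
EGRESS_POLICY = {
    "db":     {"app"},
    "app":    {"db", "internet"},
    "office": {"app"},
}

# Constructed flow records (not real traffic): "<src> <dst> <dst port> <bytes out>"
SAMPLE_FLOWS = """\
10.10.0.5   10.20.0.12     5432 90000
10.10.0.5   203.0.113.50    443 2000000
10.30.0.44  10.20.0.250    3128 480000
10.30.0.44  10.10.0.5      5432 12000
10.20.0.12  198.51.100.20   443 900000000
10.20.0.12  10.10.0.5      5432 700000
"""


def zone_of(ip):
    """Map an address to its zone name, or "internet" if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, dport, bytes_out) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, nbytes = line.split()
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def audit_egress(flows, policy=EGRESS_POLICY, bulk_bytes=500_000_000):
    """Return alerts for policy violations and for hosts sending bulk data out.

    - "policy": a cross-zone flow the policy does not permit. The firewall should
      have dropped it; seeing it in the logs means the rule base has a gap.
    - "bulk":   total bytes to the internet from one source exceeds bulk_bytes,
      even though each flow is permitted, which is how a copy of a whole
      database leaving through an allowed channel shows up.
    """
    alerts = []
    out_by_src = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # intra-zone traffic is not egress
        if dst_zone not in policy.get(src_zone, set()):
            alerts.append({"type": "policy", "src": src, "dst": dst, "dport": dport,
                           "src_zone": src_zone, "dst_zone": dst_zone})
        if dst_zone == "internet":
            out_by_src[src] += nbytes
    for src, total in out_by_src.items():
        if total >= bulk_bytes:
            alerts.append({"type": "bulk", "src": src, "src_zone": zone_of(src),
                           "bytes_out": total})
    return alerts


if __name__ == "__main__":
    for alert in audit_egress(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the sample data this reports two policy violations (the database server reaching 203.0.113.50, and the office workstation connecting straight to the database server) and one bulk alert for the application server, whose 900 MB to the internet is allowed by the rules but is exactly the kind of transfer suggestion 6 is meant to catch. Only bytes to destinations outside every zone count toward the bulk threshold, so legitimate database-to-application traffic does not trip it.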
The key is to watch what is leaving. I think it has been demonstrated that regardless of how much security awareness training you provide and how closely you patch your machines and update your signatures, if an APT targets you, they will get in. The key is to stop them from getting out, so that the problem becomes manageable. Guard the exit.