Published on August 25th, 2016 | by Akshay Nayak
Sophistication Redefined: How Breach Detection Techniques Can Stop Even the Stealthiest of APTs
Two weeks ago, Kaspersky Lab and Symantec independently released reports describing an APT group called Project Sauron, providing concrete support to my theory that most hackers are die-hard Lord of the Rings fans.
The group used highly advanced techniques to infiltrate the network and remain undetected. Kaspersky and Symantec released Indicators of Compromise (IOCs), but these are about as useful as a mudguard on a tortoise. According to the reports, Sauron tailored its attacks for different organizations to avoid ending up on blacklists or any reputation-based threat feeds in the event it was detected.
Like Stuxnet, Sauron had the ability to infect air-gapped networks via flash drives. It used Lua scripts with a custom-built interpreter for system reconnaissance and lateral movement. Multiple Lua modules were used and care was taken to use built-in modules and plugins whenever possible. This is actually a commonly observed phenomenon for the next generation of adversaries, who prefer using benign tools or utilities bundled with the operating system as opposed to relying on automated malware scripts to do their dirty work. Doing so enables them to escape detection by Anti-Virus software.
Sauron adopted the best features from the playbooks of other highly advanced groups such as Duqu, Equation, Flame, and Regin, and even developed innovative ways to mitigate detection. Some of the techniques it used were:
- Encryption algorithms unique to each victim
- Different tools, IPs, domains and ISPs for each victim
- Covert channels used for data exfiltration
But the part I found the most intriguing was how this group exfiltrated data. They used two covert channels – DNS and email. While their exfiltration via email was definitely interesting, in this post I’ll discuss how they used DNS channels.
The aforementioned malware used TXT records. One reason for this is that packets with TXT records can carry large amounts of data. The same holds true for some experimental records such as NULL. Such oversized packets really stand out in DNS traffic and can easily be detected. There are some popular DNS tunneling utilities out there like Iodine and DNSCAT2 that can be configured to leverage commonly used record types to appear as normal traffic. But these utilities were designed with the sole purpose of delivering the best data throughput. Their primary use case was to browse the web by bypassing password-protected public WiFi hotspots.
Sauron, on the other hand, used a combination of two custom-built utilities dubbed DEXT (DNS EXfiltration Tool) and NSLU (Name Server Look Up) to exfiltrate data via DNS. This is by far the most complex DNS data exfiltration suite I have come across.
DEXT formatted the data for efficient exfiltration. It had the following features:
- Configurable length of the DNS payload – by keeping queries small, most threat detection tools that look for oversized queries, responses or payloads can be bypassed
- Randomization of payload length – There was an option to randomize the payload length between l/2 and l, where l is the chosen length of the payload. This was done to blend in with normal traffic
- Encoding – Base64 was the default but Base32 could also be used for encoding data to make it harder for DLP solutions to detect anomalies based on Regex matching
NSLU supported multiple record types, with A and PTR as the defaults. Since a good part of most organizations’ DNS traffic consists of A and CNAME records, inspection by network security devices for unusual record types can easily be bypassed.
So, even with this efficient exfiltration technique, could Sauron have been detected? Using Passive DNS to capture, store and analyze DNS traffic would have been one possible solution. One pattern to look for would be DNS queries to strange, previously unseen domain names. However, gazillion-sized DNS logs are useless unless they are monitored on a regular basis. This is further complicated by the sheer size of these logs: it can be a challenge for security analysts and incident responders to sift through massive amounts of data, not to mention the large storage requirements (and DNS happens to be just one of the many hundred protocols traversing the network each day)!
Breach detection software like SS8’s BreachDetect uses advanced behavioral analysis to detect data exfiltration via DNS, among other protocols. BreachDetect’s Time Machine capability proves extremely useful at detecting DNS-based exfiltration both in real time and for past traffic.
BreachDetect solves this two-fold problem of data storage and analysis by not storing packet payloads. Instead, only relevant packet and flow metadata such as TTL values and volume of queries is captured and stored using a novel approach of IPDRs (IP Data Records) and HDRs (High Definition Records). Advanced behavioral checks and heuristics are then applied to this data to detect data exfiltration across covert channels such as DNS.
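To make the detection side concrete, here is an added example of the kind of metadata-only heuristics described above, written for this post and not taken from SS8, Kaspersky or Symantec. It works over constructed passive-DNS records in an assumed `<epoch> <client_ip> <qname> <qtype> <ttl>` layout, approximates the base domain as the last two labels, and uses a `KNOWN_DOMAINS` set as a stand-in for the organization's previously seen domains. The constructed `example.org` queries imitate the DEXT/NSLU traits the post lists (A records, Base32 labels, payload lengths randomized between l/2 and l, a fresh name per query), and the scoring combines previously-unseen domains, label entropy, encoded-looking labels, query volume with no name reuse, and near-zero TTLs, so that no single feature, and in particular no fixed payload length, is relied on.

```python
"""Passive-DNS heuristics for DEXT/NSLU-style exfiltration (added example)."""
import math
import re
from collections import Counter, defaultdict

# Assumed baseline: base domains already observed in earlier passive-DNS history.
KNOWN_DOMAINS = {"example.com", "example.net", "corp.example"}

# Constructed records, not real traffic.  The example.org lines imitate the
# pattern in the post: A queries, Base32 labels of randomised length (l/2..l),
# each query carrying a different chunk, TTL of 1 so nothing is cached.
SAMPLE_LOG = """\
1471795200 10.0.0.12 www.example.com A 300
1471795201 10.0.0.12 mail.example.com A 300
1471795202 10.0.0.13 cdn.example.net CNAME 3600
1471795203 10.0.0.14 www.example.com A 300
1471795204 10.0.0.15 intranet.corp.example A 60
1471795205 10.0.0.15 MFRGGZDFMZTWQ2LKNNWG23TPOBUXE.update-svc.example.org A 1
1471795206 10.0.0.15 NRXXEZLNEBUXA43VNUQGI33MN5ZC.update-svc.example.org A 1
1471795207 10.0.0.15 ONUXIIDBNVSXIIDDN5XHGZLDORS.update-svc.example.org A 1
1471795208 10.0.0.15 OVZCAYTVOQQGSZTDMFZSAYLTEB.update-svc.example.org A 1
1471795209 10.0.0.15 MJUXIIDDN5XHGZLDOR2G.update-svc.example.org A 1
1471795210 10.0.0.12 www.example.com A 300
"""

# Hostname-safe alphabets: Base32 (RFC 4648) and URL-safe Base64.
BASE32_RE = re.compile(r"^[A-Z2-7]+=*$")
BASE64_RE = re.compile(r"^[A-Za-z0-9_-]+=*$")
MIN_ENCODED_LEN = 12  # shorter labels are too often legitimate hostnames


def shannon_entropy(s):
    """Bits per character: random Base32 text nears 5, real hostnames stay low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname):
    """Approximate the registered domain as the last two labels (assumption)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_records(text):
    """Parse the assumed 5-field layout; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, ttl = parts
        records.append({"ts": int(ts), "client": client, "qname": qname,
                        "qtype": qtype, "ttl": int(ttl)})
    return records


def domain_features(records):
    """Aggregate per base domain using only names, types and TTLs (no payloads)."""
    groups = defaultdict(list)
    for r in records:
        groups[base_domain(r["qname"])].append(r)
    features = {}
    for dom, recs in groups.items():
        # Leftmost label of every query that actually has a subdomain.
        leftmost = [r["qname"].rstrip(".").split(".")[0] for r in recs
                    if r["qname"].rstrip(".").count(".") >= 2]
        encoded = [s for s in leftmost if len(s) >= MIN_ENCODED_LEN
                   and (BASE32_RE.match(s) or BASE64_RE.match(s))]
        features[dom] = {
            "queries": len(recs),
            "unique_ratio": len({r["qname"] for r in recs}) / len(recs),
            "mean_entropy": (sum(map(shannon_entropy, leftmost)) / len(leftmost)
                             if leftmost else 0.0),
            "encoded_fraction": len(encoded) / len(recs),
            "mean_ttl": sum(r["ttl"] for r in recs) / len(recs),
        }
    return features


def score_domain(dom, f, known=KNOWN_DOMAINS):
    """Return the heuristics a domain trips; each one alone is weak evidence."""
    reasons = []
    if dom not in known:
        reasons.append("previously unseen base domain")
    if f["queries"] >= 5 and f["unique_ratio"] >= 0.8:
        reasons.append("nearly every query is a distinct name (no cache reuse)")
    if f["mean_entropy"] >= 3.0:
        reasons.append("high-entropy leftmost labels")
    if f["encoded_fraction"] >= 0.5:
        reasons.append("labels look Base32/Base64 encoded")
    if f["queries"] >= 5 and f["mean_ttl"] <= 5:
        reasons.append("TTLs near zero defeat resolver caching")
    return reasons


def detect_exfiltration(text, known=KNOWN_DOMAINS, min_reasons=3):
    """Map flagged base domain -> list of reasons for the records in `text`."""
    flagged = {}
    for dom, f in domain_features(parse_records(text)).items():
        reasons = score_domain(dom, f, known)
        if len(reasons) >= min_reasons:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, reasons in detect_exfiltration(SAMPLE_LOG).items():
        print(f"{dom}: {'; '.join(reasons)}")
```

Run against the constructed records, only `example.org` is flagged, on all five heuristics, while the ordinary `www`, `mail`, `cdn` and `intranet` lookups trip none. Because the post's exfiltration tool randomizes payload length and defaults to common record types, the per-query checks it was built to evade (size thresholds, odd qtypes) are deliberately absent here; the signal comes from aggregating per base domain over time, which is also why the features need only the stored metadata and never the packet payloads.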
Akshay Nayak is a Threat Researcher at SS8. In addition to threat hunting, he likes listening to Bollywood music and playing FIFA. A big Game of Thrones fan, he is one of those people who likes the books better than the TV series.