Published on June 18th, 2015 | by admin
The Why, Where and How of an Advanced Persistent Threat
Advanced Persistent Threat or APT has seemingly been the domain of the well-funded hacker, often attributed to government funded and highly organized teams of hackers designed to go after foreign targets. But, just like all technology that starts off only accessible by the wealthy, it seems APTs are filtering down to a more general hacker community, and they will become more prevalent across enterprise verticals. To be prepared for this, we need to look at how we recognize the signs of an APT threat.
Admittedly, the people behind APTs are professionals. They more often than not use the same techniques as legitimate software development companies. They’ll have a requirements list, architectural plans, design specifications and test cases. The creation of an APT is done by experienced and professional coders and when I explain what APTs do and how they impact an organization, you’ll understand why this type of malware is not something knocked up by a kid in his basement, and that it needs to be controlled by much smarter mechanisms.
The Why of an APT
A hacker group will create an APT so they can exfiltrate data. The whole point of an APT is to get information out of your organization and to continue to steal that data for as long as possible.
APTs are not generally about causing damage. (This is one of the reasons that the Stuxnet virus, built to cause damage to Iranian’s nuclear plants, is arguably not an APT.) One of the defining aspects of an Advanced Persistent Threat is that it acts as a Computer Network Exploitation (or CNE) and removes data from a network – an APT by definition doesn’t cause damage to that network.
It does, however, persist.
The Where of an APT
Where do these rather special pieces of malware originate and more importantly, where are they going?
If you look at the history of APT attacks they originated within the government sector. The first use of the term Advanced Persistent Threat has been attributed to the United States Air Force in a meeting in 2006. Various attacks have happened since, many in the government sector, both in the U.S. and other state governments. In 2008, there was a series of APT attacks against the oil industry. In 2011, an APT attack was targeted at the security firm RSA. Most recently, one of the most sophisticated APT attacks to date, nicknamed Carbanak, hit financial institutions and ultimately bagged around $1 billion. This APT displays a move away from stealing data to also stealing money.
Looking at the history of something can often give you an insight into future progression. In the case of an APT we have seen the attacks migrate from government institutions to a more commercial focus. The Google attack of 2010, known as Operation Aurora, allegedly originated in China and purportedly stole intellectual property from Google. The attack was likely politically motivated, as Google had threated to stop censoring the Chinese version of its search engine. The attack, however, resulted in many other American companies being infected and in recent years has extended to the likes of Disney, Johnson & Johnson, and Morgan Stanley.
As we can see from the Carbanak and Google attacks, APTs are becoming mainstream.
The How of an APT
An APT is a highly specialized piece of malware, which uses the perfect storm of spear phishing and zero day vulnerabilities to do its job. There is an enormous amount of research that goes into choosing the target and understanding their IT infrastructure – this is not the cyber attack of an amateur. Understanding the networks of the target is an important part of the process in making the APT attack successful because once inside that network, the information gleaned will be used to make the APT even more persistent.
Zero-day vulnerabilities are a key to the APTs effectiveness and are something the hacking community loves. They are used to exploit holes in software and insert malware. But zero-day vulnerabilities can be costly. For example, iOS vulnerabilities can go for between $100,000 to $250,000. That’s a lot of money, so the link to government being the force behind an APT is fairly obvious. In fact, the security specialist and occasional vulnerability seller GrugQ, has openly stated that he sells vulnerabilities to Western governments.
The vector of choice of an APT attack is a spear phishing email and, in general, this type of threat is on the rise. The Anti-Phishing Working Group or APWG, in their Global Phishing Survey: Trends and Domain Name Use 1H 2014 found that in the first half of 2014, there were almost 124,000 unique phishing attacks across the world. Spear phishing attacks are also becoming quite aggressive, with hackers even following up phishing emails with phone calls to the targeted individuals. An example is the Francophoned attack, where the caller impersonated a high-ranking employee and insisted the phishing email recipient open the attachment immediately – thus infecting the computer.
As far as an APT is concerned, a spear phishing email is the perfect hook into a system. In a spear phishing attack, you are much more likely to get insider information as the person you are targeting will be an individual chosen because they have administrator status or even domain level access privileges. Relying on social engineering as a way of manipulating user behavior has become the method of choice for the APT developer as, let’s face it, humans are fairly easily manipulated.
Once the APT malware is on your network, it does something that other malware does not: it creates backdoors. These backdoors then let the hackers both exfiltrate data out and insert updated versions of the malware in.
One of the other key features of APT malware is that is uses stealth tactics to hide itself. An example is the Etumbot APT backdoor, which in addition to using HTTP transactions which blend with the normal traffic and aren’t obviously malicious, also uses a technique called ‘byte strings’ or ‘string stacking,’ which is a type of obfuscation that allows a programmer to essentially hide software code. This is one of the reasons APT malware is very difficult to detect by normal methods such as anti-malware software.
Bringing an APT into Vision
APT attacks have been the domain of governments and wealthy organizations. But as hacking communities become more collaborative, we should expect to see this type of highly successful attack become more ubiquitous.
As stealth is the key to APT success, we need to make sure we are vigilant to secondary clues that give away APT malware action. We may not be able to locate the malware easily, but there are steps we can take to mitigate its effectiveness.
Firstly, we need to educate our staff about phishing and, in particular, spear phishing emails. Because APT hackers rely on natural human behavior to implant their malware, education about this vector is a vital first step in protecting your organization.
But we should always assume that malware can and will get past the human barrier. Once in situ, the stealth mode of the APT makes it very difficult to detect using traditional security tools. We need to use a more modern approach to security to head off these sorts of sophisticated intrusions, and part of that is having a plan in place to rapidly remediate post-detection.
Comprehensive monitoring coupled with a deep knowledge of company data assets needs to be brought together to spot the APT attack. Visibility through visual analytics is a powerful way to spot unusual behavior within your system. Because APTs work on exfiltration of data, spotting unusual data patterns is one way to determine if you are indeed being targeted by an APT. This determination may not be instant – although alert based systems are a great part of your arsenal – but being able to forensically analyze network communications can let you see the culprit in context. More importantly still, this analysis should be intelligent enough to inform you if the data communication is valid and allowed, or malicious in intent.
APTs may be fast becoming part of the general malware landscape, but intelligent monitoring, coupled with informative communications insight will allow you to play the APT hacker at their own game.