Recently, SecureState was asked by SecureWorld Expo to sit on a panel on the "Advanced Persistent Threat".
One thing made abundantly clear during the conference was that there is a lack of knowledge about what an Advanced Persistent Threat (APT) actually is.
There are many factual websites, blogs, and articles out there that give a good explanation; however, I wanted to take the opportunity to go over a few of the questions that were asked.
What is an APT?
Think of an APT as a group or nation with both the intent and the capability to target and breach a specific entity. An APT can be thought of, in a sense, as a terrorist cell. The members of a cell work together but do not have a complete picture of what is going on; each plays a specific part in a larger operation. In this case, that operation is breaching a high-value target. These groups tend to be extremely well funded and incredibly talented.
A true APT has close to, if not exactly, a 100% penetration rate against the largest corporations and governments in the world. It should be noted that the attacks themselves range from simple social engineering to a zero-day exploit. These attackers will use any attack method that works to penetrate an organization, and once they are in, they make every effort to blend in with normal traffic and avoid detection. The goal of a true APT is not to bring down a business, but to siphon information slowly and stay embedded within the organization.
Another way to think of it is this: a corporation can never match the budget of these groups. There is a lot of money in cyber crime and espionage, and as long as that remains the case, we are fighting a losing battle. In fact, digital forensics and incident response are, by nature, a sign that we have already lost the battle. How do you stop criminals who are better funded than, and at least as talented as, the good guys?
True APTs make most white hats look like script kiddies. While most penetration testers focus on public exploits that have been around for ages, or simply run vulnerability scanners, these groups are breaking into companies at an alarming rate and coming up with new attack vectors.
What can organizations do immediately to put them in a better position to investigate an APT breach?
Given enough time and resources, a skilled attacker will always find a way in. So how do companies deal with this? Companies need to have an Incident Response Program (IRP) in place. A successful IRP brings the needed resources together in an organized manner to detect and deal with an adverse event affecting the safety and security of personnel, systems, and data. An IRP should also be tested thoroughly to evaluate how the organization actually responds to incidents in its environment, not just how the plan says it will.
How has the APT evolved over the years?
Advanced Persistent Threats have evolved in the sense that more money is being put behind these criminals. When it comes to national-level espionage, these groups have a virtually unlimited budget and some of the best hacking minds in the world working together to compromise the target.
Which APT technique is the hardest to investigate?
This was an actual question posed. Sarcastically, I would say the hardest ones to detect are the ones that are currently undetected by our government. More seriously: once an APT breaks into a network, it burrows down and blends in with normal traffic, which makes it extremely difficult to detect, and there is no single technique to look for.
For one target, a social engineering technique could be used; another target could require an exploit that hasn't been seen in the wild. The question is hard to answer in the sense that an APT is a constant threat using a multitude of techniques; there is no one person behind it, and there is no one method that can be used to detect it. There are a lot of vendors that advertise "Our product prevents an APT". I immediately question this; how can you offer APT protection when, by making a statement like that, you clearly have no idea what an APT actually is?
A company that is worried about APTs should perform proper data classification and implement a Data Loss Prevention (DLP) solution that monitors the classified data. Proper egress restrictions should also be put in place, and on top of this, a company should practice readiness and response.
How do you effectively share indicators of APT compromise? Should these be classified?
It depends. If proper policies and procedures are in place after Data classification, Risk, Impact, and Prioritization (DRIP) has been completed, then those policies and procedures will dictate whether indicators are shared and whether they should be classified. This is a business decision that should be made ahead of time, not in the middle of an incident.
What are the most common attack vectors?
APTs have a 100% penetration rate for a reason: they are extremely good at what they do, and if they want your information, they will most likely obtain it. Very few companies follow strict guidelines and have the proper controls in place to limit the information lost during a breach. But what are the most common attack vectors?
As stated before, there is no one attack; an APT could use social engineering, SQL injection, missing patches, or any other vulnerable area within your company to obtain a foothold. Once the initial foothold is gained, it is game over. Ultimately, the environment determines which type of attack is used; an attacker is going to take the easiest, most efficient path of least resistance into the network.
Why isn’t traditional AV effective against APTs?
Antivirus has inherent flaws, most of which stem from it being almost entirely signature based. SecureState released a program called syringe, which bypasses the majority of antivirus products on the market, and it was developed in less than a week by one programmer.
Now, imagine what a group of programmers could do with an unlimited budget and time frame. The major flaw with AV is that it is signature based, so a new attack or a new piece of malware goes undetected until a signature for it is written and distributed. Once a piece of malware is detected by AV, its creator can simply alter the program until it is no longer detected. For instance, during one assessment, SecureState used a Python script called "reverse.py" to test a popular AV solution.
The script was flagged immediately; however, after splitting the file up and scanning each portion, SecureState eventually found that the signature was matching a string of text in the comment section of the script. Simply removing that string allowed the script to execute without being detected, with its functionality unchanged. There are other types of antivirus, such as heuristic-based engines, which tend to be more effective at catching modified or previously unseen malware.
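The split-and-rescan procedure above can be done systematically rather than by hand. The following is an added example, not SecureState's code and not their reverse.py: it binary-searches for the smallest prefix of the file that is still flagged, then the latest start offset that is still flagged, which pins down the triggering bytes in about 2·log2(n) scans instead of one per chunk. The scanner here is a constructed stand-in that flags any file containing one fixed byte string (a real engine would be invoked on each candidate slice written to disk), and the sample script is a benign, constructed skeleton whose only "bad" content is a comment line.

```python
"""Locate the bytes a signature-based scanner keys on, then strip them.

Added example (not the article's reverse.py). The scanner is simulated:
`fake_scanner` flags any data containing SIGNATURE, which models a plain
substring signature. Real engines are called via their CLI on a temp file.
"""
from typing import Callable, Optional, Tuple

# Constructed signature: a comment line the (simulated) AV matches on.
SIGNATURE = b"# reverse shell by example author"

# Constructed, benign stand-in for the flagged script. Only the comment
# line is "malicious" as far as the simulated scanner is concerned.
SAMPLE_SCRIPT = b"""#!/usr/bin/env python
# reverse shell by example author
import socket
HOST, PORT = "192.0.2.10", 4444  # TEST-NET-1 address, never routed
print("would connect to", HOST, PORT)
"""


def fake_scanner(data: bytes) -> bool:
    """Simulated AV verdict: True means 'detected'."""
    return SIGNATURE in data


def find_signature(data: bytes, scan: Callable[[bytes], bool]) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the minimal slice that `scan` still flags.

    Assumes the verdict is monotone (a superset of flagged bytes is still
    flagged), which holds for substring signatures but not for hash-based
    or multi-part ones; for those, the window returned is not meaningful.
    """
    n = len(data)
    if n == 0 or not scan(data):
        return None
    # Smallest prefix length `end` such that data[:end] is flagged.
    lo, hi = 1, n
    while lo < hi:
        mid = (lo + hi) // 2
        if scan(data[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo
    # Largest `start` such that data[start:end] is still flagged.
    lo, hi = 0, end - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if scan(data[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return lo, end


def in_comment(data: bytes, start: int, end: int) -> bool:
    """True if the window sits on a line that begins with '#'."""
    line_start = data.rfind(b"\n", 0, start) + 1
    return data[line_start:end].lstrip().startswith(b"#")


def strip_window(data: bytes, start: int, end: int) -> bytes:
    """Remove the flagged bytes; safe only when they are not executable code."""
    return data[:start] + data[end:]


if __name__ == "__main__":
    window = find_signature(SAMPLE_SCRIPT, fake_scanner)
    print("flagged window:", window, SAMPLE_SCRIPT[window[0]:window[1]])
    print("inside a comment:", in_comment(SAMPLE_SCRIPT, *window))
    print("still detected after strip:", fake_scanner(strip_window(SAMPLE_SCRIPT, *window)))
```

The point for defenders is the same one the article makes: a signature that keys on a comment, a string constant, or any other bytes the attacker can freely change is neutralized in minutes, and the number of scans needed scales with the logarithm of the file size, so the cost to the attacker is negligible.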
What are the best defenses against APTs?
TESTING! Always test your environment and your policies. An APT is never going to be stopped outright, but the damage can be limited. In an ideal world, every company would have everything baselined, so that any change made to the environment could easily be detected. On top of this, proper egress filtering would be in place, so only traffic that needs to get out is allowed out.
Along with applying the principle of least privilege, a company can dramatically reduce its risk. However, if all of these controls are in place, does that mean you are safe? Nope. So, what is another great defense against APTs? EDUCATION. Constantly educate your employees on the dangers of clicking a suspicious link, or giving their password to someone who seems legitimate over the phone.
Education and testing are the two most important things a company can do to reduce the risk of being compromised by an Advanced Persistent Threat.
SecureState has conducted various APT scenarios and simulations for our clients. For example, SecureState has created custom-coded malware, tailored to the client's environment and business, that anti-virus and other detection tools did not catch.
SecureState has used phishing and other social engineering techniques to deploy this code, which allowed us to gain access to critical systems and corporate data, all over a remote connection.
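The baselining point above (know what your environment looks like so that any change stands out) is the simplest form of file integrity monitoring. The following is an added example, not SecureState's code: it records a SHA-256 digest for every file under a directory, then compares a later snapshot against that baseline and reports files that were added, removed, or changed. The directory tree and the "tampering" are constructed in a temporary directory so the example runs offline.

```python
"""Baseline a directory tree and report changes against that baseline.

Added example, not SecureState's code. The sample tree and the tampering
are constructed in a temporary directory; on a real host the baseline must
be stored somewhere the attacker cannot rewrite (off-host or signed).
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = hash_file(full)
    return snapshot


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Files present only in `new`, only in `old`, or in both with a different digest."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root: str, rel: str, content: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline, then simulate an intruder's changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/sshd", b"original binary")
        _write(root, "etc/config.ini", b"debug=0\n")
        before = baseline(root)
        # Simulated tampering: service binary replaced, a hidden file dropped,
        # config left untouched.
        _write(root, "bin/sshd", b"trojaned binary")
        _write(root, "bin/.cache", b"beacon")
        after = baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Digests alone do not say whether a change was authorized; the value comes from pairing the report with change management, so that every entry under "changed" or "added" either matches an approved change or becomes an incident.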
Cross-posted from SecureState. Chris Kimmel is a consultant on the Forensics Team.