Advanced Persistent Threats: Advanced? Really?

Wednesday, September 15, 2010

Pascal Longpre


When we think about an Advanced Persistent Threat (APT), we imagine a sponsored attack, organized by highly skilled hackers having access to zero-day exploits and writing undetectable super stealth code. In some cases, this is actually true and numerous real life examples demonstrate a high level of sophistication.  

But APTs can also take a very simple form and stay undetected for several months before being discovered. Imagine a simple program that copies itself in the user's startup folder and, after the user has logged in, performs a scan of the local disk and network shares.

It zips newly created documents and sends them to a remote server through FTP, HTTP, SSL or any other protocol available. Once this is done, the program unloads and waits for the next time the user logs in.

A high school kid can code this in a few hours. No special knowledge or privilege escalation exploit is required. Metasploit can provide multiple delivery methods through regular email or web browsing.

Signature-based antivirus won't see a thing since the program is not widespread. Even if the program were analyzed, its behavior is no different from a typical cloud backup program and would hardly raise suspicion.

How many users check the programs in their startup folder or "Run" key? How many would dare to delete one program if it was properly named? Probably not many, if any. It could stay there for months or years and cost a few thousand times more in damage to the enterprise than what it cost to develop.

If you are running or are in charge of a large computer network, do you know what is running on your desktop computers? A single executable or driver can be the gateway to your network and you might never notice unless proper detection systems are put in place. 

Locating programs like this on a large network requires a completely different approach to security than what we are used to. To address this, we must not rely on a single approach but throw everything we have at the problem.

By combining advanced rootkit detection, live memory analysis, application whitelisting, process tracking, antivirus, heuristics detection and environment correlation in a comprehensive solution, we can effectively catch these threats as soon as they hit the network. 
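The questions above (who checks the startup folder and "Run" key, and do you know what runs on your desktops) and the allowlisting and environment-correlation pieces of the approach just described can be turned into a concrete triage step. The following is an added example, not code from the original post or its author: it assumes a hypothetical endpoint agent has already exported, per host, the values of the `HKCU`/`HKLM ...\CurrentVersion\Run` keys and the contents of the Startup folders as records with host, location, entry name, image path and SHA-256. The allowlist, hosts, paths and hashes are constructed sample data. Entries whose hash is approved are suppressed; everything else is reported, with extra weight when the image sits in a user-writable location (no privilege escalation was needed to put it there), is seen on only a small fraction of the fleet, or reuses the file name of an approved product without its hash (the "properly named" case).

```python
"""Triage of autostart entries collected from a fleet of Windows workstations.

Added example, not code from the original post or its author. Assumes a
hypothetical endpoint agent has exported, for every host, the Run-key values
and Startup-folder contents as records carrying host, location, entry name,
image path and SHA-256. All records, hashes and paths are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AutostartEntry:
    host: str       # workstation the entry was collected from
    location: str   # Run key or Startup folder it was found in
    name: str       # registry value name or file name
    path: str       # image that will execute at the next logon
    sha256: str     # hash of that image, as collected by the agent


# Hypothetical application allowlist: approved image hash -> image file name.
APPROVED = {
    "1111" * 16: "OneDrive.exe",
    "2222" * 16: "SecurityHealthSystray.exe",
}

# Locations an ordinary user can write to: a program persisting from one of
# these needed no privilege escalation, exactly the scenario in the post.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|users\\public)\\", re.IGNORECASE)


def triage(entries, approved=APPROVED, rare_fraction=0.25):
    """Return {(host, path): (reason, ...)} for entries that deserve a look.

    Allowlisted hashes are suppressed. Every other entry is reported, with
    additional reasons for user-writable paths, low prevalence across the
    fleet (environment correlation) and name collisions with approved images.
    """
    fleet = {e.host for e in entries}
    hosts_per_hash = defaultdict(set)
    for e in entries:
        hosts_per_hash[e.sha256].add(e.host)
    approved_names = {n.lower() for n in approved.values()}

    findings = {}
    for e in entries:
        if e.sha256 in approved:
            continue
        reasons = ["hash not on allowlist"]
        if USER_WRITABLE.search(e.path):
            reasons.append("image in user-writable path")
        seen = len(hosts_per_hash[e.sha256])
        if seen / len(fleet) < rare_fraction:
            reasons.append(f"rare in fleet ({seen} of {len(fleet)} hosts)")
        basename = e.path.rsplit("\\", 1)[-1].lower()
        if basename in approved_names:
            reasons.append("file name matches an approved image but hash differs")
        findings[(e.host, e.path)] = tuple(reasons)
    return findings


def sample_entries():
    """Constructed inventory for five workstations (not real data)."""
    run = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    startup = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
    entries = []
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"], start=1):
        host = f"ws{i:02d}"
        entries.append(AutostartEntry(host, run, "OneDrive",
            rf"C:\Users\{user}\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "1111" * 16))
        entries.append(AutostartEntry(host, run, "SecurityHealth",
            r"C:\Windows\System32\SecurityHealthSystray.exe", "2222" * 16))
        # Legitimate but not yet allowlisted: shows up everywhere, low priority.
        entries.append(AutostartEntry(host, run, "VPNClient",
            r"C:\Program Files\ExampleVPN\vpnclient.exe", "3333" * 16))
    # Two entries present on a single host each, in user-writable locations.
    entries.append(AutostartEntry("ws03", run, "OneDrive",
        r"C:\Users\carol\AppData\Roaming\Updater\OneDrive.exe", "4444" * 16))
    entries.append(AutostartEntry("ws04", startup, "backup.exe",
        r"C:\Users\dave\AppData\Local\Temp\backup.exe", "5555" * 16))
    return entries


if __name__ == "__main__":
    for (host, path), reasons in sorted(triage(sample_entries()).items(),
                                        key=lambda kv: -len(kv[1])):
        print(f"{host}: {path}\n    " + "; ".join(reasons))
```

Run as-is, the two single-host entries come out on top with three and four reasons each, while the fleet-wide VPN client is listed only as an allowlist gap. The prevalence check is what makes this scale: an image that runs on one workstation out of thousands is worth an analyst's time regardless of what antivirus says about it, and the name-collision check catches the "properly named" program the post describes.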

Historically developed for large government organizations, solutions to these threats are now being made available to corporations. Those responsible for security must face the problem and get a deep understanding of what is running on their workstations.

We're way past the point where a firewall and IDS were enough to protect us effectively. 

Cross posted from Silicium Security 

Comment from Diagonal Consulting: Agreed - internal fraud or 'white collar' crime is also a big threat to IT security now. Good blogs discussing this -