The term APT is gaining increasing press coverage, and yet the definition of this growing threat remains unclear to most of the people that I have spoken with in IT and Information Security. I blogged about it earlier, but the description is too short to clarify APT. https://kohi10.wordpress.com/2010/05/16/what-is-this-apt-thing-anyway/
Wikipedia leads with the classic military definition, as APT has a history centered on clandestine infiltration of an enemy’s national, regional or local infrastructure, intelligence gathering, and espionage. They also attempt to describe the Information Security perspective, however the assumption of nation state involvement remains pivotal to the description. This is no longer completely accurate.
APT agents are not the massively distributed, noisy and clumsy malware agents that pervade the Internet. Most malware is built to subvert as many systems in as short a time span as possible in order to maximize target acquisition and short-term profit. Successful APT attacks take the opposite approach, requiring that the attacker be patient, discreet, and make an effort to fly below the radar of the target organization. Because researching, developing and distributing malware for such a tiny audience is both costly and slow, the attacker will be expecting a high-value return at some point in the exercise.
So, what makes APT malware any different from botnet malware? They both grab data, they both try to get the data outside, and they both go after financial and password information while attempting to remain installed and/or hidden. The devil is in the details. Break down the individual components of the term Advanced Persistent Threat:
- Advanced – The criminals behind the threat make use of the full spectrum of intrusion technologies and techniques. They will combine multiple attack methodologies and tools in order to reach and breach their intended target, including social engineering, hardware and software distribution, as well as mixing malware capabilities to create “designer code”.
- Persistent – The criminals will often give priority to specific tasks and targets, rather than seeking immediate financial gain. The real danger of the attack is that it is conducted through long-term monitoring and interaction in order to achieve its defined objectives.
- Threat – The attack is often well-planned, carefully targeted, and professionally orchestrated rather than executed as an automated propagation script. The criminals involved have a specific objective, are experienced, skilled, motivated, organized and well funded.
Some APT Malware Agent Characteristics:
- Small initial executable size.
- Means for hiding its code and active presence.
- Code for lying dormant and triggering activation.
- Mechanism to alert attacker of successful deployment/penetration.
- Mechanism for communicating collected intelligence.
- Update mechanism to receive code changes and add-ons.
- Some may offer backdoor access, vulnerability scanning, and propagation capabilities.
- Activities and communication tend to be low and slow, trying to make as little noise as possible, and appearing like normal or background network communications.
Any attacker can adopt the APT methodology, as long as the drive is present to reach the objectives of the attacker, and the resources to realize the attack are present. There generally must be enough value involved at some point in the operation to tie up some fairly valuable resources during the prolonged lifecycle of the attack.
These resources typically include:
- An exploit that has not been previously published, or has no patch available.
- Defined deliverables, such as:
  - Intellectual Property.
  - Passwords and Account Names.
  - Business Partner Intelligence.
  - Tax, Financial or Personnel records.
  - News-worthy evidence of wrong-doing, illegal, or unethical activity.
  - Further access, possibly to a trusting business/organization/agency.
- Intelligence regarding the target organization:
  - A list of internal targets (the shorter the list, the better).
  - Intelligence regarding the intended targets (organizational up/down links, habits, interests…)
- An infection mechanism for the intended targets:
  - Spear-phishing emailed links to distribution websites.
  - Spear-phishing emailed attachments.
  - Infected removable media (memory card, CD, DVD, floppy, etc.)
  - “Lost” or shared USB keys, PDAs, cellphones, or even laptops.
  - Weaponized file sharing program downloads.
  - Pirated software and key generators.
  - DNS poisoning or route misdirection.
  - Drive-by web downloads.
  - Insider, contractor, or ex-insider infection, collusion, or extortion.
  - Physical break-in or funded staff placement.
  - Other incidents as cover (malware, hacking, partner penetration, WiFi, etc.)
- A specially developed malware agent that has no detection signature and has not been deployed publicly.
APT attackers are typically focused on intelligence gathering, and are interested in remaining installed and operational within the target business for as long as possible, often foregoing the immediate gains offered by the initial target in order to remain a threat for on-going campaigns and much larger prizes. Since insiders of every shade may be part of an APT attack, and the attack is intelligence heavy, expect that the attacker knows something about the environment, the protections and controls in place, and what is and is not “normal” activity. If the organization uses an IDS to monitor communications, assume the attacker knows its make, model and capabilities, and possibly the deployed signatures. That knowledge lets them maximize the chance of undetected execution and judge how much traffic they can generate without causing concern.
Most APT infections that do get detected are caught as botnet infections because they have enabled remote control from the outside. This type of activity tends to be somewhat noisy, and has specific characteristics that show up in IDS or other network logs. An APT agent surreptitiously installed, monitoring passively and collecting intelligence that is emailed out through the company email server, or mixed in with everyday HTTP traffic, is harder to detect and will most likely remain in place longer. The trade-off for the attacker is that results arrive more slowly, since the agent must throttle itself to avoid drawing attention.
Identifying and stopping communication with Command & Control servers or data repositories is key to containing and eradicating the immediate threat posed by this malware type. If it cannot exfiltrate its target intelligence, its immediate threat is reduced. Cutting off that channel could of course trigger secondary damaging capabilities, built in or added on later, such as self-destruction, data scrambling, or total environment disruption/destruction, so containment should be planned with that possibility in mind.
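The “low and slow” communication pattern listed under the agent characteristics above, and the point that an agent hiding in everyday HTTP traffic is hard to spot with volume-based IDS rules, can be turned into a detection rule of its own: look for a client that contacts one external host on a very regular timer with very small requests. The following is an added example written for this post, not the author's code or any vendor's product. The proxy log format (`time client host bytes_out`), the hostnames, the client addresses and the thresholds are all constructed for the demonstration.

```python
"""Beacon detection over constructed proxy log lines.

Flags low-and-slow, regularly timed callouts from one internal client to
one external host. Format, hosts, addresses and thresholds are assumptions
made for this example; tune them against your own traffic baseline.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO time> <client> <host> <bytes_out>".
# 10.1.1.5  = a user browsing normally (irregular gaps, mixed sizes)
# 10.1.1.9  = a quiet agent checking in hourly with ~210-byte requests
# 10.1.1.12 = a noisy bot hammering its C2 with large, bursty uploads
SAMPLE_LOG = """\
2010-05-16T08:00:00 10.1.1.5 cdn.example-news.test 1240
2010-05-16T08:00:07 10.1.1.5 cdn.example-news.test 3310
2010-05-16T08:00:09 10.1.1.5 mail.example.test 812
2010-05-16T08:10:00 10.1.1.5 cdn.example-news.test 2200
2010-05-16T08:47:00 10.1.1.5 cdn.example-news.test 900
2010-05-16T09:30:00 10.1.1.5 cdn.example-news.test 1500
2010-05-16T10:00:00 10.1.1.5 cdn.example-news.test 2500
2010-05-16T08:00:00 10.1.1.9 updates.invalid-host.test 210
2010-05-16T09:00:02 10.1.1.9 updates.invalid-host.test 214
2010-05-16T10:00:01 10.1.1.9 updates.invalid-host.test 209
2010-05-16T11:00:03 10.1.1.9 updates.invalid-host.test 211
2010-05-16T12:00:00 10.1.1.9 updates.invalid-host.test 215
2010-05-16T12:00:05 10.1.1.9 cdn.example-news.test 1800
2010-05-16T08:00:00 10.1.1.12 c2.noisy.test 50000
2010-05-16T08:00:01 10.1.1.12 c2.noisy.test 52000
2010-05-16T08:00:03 10.1.1.12 c2.noisy.test 49000
2010-05-16T08:00:04 10.1.1.12 c2.noisy.test 51000
2010-05-16T08:00:10 10.1.1.12 c2.noisy.test 50500
"""


def parse_log(text):
    """Group (timestamp, bytes_out) records by (client, host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, size = line.split()
        events[(client, host)].append((datetime.fromisoformat(ts), int(size)))
    return events


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A low coefficient of variation means the gaps are nearly identical,
    i.e. the client is calling out on a timer rather than on user activity.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    if m == 0:
        return 0.0, float("inf")  # a burst of identical timestamps is not a beacon
    return m, pstdev(gaps) / m


def find_beacons(text, min_events=5, max_cv=0.1, max_bytes=1024):
    """Return the (client, host) pairs that look like low-and-slow beacons."""
    results = []
    for (client, host), recs in parse_log(text).items():
        if len(recs) < min_events:
            continue  # not enough samples to judge regularity
        recs.sort()
        times = [t for t, _ in recs]
        interval, cv = beacon_score(times)
        small = max(size for _, size in recs) <= max_bytes
        if cv <= max_cv and small:
            results.append({
                "client": client,
                "host": host,
                "events": len(recs),
                "interval_s": round(interval),
                "cv": round(cv, 4),
            })
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The noisy bot at 10.1.1.12 is deliberately not flagged here: its traffic is bursty and large, which is exactly the profile existing volume and signature rules already catch. The hourly, sub-kilobyte check-in from 10.1.1.9 is what those rules miss, and is the one this timer-regularity check reports. In practice you would run this over a longer window, whitelist known software-update and monitoring endpoints, and treat the hit as a lead for investigation rather than as proof of compromise, since legitimate agents also poll on timers.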
Hopefully, this clarifies what an Advanced Persistent Threat is, how they operate, and that this is the most likely future of malware as malware distributors gain experience, cunning and skill. Personally, I hope that this drives the Anti-Virus vendors to step up and develop products that rely less on signatures, and more on detecting the presence of important data and the behaviors exhibited by these malicious programs. I’ve been preaching that line since before I worked at Symantec…