APT (advanced persistent threat) attacks have been in the press since 2006, but are only now gaining real media attention due to recent high-profile attacks, and IT teams must prepare to deal with these threats before they become commonplace. Some security practitioners consider APT an “overblown marketing term” and others will argue that it only affects the military or government agencies. In the military, the term APT has been used to describe a process of maintaining intelligence operations and conducting information warfare against an enemy. In information security terms, hundreds of companies around the world have been completely and utterly compromised by information security APTs, which allow hackers to mine and exfiltrate sensitive corporate data under the security radar, over an extended period of time.
In information security, these are targeted attacks launched using malware vectors, and as their name implies, they employ zero-day (unreported) vulnerabilities, advanced coding practices, and automated behaviors to increase the effectiveness of their penetration capability, covert operation, and continued existence. They are persistent, both in attacking their target and in remaining in operation, often for years. Once inside the organization, APTs are not easily detected, contained, or removed. Victimized companies will often continue with their daily business unaware of the problem, and when the APTs are eventually detected, they are often misdiagnosed as other, less impressive malware and given an incorrect or incomplete treatment. If the malware agent is unable to communicate with its Command & Control (C&C) center, it will often attempt to reach another one, or use another communication channel or method to quietly squawk away your secrets.
Not every malware infection indicates an APT attack. Consultants are tempted to identify every bot-agent or Trojan found as an APT and dream up long-term, radical incident handling and remediation engagements from unseen and unknown attackers. I’ve had to disagree more than once with consultants and responders on whether APT was part of an active security event. The first step in handling an APT attack is understanding what separates it from a targeted hacker or a classic malware agent. Once it is properly defined and understood, detecting and eliminating these kinds of attack tools can become easier.
APT attacks started to be reported by the mainstream press in January 2010 with Google’s announcement of a major APT incident, and continue with the more recent RSA compromise involving theft of information concerning SecurID technology. That particular breach has been followed by serious reaction and concerns from users of the technology. The impact and aftermath of that incident are still unfolding. The hacking group Anonymous’ HBGary email leaks show that Dupont, Disney, Johnson & Johnson, Sony, and GE have been affected, along with several law firms and insurance companies. Global financial companies and banks have also been impacted by the APT threat. McAfee recently revealed that the world’s biggest oil and energy companies have also become victims.
Finding, containing and eliminating an APT attack requires careful advance planning and stealthy implementation to avoid alerting the attackers to your defensive maneuvers. The Canadian government had to isolate its largest financial departments, blocking access to and from the Internet in order to contain an APT threat and repair the damage that it caused. In every single case that I am aware of, the targeted organizations had actually been under attack for months or even years, undetected.
The attackers are selecting their targets very carefully. Where other malware vectors tend to be arbitrary, finding targets of opportunity, APT attacks are aimed precisely at targets of choice. The attackers spend a fair amount of time researching and learning about the organization that they are about to attack: its personnel, its market, its interests, its hierarchy, its policies and culture. They will custom build the installation routines and the malware agent to virtually eliminate the potential for anti-virus and other detections. There will be no signatures for the malware, and they will rarely use that particular agent anywhere else simultaneously. The attack itself will be well planned, often using social engineering tricks to get the program inside the perimeter. Users will be targeted specifically, sometimes through their personal home email and less protected home networks, to get onto laptops, USB sticks and other media that can make their way into the workplace. Insiders may be used, and not just the ones that you screen and hire. You may be the target, but an upstream business partner, downstream service provider, or consultancy may do the hiring. Your network may even serve initially as a conduit to the real target: a business partner, a consultant that works for both you and the ultimate target, or a shared service provider. Consider yourself a current target if you hold sensitive information beneficial to foreign governments, or have relationships with those who do.
Key target characteristics include:
- .mil and .gov sites.
- Defense Department contractors and subcontractors.
- Infrastructure companies, including finance, power and water.
- Individual CEOs, leaders of powerful enterprises or government agencies, and their staff.
- Personal information of other possible targets, such as freedom of speech activists or politicians.
- Holders of trade secrets of great value, such as intellectual property or patents that may be sold for high returns.
- Relationships with other organizations that embody one or more of the above characteristics.
How do you prepare for an APT attack?
The target of APT attackers so far has not been financial gain, even when they break into banks. They are currently targeting information, aiming to take all valuable intellectual property from a victim and transfer it to a “safe harbor” country, either to use for competitive advantage or to sell to others for profit. This behavior may evolve, and other attackers may begin to adopt some of the APT authors’ tricks, mechanics, and code base. Since every APT attack so far has varied, there is no single defensive plan of action. Still, the following outline (based on Roger Grimes’ 11-step plan) should provide a good starting point for any security program that is preparing for an APT attack.
- Build threat models based on past attacks against weaknesses in the environment. This will help identify where to start building defences and cleaning up messes.
- Implement a hardware and software asset management solution to better understand what makes up your environment.
- Follow change management best practices, and consider a change control solution. Change management is a process, and change control is a tool.
- Implement least-privilege, authentication, and access controls. Give users access only to resources they need to do their jobs.
- Delegate domain admin rights rather than assigning them outright.
- Implement configuration management, and audit against standards. Track your approved deviations, and watch for changes to your environment.
- Harden computers following vetted security guidance, like that offered through NIST or CSI.
- Deploy a vulnerability management solution to scan, identify, and remediate vulnerable hosts.
- Patch everything, especially browser add-ons and common or popular applications.
- Implement application controls and whitelisting to stop malicious programs from entering the environment unnoticed.
- Enforce strong password policies, with longer, complex passwords for standard user accounts. Use two-factor authentication if long passwords are a problem.
- Implement an enterprise log management system, aggregating and correlating logs with comprehensive auditing and alerting.
- Isolate security domains and hosts. If computers shouldn’t be talking to each other, don’t let them.
- Deploy and manage host-based or network-based intrusion detection or prevention systems (HIDS/NIDS/HIPS/NIPS). Keep those signatures up to date.
- Make sure antivirus scanners are checking for updates daily, set their heuristics to high, and scan on a regular basis. Tomorrow’s signature may detect yesterday’s malware.
- Educate users about common security risks, such as Windows, Adobe and Java exploits, fake antivirus warnings, phishing sites, Trojan downloads, etc.
- Monitor your network closely. Implement sensors and watch traffic patterns. Know what is “normal” and investigate anomalies.
- Develop and update incident response processes and procedures for the most common and disruptive incident types. Run exercises.
In a very large environment, fixing everything at once is simply impossible. The list is just too long to apply broadly, and the best solutions are not cheap. Instead, identify the company’s “crown jewels”, those intellectual property items that are critical to the organization’s well-being and continued operation, and expend initial efforts planning a monitoring and response strategy that focuses on protecting those parts of the network as the highest priority. As time and budgets permit, plan to expand these detective, preventative, and reactive controls out towards less risky, but still important assets. Devise a layered defense strategy that can be scaled to match your environment.
How do you identify an APT attack?
In a word, monitoring. In more detail, you will need to plan and implement a monitoring strategy, create a baseline of “normal” traffic, and review logs in detail. This kind of monitoring requires an IDS/IPS solution, may include host-based IDS/IPS on sensitive servers and endpoint security solutions on desktops, and should also make use of log management and event correlation tools. This is an advanced threat, and it will require advanced detection and response efforts. Hardware firewalls at the perimeter are not going to do this level of logging for you without impacting performance.
Examine where your data and email are flowing, both internally and externally. Look for anomalies, things that stand out as unusual traffic patterns, like increased or repetitive connections, foreign IP addresses, regular, periodic or consistently timed connection events, web connectivity when the user is not there, use of unusual protocols or ports, encrypted network traffic, anything that does not fit your organization. Do this for your baseline too, because you may already have been compromised. Data Leakage Prevention tools can also monitor the network for unapproved communications, specific data patterns, and special key words. Integrity monitoring and change control tools can also go a long way to identifying and even preventing APT attacks. These tools can be used to monitor files on disk and in memory for unexpected changes, and may prevent unauthorized software from being loaded onto systems.
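As an added illustration of the traffic checks described above (example code written for this page, not part of the original article), the following Python script profiles a constructed connection log per source/destination/port flow and flags the regular, consistently timed connections, off-hours activity and unusual ports that the text calls out. The log format, the business-hours window and the thresholds are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): timestamp,src,dst,dport,bytes
SAMPLE_LOG = """\
2011-05-02T02:00:05,10.1.4.22,203.0.113.9,443,612
2011-05-02T02:30:06,10.1.4.22,203.0.113.9,443,598
2011-05-02T03:00:04,10.1.4.22,203.0.113.9,443,605
2011-05-02T03:30:05,10.1.4.22,203.0.113.9,443,611
2011-05-02T04:00:06,10.1.4.22,203.0.113.9,443,602
2011-05-02T04:30:05,10.1.4.22,203.0.113.9,443,599
2011-05-02T09:12:41,10.1.4.30,198.51.100.20,80,18231
2011-05-02T09:13:02,10.1.4.30,198.51.100.20,80,2211
2011-05-02T10:47:19,10.1.4.30,198.51.100.20,80,9020
2011-05-02T13:05:55,10.1.4.30,198.51.100.20,80,4402
2011-05-02T15:31:07,10.1.4.30,198.51.100.20,80,7730
"""

BUSINESS_HOURS = range(7, 19)         # assumed local working hours for this site
COMMON_PORTS = {80, 443, 53, 25, 110}  # protocol ports the article says APTs hide inside
MIN_CONNECTIONS = 5                   # fewer events cannot establish a schedule
MAX_JITTER = 0.10                     # stdev/mean of gaps; lower = more machine-like


def parse_log(text):
    """Group connection timestamps per (src, dst, port) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, _nbytes = line.split(",")
            flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def flow_profile(times):
    """Measure interval regularity and off-hours activity of one flow."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.fmean(gaps) if gaps else 0.0
    jitter = statistics.pstdev(gaps) / mean if mean else 1.0  # no gaps: treat as irregular
    off_hours = sum(t.hour not in BUSINESS_HOURS for t in times)
    return {"count": len(times), "mean_interval_s": mean, "jitter": jitter, "off_hours": off_hours}


def find_beacons(text):
    """Return flows that look like scheduled C&C check-ins, with the reasons."""
    findings = []
    for (src, dst, port), times in parse_log(text).items():
        if len(times) < MIN_CONNECTIONS:
            continue
        p = flow_profile(times)
        reasons = []
        if p["jitter"] <= MAX_JITTER:
            reasons.append(f"regular ~{p['mean_interval_s']:.0f}s interval")
        if p["off_hours"] * 2 > p["count"]:
            reasons.append("mostly outside business hours")
        if port not in COMMON_PORTS:
            reasons.append(f"unusual port {port}")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port, "reasons": reasons, **p})
    return findings
```

On the sample data only the 10.1.4.22 flow is reported: six connections exactly 30 minutes apart, all between 02:00 and 05:00; the daytime browsing flow to 198.51.100.20 is irregular and stays quiet.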
The characteristics of APTs vary, but they generally:
- Gain entry through the end-user PC, using spear-phishing emailed links, attachments, drive-by attacks, P2P software, infected USB keys and memory cards, or Trojanized downloads.
- Maintain their presence by hiding, using rootkit techniques and slow communications patterns.
- Focus on gaining control of crucial infrastructure, communication systems, intellectual property and sensitive information.
- Use automation to enhance the power of an attack against a single target, not to launch broader multi-target attacks.
- Attempt to communicate covertly, hiding data in HTTP, POP, DNS, or other common protocol streams.
- Communicate minimally, but usually on a routine schedule.
- Communicate with foreign systems where jurisdiction is cloudy in order to store targeted data and send and receive updates and commands.
- Attempt to map, query, or connect to other potential target systems on the network.
How do you handle the event?
Once you’ve detected an attack, analyze it to gain actionable intelligence that allows you to remediate that attack and augment your future detection efforts. By iterating through this cycle you get better and better at managing sophisticated threats. APT incidents can be handled in a similar fashion to botnet incidents, and these two attack types are often confused with one another. When you detect an anomaly, consider it an event initially. Investigate the source and destination addresses using online tools and intelligence sources, packet capture, and protocol analysis. Visit the affected system and see which running processes match up with the communication times and ports in use. You need to confirm that the event is in fact malicious, and that it fits the characteristics of an APT.
Assign both the APT event and the remediation event special keywords that all response team participants will use in online communications. Use common phrases such as “benefits update,” “football game,” or “open door policy.” Think of something boring enough not to attract unwanted attention from attackers who may be monitoring your communications.
What if the event is found to be an actual APT incident?
Every APT incident is going to be somewhat unique, and the best actual reaction will depend upon the details of the specific attack. The fundamental cleanup and defense techniques are the same ones that security teams have been using to deal with other malware agents for the past 20 years. Confirm, Identify, Contain, Eradicate, Remediate, Restore, Monitor.
As with any malware incident, determine the best way to contain the particular problem that you have identified. Gather up as much intelligence as possible about the malware, the source and destination of communications, methods and targets, so that management can make a containment decision. This decision should be made at the appropriate level of management. You might simply remove each compromised computer from the network immediately for forensic analysis. You may elect to capture and study a sample of the malware agent. You might initially allow the compromised systems to continue running to prevent the attackers from becoming aware that they’ve been discovered, and taking up a new strategy to mask their presence or cover their tracks, making eradication virtually impossible. This is an individual risk decision for each company, event, and data set that may be at risk.
Gather the remediation team to develop your containment and eradication plans. This team should include security staff, technical staff, senior management representatives, vendor specialists, affected business unit team leaders, and others as required. In general, start small, and bring in additional resources as necessary. Everyone involved should sign an NDA document, even if the company already has one in place, to reinforce the need to keep all information secret, at least until a formal communication plan can be created and implemented. Insider involvement or complicity is a horrible thought, but it cannot simply be ruled out. Loose lips sink ships.
Inventory all of the systems that are exhibiting characteristics of the APT agent or that have had communications with them. If you miss one infected system in your containment efforts, you will not likely achieve containment. Focus on containing the communication channel. If the malware can’t get the data out, you will at least have stopped the bleeding. If you can identify how the information is being exfiltrated, and the destinations that the data is going to, re-route both the protocols in use to those destinations and the destinations themselves. Block the communications only as a last resort. Be ready for the attacker to take notice, and for their tactics to change quickly. Remember that the attacker has chosen this target for a reason, invested many hours in preparing the attack, has had ample opportunity to fortify his position, may have remote access and control set up, and will likely have provided multiple means to maintain his ends. Monitor your network closely while the affected systems are replaced, forensically imaged, and analyzed. Freeze those assets if possible. APTs are the tools of professional hackers and agents of espionage. It is what they do for a living.
Contained, eradicated, restored. All done?
Not quite. The attacker got in, and could do as they wished at their leisure for some period of time. You no longer own the network. Try to determine how the malware agent got into the network. Audit the entire organization for unauthorized change, suspicious activity, improper accounts, and unusual access attempts, from a week or two before your suspected compromise start time up to now. Look into account creations and access elevations. Every change that has been made in the organization should be audited for the correct approvals and verified against change records. Audit your infrastructure devices, your printers, websites, FTP sites, and Active Directory structures. You are going to be looking for the proverbial needle in a haystack. That’s why you need the magnifying lens provided by the 18 items listed above (and more!) to prepare for the attack. If you are attacked using an APT and lack some or all of those tools, you will probably need to stand up a fresh network and start over. You can’t restore from tape if you don’t know when the attack started. APT investigations have shown that the problem is seldom detected early.
Send a sample of the malware agent to your anti-virus and IDS/IPS vendor to aid in signature development if you haven’t done so already. Also consider sending a copy to independent researchers through Virus Total and/or other multi-vendor clearing houses. They have established relationships with major vendors. The best way to eliminate this threat is to provide a united front. By providing samples to your vendors and others, these threats can be scrutinized deeply, unique and common characteristics identified, better signatures and heuristics developed, and the targets for these agents can be reduced. The harder it is for these miscreants to gain a foothold within any organization, the less money they will be making to develop new malware agents, and the sooner we can all get back to business.
Create a timeline of events and book a Post Incident Review meeting. Gather the containment and remediation teams together to review actions taken, successes and mistakes made, lessons learned, and most importantly, what information may have been plundered. Start preparing to deal with the media. If the incident involved regulated or sensitive data (which it always will…) management may need to get Legal and Privacy folks involved. Prepare all communications, and let the company know how to deal with requests for information. Everyone should know the official song and dance, and be moving to the same tune. Your corporate reputation is now at stake. Do not lie about what happened, but never shoot your company in the foot, or in the heart. “No comment” remains a safe response.
If anything positive can be said about the aftermath of an APT incident, it is that experiencing one will be a culture-changing event for most organizations. The purse strings will probably loosen up around security spending, executives may suddenly start speaking in security tongues, and the security team will be expected to do a little bit more reporting after the mess is cleaned up. Expect to hear things in meetings regarding security awareness, new security projects, and security programs. Every silver lining has a cloud; you will be busy.