Advanced persistent threats are nothing if not, well, persistent

By | July 31, 2012

Posted in: Network Security Trends

An advanced persistent threat (APT) is a different kind of animal. It just doesn’t let go, even after you kick it off and eradicate it from your networks. You’ve got something it wants, and it just keeps going after it. As SANS APT instructor Rob Lee put it in a recent posting: “We tell this to executives: Once you are a victim of APT you will be dealing with it forever. You are not going to go back to a time you were pre-APT. This is the kind of thing you will be dealing with from a security perspective from this day forward. It’s a matter of how many waves occurred this month.” In an interesting report just issued, the “Lifecycle of an Advanced Persistent Threat,” Dell SecureWorks paints a vivid and alarming picture.

The thing to understand about APT is that you have something the bad guys want, and they want it badly enough to be persistent. So they won’t give up, and they will make every effort to hide what they are doing. The myth is that they use zero-day exploits to gain a foothold. This is actually rarely true, because it is rarely necessary; a zero-day may be used only as an escalation when lesser measures have failed. The first step is spear-phishing that exploits existing, already-known flaws, and this is where most of the initial research takes place. It’s very difficult to stop a well-researched spear-phish aimed at one or several targets.

The report indicates that APT is well-organized; it’s unsaid, but perhaps with the support or active involvement of nation states. At any rate, the resources dedicated go well beyond the average smash-and-grab tactics. APT actors treat operations professionally; a setback prompts a revised business strategy. Normal security activities do not make the problem go away.

IT departments have multiple issues to deal with; APT has one.

Preparation may include bypassing authentication and gaining access to the objectives, sometimes immediately, sometimes through privilege escalation. C&C (command and control) channels must be decided on, perhaps with alternatives. Attacks are tested against known defensive mechanisms to minimize the chance of detection. For example, customized malware is often written to trick AV, often using common tools such as psexec and password dumpers. These tools are tested against up-to-date antivirus and other security tools. They can, of course, be updated once they are installed to ensure continued evasion.

The attacker might want to steal all relevant documents, but not be “noisy” about it. In this case, it may search for keywords and metadata, and require only a drop site rather than a command and control server.

The attack can be limited to a single goal, but it can be much, much more far-reaching if the attacker is willing and able. Instead of a simple goal, attackers can escalate and collect large amounts of data from different parts of the network. If the attackers are able to elevate privileges beyond the initial user’s account, the sky is the limit. They can access data from file shares, files from numerous workstations, email files, etc. In organizations with unified messaging, they can even read fax messages and listen to audio files.

By using keyloggers and web form grabbers they can capture non-Windows credentials as well. Encrypted or compressed files are often used in exfiltration to evade DLP.
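The point about encrypted or compressed archives slipping past DLP suggests a simple triage check on outbound payloads. As an added example (not from this post or the Dell SecureWorks report), the Python below flags a payload by archive signature, by the ZIP “encrypted” flag bit, and by byte entropy; the sample payloads are constructed for illustration.

```python
import hashlib
import math
import struct

# Archive signatures a DLP gateway would look for at the start of a payload.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted/compressed data, ~4 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_payload(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Return archive type (if any), whether a ZIP local header marks the
    entry as encrypted, the entropy, and whether to hold it for DLP review."""
    kind = next((name for magic, name in ARCHIVE_MAGIC.items()
                 if data.startswith(magic)), None)
    zip_encrypted = False
    if kind == "zip" and len(data) >= 8:
        # ZIP local file header: general-purpose bit flag at offset 6; bit 0 = encrypted.
        flags = struct.unpack_from("<H", data, 6)[0]
        zip_encrypted = bool(flags & 0x1)
    ent = shannon_entropy(data)
    return {"archive": kind, "zip_encrypted": zip_encrypted,
            "entropy": round(ent, 2),
            "flag_for_dlp_review": kind is not None or ent >= entropy_threshold}

def _zip_header(flags: int) -> bytes:
    # Minimal 30-byte ZIP local file header (constructed, fields zeroed except flags).
    return b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, 0, 0, 0, 0, 0)

def _pseudo_random(n: int) -> bytes:
    # Deterministic high-entropy bytes standing in for an encrypted archive (constructed).
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed sample payloads, not real captured traffic.
SAMPLES = {
    "plain_text": b"quarterly forecast " * 200,
    "stored_zip": _zip_header(0) + b"report.docx",
    "encrypted_zip": _zip_header(1) + b"report.docx",
    "random_blob": _pseudo_random(4096),
}
```

Entropy alone cannot tell encrypted data from legitimately compressed data, so the archive and flag checks are what justify holding a transfer for review rather than blocking it outright.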

Clean-up of a successful operation involves removing all signs they were there. Until next time.
