Monitoring Indicators of Attack (IOA), as opposed to Indicators of Compromise (IOC), could discourage Advanced Persistent Threat (APT) groups from relentlessly attempting to gain access to systems, as evidenced by a new case study.
A blog post from CrowdStrike detailed how, after months of gathering information and trying to regain entry to one company's systems, APT group “Hurricane Panda” ceased all efforts.
This marks the first time CrowdStrike has documented a group recognizing its failure to access a network and, instead of continuing, choosing to step away from the target, Dmitri Alperovitch, CTO and co-founder of CrowdStrike, said in an interview with SCMagazine.com.
In this case study, the China-based group breached a company's systems in April 2014 and eventually had its access revoked. Hurricane Panda then kept trying to regain entry and even trotted out a zero-day vulnerability (CVE-2014-4113, a Windows kernel privilege-escalation flaw). Its attempts were still blocked, however, because the targeted company monitored IOAs, which CrowdStrike defines as the series of actions an attacker must perform to succeed, rather than relying only on IOCs such as known file hashes or addresses.
For instance, the targeted company detected the execution of the group's preferred webshell, which provides “full command execution and file upload/download capabilities,” the post said.
Because that action was caught, Hurricane Panda fell back on its zero-day, and that too was detected.
Later that year, a separate company reported a similar Hurricane Panda attack. This time, after losing access and then getting its webshell back onto a web server, the group opened a virtual terminal and ran commands to determine whether the company had installed the same threat detection system as the target of the earlier intrusion.
Because it had, the attackers deliberately stepped away.
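The two detections the article describes, the webshell's command execution and the attackers' check for an installed security agent, are both behaviours rather than artifacts, which is what makes them IOAs. The following is an added example, not CrowdStrike's detection logic or anything from the post, showing the difference in code: an IOC rule keyed on a webshell's hash or file name, beside IOA rules keyed on what any webshell must do (a web server worker spawning a command interpreter) and on what an operator looking for an endpoint agent types (service and process enumeration). The process names assume an IIS host, the recon command patterns, hashes and telemetry events are all constructed for the example, and the article does not say which web server or commands were involved.

```python
"""Indicator-of-attack (IOA) detection over constructed endpoint telemetry.

An IOC rule matches an artifact the attacker can change at will (the webshell's
file hash or name). An IOA rule matches the action the attacker must perform to
get what they want: a web server worker spawning a command interpreter is what
"full command execution" through any webshell looks like, and a shell that
enumerates services or processes is what checking for a security agent looks
like. Every event, hash and process name below is an assumption made for this
example, not data from the article.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class FileWrite:
    host: str
    path: str
    sha256: str


@dataclass(frozen=True)
class ProcStart:
    host: str
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str     # "IOC" or "IOA"
    rule: str
    detail: str


# IOC: artifacts recovered from an earlier intrusion (placeholder values).
KNOWN_WEBSHELL_HASHES = {"1111" * 16}
KNOWN_WEBSHELL_NAMES = {"shell.aspx"}

# IOA: behaviour-based rules. Worker/shell names assume a Windows/IIS host.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Commands an operator would run to learn which endpoint agent is installed.
SECURITY_RECON = re.compile(
    r"\b(tasklist|sc(\.exe)?\s+query|wmic\s+(service|process|product)|"
    r"Get-Service|Get-Process|reg(\.exe)?\s+query\s+\S*\\Services)\b",
    re.IGNORECASE,
)


def ioc_rules(ev):
    """Match the artifact: only fires if the attacker reuses a known file."""
    out = []
    if isinstance(ev, FileWrite):
        name = ev.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if ev.sha256.lower() in KNOWN_WEBSHELL_HASHES:
            out.append(Finding(ev.host, "IOC", "known_webshell_hash", ev.path))
        elif name in KNOWN_WEBSHELL_NAMES:
            out.append(Finding(ev.host, "IOC", "known_webshell_name", ev.path))
    return out


def ioa_rules(ev):
    """Match the behaviour: fires regardless of which webshell was used."""
    out = []
    if isinstance(ev, ProcStart):
        parent, image = ev.parent.lower(), ev.image.lower()
        if parent in WEB_WORKERS and image in SHELLS:
            out.append(Finding(ev.host, "IOA", "web_worker_spawned_shell", ev.cmdline))
        if image in SHELLS and SECURITY_RECON.search(ev.cmdline):
            out.append(Finding(ev.host, "IOA", "security_agent_enumeration", ev.cmdline))
    return out


def scan(events):
    findings = []
    for ev in events:
        findings.extend(ioc_rules(ev))
        findings.extend(ioa_rules(ev))
    return findings


def hosts_caught_only_by_ioa(findings):
    """Hosts where behaviour fired but no known artifact did."""
    ioc_hosts = {f.host for f in findings if f.kind == "IOC"}
    ioa_hosts = {f.host for f in findings if f.kind == "IOA"}
    return ioa_hosts - ioc_hosts


# Constructed telemetry for two fictitious victims.
SAMPLE_EVENTS = [
    # First victim: the original webshell, whose hash and name are now IOCs.
    FileWrite("web01", r"C:\inetpub\wwwroot\upload\shell.aspx", "1111" * 16),
    ProcStart("web01", "w3wp.exe", "cmd.exe", 'cmd.exe /c "whoami"'),
    # Benign ASP.NET activity: the worker compiles a page, not a shell.
    ProcStart("web01", "w3wp.exe", "csc.exe", "csc.exe /noconfig /t:library App_Web_x.dll"),
    # Second victim: same webshell rebuilt under a new name and hash, so no IOC matches.
    FileWrite("web02", r"C:\inetpub\wwwroot\img\logo.aspx", "2222" * 16),
    ProcStart("web02", "w3wp.exe", "cmd.exe", "cmd.exe /c tasklist /svc"),
    ProcStart("web02", "w3wp.exe", "cmd.exe", "cmd.exe /c sc query type= service state= all"),
    # An administrator's interactive shell on web02, not spawned by the worker.
    ProcStart("web02", "explorer.exe", "cmd.exe", "cmd.exe /c dir C:\\logs"),
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:6} {f.kind:3} {f.rule:28} {f.detail}")
    print("caught only by IOA:", sorted(hosts_caught_only_by_ioa(results)))
```

On the sample data the IOC rule fires only for the first victim, where the attackers reused a known file; the second victim is caught solely by the two behavioural rules, which is the point of monitoring intent rather than artifacts. In a real deployment the worker-spawns-shell rule needs an allowlist for legitimate child processes (compilers, image tools) and the recon rule should be scoped to shells that descend from a network-facing process, or it will page on every administrator running tasklist.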
“While a few events don't make a trend yet, it is certainly exciting to see how attackers are now finding the need to react to a system that is detecting their activity not just based on known IOCs, but based on revealing the intent of their action – credential theft, persistence, code execution, lateral movement, data destruction, and so on,” the post said.
For Alperovitch, this example highlights the need to look beyond the malware a group has used in the past or the specific exploits it has leveraged and instead focus on suspicious behavior in general.
In this case, burning a zero-day on a failed attempt made the cost too high for the group to justify further effort.
For IT security professionals, though, this means that the fight against APTs will be a long one, Alperovitch said.