APT to attack: Breaking down the advanced persistent threat | SC Media

APT to attack: Breaking down the advanced persistent threat

May 5, 2010

Every organization that maintains intellectual property should be aware of advanced persistent threats, reports Angela Moscaritolo.

It would come as no surprise to experts at defense contractor Northrop Grumman that students at a foreign university might be given the assignment to break into government or corporate networks. After all, these days state-sponsored hackers around the world are launching increasing numbers of cyberattacks against the U.S. military, government and corporations to obtain valuable intellectual property, says Timothy McKnight, vice president and chief information security officer at Northrop Grumman.

Most cyberattacks can be fought off with good defense-in-depth security measures, McKnight says. However, a small percentage are tough to stop even with the best security technologies and practices in place.

Holding an elite spot at the top of the long list of today's hacking techniques is the advanced persistent threat (APT). It's a name given to attacks that use customized malware to exploit zero-day vulnerabilities. This allows the bad guys to surreptitiously break into computer networks with the goal of stealing trade secrets and gaining continued intelligence about victims.

“This isn't just hacking for fun,” McKnight (right) says. “This is hacking for financial, military or nation-state gain.”

Plus, the APT is not just a single cyberattack, says Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham (UAB). Rather, it's a series of attacks against many points in an organization.
“Each attack might gather a little bit of information,” Warner says. “The idea is, if you discover one, I might have 20 more in place. They might not even be active.”

Stages of attack

While each APT attack is unique, many follow a common formula, according to Mandiant's M-Trends report on APT attacks, released in January. Before launching the attack, cybercriminals carry out a reconnaissance effort to identify key individuals within an organization to target, according to the Washington, D.C.-based security firm, which provides cyberattack response services. Using social networking sites and other publicly available information, attackers gather personal information about their targets and plan the hit.

APT intruders use a range of techniques to gain initial access into a corporate network. The most common method of entry is to launch a spear phishing attack – which entices victims through social engineering strategies sent out via email – to install malware on a user's system.

The malware used in APT attacks is often a one-off version, never to be seen again after it's used against its intended target, says Chenxi Wang (left), principal analyst at Forrester Research. By the time the malware is discovered and security companies have created a signature to protect users from it, the signature is already useless because that version of the malware is generally never used a second time.

“Because of its nature of being a specially crafted message, it's very difficult to catch,” Wang says.

In fact, according to Mandiant, just 24 percent of all APT malware is detected by anti-virus software. Further, once the network has been successfully infiltrated, APT attackers steal domain administrative credentials, which are used to impersonate legitimate users and install multiple backdoors throughout the network. These backdoors give attackers a stronger foothold in the environment and a reliable way to get back in.

Subsequently, by masquerading as legitimate users, attackers can move laterally through a compromised network and are essentially able to “hide in plain sight,” says Michael Malin (right), executive vice president of Mandiant.

Attackers then obtain valid user credentials for additional company systems, such as those used by the human resources and financial departments. On average, APT attackers access 40 different systems on a victimized organization's network, the majority of which are broken into using valid credentials, according to the Mandiant report. Once intruders have penetrated an organization's systems, they plant various utilities to capture data, including programs that steal emails, list running processes and install dormant executables or additional backdoors.

Stolen data is then exfiltrated from the compromised network to the attacker's remote command and control (C2) servers. At that point, APT intruders seek to maintain their persistence in the network for as long as possible and can efficiently respond to the organization's efforts to remediate the compromise.

“In one way, the APT is like the boogeyman – it could be anywhere,” says UAB's Warner. “It defies traditional information security products.”

Victims and perpetrators
A group of cybercriminals using APT tactics recently managed to plant customized malware on several U.S. government computers, adds Warner. The attack started with a spear-phishing email that was sent to a number of federal employees – who attackers hand-picked knowing those individuals would be accustomed to receiving such a message. Recipients were told to follow a link included in the email to access a report that pertained to their job.

The link, instead, directed users to a unique piece of malware that had never been used against the masses before, Warner says. A later investigation revealed that the malware was detected by just two of the top 43 anti-virus tools.

Several government employees were fooled by the legitimate-looking message and clicked on the link. With that, their computers were compromised. Malware was installed that was crafted to scan compromised machines for Microsoft Word documents and send them via file transfer protocol (FTP) to the attackers' computers.
Warner could not disclose any other details of the attack, but said it wasn't an isolated incident. The U.S. government has been the victim of several other cyberattacks this year that were equally surreptitious, he said.

APT is not just a government problem, though, adds Warner. Every organization that maintains intellectual property could be at risk of APT.

“We see these attacks constantly,” says George Kurtz, CTO at McAfee, who classified Operation Aurora, which recently targeted Google and 30 other corporations, as an APT attack. “I certainly think that these attackers have footholds in not only government, but also in corporate America.”

It is difficult to determine the origin of these cyberattacks since hackers are expert at concealing their physical location, but there have been reports that APT-style attacks have emanated from many countries, including Russia, Iran, Israel and France. However, some experts say there is reason to believe a majority of APT attacks are linked to China. For example, through its investigations into a number of APT attacks, Mandiant researchers discovered that intruders are often interested in obtaining information related to major upcoming U.S./China mergers and acquisitions or corporate business negotiations.

Further, a recent report, prepared for Congress by the U.S.-China Economic and Security Review Commission, states that circumstantial and forensic evidence indicates that many of the hacking attempts aimed at the Department of Defense are coming from the Chinese government and other state-sponsored entities.

Still, over the past several years, China has made strides in protecting the intellectual property of American companies, U.S. Secretary of Commerce Gary Locke said during a July speech before the U.S.-China Business Council in Beijing. For instance, there has been a “marked” increase in the number of intellectual property-related criminal prosecutions in China, he said.

“However, American companies in fields as diverse as energy, technology, entertainment and pharmaceuticals, still lose billions of dollars every year in China from IP theft,” Locke said.

Thwarting the attack

There is no single security technology or practice that will protect organizations from APT attacks, experts say.
“It's difficult to keep APT out,” says Forrester's Wang. “My advice is: Don't even try, because you won't succeed.”

Instead, she says, companies should concentrate their efforts on limiting the damage once an attacker has broken in. The principles of compartmentalization, need-to-know and least privileged access will help to limit exposure and damage.

Similarly, UAB's Warner recommends that if they haven't already, organizations must identify and classify all data they maintain and restrict access to sensitive information. Then, actively monitor the points where data can be accessed to determine if inappropriate access has been made. In addition, he recommends that organizations consider implementing customized exfiltration rules that watch all outbound data to determine if it is coming from systems that contain sensitive information.

Enterprises that have sound information security management practices should be equipped to deal with this threat, Warner says. Unfortunately, many are not prepared, he adds.

“We buy something from a vendor and put it on like a Band-Aid and don't have good risk management procedures,” he says. “This is far more sophisticated and advanced to go through than installing a new anti-virus or patch.”

Northrop Grumman's McKnight, who was formerly a special agent with the FBI, says that creating organizational awareness about this problem is one of the most important ways to deal with it. “We speak to our board about this on a regular basis,” he says.

In addition, Northrop Grumman has implemented an employee awareness program focused on the APT and likely targets within the organization. As part of the strategy, employees are sent mock spear phishing emails, McKnight says. They are then given immediate feedback and training about cybercriminal tactics that can harm the company.

Like many others, McKnight recommends implementing security best practices to prepare and respond to APT attacks. He suggests implementing tactics that include appointing a security leader, such as a CISO or CSO, gaining executive sponsorship, and planning a strategic and tactical approach to company-wide IT security.

“The goal is to get attackers to go elsewhere,” McKnight says. “You want to improve security to a level that the resources they are applying against you are counterproductive.” 

prestitial ad