An advanced persistent threat (APT) attack is a little like a bed bug infestation: If you have one, you can sanitize everything and put protective measures in place, but there's a good chance they'll be back. New APT cases crop up monthly these days. What can we learn from them, and how can we protect ourselves?
Advanced persistent threats could be a misnomer, argues Ron Gula, co-founder and CEO at Tenable Network Security, a Columbia, Md.-based provider of network monitoring. “When APT was first bought out, I pooh-poohed it,” he says. “I said it was no different than The Cuckoo's Egg.” In that book, Cliff Stoll, an astronomer turned systems manager at Lawrence Berkeley National Laboratory, tracked a hacker who penetrated the lab's system via a telephone modem connection in 1986.
Intelligent, persistent intruders have been lodging themselves in victims' networks for years, experts acknowledge. These days, though, their motives are more focused. They are after the target's data – which they can use for political or financial gain – and their techniques are methodological.
They move from reconnaissance (looking for weaknesses) through initial compromise, establishing a foothold, and then privilege escalation. They move laterally through the network, gaining access to more systems, and establish backdoors to ensure that they can get back in later on. At various points along this process, they will steal data from under the administrator's nose.
Attackers can stay in a network for a long time. Twenty years after Stoll stalked his attacker (who turned out to be at a university in Bremen, West Germany), Mandiant (purchased for more than $1 billion by FireEye in December 2013) began stalking another intruder through multiple networks around the world. Seven years later, the New York-based cybersecurity firm published its APT1 report, describing the activities of what it believed was the Chinese People's Liberation Army's Unit 61398. It revealed that the group stayed inside a target's network for a year on average – and sometimes for more than three years.
The attacks typically use targeted spear-phishing emails with malware to gain a foothold in the system, says Mandiant senior consultant John Foscue. “It's 75 percent phishing emails and 25 percent people going to a bad website," he says. "Or someone forgot about a server sitting under a desk somewhere that hasn't been patched in five years.”
Not rocket science
In many cases, APTs can use less than sophisticated exploits to gain an initial foothold, even if the payload is more adept. That was the case with Carbanak, a banking-focused APT. Discovered in 2014, this attack used malware to steal $1 billion in funds from banks over a two-year period. Banks were infected with malware that recorded screen video of legitimate bank employees' sessions. It also manipulated Oracle databases to open and transfer money between accounts.
The Carbanak attackers needed to compromise endpoints to install the shell code that then unpacked the malware. For this, they used vulnerabilities dating back as far as 2012, rather than sophisticated zero-days, says Adam Firestone, president and general manager of Kaspersky Government Security Solutions (KGSS), an Arlington, Va.-based subsidiary of Kaspersky Lab that provides cybersecurity services to the US government and its contractors.
“That says attackers are really less interested in being brilliant than they are in the end effect,” he says. “They can count on the laziness and inefficiency of system administrators.”
Gently does it
Once attackers are inside a system, however, the lateral movement, exploitation of systems and exfiltration of data must be conducted with care to avoid detection. The less noise an attacker makes here, the better.
Attackers tread softly using existing tools already used by IT operations to explore and own new systems. Phil Burdette (left), senior security researcher on the Dell SecureWorks Counter Threat Unit's Special Operation team, refers to this as “living off the land.”
Software giving employees remote network access is fair game here. A user's remote access tool becomes an attacker's remote exploitation tool. These tools are whitelisted, removing the need to bypass malware scanning tools that might spot unauthorized software on the network. PowerShell is a commonly whitelisted tool, yet it carries considerable power. Netstat, AR Cache and local routing tables are all up for grabs, Burdette says. Using these, attackers can spot, contact and compromise other systems.
“The challenge is that when adversaries masquerade as legitimate users, how can network defenders identify what is legitimate activity versus adversarial activity?” he asks.
Hiding in plain sight
Savvy attackers will also use legitimate tools to hide in plain sight when communicating with existing malware and stealing data from networks. One good example of an attack using legitimate tools to communicate with its controllers and extract information from its target is HAMMERTOSS, a backdoor inserted onto victim systems by a Russian threat group that FireEye calls APT29.
APT29, which according to a FireEye report is an expert at covering its tracks, crafted a tool that communicated with team members via Twitter. The company explained that the tool would reach out to Twitter accounts with frequently changing, algorithmically-generated names. Each account contained a message with a URL and a hashtag indicating an image size. The backdoor was configured to check Twitter only during office hours making it indistinguishable from regular office traffic.
FireEye researchers found that APT29 tweeted a URL and a hashtag to the account, which directed the malware to a webpage containing an image. Command instructions for malware were hidden in the image using stenographic encryption and the hashtag told HAMMERTOSS where in the image to look.
The decryption key for the data in the image was created using hard-coded information from the malware binary along with characters from the tweet making it especially hard for security practitioners to access the command instructions.
The image would contain PowerShell instructions, or an executable file, FireEye revealed after examining the malware. It would often tell HAMMERTOSS to upload victim data to a cloud storage service, again cloaking its activity by appearing to be a legitimate tool.
Unpredictability is also a key feature in many APTs. HAMMERTOSS varied the image file size and Twitter handle used, making it difficult to look for consistent patterns in its behavior. It also used an alternative variant, identified by FireEye, called Uploader, which communicated directly with a URL instead of Twitter.
What can companies learn from these attacks and how can they protect themselves? If, as KGSS's Firestone says, few zero-days are used at the outset of these attacks, this suggests that anti-malware solutions and web protection software to check URLs are still important. These alone won't be enough, however, says Barry Vengerik, principal threat analyst at FireEye.
It's all too easy to reach for an “anti-APT” product offering, but real protection is more complex, involving a mixture of basic network hygiene and panopticon-like vision, he says. Companies must master IT Operations 101 first, patching their vulnerabilities and setting up internal penetration testing programs. “It's having the best practices in place, which plenty of folks still don't have, as well as having visibility,” he says.
That level of visibility can be difficult in larger companies or in recently-merged organizations. FireEye sees a spike in attack attempts on companies undergoing merger and acquisition activity, Vengerik says. Techniques such as log aggregation and scanning can help to improve visibility, as can internal IDS monitoring.
Baselining networks to find “normal” behavior can help to detect anomalies, but that can be difficult, admits SecureWorks' Burdette, because administrators may find themselves baselining an already-flawed system. That's why the initial anti-APT engagement begins by scanning for ongoing attacks.
Looking for specific tools is only one part of the approach, though. “We focus on how they operate, how they move laterally, keying off known behaviors and identifying those,” says Burdette. Attack groups typically take the path of least resistance, relying on tried and true techniques that require the least effort and continue to work. Investigation teams identify these attacks with different groups, creating a modus operandi that they can use to predict what a new attack will look like.
That can also help to close all the backdoors that the attackers put on the network to regain access to a system. These can stretch into double figures in some cases. It's impossible to tell with 100 percent certainty that they're all gone.
“We see re-entry attempts within about two weeks of eviction, mostly," Burdette says. "Until we raise the bar by implementing some fundamentals of good security practices, adversaries will use the same behaviors as they have done before. And if we don't see a re-entry attempt? That's even more worrying.”