When a Fortune 500 company received an alert that its intellectual property was being siphoned from its network, IT security personnel were able to stop the theft of the important data within 21 minutes. Because the exfiltration was discovered in-process, they were also able to turn the tables on the perpetrator of the cyber crime and retrieve the stolen information from the hacker's FTP site. Fortunately for this organization, its network security solution provided the ability to discover and stop advanced persistent threats (APTs) throughout the threat lifecycle – in this case during the exfiltration phase. Without this ability, the company would have experienced an actual loss of data.
So, why is understanding the threat lifecycle so important? There is a perception that most threats are malware-based, and that having an anti-malware protection device in place at the “main” entry point to the network will adequately protect against APTs. In fact, only 28 percent of threats lodged against large companies are malware attacks, according to the "2012 Verizon Data Breach Investigations" report. If this were a baseball game and a fielder allowed 70 percent of all balls hit his way to get by him, he wouldn't be a Gold Glove candidate – he'd probably be on the bench.
In order to match wits with – and stop -- sophisticated and stealthy APTs, you need to look beyond the entry points, and monitor the entire threat lifecycle. There are many ways in which an APT can enter a network, and even more ways it might act once inside. The key is identifying the APT before it has exfiltrated valuable information.
It's also useful to think of an APT not as a “what” but as a “who” -- a person or group of people, often from a nation-state or a criminal organization, trying to steal something for financial gain. To better understand how to protect against these APTs throughout the entire threat lifecycle, we need look no further than our national pastime. As you're probably aware, a baseball game is comprised of two teams, each getting three outs an inning over the course of nine innings to outscore their opponent. Each team sends a batter to the plate, one at a time, who then attempt to safely reach base with the goal of rounding the base paths to score a run at home plate. Like an APT, the batter has one main purpose, to get on the base paths and wreak havoc with the end game of securing something of value.
An APT is similar in that it initially is focused on infiltrating the network, then it propagates throughout the network, and ultimately moves to exfiltrate the valuable target information – scoring the run.
Infiltration is the first phase of the advanced threat lifecycle and the initial penetration point of the enterprise network. This is the way that the APT gets into the network. There are many ways this can happen – it can be a server-side attack or it can be a client-side attack; it can be as sophisticated as a zero-day exploit or as simple as guessing somebody's password; it may be malware based or non-malware based; in rare cases (think Stuxnet), it may not even be network based. In each of these scenarios, the attacker gains access to and control of (“compromises”) an enterprise computing device (an “asset”) such as a desktop or laptop computer, a server, a tablet, or a smartphone.
In baseball, the batter assumes the role of infiltrator. It is his job to safely reach base. Just like threats can access the network in many ways, the batter can also access the base paths via a number of methods. He can reach base safely via a base hit, can receive a free pass via base on balls, can be hit by a pitch, or can reach base on a dropped third strike. Once on base, the batter has gained access to the other team's “network.”
Similar to security solutions focused on the entry point of the network, the opponent in a baseball game is trying to stop the batter from reaching base. If they should fail to stop him from reaching base, there are still a number of places along the base path in which they can cut him down before he safely crosses home plate and scores a run.
Command and Control Communication is the second phase of the threat lifecycle. In this phase the attacker sets up a way to control the compromised asset remotely (over the Internet), typically by installing a malicious and stealthy remote access program (a “backdoor”) on the compromised system that communicates with a remote “command and control” server over the Internet. The backdoor enables the attacker to control the compromised system; download more malware onto it (typically in an encrypted, non-executable form); and use it as a base for exploring the enterprise network and progressing the attack. Command and control communication can occur over any network port or protocol.
In the baseball scenario, this is the equivalent of a batter, or batters, who after reaching base, become runners awaiting communications from outside sources -- the coaches at first and third base -- who will signal them when to move to the next base. A runner moving to the next base is akin to an APT boring deeper into a network and preparing for the exfiltration stage.
Much like an APT that may sit in stealth mode for days, months or years before making its move, runners may sit and wait patiently on base until the coach signals them to steal, to be strategically moved along by the batter by way of bunt, hit-and-run play, or sacrifice fly. Or they may wait for the current batter, another external source in this phase, to advance them with a hit.
Propagation is the third phase. In this phase the attackers “walk around” inside the enterprise's internal network, compromising more systems, dropping more backdoors, and seeking higher levels of privilege and better access to valuable, sensitive or classified information. The duration of this phase of the attack is highly dependent on the size and complexity of the enterprise network and the strength of the enterprise's authentication, authorization, and access control mechanisms.
With four bases to advance to along the base path, it is possible for more than one runner to populate the base paths simultaneously. Just like an APT is moving throughout the network, albeit along an unclear and undefined path, the team at bat is attempting to place multiple runners on base to secure more runs during that particular inning.
Exfiltration is the final phase in the threat lifecycle and is the objective of most (but not all) targeted attacks. In this phase the attackers stage the target data and push it out of the enterprise network, across the Internet, to one of their data drop and collection sites. Data exfiltration can occur over any port or protocol.
As has already been mentioned, batters come to the plate with the intention of successfully reaching base, and will then attempt to navigate their way around the base path to return home and score a run for their team. We can consider a run scored a successful attempt at exfiltration, because they have been able to successfully complete their mission.
However, it is possible to complete this mission, but lose the baseball game. As previously stated, in every baseball game there are two teams, each with an equal amount of opportunities to thwart their opponent's attacks, or better their opposition's successful exfiltration.
In the article's opening example, IT security personnel at the Fortune 500 company discovered that the company's data was being exfiltrated, creating the appearance that it was game over for that data. However, like the home team in a baseball game, behind by two runs in the bottom of the ninth, the company has last at-bats and was able to navigate its way to the stolen data and retrieve it – the equivalent of the come-from-behind win.
It was only because security was watching the entire network – all ports and protocols and all phases of the threat lifecycle -- that the threat was discovered and steps could be taken to not only stop it, but reverse its course.