
Fact or fiction: Dissecting the myths of advanced persistent threats

In the past decade, the advanced persistent threat (APT) has evolved from a term only used in closed circles to one that is tossed around at nearly every tech trade show.

The myths and misunderstandings surrounding the acronym APT have simultaneously bemused and generally annoyed industry analysts, and confused the general public's understanding of what the term actually means. We can sort fact from fiction by presenting some common vendor myths and applying ground rules for what constitutes an APT in the enterprise.

Just so we're all clear, APT is a term created by the U.S. Air Force to describe Chinese threat actors. However, whether an attack is truly APT or simply the work of a well-financed adversary, the infiltration and exfiltration techniques are nearly identical.

The classic targeted attack scenario begins with an exploit – typically against a browser, document renderer, media viewer or human – that targets a software vulnerability or is so alluring to the user that it is manually opened. Email attachments and links sent via email are the most prevalent attack vectors, but things like physical breaches, targeted malicious ads and attacks on public-facing infrastructure, such as web or database servers, can also happen.

The exploit then creates a malware instance on the host, either on disk or by injection into a process. In turn, that instance beacons out to a publicly unknown command-and-control (C&C) server using some sort of encoding or encryption.

Currently, there are three main technologies in the market that claim to address APTs: those that examine executable files for badness, those that attempt to discover the outbound communication of the malware, and those that scan the body of the communication for known patterns, such as Social Security or credit card numbers. 

Let's dive into the vendor myths.

1. "We catch C&C callbacks as they leave the enterprise."
Reality check: APT uses custom channel obfuscation that consistently evades detection.

Nearly all APT malware uses some form of obfuscation on the outbound callback. It also does not use domains or IPs that look strange from a heuristic standpoint: it will not use a .cn or .ru domain. It does not fast-flux through IPs, but it does beacon extremely infrequently (sleeping for a month is not uncommon once it is entrenched). In many cases, the operators use rented servers in legitimate data centers or leverage in-country, known-good websites that are compromised to provide a first hop for their C&C.

As any frontline analyst will tell you, the obfuscation used is often not a standard algorithm that can be generically decrypted, but rather is proprietary or embedded steganographically into benign objects.

2. "We use reputation-based analysis and blacklisting to prevent threats."
Reality check: APT can use zero-day vulnerabilities to evade signatures.

The most prevalent methodology for extracting Windows executable files uses a combination of reputation (third-party feeds), static analysis and dynamic analysis. But in even a moderately sophisticated scenario, this, too, falls down on the job.

Feeds from services such as Zeus Tracker, SRI and the Shadowserver Foundation provide information about bot command formats, C&C IPs, bad URLs, file reputation, etc. While these services have a measurable effect against known malware, they are only as good as their latest signatures.

To suggest that a commercially available threat feed would have information about malware specifically crafted for an organization at day zero is simply absurd. All list-based defenses have an inherent gap, where they are unable to detect threats not contained on the list. And this is the case for any threat that has never before been seen in the wild.

3. "We use in-network analysis of EXE files (file-level heuristics)."
Reality check: Simple obfuscation implemented in shellcode hides executables.

The in-network executable analysis products suddenly flooding today's market rely heavily on file-level heuristics to find APTs. These products track how the bad EXE file was delivered to the user to find the initial exploit, then analyze it statically and dynamically.

Static analysis includes determining if it was compiled with a specific keyboard layout, or if the originating IP/URL is known bad. Dynamic analysis is simply the process of executing the file in a sandbox environment, and scoring the observed behaviors to look for signs of maliciousness, such as keylogging, document theft or privilege escalation.

This makes sense conceptually, but in reality this technique fails for even reasonably sophisticated malware because the EXE is never passed in the clear on the wire.

In many APT scenarios, such as a targeted attack via an email attachment, the initial payload (EXE or DLL, generally) is contained inside the attachment, often encrypted, encoded and/or split into multiple sub-containers. (Operation Aurora is an obvious example of masking the initial EXE.)
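To make the gap concrete, the following added example (not from the original article or any vendor product) contrasts a clear-text file-level check with a scan that also tries every single-byte XOR key and validates the PE header chain. Single-byte XOR is an assumed stand-in for the "simple obfuscation" described above, and the sample is a constructed, non-executable header skeleton.

```python
import struct

DOS_STUB = b"This program cannot be run in DOS mode"

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def build_sample_pe() -> bytes:
    """Constructed, non-executable PE skeleton: MZ, DOS stub text, PE signature."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)        # pointer to the PE signature
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    return bytes(hdr) + b"PE\x00\x00" + bytes(64)

def naive_scan(blob: bytes) -> bool:
    """Clear-text heuristic: a literal MZ header followed closely by the DOS stub."""
    i = blob.find(b"MZ")
    while i != -1:
        if DOS_STUB in blob[i:i + 0x100]:
            return True
        i = blob.find(b"MZ", i + 1)
    return False

def find_xor_pe(blob: bytes) -> list:
    """Try all 256 single-byte keys (0 = clear text). A hit must have an encoded
    MZ whose decoded e_lfanew points at an encoded 'PE\\0\\0' signature."""
    hits = []
    for key in range(256):
        mz, pe = xor(b"MZ", key), xor(b"PE\x00\x00", key)
        i = blob.find(mz)
        while i != -1:
            raw = blob[i + 0x3C:i + 0x40]
            if len(raw) == 4:
                e_lfanew = struct.unpack("<I", xor(raw, key))[0]
                if e_lfanew < 0x1000 and blob[i + e_lfanew:i + e_lfanew + 4] == pe:
                    hits.append((i, key))
            i = blob.find(mz, i + 1)
    return hits

# Constructed sample: filler bytes, then the skeleton XOR-encoded with key 0x5A.
FILLER = b"%PDF-1.4 constructed filler " * 4
SAMPLE = FILLER + xor(build_sample_pe(), 0x5A) + b" trailer"

if __name__ == "__main__":
    print("clear-text scan flags sample:", naive_scan(SAMPLE))
    print("XOR-aware hits (offset, key):", find_xor_pe(SAMPLE))
```

This covers only the single-byte case; payloads that are encrypted with longer keys or split across sub-containers, as the paragraph above notes, will not be found by this scan either.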

Without fully evaluating the entire lifecycle of an APT and looking past the claims made by vendors that only address part of the problem, it's easy to find yourself vulnerable to an attack. When researching APTs, it's easy to get lost in the hype, or wooed by fancy lingo. But hopefully after sorting through the above myths you can better prepare yourself against these types of attacks.
