The ABCs of APTs

July 24, 2013
How to identify and stop Advanced Persistent Threats

Advanced Persistent Threats (APTs) pose a great challenge for cybersecurity professionals. The well-written code behind them is not just a script that knocks on the door and goes away if no one answers. Instead, APTs gnaw at that door and eat it away until they find a hole; once the hole is created, they unleash their infected payload into a system — often covering their tracks to avoid detection.

These exploits are developed by skilled, motivated, organized and well-resourced programmers working with a well-defined road map. The attacks can take many months to develop and even longer to successfully deploy.

While we are still stinging from potent computer viral strains such as Stuxnet, new strains of equally potent threats lie in wait, yet to be unleashed. Only halfway into 2013, landmark security incidents stemming from APTs have captured the attention of government and enterprise commercial customers alike, with cybersecurity topping terrorism on the list of most critical national that affect our society.

The Edward Snowden National Security Agency “whistleblower” case has set off shockwaves through enterprise and corporate organizations as well as private citizens that may not have recognized the sophistication of technology for eavesdropping, interception of communications and data exfiltration by insiders or unauthorized sources. People now have an “eyes wide open view” of systems capabilities and systems intelligence that can capture, collect, and use data for cyber offensive (CNO) purposes — even so, the rise in cyber-attacks for corporate espionage is destined to become more prolific over the next couple of years, especially among nation-state and organized hacking groups.

Although big and well-armed companies such as Google, RSA, Sony, DigiNotar and Lockheed Martin have been hit, there are signs that APTs may be going after smaller and less well-protected organizations to get to their eventual targets. Many corporations are now finding that sales representatives, software developers, and corporate executives are privy to, and are taking advantage of, the stockpiling and collection of data and information relevant to their organization that can be used for financial, employment protection, or other personal gain.

APTs Defined

The term “APT” is commonly used to refer to cyber threats involving Internet-enabled espionage techniques. They use a variety of intelligence gathering and attack techniques, such as infected media, supply chain compromise and social engineering, to access sensitive information. An individual hacker is not usually referred to as an APT, as individuals rarely have the resources to be both advanced and persistent.

APTs require a high degree of stealth over a prolonged duration of operation in order to be successful. The attack objectives therefore typically extend beyond immediate financial gain, and compromised systems continue to be of service even after key systems have been breached and initial goals reached. Definitions of precisely what an APT is can vary, but according to Damballa, an Atlanta-based firm specializing in advanced threat protection, APTs can best be summarized by their named requirements:

Advanced – Criminals behind the threat use the full spectrum of computer intrusion technologies and techniques. They combine multiple attack methodologies and tools in order to reach and compromise their target.

Persistent – Criminal operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful.

Threat – means that there is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The criminals have a specific objective and are skilled, motivated, organized and well funded.

The Methods of Attack

APTs generally follow a specific methodology in launching attacks. The first phase in the process is to begin targeting and “footprinting” an environment. During this time, the attackers collect data and assess network hardware, software, web, and email systems for “soft spots,” or weaknesses that can be exploited without detection. As the goal is to maintain “persistence,” an APT often has the ability to change and morph into new code, attach itself to other systems and begin transmitting data (the exfiltration process) to external sources.

APTs can be launched from multiple threat sources, which include Internet malware infections through pirated software, internet downloads, malware and script injections, as well as physical infections from USB devices, infected appliances and installed network equipment that has a pre-installed backdoor allowing unfettered access by the attacker. Some backdoors lie dormant for months prior to execution and are activated by triggers that the attacker sets to fire on a specific event or criteria.

One of the key characteristics of APTs is the implementation of software that allows the attacker to gain remote control and to maintain a consistent connection to its data source. Many APT exploits begin by targeting or “phishing” the computer or device of an individual user to gain access to more privileged organizational systems.

Compromising employee endpoints with malware has become the preferred method — as it is a far simpler path into the corporate network than a direct network attack. The most common method to initiate the launch of an APT is to collect username/password combinations of targeted organizations and to exploit weak identification and authentication processes. Password reuse by individuals who use passwords and PIN numbers to access web resources, financial/banking, and other online resources often provides a gateway for attackers to gain privileged access to corporate information resources.

Staying ahead of the Threat

Common tools are available to scan your network and discover known vulnerabilities, and keeping your systems up-to-date and patched has always been the golden rule in information security. However, identification of APTs is much more difficult than simply installing anti-virus software. It involves separating normal information flows and transaction processes from those that should be “flagged” for further analysis. The “low and slow” process of data exploitation — capturing and recording small amounts of information to be transmitted so as not to be detected — is common in an APT; thus, they generally do not create a “spike” that can be identified using network traffic and monitoring tools.

Increasing the monitoring and detective capabilities of your network infrastructure is critical for identifying APT threats. For example, a company whose employees work in a specific location between the hours of 8:00 a.m. and 7:00 p.m. should flag data that is being transmitted outside the network at 11:00 p.m. Another example would be to enhance user login monitoring to display the last user login time, so that individuals and system administrators can correlate when authorized users have access to protected information resources, and detect potential anomalies and potential breaches.
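The two checks described above can be sketched as detection logic over flow records. This is an added example, not part of the original article: the record layout, host names, the 10.0.0.0/8 internal range and the thresholds are all assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address space
WORK_START, WORK_END = 8, 19          # 8:00 a.m. to 7:00 p.m., as in the article

# Constructed sample flows: (timestamp, source host, destination IP, bytes sent)
FLOWS = [
    ("2013-07-22 10:15", "ws-014", "10.0.5.20", 48_000_000),    # internal backup
    ("2013-07-22 14:02", "ws-014", "198.51.100.7", 2_500_000),  # daytime upload
    ("2013-07-22 23:00", "ws-031", "203.0.113.9", 40_000),
    ("2013-07-23 23:05", "ws-031", "203.0.113.9", 38_000),
    ("2013-07-24 23:01", "ws-031", "203.0.113.9", 41_000),
    ("2013-07-25 23:03", "ws-031", "203.0.113.9", 39_000),
]

def is_external(dst):
    """True when the destination lies outside the assumed internal range."""
    return ip_address(dst) not in INTERNAL

def off_hours_outbound(flows):
    """Flows that leave the network outside working hours."""
    hits = []
    for ts, src, dst, nbytes in flows:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M").hour
        if is_external(dst) and not (WORK_START <= hour < WORK_END):
            hits.append((ts, src, dst, nbytes))
    return hits

def low_and_slow(flows, per_flow_max=100_000, min_days=3):
    """Source/destination pairs that send small amounts on many distinct days.

    No single flow is large enough to show up as a spike, so the check
    aggregates per pair and reports the cumulative byte count instead.
    """
    days, totals = defaultdict(set), defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_external(dst) and nbytes <= per_flow_max:
            days[(src, dst)].add(ts[:10])
            totals[(src, dst)] += nbytes
    return {pair: totals[pair] for pair in days if len(days[pair]) >= min_days}

if __name__ == "__main__":
    for hit in off_hours_outbound(FLOWS):
        print("off-hours:", hit)
    for pair, total in low_and_slow(FLOWS).items():
        print("low-and-slow:", pair, total, "bytes")
```

On the sample data the large daytime upload and the internal backup are ignored, while the four small 11 p.m. transfers from one workstation are reported by both checks.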

The evolution of “sandboxing,” which is a process where users conduct common activities such as email access, web browsing and external connections with untrusted users in an environment that does not connect to internal network systems, has become a popular way to segment corporate data and keep it from being captured by attackers.

Another way to stay ahead of APTs is to modernize information architectures to become more of a “moving target.” Many information systems and architectures remain unchanged for many years, enabling clear mapping and tracking of a target’s information resources. Although all systems can ultimately be decoded and decrypted and figured out over time — whether through dynamic or static means — an organization can make this task extremely difficult by routinely changing encryption keys and passwords, and using multiple strong authentication methods.

Three Steps to Stopping APTs

The first — and easiest — step to protecting systems against APTs is to move from username/password combinations to strong multi-factor authentication. Start by combining integrated solutions such as biometrics or smart cards with passwords. This creates strong assurance that only authorized users can access protected information.

Second, make it your organization’s goal to compartmentalize information within various user groups (e.g., human resources, finance, IT). This ensures that only the proper permissions are given to each user to perform the duties associated with their job.

Third, make security awareness training among executives, employees, and IT staff a priority. These exercises should be conducted on a periodic basis (quarterly, if possible) to ensure that organizations are committed to the fact that security is everyone’s responsibility.

Get Help

One of the common thoughts in the security community is to treat information systems and devices as if they have already been breached. Lowering the confidence factor that the appropriate security controls are in place and effectively working has many security practitioners conducting internal assessments of the information systems, endpoint devices and processes for vulnerabilities that can be (or have been) exploited.

Many security products that were only available to enterprise commercial customers are now being made available under a subscription or Software as a Service (SaaS) model that small and medium businesses can take advantage of as well. Professional services contracts are available for companies with limited expertise in evaluating and assessing the security posture of their business. Developing a relationship with a trusted security provider that can deliver customized external IT security audits (even for small and medium businesses) is a practice that no organization should forego.

Darnell Washington is the president and chief executive officer of SecureXperts Inc. (www.securexperts.com). With more than 25 years of professional information technology experience, he is actively involved in the design of secure network information technology architectures. He maintains technical certifications in Microsoft, Novell, and Citrix operating systems, and is a Certified Information Systems Security Professional (CISSP).