Marketing folks have already started using the term Advanced Persistent Threats (APT) extensively, many of them without understanding what it is. For many of them every malware identified, every attempted breach is an APT, they try to the spread the FUD and exploit to their advantage. Let's look at what APT is and what's new about this. I have known APT since last one year or so from many of the proponents such as Mandiant and Richard Bejtlich, so, the term in itself is nothing new but has been getting lot of press lately due to the Google China incident.
What is APT?
APTs are specific threats where the threat agents are highly motivated and they make these highly advanced, targeted, and customized threats to infiltrate into corporate networks and gain persistent access. Their goal is to take sensitive information, which can be used for variety of tasks.
A good example is a customized malware embedded in a PDF, which gets emailed in a typical social engineering attack to a specific individual who may have access to confidential information, including an organization's intellectual property. This malware is used to leak the important data out of the organization. The malware goes undetected by the organization's multiple defensive mechanisms, the traffic would also look legitimate since there is no sign of widespread attack or mass leak of information to a particular threat source. Many of the traditional defensive mechanisms fail in this case. Can user awareness be a good defense against these type of threats? Sure, to a certain extent. Since the exploit is so customized and the attacker has taken so much time and effort to look it legitimate, most, if not all users would fall for it.
With the increased popularity of social networking, adversaries find it easier to do social engineering attacks. I am not talking about home users and home computers, the danger is in allowing corporate users to access various social networking sites. One typical attack involves a video link, which may look like came from a friend, who is visible in your social networking profile. Since it came from a known person, most of the users will click on the link and the video. The video asks the user to download a codec or video plug-in, which is nothing but a deadly malware and now, the user unknowingly allowed the presence of adversaries inside the corporate network.
One of the APT Trojan is a new variant of the well known Zeus Trojan (there are conflicting notions as to whether APTs known to use Bots). It is spread via e-mails purporting to be from known organizations or known people and the system gets infected, when people click on it. The same Trojan is also sent as phishing message on Facebook and other social networking sites. Secureworks recently reported that Zeus Trojan is the one malware most utilized by criminals specializing in financial fraud.
Adversaries also use many of zero-day exploits in gaining foothold on the corporate networks. These zero-day exploits goes undetected by the various tools employed by the organization. The fact that product vendors some times takes more than 6 months from the date they have known about the vulnerability to release patches, makes it easier for these adversaries.
What are the characteristics of APT?
Some of the characteristics that Peter Silberman from Mandiant mentioned in a recent presentation based on their own investigation into many of this type of threats were:
- APT tries very hard to camouflage itself
- Use Windows file names like svchost.exe
- Usually not packed
- Replicate system DLL resource sections
- Small file sizes
- Copies itself to folders in \windows\system32\somesubfolder\* and executes as svchost.exe
The biggest problem in identifying this type of threats is organizational awareness. Many organizations are not aware of such adversaries, who are highly skilled and highly motivated. Another biggest problem is that organizations are not aware of the information these criminals are after and they are still in infancy trying to both identify and protect such information. Some of the ways to identify such threats are:
- Memory analysis
- Look for processes that should not be run from by a normal user
- Look for processes that runs from a path other than %systemroot%\system32 \. These are the two characteristics that the newly released tool Malware Rating Index or MRI look for
- Look for unknown executables both in %systemroot%\system32 and other directories
- Look for registry changes
- Look for unsigned DLLs that hooks on to regular processes
- Detecting unusual outbound traffic using netflow type of network behavior analysis tools. Many of such tools cannot look at encrypted traffic, so it is very important that organizations, while performing network analysis, spend cycles on identifying what is "normal" at least for traffic leaving or entering organizational boundaries.
- Awareness, - both user and organizational - goes a long way in identifying and preventing this type of threats.
- Ensure that the defense-in-depth methodology and tools are working as expected. This includes your AV, HIPS, NIPS, log monitoring, vulnerability assessment, patching, etc
- Actionable intelligence
These threats are real and getting increasingly sophisticated, tools and defensive mechanisms continue to play catch-up. As Rich Mogull put it, "There isn't a tool on the market, or even a collection of tools, that can eliminate these attacks".
What we need is a coordinated effort between high ranking information security professionals of both corporations and law enforcement who can share the intelligence on real time basis. This way organizations can take these intelligence and build effective responses to such threats. We are already seeing that in the form bay area CISO meet-ups and some other community gatherings.
Organizations must also go back to the basics and start identifying the critical assets and build threat based or risk based preventive controls.