APT - There.. I Said It.
Recently I attended the Secure World Boston conference to sit in on a panel with industry experts about APT (Advanced Persistent Threat, for a great write-up on the definition see Richard Bejtlich's article titled, "What Is APT and What Does It Want?"). Following are some of my thoughts on the topic:
- Is APT something that everyone should be worrying about and planning for (is APT pervasive or just hype)? – APT is a new buzzword, but of course such threats have been around as long as there have been computer networks. It makes me think back Clifford Stoll’s book titled “The Cuckoos Egg”. I love Cliff’s analogy of “jiggling” the keys over the communications lines to disrupt the attackers just enough, but still give them enough access to keep an eye on them.
- Explain how APT works (reconnaissance, phishing, infection, exfiltration)? – The recon phase is the toughest to defend against and the most important phase to an attacker. Pre-texting is so important, yet much of the information has to be public and it’s tough to detect when someone is doing recon. This may turn into targeted phishing attacks, which are increasingly more successful. No matter how hard we try, we can’t educate all our users and expect them to catch 100% of the attacks - we have to rely on technology and training to ward off these attacks. Inevitably, people get into our systems and we need to have measures to detect unauthorized access to our systems. It’s presumptuous to think that your organization will never have a breach.
- What industries are targeted the most with APT? – I believe all industries are targeted depending on the motives of the attackers. Motives are one of those things that kill us in this industry, because they are so vast and sometimes they seem random. This is one of the things that separate physical security from information security. If you are defending the safety of the president, the attackers motives are pretty clear and keeping the president alive is your goal. Secret service employs strict and thorough security procedures, and I believe we can learn a lot from them. However, our IT issues run deeper: attackers may be after information, money, your Internet access/bandwidth, your partners or your employees, for different reasons ranging from economics to politics. Therefore, it’s a pretty level playing field with respect to the different industries that are attacked.
- What data is most often taken (this goes to adding more protections around the most valuable data)? – Depends on your attacker and your industry. Sometimes attackers are after intellectual property. For example, there have been a series of attacks against several major corporations, the latest of which includes RSA and the certificate authority Comodo. In each case the attackers were after something specific to the organization, such as information about RSA SecurID tokens, or copies of root-level CA certificates. The motives could also be political, and attackers are burying themselves in systems in an effort to disrupt communications or operations of SCADA systems (e.g., Stuxnet).
- What are the most common Trojans used with APT? – This is an interesting question, and I think an even more interesting point is how sophisticated malware is getting. The bad guys are using the same technologies we’re using, except they are implementing them for evil purposes. Attackers are using encryption, 0-day exploits, cloud computing and P2P networking technologies to increase their chances for success and reduce their operational overhead. You also have an underground economy that is growing, taking the work of the best hackers and putting it the hands of common criminals. So, you don’t have to be the worlds best hacker, you just need to have some money and know the right people and you can get your hands on some of the best tools. I think the most common malware that we see is not what we need to worry about, but rather the one-off attempts that are largely going undetected.
- What can be used for detection (system logs, AV logs, IDS logs, Netflows, DNS, VPN logs, Full packet capture, File system analysis)? - Detection is really the name of the game. Again, it’s hard to detect recon and exploitation. I’m not saying you shouldn’t try, but attackers have the advantage, mostly using social engineering and exploits that leave little trace or don’t even rely on a software vulnerability (Java applets, default/weak passwords, etc.). Detecting the remote connections to your systems is critical, because at the end of the day an attacker has to make a connection to control a system or exfiltrate data. I’m a big fan of log analysis and NetFlow data, which are big indicators of compromise. The key is to detect it as quickly as possible and not let a compromised system sit inside your network for extended periods of time (such as months or years).
- What can be done (logs, correlation of data across the enterprise, combine response efforts into a central location, keep data longer)? – I think some of the best technology for detection is software that monitors the behavior of processes. For example, if you can answer questions such as “Why is explorer.exe connecting to port 443 on a server in China” or “Why is Internet Explorer reading all of my NTLM hashes?” you can often detect the presence of attackers without relying on a signature.
- How can you tell you've been infected by APT? – Best case, you see the compromise in your logs and deal with it. Worst case you receive a bribe letter/email from evil attackers, or have your most private data posted openly on the Internet.
- How long should you maintain this network data (3 months, 6 months, 9 months, a year)? – There are some regulatory compliance requirements that will dictate how long you should store data of certain types. Compliance aside, its really up to you, I don’t think that storing more data will increase chances for success in detecting attackers. A year is best, but this needs to be balanced with your business goals and objectives with respects to cost and people time. More importantly, having large amounts of data will not help if you cannot or will not correlate it and use it to your advantage.
- What can be used for mitigation (DNS/IP Sink Hole, system remediation and reimage)? – I’m a huge fan of honeypot technologies. I’m not talking about setting up a system, letting people break into it, and watching them. I like to modularize the honeypots, and implement darknet space monitoring, tarpits (network and web), dummy accounts, etc. There is a lot of work going into this area (see my upcoming talk at SOURCE Boston for more information).
- Do you notify law enforcement when you find APT (or the company that you saw was infected by this malware)? – You should notify law enforcement if you believe your compromise is part of a larger scheme or you have incurred damages that could lead to criminal charges. The key here is to establish the relationship with your legal department and law enforcement before there is a compromise. Infraguard is a great program for keeping the communication channels open with law enforcement.
- Do you recommend security awareness to all employees and if so, do you have any examples/suggestions? – Absolutely, the best user education starts with personal and hands-on training. Embed this into your culture so it spreads in a positive way between employees.
- Are you seeing APT being used by certain countries or is it equally used across the globe? – I’ve had the same questions, and one of the best answers was provided to me by Brian Krebs. Many eastern countries, Romania and the like, have great infrastructure for training their people in highly technical jobs, however there are no such jobs available. So, they use their skills for evil rather than working in a much lower paying job.
Your APT Anti-Hype By Marcus Ranum