
Defending against Advanced Persistent Threats

Alfonso Barreiro defines the security class known as Advanced Persistent Threats (APTs) and describes the security view you should take of your organization to combat them.

Depending on who you ask, an Advanced Persistent Threat (APT) is either a nightmare scenario that keeps CSOs awake at night or just the newest security marketing buzzword. Let's take a closer look at what an APT really is and what defenses are available against them.

APT Defined

Ever since the term was introduced in the media, there have been numerous definitions of what an APT is. Perhaps the most hype-free definition is the one from NIST, which defines an APT as:

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.

This definition should clear up a common misconception about APTs: they are sometimes characterized as a purely technical problem, like a zero-day vulnerability. An APT is an attacker with a clear objective, willing and able to employ multiple tactics ranging from simple social engineering to extremely complex malware, and to adapt them as needed to fulfill that objective. This stands in stark contrast to the garden-variety attacker who uses large-scale automated tools to identify and compromise what are essentially targets of opportunity.

Another notable characteristic is the amount of resources available to these attackers, which is one reason they are often described as state-sponsored. This association also creates the misconception that APTs are used only by foreign governments, but other organizations can fund these attackers too, from companies willing to engage in industrial espionage to organized crime rings.

Defending against an APT

With the deck apparently so heavily stacked in the attackers' favor, how can you defend against an APT? First, before you can mount a credible defense against this type of threat, you need to cover the basics. According to the most recent Verizon Data Breach report, 96% of all breaches were not very difficult because some basic security practices were not in place. Proper password and authentication policies, patch management procedures, proper firewall and IDS configuration, and log review procedures are among the basic security practices that should be second nature to your organization.

The second step is to evolve your view of what you have to secure. These attackers are looking for your most valuable information assets, so you need to know what that information is, where it resides, who has access to it, why they have access, and when they access it. Answering these questions gives you a clearer picture of which pieces of your infrastructure are most critical and need your attention. This, in turn, helps you decide where to focus when searching for anomalies in your logs and how to prioritize when incidents occur.

Another step is to recognize how important the users in your organization are to protecting your information assets. Several organizations that have fallen victim to APTs were first compromised through socially engineered attack vectors. Security awareness among users at all levels of the organization is key to any information security strategy.
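As an added illustration (example code written for this page, not part of the original article), the following Python script turns the answers to the second step's questions (what the asset is, where it resides, who may access it, why, and when) into a small inventory, and then uses that inventory to prioritize the log review the first step calls for: an access to an inventoried asset by someone outside its authorized list, or outside its expected hours, is flagged, and findings are ordered by asset criticality. The inventory, the log format and the log lines are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
import re


@dataclass
class Asset:
    """One entry in the information-asset inventory (constructed for this example)."""
    name: str                        # what the asset is
    location: str                    # where it resides (host, share or database)
    criticality: int                 # 1 (low) to 3 (high), as rated by the organization
    authorized: dict = field(default_factory=dict)    # who may access it -> why
    access_window: tuple = (time(7, 0), time(19, 0))  # when access is expected


# Constructed inventory; "*" means every authenticated user is expected.
INVENTORY = {
    "crm-db": Asset("customer database", "db01.corp.example", 3,
                    {"alice": "sales operations", "svc_crm": "CRM application account"}),
    "design-share": Asset("product design files", "fs02:/designs", 3,
                          {"bob": "engineering lead"}),
    "wiki": Asset("internal wiki", "wiki.corp.example", 1, {"*": "all staff"}),
}

# Constructed log format: "<ISO timestamp> <user> <location> <action>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

SAMPLE_LOG = [
    "2012-05-14T09:12:03 alice db01.corp.example SELECT",   # authorized, in hours
    "2012-05-14T02:41:55 alice db01.corp.example SELECT",   # authorized user, but 02:41
    "2012-05-14T10:05:00 mallory fs02:/designs READ",       # not on the authorized list
    "2012-05-14T11:30:00 carol wiki.corp.example READ",     # anyone may read the wiki
    "2012-05-14T23:00:00 carol wiki.corp.example READ",     # low criticality, after hours
    "this line is malformed on purpose",
]


def parse_line(line):
    """Return (timestamp, user, location, action) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, location, action = m.groups()
    try:
        return datetime.fromisoformat(ts), user, location, action
    except ValueError:
        return None


def find_asset(location):
    """Map a location seen in a log line back to the inventoried asset, if any."""
    for asset in INVENTORY.values():
        if asset.location.lower() == location.lower():
            return asset
    return None


def review(lines):
    """Flag accesses that contradict the inventory and order them by criticality.

    Each finding is (criticality, asset name, user, ISO timestamp, reason);
    the most critical assets come first, then chronological order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, location, action = parsed
        asset = find_asset(location)
        if asset is None:
            continue                      # not an inventoried asset: lower priority
        reasons = []
        if user not in asset.authorized and "*" not in asset.authorized:
            reasons.append("user not in authorized list")
        start, end = asset.access_window
        if not (start <= ts.time() <= end):
            reasons.append("outside expected access window")
        for reason in reasons:
            findings.append((asset.criticality, asset.name, user, ts.isoformat(), reason))
    findings.sort(key=lambda f: (-f[0], f[3]))
    return findings


if __name__ == "__main__":
    for crit, name, user, when, reason in review(SAMPLE_LOG):
        print(f"[criticality {crit}] {name}: {user} at {when}: {reason}")
```

Run directly, the script lists three findings, and the two against criticality-3 assets come first. In practice the inventory is the output of the asset review described above, and the log lines come from whatever the organization's systems already record, so the parser is adapted to that format; the ordering by criticality is the part that carries over unchanged.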

About

I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, fo...

29 comments
bvergara

Is it descriptive? Does the constant use and marketing hype cause it to be debased?

Wunderbarb

>>>Thanks to MPAA, we now have hardware based DRM

JCitizen

I am seeing enough evidence to be very suspicious that some APTs are built into many of the OEM machines being sold everywhere. We are way too reliant on just a few manufacture sources, and oversight is so low as to be negligent in many cases. I've had machines that were so impossible to rid of malware, that I am sure the hardware itself is very possibly to blame. How do we know doped chips aren't being installed into motherboards, BIOS, and peripheral hardware? Thanks to MPAA, we now have hardware based DRM, and who is controlling and supervising the integrity of that? No one I trust! I can tell you that! The morass of tangled software and hardware that is DRM based in modern machines is a spaghetti that will not be solved for a long while unless our "Cyber-Security" czar responds to the threat!! Fat chance of that!!! X-( The behavior I've gathered from these investigations is mind boggling, and if I were to reveal my findings, I'm sure you would all think I was a paranoid schizophrenic! We better get a handle on it soon, or our US innovators will be doomed for the foreseeable future, and the US will become a second rate nation, by default. This article doesn't even TOUCH on the seriousness of this problem. We should demand better!!

rhys

Bottom line up front: Successful defence against APT requires:
* depth in defence
* continual improvement

And then support for what I put forward in a more verbose form:

From my own understanding an APT is: a threat created by a technically sophisticated adversary who will persist at their goal(s), adapting attack methods and/or vectors, often using gathered information (reconnaissance) to assist their goal. I question NIST's inclusion of "significant resources". I consider that any technically minded individual could create an APT with a very modest capital outlay.

Commonplace threats are generally about low hanging fruit (easily achieved objectives). Where their objective is not met the attacker wastes no effort on a resistant target; instead the attacker persists with the same attack on a new target. When this attack stops making enough money they change attack method or vector. To my mind the APT is not about low hanging fruit as an end goal, although low hanging fruit may be used to assist the achievement of an end goal.

To resist a common threat one line of defence can be a successful defence. To resist an APT requires depth in defence. If you fend off one attack the cost to the attacker is typically time (wages) and opportunity cost. With a high value target the attacker can afford many losses, whereas a single loss for the defence can be a total loss. This is where depth of defence comes in to reshape the field. The aim is to make it unfeasible for the attacker to breach your systems. No single defence is required to be impregnable under this model.

Every day the trade off of productivity and security sees many security holes left vulnerable. As long as software cannot be guaranteed to have no zero-day exploits, you cannot rely on any single piece of software being secure. So layer your security and avoid single points of failure. Protect one database containing usernames, also protect another database containing password hashes, audit the two separately. Sure security on either may be broken, but if you have good intrusion detection and audit you have a good chance of spotting untoward activity on one before the other is compromised.

Given enough time any attacker will defeat any single system. Again depth in defence is there to make attack unfeasible. If they can get a key to one lock make sure they have to get a second key, have tamper evident locks, and change the locks with a frequency that makes it unlikely an attacker can penetrate a second level. Penetration can be time consuming for an attacker, so continual improvement and changing targets give a better chance of successful defence.

Continual improvement is necessary. Patching is important. Review of your procedures and familiarisation of users with the procedures is also important. That firewall you bought in 1995 does not have the same intrusion detection capability as a firewall you can buy today. Attackers learn from their successes and failures. As a defender you cannot create a defence and assume that because the defence was sound when you implemented it, the defence will remain sound forever.

So lastly to all sysadmins: Stay paranoid - I may rely on you!
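As an added Python example (written for this page, not rhys's code) of the point about protecting the usernames database and the password-hash database separately and auditing them separately: the two stores are linked only by an opaque id, each keeps its own audit trail, and a cross-check between the two trails reports reads of the hash store that no username lookup accounts for, which is what a bulk dump of one store looks like. Store names, actors and credentials are all constructed.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 50_000   # kept modest for the example; production settings are higher


class AuditedStore:
    """A key/value store with its own audit trail (constructed for this example).

    In a real deployment this would be a database whose audit log is produced
    by the database engine itself, so a direct export of its tables is still
    recorded and can be cross-checked the same way."""

    def __init__(self, name):
        self.name = name
        self._data = {}
        self.audit = []           # (store, actor, operation, key)

    def put(self, key, value, actor):
        self._data[key] = value
        self.audit.append((self.name, actor, "put", key))

    def get(self, key, actor):
        self.audit.append((self.name, actor, "get", key))
        return self._data.get(key)

    def keys(self):
        return list(self._data)


def register(users, hashes, username, password, actor="auth-service"):
    """Usernames go to one store, hashes to the other, joined only by an opaque id."""
    uid = secrets.token_hex(8)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    users.put(username, uid, actor)
    hashes.put(uid, (salt, digest), actor)


def authenticate(users, hashes, username, password, actor="auth-service"):
    """A legitimate login reads the username store first, then the hash store."""
    uid = users.get(username, actor)
    if uid is None:
        return False
    record = hashes.get(uid, actor)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def unpaired_hash_reads(users, hashes):
    """Audit the two stores separately, then cross-check the two trails.

    Every legitimate read of the hash store follows a username lookup by the
    same actor, so an actor whose hash-store reads outnumber its username
    lookups (a bulk dump, for instance) is reported along with the keys read."""
    lookups = {}
    for _, actor, op, _ in users.audit:
        if op == "get":
            lookups[actor] = lookups.get(actor, 0) + 1
    seen = {}
    findings = []
    for _, actor, op, key in hashes.audit:
        if op == "get":
            seen[actor] = seen.get(actor, 0) + 1
            if seen[actor] > lookups.get(actor, 0):
                findings.append((actor, key))
    return findings


def simulate_bulk_dump(store, actor):
    """Read every record through the audited path, as a database export would."""
    return [(k, store.get(k, actor)) for k in store.keys()]


if __name__ == "__main__":
    users = AuditedStore("usernames")
    hashes = AuditedStore("password-hashes")
    register(users, hashes, "alice", "correct horse")
    register(users, hashes, "bob", "battery staple")
    print("alice login:", authenticate(users, hashes, "alice", "correct horse"))
    print("unpaired reads before dump:", unpaired_hash_reads(users, hashes))
    simulate_bulk_dump(hashes, "dbadmin")
    print("unpaired reads after dump:", unpaired_hash_reads(users, hashes))
```

The split means a copy of either store on its own yields no usable credentials: the hash store contains no usernames and the username store contains no hashes. The cross-check is deliberately simple (a per-actor count) so that it can be run over the two audit logs by whoever reviews them, without either store trusting the other's log.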

SHCA

Excellent synopsis, Alfonso. I particularly like your clear explanation of practical defense actions that do not involve add-on technology. I would add that for Small Business, APTs represent a game-changer. Not long ago, Small Business could ignore targeted attacks, since the attackers were primarily interested in vandalism and notoriety and sought high-profile enterprises or organizations. Since APTs are automated and come from organized crime syndicates seeking cash or marketable IDs, Small Business are for the first time in the crosshairs, and even MORE DESIRABLE THAN ENTERPRISES. (sorry about the caps, but I think this needs emphasis.) Small Businesses offer a quick turnaround of a reasonable payday, with very little chance of the attacker being pursued by law enforcement or superior skills. With automation, a skilled operative can steal hundreds of thousands of dollars, hundreds of times per year. That's eight-figure income with very little risk.

Alpha_Dog

The difference between an APT and a normal threat is that an APT is prepared to "go the distance" to get what they want, not just walk away at the first locked door. This sounds to me like the difference between a burglar prowling around looking for an unlocked door or window (normal threat), and a bank robber who will come armed and prepared, after a specific thing (APT). Simply put, we don't put bulletproof glass in our front room, nor a tube system for the mail man on our house, so it is just as unreasonable to create a massive security system on a network that has little in the way of threats. It would make more sense to secure what you can, and insure (backup) the rest. If your business has specifically valuable targets, you should store these offline or behind God's own firewall (vault).

Wunderbarb

I like the NIST definition. As usual with NIST, they are clear and far from any buzz. One of the consequences of this definition is that APTs are highly technical, expensive attacks and thus targeted against high value assets. Although your three steps cannot be challenged, I do not find them specific to APT. They are part of good security practices. With my team, we use ten laws of security. Your steps map to some of them.

Step 1: law N°7: Security is not stronger than its weakest link; close the most obvious holes.
Step 2: law N°2: Know the assets to protect; the foundation of any serious security.
Step 3: law N°6: You are the weakest link.

Your three steps are useful against all types of attacks. The difference is that defending against APT will require more skills, more training, more accuracy, more monitoring, more money... Which brings us to my law N°1: Attackers will always find their way. If you have high value assets, try to bring the fence high enough, although in some cases the asset is invaluable.

JCitizen

You seem educated on the matter; surely you are aware that many HD capabilities in PC systems, especially cable-ready systems (MCard), were required since 2008 to be only government approved MPAA standards hardware. When I ordered my HP CTO desktop, it had to have a DRM approved BIOS, video adapter, multi-media bay, TV card, digital tuner module, and Blu-ray burner. Even the operating system was specially coded for this scheme, and a separate product key was required for both the operating system and the media center package!! Just an FYI in case you weren't already aware. It has been a three year nightmare for me, and has only abated somewhat since SP2 for Vista Home Premium x64 systems. I'm sure even Microsoft had to abandon this scheme, as I see separate hardware devices are becoming available for private builders. I saw many government approved OEMs go down the poop-chute since then, but then the stock market crash didn't help.

JCitizen

A DRM scheme which has been taken over by criminals within an organization (remember Sony?) is a threat you will not easily extract from a PC system. That fits my understanding of an APT to a tee! The only recourse is to either remove all HD related hardware, or buy a computer without it; and definitely get a clean operating system from Microsoft. Microsoft seems resigned to the problem, because they are offering free installation disks with SP1 to aid in fixing this issue. I've been struggling with DRM issues for three years, and found many of my clients with similar problems were in even deeper hot water. I very vigorously suspect they fell into a trap built into every new computer that has these features if they are surmised to be a potential target. Almost all of them are industrial developers, or are in the information chain to an innovator. At the very least - it is a giant fiasco, and failed DRM scheme for one of my clients. The other victims had obvious attack evidence upon forensic examination. It didn't take much sleuthing to see this, because the attackers are so brazen.

AnsuGisalas

It's basically a government approved trojan... but one hell of a whopper of one. Big enough to have all sorts of flaws included, providing attack vectors in abundance in all likelihood.

Wunderbarb

I agree with AnsuGisalas, this is not APT. APT are highly sophisticated, "hand-crafted" attacks. The first time APT was coined was for the RSA hack, whose ultimate target was Lockheed Martin. The attack is complex and with multiple steps. See http://eric-diehl.com/blog/?p=783 The objective of an APT is often very precise (and not simply driven by gaining money; there are other easier attacks to skim money).

AnsuGisalas

I don't think that was part of the definition. An APT is a person or persons, not a script or bot.

AnsuGisalas

...rather than a stray looking for a warm body to nest in. Basically, I think the big lesson is that with an APT you [i]have to forget ALL the low-hanging fruit crap[/i], an APT will be bringing a ladder. It might be a contract hit, it might be someone with a chip on their shoulder, or who knows, maybe a random corporate stalker... but they're after [i]you[/i]! Here's what I think was left for future investigations by this blog: How do you become aware that you have an APT on your hands? Logging the port scans? Asking that employees disclose all suspicious contacts, including "wrong numbers"? Looking at incoming phone call sources? In the end, if you want to defend against APTs, it's a war. And a defensive trench war at that. You have to have a disciplined, dedicated work force to get anywhere. You can't have any flab on your corporate body: no pointy-haired bosses, no office cranks, nothing that can create predictable rips in your armor. It's a whole other game than corporate business as usual. But think about that for a while, maybe there could be derivative benefits from those preparations? After all, the point is to remove weaknesses by improving the work force mentality, not by engendering paranoia. Paranoia isn't preparedness, it's just another kind of weakness that an attacker can exploit.

AnsuGisalas

An APT is a person, so you have to look at the payout yield: monetary value of assets that can potentially be stolen / time investment to pull off the theft with reasonable certainty. If your system is a pushover, taking half a day of research and half a day of action to get through, then all it needs to pay off is one day's salary - say, $800/day. And given that it only has to be an average payoff for the type of business you run, it doesn't matter if the actual yield of your specific organization is half that, you can still find yourself targeted. But even then, an APT doesn't have to be about money. Hacktivists are often APTs in their own right. A disgruntled ex-employee can be an APT (or, much worse, it could be a present employee - imagine that one for a sec). An APT that is after a business partner may also decide to check if they can get at them through you... The one thing that defines an APT is [i]they're out to get YOU, and have the means to[/i]... it changes everything. Now your employees must actually want your organization not to be breached, rather than simply want not to be personally held responsible for such a breach. It's a huge difference, and it's all about the hearts and minds.

AnsuGisalas

I don't know how to check which solutions can actually be layered, and how to see if they are tripping each other up... and how to see if they leave holes open by covering too many of the same things and leaving too many of the same things uncovered. Of course, that might be a more costly article to research.

JCitizen

in instances I've observed. The automated parts of the surveillance, acquisition, and attack are 97% of the operation, from a figure I just grabbed out of the air. The remote participation from the cracker is just administrative, to oversee their 'bot' minions and finalize some of the configuration, to assure continuation of operations. I've even seen the attackers leave notes on the victim's machines! Usually in their native language, but not always. They are a very confident and outlandish lot!

Alpha_Dog

If one prepares for APT attacks by doing the research, taking precautions, understanding the parts of the org that are targets, etc... we have not only dealt with the bored teen, but also the determined intruder. To my mind it simply states that we need to secure our assets by conducting the kind of wargames we should have been doing anyway, and then act upon the information. To be blunt, we have always dealt with security in this way and have never had a breach, even in quarterly exercises with our sister organization who knows our architecture and physical security. Then again, we all cut our teeth on DoD and HIPAA, and now do aerospace.

JCitizen

One thing about it though. I have several cautions:

1. Don't buy refurb machines; one of my victims looks like they were targeted by the attacker this way - but they were probably being surveilled before this action, and an unsuspecting partner took bad advice on the source of the purchase (the bad advice coming from a plant in an outside vendor). More likely the refurber was doping all the machines going through their doors - an infiltrator is always a possibility here of course - in fact more likely than not.
2. Beware of any machine that has a Blu-ray, or HDMI output on the display chip/adapter. I very strongly suspect someone in high places is setting traps in both the hardware and software DRM here. I'm especially suspect of Cyberlink, although I now trust none of them!
3. Beware of being or cooperating with Microsoft Partners! Their network has been cracked and you will never know if you are actually connected through them without being on VPN to the partners' web sources. I strongly suspect there are inside rats in that maze! We were able to get Microsoft to admit there were redirects placed by crackers somewhere on the web, with bad certificates sending the built in updater to poser sites. We can't get them to admit it publicly, however. I'm willing to risk it all to argue with anyone from Redmond to prove me wrong.

It's time we started calling a spade a spade, and think outside the box to get to the bottom of this! I'm beginning to think the only hope my clients have is to completely isolate the machines that have intellectual property and records on them from the web, and use Live CDs for any other web access, on machines in a DMZ. But then, you've got to ask - which Linux source do you trust? So far for me, it is SourceForge and/or On-Disk.com; but how long will that last?

JCitizen

Before beginning work, I remove the machine from the network, flash the BIOS, hard drive/Blu-ray (if firmware capable), and remove all internal cards. Then I use the factory diagnostic disk and/or Darik's Boot and Nuke to blast any malware that is hidden in any sectors marked as damaged by the criminals. These are the reason wiping and re-installing doesn't work. This article should have gone into more depth on this, but it was about avoiding it altogether, and was too simplistic.

I then re-install, but password protect and disable the original owner, or hidden administrator (in home versions), after creating an administrator account. I close all sharing loopholes as much as is possible without destroying functionality. I make sure the machine's operating system is fully updated behind a UTM gateway appliance before applying all layered defenses. I am relying less and less on AV/AM real time protection, and more and more on solutions that rely on more preventative measures, like behavioral heuristics, whitelists, registry hacks, and hosts files. Using a good perimeter hardware device can't hurt, but of course that is only one peg on the board. Kernel based solutions have become paramount to keep the malware from manipulating the solution. If I do use a popular AV/AM product, it has to offer real time protection of some form or another on standard accounts, or else it goes into the trash. The Microsoft NT5 or 6 kernels are both pretty good defenses, so I always assure the client uses standard accounts to receive the full protection of the new NTFS security structure. I can usually re-install their hardware, and see if any alarms go off, in a reinfection attempt. Even if the defense fails - by this time, it is obvious the attackers are serious, and a more radical plan has to be developed. Some of them have success moving to Apple or Linux - but then again, the threat profile on those is growing as time progresses too!

As far as testing, I just had to try over and over again, combinations of solutions for home and SMB clients, that probably don't interest enterprises. So I rarely go through the list of successful utilities I've found to be the best. I ran them concurrently and looked for stability issues, and kept an eagle eye on the event viewer to see if there were any conflicts. System resources haven't been a problem with the candidates I've selected, and all of them use separate technologies to be effective toward this goal. The only problem is, many of these utilities get too successful and the developers think they need to load bloat onto their creations, and they turn into huge suites that become more and more ineffective or downright unusable - so my list changes by the month!

For one of the innovators, I am trying [b]Drive Vaccine[/b], which started out being a card based (hardware) solution, but evolved into a software product. This solution is "supposed" to be better than Steady State on XP, and Faronics Deep Freeze. Their web site actually explains why, and it is very complicated, so you may find it an interesting read! I'm trying to get one of my most vexing problem situations solved with this, if I can just get the client to cooperate with this test. I will definitely post somewhere on TR, if and when this occurs. I'm too busy to run my honey pot lab anymore - I've found my clients make the best test bed - bless their hearts. This is a cruel way of doing business, but since most of them are indigent at this time of their life, I'm just doing it for the pure pleasure of thwarting the criminals in their master plans.

JCitizen

to at least write a book. But that client has already lost some partners under "suspicious" circumstances, and is terrified to go public!

AnsuGisalas

That's absolutely horrendous. It's a wonder Hollywood hasn't already grabbed that scenario, it's just so terrifying.

JCitizen

education I've received from reading article and video links on Brian Krebs' site, the attacker does little until his bots find a mark, and then it becomes like the anti-tank guided missile analogy. Even then most of the surveillance and data gathering algorithms need little console participation from the cracker. Just a few minutes of analysis and a few clicks on the console to pick the next path or launch a new exploit pack. If the goal is just to steal money, then yes, the man-in-the-middle takes more personal attention. Some of my victims were robbed by these dedicated teams so they no longer had the funds to do business anymore. They like to keep them on a string, like a marionette puppet, so they can keep them in the gutter, where they can watch them and keep them from bringing in the cavalry or gaining legal help. In one instance I had to spend about a month waiting for the victim to find a way to contact me that wasn't poisoned or completely under control of the crackers. This included the victim's email and telephone! :O !! Once contacted, I was able to give them advice on defeating the communications interruptions, until we at least had that factor cleared up; the rest of the case isn't over yet.

AnsuGisalas

The ATGM doesn't do anything without an operator, but the operator is still just pointing and clicking. However, the social engineering threat and the whole persistence thing are definitely un-bot techniques. They are the human touch. Too bad it's the withering kind.

Alpha_Dog

This is why we have quarterly attempts on each other's networks. The victors get bragging rights as well as an all-expense weekend... The losers also benefit by learning something new and are able to fix the hole. Four years ago, these exercises were a different story. Both sides got their weekends and when they came back, there was work to do. Eventually the networks hardened and now it's rare for there to be a victor. Bottom line: The only defence against APT and any other threat is to acknowledge that mistakes are made, technology and methods advance, and that the constant improvement cycle must be nurtured.

AnsuGisalas

It's very easy to become complacent when every report is positive... it's easy to make the mistake of going from an inductive "We haven't failed" to a deductive "We don't fail", implying "We can't fail". I more than suspect it's easier to fall into this trap if one doesn't have a firsthand idea about the work that goes into "not failing". Every time some company lets a pointy-haired one out to say "We don't make mistakes", I know that's a company worth hedging against :D

JCitizen

He's probably used to the "we" vernacular, because of all the "team building" going on in our institutions. I know I can't do without my cohorts! :)

AnsuGisalas

As long as you don't let it go to your heads. :^0