ADVANCED PERSISTENT THREATS MITIGATION SERVICES & SOLUTIONS

From

With all the buzz surrounding the term Advanced Persistent Threats (APTs), we decided to de-mystify the jargon and present the view from the trenches.

Advanced Persistent Threats

Document Tracker
Author
Manasdeep

Version
November 2012

Summary of Changes
Document Created

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 2 of 19

Advanced Persistent Threats

NOTICE
This document contains information which is the intellectual property of Network Intelligence. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of Network Intelligence. Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual property or other rights of any third party or of Network Intelligence; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Network Intelligence. Network Intelligence retains the right to make changes to this document at any time without notice. Network Intelligence makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein.

Copyright
Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved. NII Consulting, AuditPro, Firesec, NX27K is a registered trademark of Network Intelligence India Pvt. Ltd.

Trademarks
Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.

NII CONTACT DETAILS

Network Intelligence India Pvt. Ltd. 204 Ecospace,Old Nagardas Road,Near Andheri Subway, Andheri (E), Mumbai 400 069, India Tel: +91-22-2839-2628 +91-22-4005-2628 Fax: +91-22-2837-5454 Email: info@niiconsulting.com

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 3 of 19

Advanced Persistent Threats

Contents
1. 2. 3. a. b. c. d. e. f. 4. 5. 6. 7. 8. 9. Introduction .............................................................................................................................. 5 Spear Phishing ........................................................................................................................... 7 Advanced Persistent Threat Life Cycle:....................................................................................... 8 Preparation............................................................................................................................ 8 Initial intrusion....................................................................................................................... 8 Expansion .............................................................................................................................. 8 Persistence ............................................................................................................................ 8 Search and Exfiltration ........................................................................................................... 8 Cleanup ................................................................................................................................. 9 Case Study Analysis: RSA SecureID hack ................................................................................... 10 Case Study Analysis: Operation Aurora .................................................................................... 13 Mitigation and early detection of an APT ................................................................................. 16 Security solutions to protect from APT ..................................................................................... 17 How can we help your organization ......................................................................................... 18 References............................................................................................................................... 19

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 4 of 19

Advanced Persistent Threats

1. I NTRODUCTION

Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organizations intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the countrys national security itself. The defensive tools and other controls are frequently rendered ineffective because the actors behind the intrusion are focused on a specific target and quickly adapt their ways to predict and circumvent security controls and standard incident response practices. As a result, an effective and efficient defence strategy requires good situational awareness and understanding. What are Advance Persistent Threats?[2] Advanced Persistent Threat (APT) refers to a long-term pattern of targeted hacking attacks using subversive and stealthy means to gain continual, persistent exfiltration of intellectual capital. The entry point for espionage activities is often the unsuspecting enduser or weak perimeter security. Extensive research is done using social media sites, public available documents on organization, its processes, its technology and its people prior to craft an APT attack. The defence doctrine in the case of APTs must change from keeping attackers out to sometimes attackers are going to get in; detect them as early as possible and minimize the damage. Why the term Advanced Persistent Threats? [2] Advanced Attackers have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it. Persistent Attackers give priority to a specific task, rather than seeking information for financial or other gain. If the attacker loses access, they reattempt access; often successfully. One of the attackers goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task. Threat APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The attackers have a specific objective and are skilled, motivated, organized and well-funded. What makes APT's so dangerous? APT attacks concentrate on people first and not on infrastructure details directly. Since people are the weakest link in the organizational security, there are more chances of data breaches than the traditional methods used by hackers A simple "voluntary action" done by innocent employee by biting socially engineered bait will bypass all the protection methods put forward by technology.
Confidential Network Intelligence (India) Pvt. Ltd. Page 5 of 19

Advanced Persistent Threats

If people are not properly educated or trained to combat social engineering, it is very difficult to contain the attack in the first place. APT's are silent, highly sophisticated, well-crafted attack paradigms which frequently use a customized code, combination of many 0day exploits and extensive research done on both the employees targets and the asset to be compromised along with well-planned method to clean up all evidences of its activities after its objective has been achieved. Attackers carrying out the APT are highly skilled hackers, with large resources at their disposal to find out various ways to enter into given organization. Frequently, these attackers are endorsed by massive scale funding, research and even government level support in some countries. The focus in APT is to obtain very specific information about the prized asset or to perform a very specific action when it is able to reach that resource. This makes an APT a very stealthy attack leaving a very small forensic digital footprint on compromised machines as it refrains from making any unwanted "noisy" activity on the network. Quite difficult to detect and trace back to their original sources. An APT may lie dormant on compromised systems for many months or even few years activating only when a specific action or at certain time takes place.

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 6 of 19

Advanced Persistent Threats

2. S PEAR P HISHING

Spear phishing is a deceptive communication technique in which a victim is lured via email, text or tweet by an attacker to click or download a malicious link or file. The common objective of this technique is to compromise the victim machine by stealthily inserting a backdoor which seeks to obtain unauthorized access to confidential data remotely. These attempts are more likely to be conducted by attackers seeking financial gain, trade secrets or sensitive information. Spear phishing is a popular technique used in cyber espionage and constitutes a vital part in Advanced Persistent Threat Life Cycle.

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 7 of 19

Advanced Persistent Threats

3. A DVANCED P ERSISTENT T HREAT L IFE C YCLE [5]

a. Preparation The Preparation phase includes the following aspects of the lifecycle: Define Target Find and organize accomplices Build or acquire tools Research target/infrastructure/employees Test for detection

APT attack and exploitation operations typically involve a high degree of preparation. Additional assets and data may be needed before plans can be carried out. Highly complex operations may be required before executing the exploitation plan against the primary target(s). b. Initia l intrusion The Initial Intrusion phase includes the following aspects of the lifecycle: Deployment Initial intrusion Outbound connection initiated

After the attacker completes preparations, the next step is an attempt to gain a foothold in the targets environment. An extremely common entry tactic is the use of spear phishing emails containing a web link or attachment. c. Expansion The Expansion phase includes the following aspects of the lifecycle: Expand access and obtain credentials Strengthen foothold The objective of this phase is to gain access to additional systems and authentication material that will allow access to further systems d. Persistence The Persistence phase spans numerous aspects of the lifecycle. Overcoming a targets perimeter defenses and establishing a foothold inside the network can require substantial effort. Between the times APT actors establish a foothold and the time when there is no further use for the assets or existing and future data, APT actors employ various strategies to maintain access. e. Search and Exfiltrati on The Search and Exfiltration phase includes the following aspects. Exfiltrate data

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 8 of 19

Advanced Persistent Threats

The ultimate target of network exploitation is generally a resource that can be used for future exploit(s) or documents and data that have financial or other perceived worth to the intruder. A popular approach to search and exfiltration is to take everything from the network that might be of interest. Some frequently examined locations include the infected users documents folder, shared drives located on file servers, the users local email file and email from the central email server. f. Cleanup The Cleanup phase includes the following aspects of the lifecycle. Cover tracks and remain undetected Cleanup efforts during an intrusion are focused on avoiding detection, removing evidence of the intrusion and what was targeted and eliminating evidence of who was behind the event. The better the APT actors are at covering their tracks, the harder it will be for victims to assess the impact of the intrusion.

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 9 of 19

Advanced Persistent Threats

4. C ASE S TUDY A NALYSIS : RSA S ECURE ID HACK [ 3][4]

a. Brief Summary Around March 2011, RSA SecureID system was attacked by using a sophisticated APT attack paradigm. A series of spear-phishing emails titled "2011 Recruitment Plan" were sent to small groups of low-profile RSA employees. Although they landed in Junk folders, the email title was interesting enough to persuade an RSA employee to open the Excel spreadsheet attachment. The excel sheet was infected with (now patched) Adobe Flash zero day flaw CVE 20110609. With one Trojan compromised machine, the attackers then started harvesting credentials and made their way up the RSA hierarchy ultimately gaining privileged access to the targeted system. The targeted data and files were stolen, and sent to an external compromised machine at a hosting provider. Fortunately, RSA saw the attack and using its implementation of NetWitness, stopped it before more damage could be done. b. What went wrong? Even though the SPAM filters did their job by directing the mail to Junk Folders, the interestingly titled email was enough to entice one employee to deliberately pull out the mail and open the attachment. This was the typical first stage of APT attack; social engineering done via spear-phishing. The attackers collected intelligence on the organizations people, not infrastructure. Then they used spear phishing email to the employees of interest. The 0-day installs a backdoor through Adobe Flash vulnerability (CVE-2011-0609) which was prevalent in older versions of Adobe. Typically, Adobe Reader is seen only as PDF file opener software and hence not patched very often as compared to mainstream updates rolled by Microsoft Windows and Oracle which are typically licensed by the firms. Hence, the attackers had now found a way to sneak inside the RSA network by vulnerabilities present in the end-point to access users PCs. Once inside, privilege escalation attacks were carried out by constantly updating the Trojan remotely. When you look at the list of users that were targeted, you dont see any glaring insights; nothing that spells high profile or high value targets. c. What made the atta cks difficu lt to detect ? The rationale of a remote administration tool is simply to allow external control of the PC or server, are set up in a reverse-connect mode: this means they pull commands from the central command & control servers, then execute the commands, rather than getting commands remotely. This connectivity method makes them more difficult to
Network Intelligence (India) Pvt. Ltd.

Confidential

Page 10 of 19

Advanced Persistent Threats

detect, as the PC reaches out to the command and control rather than the other way around. Since the attacks use a combination of social engineering with vulnerabilities in the endpoint to access users PCs. they are difficult to detect because they are activated by "volunteering" action taken by victim and not done forcefully. Once inside the network, they just have find our way to the intended target using privilege escalation attacks by remotely updating and improving the trojan remotely. d. Spreading of atta ck Once inside the RSA network, the APT moved laterally inside the network. Still they need users with more access, more admin rights to relevant services and servers, etc. This was done very patiently as the attacks knew that any kind of fast and "noisy" activity will attract attention from network monitoring tools. The second stage comprised of attackers first harvesting access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators. When attackers think they run the risk of being detected, they move much faster and generate much "noisy" phase of attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase. e. Carrying ou t the attack In the last stage of an APT, the goal is to extract what you can. The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction. The attacker then used FTP to transfer many password protected RAR files from the RSA file server to an outside staging server at an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack. f. Lessons learnt Although, technological controls like spam filters did their job, employee awareness about social engineering attacks was not widespread. Importance of securing end-point security, hardening and patch management cycle is the most crucial factor to prevent APT from spreading.

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 11 of 19

Advanced Persistent Threats

Network monitoring and logging policies must leave a log trail which can trace back the activities for analysis at a later date.

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 12 of 19

Advanced Persistent Threats

5. C ASE S TUDY A NALYSIS : O PERATION A URORA [1]

a. Brief Summary Operation Aurora was a cyber attack which began first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China. The attacks demonstrated high degree of sophistication, with strong indications of well resourced and consistent advanced persistent threat attack. The attack was aimed at well placed MNC's such as Adobe Systems, Juniper Networks, Yahoo, Symantec, Northrop Grumman, Morgan Stanley etc. As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all". If not possible, it may leave China and close its Chinese offices. Research by McAfee Labs discovered that Aurora was part of the file path on the attackers machine that was included in two of the malware binaries. The primary goal of the attack was to gain access to and potentially modify source code repositories at these high tech, security and defense contractor companies. Security experts immediately noted the sophistication of the attack. Two days after the attack became public, It was reported that attackers had exploited purported zero-day vulnerabilities (unfixed and previously unknown to the target system developers) in Internet Explorer. After a week, Microsoft issued a fix. Additional vulnerabilities were found in Perforce, the source code revision software used by Google to manage their source code. b. Attack Ra tiona le Corporate and state secrets espionage activity becomes bolder over time with little public acknowledgement or response from governments. According to a diplomatic cable from the U.S. Embassy in Beijing, a Chinese source reported that the Chinese Politburo directed the intrusion into Google's computer systems. The cable suggested that the attack was part of a coordinated campaign executed by "government operatives, public security experts and Internet outlaws recruited by the Chinese government." The report suggested that it was part of an ongoing campaign in which attackers have "broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002." Operation Aurora was largely an attack used to gain political power and influence over western countries by Chinese government.

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 13 of 19

Advanced Persistent Threats

c. "Operation Aurora " Working Once a victim's system was compromised, a backdoor connection that masqueraded as an SSL connection made connections to command and control servers running in Illinois, Texas, and Taiwan, including machines that were running under stolen Rackspace customer accounts. The victim's machine then began exploring the protected corporate intranet that it was a part of, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories. d. Deciphering the code: Atta ck Analysis Operation Aurora name was coined after virus analysts found unique strings in some of the malware involved in the attack. These strings are debug symbol file paths in source code that has apparently been custom-written for these attacks. The code behind Operation Aurora known samples of the main backdoor trojan appear to be no older than 2009. It appears that development of Aurora has been in the works for quite some time some of the custom modules in the Aurora codebase have compiler timestamps dating back to May 2006. The compiler component does use a resource section, but the author was careful to either compile the code on an English-language system, or they edited the language code in the binary after-the-fact. So outside of the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC or any agents thereof. However, one interesting clue in the binary points back to mainland China. The first thing that is unusual about the embedded CRC algorithm is the size of the table of constants (the incrementing values in the left pane of the assembly listing). Most 16 or 32-bit CRC algorithms use a hard-coded table of 256 constants. The CRC algorithm here uses a table of only 16 constants; basically a truncated version of the typical 256value table. The most interesting aspect of this source code sample is that it is of Chinese origin, released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers. The full paper was published in simplified Chinese characters, and all existing references and publications of the sample source code seem to be exclusively on Chinese websites. This CRC-16 implementation seems to be virtually unknown outside of China, as shown by a Google search for one of the key variables, "crc_ta[16]". At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese. This again gives a strong indicator that Operation Aurora was orchestred and funded by the backing of federal government of China.

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 14 of 19

Advanced Persistent Threats

e. Attacks Aftermath The attacks were thought to have definitively ended on Jan 4 when the command and control servers were taken down, although it is not known at this point whether or not the attackers intentionally shut them down. Security researchers have continued to investigate the attacks. HBGary, a security firm, recently released a report in which they claim to have found some significant markers that might help identify the code developer. The firm also said that the code was Chinese language based but could not be specifically tied to any government entity. On February 19, 2010, a security expert investigating the cyber-attack on Google, has claimed that the people behind the attack were also responsible for the cyber-attacks made on several Fortune 100 companies in the past one and a half years. They have also tracked the attack back to its point of origin, which seems to be two Chinese schools, Shanghai Jiao Tong University and Lanxiang Vocational School. As highlighted by The New York Times, both of these schools have ties with the Chinese search engine Baidu, a rival of Google China. f. Lessons Learnt APT's are not just traditional "Malware". They are well defined, fully supported by large organizations or governments with strong backing of well compensated highly skilled programmers and hackers. The aim or an APT is to gain power, create imbalance in market by paralyzing governments or rival corporate organizations. Industrial and government sponsored espionage to keep the vested interests of competing corporate and states well satisfied.

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 15 of 19

Advanced Persistent Threats

6. M ITIGATION AND EARLY DETECTION OF AN APT

Here are some practical ways by which we can develop a proactive way to mitigate and prevent the further spread of APT in our organization: Make sure that you have encryption and password features enabled on your smart phones and other mobile devices. Use strong passwords, ones that combine upper and lower case letters, numbers, and special characters, and do not share them with anyone. Use a separate password for every account. Properly configure and patch operating systems, browsers, and other software programs. Use and regularly update firewalls, anti-virus, and anti-spyware programs. Don't use work e-mail address as a "User Name" on non-work related sites. Use common sense when communicating with users you DO and DO NOT know. Do not open e-mail or related attachments from un-trusted sources. Don't reveal too much information about yourself on social media websites. Verify Location Services settings on mobile devices. Allow access to systems and data only by those who need it and protect those access credentials. Follow your organization's cyber security policies and report violations and issues immediately. Learn to recognize a phishing website. Visit https://www.phish-no-phish.com to learn the ways to identify the same

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 16 of 19

Advanced Persistent Threats

7. S ECURITY SOLUTIONS TO PROTECT FROM APT

There are many security solutions available that address your need for protection from APTs. Some of the popularly used are mentioned as follows:

a. EMET EMET it is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution. It does so by opt-ing in software to the latest security mitigation technologies. The result is that a wide variety of software is made significantly more resistant to exploitation even against zero day vulnerabilities and vulnerabilities for which an update has not yet been applied. EMET Highlights Making configuration easy Enterprise deployment via Group Policy and SCCM Reporting capability via the new EMET Notifier feature Configuration EMET 3.0 comes with three default "Protection Profiles". Protection Profiles are XML files that contain pre-configured EMET settings for common Microsoft and third-party applications. b. Bit9 Parity Suite This solution provides an extensive list of features for protection against APTs: Features of Bit9: Application Control/White-listing Software Reputation Service File Integrity Monitoring Threat Identification Device Control File Integrity Monitoring Registry Protection Memory Protection

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 17 of 19

Advanced Persistent Threats

8. H OW CAN WE HELP YOUR ORGANIZATION

a. Drafti ng Privileged ID Management P oli cy & Procedures It is easy to observe that privileged IDs represent the highest risk for data leakage in the organization. Such IDs are numerous due to the large number of systems and devices in any network. Managing the access of these IDs and monitoring their activities is of crucial importance for the prevention of APT Attacks. Technology solutions such as Privileged Identity Management make this task easier. But this needs to be combined with the right policy framework and comprehensive procedures We can guide your organization to draft Privileged ID Management Policy & Procedures Privileged ID allocation process of the approval mechanism for it Privileged ID periodic review procedure for this Monitoring of privileged ID activities mechanisms, and procedures for logging and monitoring privileged IDs Revocation of a privileged ID what happens when an Administrator leaves the organization? How are vendor-supplied user IDs managed Managing shared/generic privileged IDs b. Conducting Penetrati on 2 .0 Exercises We engage in conducting Social Engineering exercises to demonstrate the effect that how big an impact can be on your organization information assets data leakage. Our Spear Phishing testing methodology will test your organization's preparedness against social engineering attacks. Since social engineering form a vital part in APT's Life Cycle, the results from this exercise are important indicator for your preparedness level against an APT attack. c. Conducting U ser Awareness Workshops We also engage in conducting user awareness workshops to train users about the pitfalls of getting trapped in social engineering attacks. Rather than just presenting the theoretical concepts, we stimulate practical exercises to infuse the impact of social engineering which can bypass all the state of art technological controls in an organization. d. Endpoint Securi ty Solu tions Network Intelligence has partnered with CyberArk, Seclore, Impervia and Boole Server to manage the privilege ID management, and achieve Confidentiality, Integrity and Availability of files and folders present in the network. Using these state-of-art endpoint solutions offer a peace of mind in addressing your security needs.

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 18 of 19

Advanced Persistent Threats

9. R EFERENCES
1. 2. 3. 4. 5. 6.

http://en.wikipedia.org/wiki/Operation_Aurora http://en.wikipedia.org/wiki/Advanced_Persistent_Threat https://blogs.rsa.com/anatomy-of-an-attack/ https://blogs.rsa.com/it-security-in-the-age-of-apts/ http://www.secureworks.com/assets/pdf-store/articles/Lifecycle_of_an_APT_G.pdf http://www.issasac.org/info_resources/ISSA_20100219_HBGary_Advanced_Persistent_Threat.pdf 7. http://www.ngsecurityeu.com/media/whitepapers/2012/ANRC_AdvancedPersistentT hreats.pdf

Confidential

Network Intelligence (India) Pvt. Ltd.

Page 19 of 19