With all the buzz surrounding the term Advanced Persistent Threats (APTs), we decided to de-mystify the jargon and present the view from the trenches.
Document Tracker
Author: Manasdeep
Version: November 2012
Summary of Changes: Document Created
Confidential
Page 2 of 19
NOTICE
This document contains information which is the intellectual property of Network Intelligence. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of Network Intelligence. Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual property or other rights of any third party or of Network Intelligence; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Network Intelligence. Network Intelligence retains the right to make changes to this document at any time without notice. Network Intelligence makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein.
Copyright
Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved. NII Consulting, AuditPro, Firesec and NX27K are registered trademarks of Network Intelligence India Pvt. Ltd.
Trademarks
Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.
Contents
1. Introduction ........ 5
2. Spear Phishing ........ 7
3. Advanced Persistent Threat Life Cycle ........ 8
   a. Preparation ........ 8
   b. Initial intrusion ........ 8
   c. Expansion ........ 8
   d. Persistence ........ 8
   e. Search and Exfiltration ........ 8
   f. Cleanup ........ 9
4. Case Study Analysis: RSA SecureID hack ........ 10
5. Case Study Analysis: Operation Aurora ........ 13
6. Mitigation and early detection of an APT ........ 16
7. Security solutions to protect from APT ........ 17
8. How can we help your organization ........ 18
9. References ........ 19
1. INTRODUCTION
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to an organization's intellectual property, financial assets and reputation. In some cases, these threats target critical infrastructure and government institutions, thereby threatening the country's national security itself. Defensive tools and other controls are frequently rendered ineffective because the actors behind the intrusion are focused on a specific target and quickly adapt their methods to anticipate and circumvent security controls and standard incident response practices. As a result, an effective and efficient defence strategy requires good situational awareness and understanding.

What are Advanced Persistent Threats? [2]

Advanced Persistent Threat (APT) refers to a long-term pattern of targeted hacking attacks using subversive and stealthy means to gain continual, persistent exfiltration of intellectual capital. The entry point for espionage activities is often the unsuspecting end user or weak perimeter security. Extensive research is done using social media sites and publicly available documents on the organization, its processes, its technology and its people before an APT attack is crafted. The defence doctrine in the case of APTs must change from "keep attackers out" to "sometimes attackers are going to get in; detect them as early as possible and minimize the damage".

Why the term Advanced Persistent Threats? [2]

Advanced: Attackers have a full spectrum of intelligence-gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence-gathering techniques. They often combine multiple targeting methods, tools, and techniques in order to reach and compromise their target and maintain access to it.

Persistent: Attackers give priority to a specific task, rather than seeking information for financial or other gain. If the attacker loses access, they reattempt access, often successfully. One of the attacker's goals is to maintain long-term access to the target, in contrast to threats that only need access to execute a specific task.

Threat: APTs are a threat because they have both capability and intent. APT attacks are executed by coordinated human actions, rather than by mindless and automated pieces of code. The attackers have a specific objective and are skilled, motivated, organized and well-funded.

What makes APTs so dangerous?

APT attacks concentrate on people first and not directly on infrastructure details. Since people are the weakest link in organizational security, there is a greater chance of a data breach than with the traditional methods used by hackers. A simple "voluntary action" by an innocent employee who takes socially engineered bait will bypass all the protection methods that technology puts forward. If people are not properly educated or trained to combat social engineering, it is very difficult to contain the attack in the first place.

APTs are silent, highly sophisticated, well-crafted attack paradigms which frequently use customized code, a combination of many 0-day exploits and extensive research on both the targeted employees and the asset to be compromised, along with a well-planned method to clean up all evidence of their activities after the objective has been achieved. The attackers carrying out an APT are highly skilled hackers, with large resources at their disposal to find various ways to enter a given organization. Frequently, these attackers are backed by massive-scale funding, research and even government-level support in some countries.

The focus of an APT is to obtain very specific information about the prized asset, or to perform a very specific action once it is able to reach that resource. This makes an APT a very stealthy attack, leaving a very small digital forensic footprint on compromised machines as it refrains from any unwanted "noisy" activity on the network, and making it quite difficult to detect and trace back to its original source. An APT may lie dormant on compromised systems for many months or even a few years, activating only when a specific action takes place or at a certain time.
2. SPEAR PHISHING
Spear phishing is a deceptive communication technique in which a victim is lured via email, text or tweet by an attacker into clicking or downloading a malicious link or file. The common objective of this technique is to compromise the victim's machine by stealthily inserting a backdoor which seeks to obtain unauthorized remote access to confidential data. These attempts are more likely to be conducted by attackers seeking financial gain, trade secrets or sensitive information. Spear phishing is a popular technique used in cyber espionage and constitutes a vital part of the Advanced Persistent Threat Life Cycle.
3. ADVANCED PERSISTENT THREAT LIFE CYCLE

a. Preparation

APT attack and exploitation operations typically involve a high degree of preparation. Additional assets and data may be needed before plans can be carried out. Highly complex operations may be required before executing the exploitation plan against the primary target(s).

b. Initial intrusion

The Initial Intrusion phase includes the following aspects of the lifecycle:
- Deployment
- Initial intrusion
- Outbound connection initiated

After the attacker completes preparations, the next step is an attempt to gain a foothold in the target's environment. An extremely common entry tactic is the use of spear phishing emails containing a web link or attachment.

c. Expansion

The Expansion phase includes the following aspects of the lifecycle:
- Expand access and obtain credentials
- Strengthen foothold

The objective of this phase is to gain access to additional systems and authentication material that will allow access to further systems.

d. Persistence

The Persistence phase spans numerous aspects of the lifecycle. Overcoming a target's perimeter defenses and establishing a foothold inside the network can require substantial effort. Between the time APT actors establish a foothold and the time when there is no further use for the assets or the existing and future data, APT actors employ various strategies to maintain access.

e. Search and Exfiltration

The Search and Exfiltration phase includes the following aspects of the lifecycle:
- Exfiltrate data

The ultimate target of network exploitation is generally a resource that can be used for future exploit(s), or documents and data that have financial or other perceived worth to the intruder. A popular approach to search and exfiltration is to take everything from the network that might be of interest. Some frequently examined locations include the infected user's documents folder, shared drives located on file servers, the user's local email file and email from the central email server.

f. Cleanup

The Cleanup phase includes the following aspects of the lifecycle:
- Cover tracks and remain undetected

Cleanup efforts during an intrusion are focused on avoiding detection, removing evidence of the intrusion and of what was targeted, and eliminating evidence of who was behind the event. The better the APT actors are at covering their tracks, the harder it will be for victims to assess the impact of the intrusion.
4. CASE STUDY ANALYSIS: RSA SECUREID HACK

detect, as the PC reaches out to the command and control server rather than the other way around. Since the attacks use a combination of social engineering and vulnerabilities in the endpoint to access users' PCs, they are difficult to detect because they are activated by a "volunteering" action taken by the victim and not forced. Once inside the network, the attackers just have to find their way to the intended target using privilege escalation attacks, remotely updating and improving the trojan as they go.

d. Spreading of attack

Once inside the RSA network, the APT moved laterally. The attackers still needed users with more access, more admin rights to relevant services and servers, etc. This was done very patiently as the attackers knew that any kind of fast and "noisy" activity would attract attention from network monitoring tools. The second stage comprised the attackers first harvesting access credentials from the compromised users (user, domain admin, and service accounts). They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high-value targets, which included process experts and IT and non-IT specific server administrators. When attackers think they run the risk of being detected, they move much faster and generate a much "noisier" phase of attack. Since RSA detected this attack in progress, it is likely the attacker had to move very quickly to accomplish anything in this phase.

e. Carrying out the attack

In the last stage of an APT, the goal is to extract whatever can be extracted. The attacker in the RSA case established access to staging servers at key aggregation points; this was done to get ready for extraction. Then they went into the servers of interest, removed data and moved it to internal staging servers where the data was aggregated, compressed and encrypted for extraction. The attacker then used FTP to transfer many password-protected RAR files from the RSA file server to an outside staging server on an external, compromised machine at a hosting provider. The files were subsequently pulled by the attacker and removed from the external compromised host to remove any traces of the attack.

f. Lessons learnt

Although technological controls like spam filters did their job, employee awareness of social engineering attacks was not widespread. Securing end-point security, hardening and the patch management cycle is the most crucial factor in preventing an APT from spreading. Network monitoring and logging policies must leave a log trail which can be used to trace back the activities for analysis at a later date.
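Added example (not from the paper): a small Python detector that applies the lessons above to constructed log records, flagging archives leaving the network over FTP to external hosts and the internal hosts that sent enough to look like staging points. The record format, the organization's internal address ranges, the volume threshold and the log lines are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# ASSUMPTION: the organization's internal address space (the paper does not give RSA's).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed records in an assumed format:
# timestamp src dst dport proto filename bytes
SAMPLE_LOG = """\
2011-03-10T22:14:05 10.1.4.23 10.1.9.8 445 SMB engineering_specs.docx 51200
2011-03-10T23:02:11 10.1.4.23 203.0.113.45 21 FTP out1.rar 73400320
2011-03-10T23:07:48 10.1.4.23 203.0.113.45 21 FTP out2.rar 69206016
2011-03-10T23:09:02 10.1.6.77 198.51.100.9 443 HTTPS index.html 8192
2011-03-11T00:31:17 10.1.9.8 203.0.113.45 21 FTP backup.rar 10485760
"""

ARCHIVE_RE = re.compile(r"\.(rar|7z|zip)$", re.IGNORECASE)
FTP_PORTS = {20, 21}


def is_external(ip: str) -> bool:
    """True when ip lies outside the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_record(line: str) -> dict:
    """Split one assumed-format record into typed fields."""
    ts, src, dst, dport, proto, fname, size = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "fname": fname, "bytes": int(size)}


def find_exfil(log_text: str, staging_threshold: int = 50_000_000
               ) -> Tuple[List[Tuple[str, str, str, str]], List[str]]:
    """Return (alerts, staging_hosts).

    alerts: one (ts, src, dst, filename) per archive sent over FTP to an external host.
    staging_hosts: internal sources whose flagged outbound volume reaches the threshold,
    the pattern of an internal staging server pushing aggregated archives out.
    """
    alerts = []
    volume: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if (rec["dport"] in FTP_PORTS and is_external(rec["dst"])
                and ARCHIVE_RE.search(rec["fname"])):
            alerts.append((rec["ts"], rec["src"], rec["dst"], rec["fname"]))
            volume[rec["src"]] += rec["bytes"]
    staging = sorted(h for h, b in volume.items() if b >= staging_threshold)
    return alerts, staging
```

On the sample records the two large transfers from 10.1.4.23 mark it as the staging host, while the single smaller transfer from 10.1.9.8 is still raised as an alert.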
5. CASE STUDY ANALYSIS: OPERATION AURORA

c. "Operation Aurora" Working

Once a victim's system was compromised, a backdoor connection that masqueraded as an SSL connection was made to command and control servers running in Illinois, Texas, and Taiwan, including machines that were running under stolen Rackspace customer accounts. The victim's machine then began exploring the protected corporate intranet that it was a part of, searching for other vulnerable systems as well as sources of intellectual property, specifically the contents of source code repositories.

d. Deciphering the code: Attack Analysis

The name Operation Aurora was coined after virus analysts found unique strings in some of the malware involved in the attack. These strings are debug symbol file paths in source code that has apparently been custom-written for these attacks. Known samples of the main backdoor trojan behind Operation Aurora appear to be no older than 2009. However, it appears that development of Aurora has been in the works for quite some time: some of the custom modules in the Aurora codebase have compiler timestamps dating back to May 2006. The compiled component does use a resource section, but the author was careful to either compile the code on an English-language system or edit the language code in the binary after the fact. So, apart from the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC or any agents thereof. However, one interesting clue in the binary points back to mainland China.

The first thing that is unusual about the embedded CRC algorithm is the size of its table of constants (the incrementing values in the left pane of the assembly listing). Most 16- or 32-bit CRC algorithms use a hard-coded table of 256 constants. The CRC algorithm here uses a table of only 16 constants; basically a truncated version of the typical 256-value table. The most interesting aspect of this source code sample is that it is of Chinese origin, released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers. The full paper was published in simplified Chinese characters, and all existing references to and publications of the sample source code seem to be exclusively on Chinese websites. This CRC-16 implementation seems to be virtually unknown outside of China, as shown by a Google search for one of its key variables, "crc_ta[16]". At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese. This again gives a strong indication that Operation Aurora was orchestrated and funded with the backing of the federal government of China.
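As an added illustration (not code from the paper or from the Aurora samples), the following Python builds a 16-entry "nibble" CRC-16 table of the kind described above, checks that it yields the same checksums as the conventional 256-entry table, and shows how the table's byte image can serve as a defensive fingerprint when scanning a binary. The polynomial 0x1021 (CRC-16-CCITT), the little-endian table layout and the sample blob are assumptions; the paper does not state which polynomial or layout Aurora used.

```python
import struct
from typing import List

# ASSUMPTION: CRC-16-CCITT polynomial; the paper does not name Aurora's polynomial.
POLY = 0x1021


def make_table(entries: int) -> List[int]:
    """Build an MSB-first CRC-16 lookup table with 16 (nibble) or 256 (byte) entries."""
    bits = 4 if entries == 16 else 8
    table = []
    for i in range(entries):
        crc = i << (16 - bits)            # place the input bits at the top of the register
        for _ in range(bits):
            crc = ((crc << 1) ^ POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
        table.append(crc)
    return table


CRC_TA_16 = make_table(16)     # the 16-constant table the analysis describes
CRC_TA_256 = make_table(256)   # the conventional 256-constant table


def crc16_nibble(data: bytes, crc: int = 0) -> int:
    """CRC-16 using the 16-entry table: two lookups per byte, high nibble first."""
    for b in data:
        for nib in (b >> 4, b & 0xF):
            crc = ((crc << 4) & 0xFFFF) ^ CRC_TA_16[((crc >> 12) ^ nib) & 0xF]
    return crc


def crc16_byte(data: bytes, crc: int = 0) -> int:
    """Reference CRC-16 using the 256-entry table: one lookup per byte."""
    for b in data:
        crc = ((crc << 8) & 0xFFFF) ^ CRC_TA_256[((crc >> 8) ^ b) & 0xFF]
    return crc


def table_bytes(table: List[int]) -> bytes:
    """Byte image of a 16-bit constant table as a compiler would emit it.
    ASSUMPTION: little-endian layout (x86)."""
    return struct.pack("<%dH" % len(table), *table)


def find_nibble_table(blob: bytes) -> int:
    """Offset of the 16-entry table image inside blob, or -1 if absent.
    This is the kind of marker an analyst can turn into a detection signature."""
    return blob.find(table_bytes(CRC_TA_16))


# Constructed sample "binary": filler bytes around an embedded copy of the table.
SAMPLE_BLOB = b"\x90" * 37 + table_bytes(CRC_TA_16) + b"\xCC" * 11
```

Both implementations give 0x31C3 for the bytes of "123456789" (the CRC-16/XMODEM check value), which is why the small table is a space saving for microcontrollers rather than a different algorithm.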
e. Attack's Aftermath

The attacks were thought to have definitively ended on Jan 4 when the command and control servers were taken down, although it is not known at this point whether or not the attackers intentionally shut them down. Security researchers have continued to investigate the attacks. HBGary, a security firm, recently released a report in which they claim to have found some significant markers that might help identify the code developer. The firm also said that the code was Chinese-language based but could not be specifically tied to any government entity. On February 19, 2010, a security expert investigating the cyber-attack on Google claimed that the people behind the attack were also responsible for the cyber-attacks made on several Fortune 100 companies in the past one and a half years. They have also tracked the attack back to its point of origin, which seems to be two Chinese schools, Shanghai Jiao Tong University and Lanxiang Vocational School. As highlighted by The New York Times, both of these schools have ties with the Chinese search engine Baidu, a rival of Google China.

f. Lessons Learnt

APTs are not just traditional "malware". They are well defined and fully supported by large organizations or governments, with the strong backing of well-compensated, highly skilled programmers and hackers. The aim of an APT is to gain power and create imbalance in the market by paralyzing governments or rival corporate organizations, and to conduct industrial and government-sponsored espionage that keeps the vested interests of competing corporations and states well satisfied.
6. MITIGATION AND EARLY DETECTION OF AN APT

Here are some practical ways by which we can develop a proactive approach to mitigate and prevent the further spread of an APT in our organization:
- Make sure that you have encryption and password features enabled on your smart phones and other mobile devices.
- Use strong passwords, ones that combine upper and lower case letters, numbers, and special characters, and do not share them with anyone. Use a separate password for every account.
- Properly configure and patch operating systems, browsers, and other software programs.
- Use and regularly update firewalls, anti-virus, and anti-spyware programs.
- Don't use your work e-mail address as a "User Name" on non-work related sites.
- Use common sense when communicating with users you DO and DO NOT know.
- Do not open e-mail or related attachments from untrusted sources.
- Don't reveal too much information about yourself on social media websites.
- Verify Location Services settings on mobile devices.
- Allow access to systems and data only to those who need it, and protect those access credentials.
- Follow your organization's cyber security policies and report violations and issues immediately.
- Learn to recognize a phishing website. Visit https://www.phish-no-phish.com to learn ways to identify one.
7. SECURITY SOLUTIONS TO PROTECT FROM APT

There are many security solutions available that address your need for protection from APTs. Some of the popular ones are mentioned as follows:
a. EMET

EMET is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution. It does so by opting software in to the latest security mitigation technologies. The result is that a wide variety of software is made significantly more resistant to exploitation, even against zero-day vulnerabilities and vulnerabilities for which an update has not yet been applied.

EMET Highlights:
- Making configuration easy
- Enterprise deployment via Group Policy and SCCM
- Reporting capability via the new EMET Notifier feature

Configuration: EMET 3.0 comes with three default "Protection Profiles". Protection Profiles are XML files that contain pre-configured EMET settings for common Microsoft and third-party applications.

b. Bit9 Parity Suite

This solution provides an extensive list of features for protection against APTs. Features of Bit9:
- Application Control/White-listing
- Software Reputation Service
- File Integrity Monitoring
- Threat Identification
- Device Control
- Registry Protection
- Memory Protection
9. REFERENCES
1. 2. 3. 4. 5. 6.