This is the first post in a series dedicated to the trendiest, most disputed and most used acronym in the recent history of information security. My purpose for this series of three posts is to define the phenomenon (as we see it), to take a look at possible counter-measures – a review of the self-denominated “next generation security solutions” – and finally to try to come up with an effective response that shouldn’t cost you a fortune.
I. The WHY
Why have I decided to dedicate a series of posts to APTs (Advanced Persistent Threats), in context?
The answer is simple; after having seen and read a lot of literature on this topic and after directly observing, first-hand, several APTs, the worry is that the more this is written about, the more it is adding to the confusion of notions or the intentional or unintentional misclassifications and the marketing veils that create further confusion.
II. The WHAT
If we try to find a definition for APTs we are confronted with a large set of notions:
- A set of stealthy and continuous computing hacking processes (Wikipedia);
- A cybercrime category directed at business and political targets, requiring a high degree of stealth over a large period of time (Damballa, Security ISV)
- A cyberattack launched by an attacker with substantial means (Tecnopedia)
- A particular sort of sophisticated Internet attack (Information Week).
… and, unfortunately the list of definitions can cover several pages.
The common factor is that APT is a successful hacking attack, performed over the Internet, directed to an important target, by an attacker that has enough patience, sophistication and means.
Actually this is a pretty good definition, but someone could say; ok, but this sounds actually like the definition of any “hack”? Could we place in the same basket a sponsored attack with the objective to infect the IT components of the power grid (as in the recent Dragonfly/Energetic Bear operation), or with the recent incidents affecting the big retailers or payment card operators that have exposed information about millions of accounts of card holders (the Target breach)? From a purist perspective, they may be different types of attacks: the first is an operation that took years to succeed while the second is a rather intensive attack of a cybercriminal organization (apparently located in Russia). But, aren’t they the same facets of the same old hacking story?
III. The HOW
As in medicine, we will try to define the malady by its symptoms; therefore, we discuss an APT when:
- It has been successful – meaning that we talk about it when it has been discovered by the victims, the authorities or by security professionals;
- It proves to be persistent – a long duration, multi-stage attack;
- It has a precisely-defined objective – the objective can be a specific information or type of information (this is normally found in espionage attacks that may be fleeting or continuous) or can have the possibility to interact or control systems or networks (as we have seen in the recent attacks over the power grid);
- It is targeted – we don’t have a ‘general’ attack, directed towards many entities that has been successful by chance – as a matter of fact in this kind of attacks chance plays a minor role;
- It passes undetected for a large period of time – large is yet to be defined, it could be weeks, or it could be years. Again, undetected is a relative term that has important consequences – these attacks are normally crafted such as to pass undetected by signature-based antivirus engines (they are scanned against them and the objective is to pass as a clean file); however several more advanced technologies may signal them - at least as suspicious files. Another “feature” of APTs is their use of security evasion techniques – from IDS and anomaly detection up to evasion of virtualization and emulation environments, as these are current methods for malware analysis.
- It is based on a continuous interaction with the authors – all APTs contain a communication component that is used for self-updating, for data exfiltration and eventually for self-destruction and traces deletion once the mission is being completed.
- It employs sophisticated and multi-purpose malware and eventually multiple vectors of attack, over various platforms.
Once the list of common symptoms has been presented, maybe a useful step would be to present the anatomy of an APT attack:
Stage 1: Reconnaissance – Attacks have a precise objective. To achieve the objective all the information related is useful - the attacker(s) try to identify and gather anything: names of persons that can access the information or targeted systems, network maps, security infrastructures, profiles of top managers /VIPs and their family members, preferences of IT and security personnel, anything that can be used to develop the attack.
Stage 2: Intrusion – Even though we have seen cases of one step intrusion, normally the intrusion is fragmented: at first a modest piece of malware is planted that has the role of establishing a first connection point inside the network or system. This component has the role to contact the deployment or update servers, where other parts of the malware reside. Normally this component comes as a spear-phishing, or a browser object “acquired” from social networks or infected sites, it is executed in background and many times it is resident only in the memory and is purged once it has downloaded the other components.
Stage 3: Infiltration – as a consequence of the previous stage, pieces of malware with more “interesting” payloads are used:
- Connectors to the Command and Control Center;
- Malware updating routines;
- Components in charge of lateral and vertical steps – infection of other systems / networks or privilege escalation in order to be able to perform higher level tasks;
- Discovery modules – information scanners and crawlers;
- Mutation mechanisms – the malware can be programmed to change host or to change format.
Actually this stage is more interesting from the malware research perspective.
Stage 4: Exfiltration – the information that is key to the attack or can help to achieve the objective is communicated to the attackers. In early APT attacks, the connection has been directed to a command and control center, but in time the attackers have realized that this is an easy way to trace the attack back to them so they started to use multiple servers, with different routines for switching between them. The exfiltrated information has started to be extracted in chunked and encrypted formats.
Stage 5: Persistence and/ or Self-Destruction – a successful APT is incredibly interesting to observe from the perspective of its mechanism complexity and effectiveness. Once all the previous stages have been successfully completed, according to the objective, this malware infrastructure may be kept active, may be instructed to become dormant or, if the objective has been achieved, may be instructed to self-destruct and eventually hide or delete its traces. Recent evolutions in APTs manifested an increasing trend of using small providers to get to the “big accounts” – service providers, accounting firms, legal advice or financial auditors; they all have become equally good candidates to reach the high level targets.
Now that we have seen the common factors, we have passed through the flow of successful APTs, now we move to a proposed theory.
IV. The Theory
This theory is based on experience and observation: 14 years of direct experience in the field of information security and observation of APTs in the past 4-5 years.
Looking back, historically, we have had the “romantic” times of “hacking for fame” attacks, when people were compromising security of systems and networks just to see whether they could do it and to spot out their vulnerabilities. But these old times started to come to an end in 2004-2005, when we started to talk about the blended threats, multi-vector attacks, organized attacks, security ops and so on. With the increase in sophistication of the technologies we use (social networks, smartphones and tablets, devices always connected) we started to face an increase in the sophistication level of the successful attacks, such as government funded or organized cyber-crime.
All the above being exposed, our conclusion is that nowadays any hacking attack that wants to be successful must be sophisticated, take time to develop, have a clear objective and use multi-stage fragmented malware. Whether we look at the high level government APTs or we investigate an organized crime operation, we are looking at two facets of the same reality. No matter if the objective is espionage, taking down networks or plants or entire grids, in the case of states or “just” to exfiltrate millions of credit card accounts details, these attacks share the same structure and methods.
Stay tuned for our next post about APTs!