This is the first part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. This first part introduces the reader to the different phases of an APT and discusses the methodology, prevention and detection techniques of the initial phase of an attack in detail.
The IT security industry is faced with the challenge of dealing with old invasion tactics that have been reborn in new avatars as Advanced Persistent Threats (APTs). APT attacks are tenacious at pursuing their targets and are played out in stages, possibly over a long period of time. With financial backing from state actors and criminal rings, APTs tend to be compound, sophisticated and difficult to detect. Each facet of the intrusion, in an idealist scenario, may be refined to such an extent that the end goal is achieved without a trace before, during or after the event.
Despite the complexity of these types of attacks, certain parameters always need to be satisfied to deliver the payload and retrieve the expected results, leading to the emergence of an attack pattern which may be placed under the microscope and flagged. These parameters include executing arbitrary code by invoking zero-day exploits for popular software, defeating security measures such as DEP & ASLR, e.g. via heap spray and ROP/JOP chains, exploiting EoP vulnerabilities, establishing remote C&C communication channels to issue commands or to exfiltrate stolen data in encrypted form, etc.
Drawing on evidence from documented real-world case studies, this paper details techniques that assist an assailant during the different phases of an APT, bypassing protection mechanisms like application-sandboxing, EMET, IDS, etc. thus attempting to fly under the defense radar at all times. Equipped with this information, we hope to explore methods of discovering each part of the life-cycle of a targeted attack as it is in progress or in the post mortem, thus reducing their efficacy and impact.
“If you know your enemies and know yourself, you will not be imperiled in a hundred battles… if you do not know your enemies nor yourself, you will be imperiled in every single battle.” Sun Tzu
As technologies implemented in organizations are becoming advanced, the threats are rapidly evolving too. Through tenacious and coordinated attacks on one’s infrastructure, APTs are able to infiltrate and overwhelm the organization.
The threat landscape has changed. But the general principles of war remain the same. Knowing the modus-operandi of your faceless attackers helps one evaluate, and harden one’s security measures, and gear up towards facing the attackers head on. This paper aims to help you do just that.
The stages of an APT can broadly be classified as follows:
• Target reconnaissance
• Initial compromise
• Expanding access and strengthening foothold
• Data exfiltration and cleanup
The reconnaissance phase of a targeted attack sets the stage for the rest of the threat campaign and therefore involves a high degree of planning. The perpetrators spend significant amounts of time learning about their target, collecting as much information as possible about the human, physical and virtual resources of the organization. The intelligence garnered during this stage not only helps the assailants determine key points of entry into the target network but also empowers them to navigate the victim’s network once inside more effectively & efficiently.
The target’s virtual network is plotted using publicly available resources. These resources include:
• DNS records
• WHOIS information
• Email messages
• Inadequately protected network logs
• Misconfigured servers, etc.
The organizational structure is also studied to determine employees and their organizational access levels, using social media, search engines and the target’s own website. Profile intelligence gathered could include potential passwords, personal and official email addresses, whether the user is a regular employee, a SOHO user, or a contractor.
Based on this harvested intelligence the infrastructure needed for the attack will be acquired, the course of action to successfully execute the campaign will be determined & evasion techniques that could be followed during the attack will be planned. New domains may be registered, command and control servers set up, exploits crafted, vulnerable employees identified, custom social engineering schemes plotted for these target employees, malicious files created, etc.
Recently, US airport workers from over 75 airports were targeted via malicious emails based on information such as their names, titles, and email addresses that were harvested via publicly-available documents .
Fig.1 shows how a simple search engine query can divulge information like emails exchanged between personnel in public forums which may seem innocuous, but can be used to launch a spear phishing attack. Popular mailing lists mask this sensitive information to avoid it from being scraped and abused by bots. Valid users on the other hand are allowed access after solving a simple CAPTCHA.
Fig.1: Search result revealing email addresses and other information about employees of an organization.
Most of the intelligence collected by the assailants during this stage is publicly available and in general doesn’t involve the attackers touching any of the internal systems. Information that was gathered from previous APT campaigns but applicable to the current one could also be reused. This makes detecting an APT during these early stages of the attack challenging.
Usual best security practices such as conducting periodic penetration tests, hardening the applications & the operating systems, etc. are still relevant, but these measures by themselves don’t stand a chance against this adversary.
Organizations should take care to both restrict the amount of information that is flowing outside and be aware of publicly available sensitive information which could potentially be used against them.
Automated bots can be used to collect publicly available information on the company, the employees, etc. from popular social networking sites and search engines, etc. The data collected can automatically be analyzed for potential sensitive leaks.
Fake profiles at different organizational levels meant to be trip wires can be set up on popular social networking sites and connection attempts and profile hits can be analyzed. This could allow organizations to both recognize if they are being targeted and predict which individual or group of individuals are being targeted.
Images courtesy of google.com
Manager, K7 Threat Control Lab
If you wish to subscribe to our blog, please add the URL provided below to your blog reader: