This is the first post in a series dedicated to the trendiest, most disputed and most used acronym in the recent history of information security. The purpose of this series of three posts is to define the phenomenon (as we see it), to review possible counter-measures, including the self-styled “next generation security solutions”, and finally to try to come up with an effective response that should not cost you a fortune.
I. The WHY
Why dedicate a series of posts to APTs (Advanced Persistent Threats)?
The answer is simple. After reading a lot of the literature on this topic and after observing several APTs first-hand, my worry is that the more is written about them, the more the confusion grows: notions get mixed up, attacks are misclassified (intentionally or not), and marketing veils add a further layer of fog.
II. The WHAT
If we try to find a definition for APTs we are confronted with a large set of notions:
… and, unfortunately, the list of definitions could cover several pages.
The common factor is that an APT is a successful hacking attack, carried out over the Internet against an important target by an attacker with enough patience, sophistication and means.
Actually this is a pretty good definition, but someone could object: doesn't this sound like the definition of any “hack”? Can we place in the same basket a state-sponsored attack aimed at infecting the IT components of the power grid (as in the recent Dragonfly/Energetic Bear operation) and the recent incidents at big retailers and payment card operators that exposed the details of millions of card holders (the Target breach)? From a purist perspective they are different types of attack: the first is an operation that took years to succeed, while the second is a rather intensive attack by a cybercriminal organization (apparently located in Russia). But aren't they facets of the same old hacking story?
III. The HOW
As in medicine, we will try to define the malady by its symptoms; therefore, we discuss an APT when:
Once the list of common symptoms has been presented, a useful next step is to present the anatomy of an APT attack:
Stage 1: Reconnaissance – Attacks have a precise objective, and any information related to it is useful. The attacker(s) try to identify and gather everything: names of the people who can access the targeted information or systems, network maps, security infrastructure, profiles of top managers/VIPs and their family members, habits of the IT and security personnel, anything that can be used to develop the attack.
Stage 2: Intrusion – Although we have seen cases of one-step intrusion, normally the intrusion is fragmented: first a modest piece of malware is planted whose role is to establish an initial foothold inside the network or system and to contact the deployment or update servers where the other malware components reside. This component normally arrives through spear-phishing or as a browser object “acquired” from social networks or compromised sites; it runs in the background, is often resident only in memory, and is purged once it has downloaded the other components.
Stage 3: Infiltration – as a consequence of the previous stage, pieces of malware with more “interesting” payloads are used:
This stage is actually the most interesting one from the malware research perspective.
Stage 4: Exfiltration – the information that is key to the attack, or that helps achieve the objective, is sent back to the attackers. In early APT attacks the connection went to a single command-and-control server, but in time the attackers realised that this is an easy way to trace the attack back to them, so they started to use multiple servers with different routines for switching between them. The exfiltrated information is now sent out in chunked and encrypted form.
Stage 5: Persistence and/or Self-Destruction – a successful APT is incredibly interesting to observe from the perspective of the complexity and effectiveness of its mechanism. Once all the previous stages have been completed, depending on the objective, this malware infrastructure may be kept active, may be instructed to go dormant or, if the objective has been achieved, may be instructed to self-destruct and hide or delete its traces. Recent APTs show an increasing tendency to go through small providers to reach the “big accounts”: service providers, accounting firms, legal advisers and financial auditors have all become equally good stepping stones towards high-level targets.
Now that we have seen the common factors and walked through the flow of a successful APT, we move on to a proposed theory.
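As an added illustration of what the Stage 4 pattern looks like from the defender's side (example code written for this post, not part of the original article or of any product), the following Python sketch scores a constructed set of proxy-log lines for the three traits described above: a rotating set of destinations, uniform chunk sizes and regular timing. The log layout, the host names, the IP addresses and the thresholds are all assumptions made for the example.

```python
"""Heuristic detector for the exfiltration pattern described above:
many uploads of near-identical size, at regular intervals, spread over a
rotating set of destinations.  Runs over constructed proxy-log lines."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import statistics

# Constructed sample in an assumed, simplified proxy-log layout:
#   timestamp  source_ip  method  destination_host  status  bytes_sent
# Host 10.1.2.3 pushes six 256 KiB chunks every ~5 minutes across three
# destinations; 10.1.2.4 is ordinary browsing plus one webmail upload.
SAMPLE_LOG = """\
2014-09-01T10:00:00 10.1.2.3 POST cdn-upd-1.example.net 200 262144
2014-09-01T10:05:02 10.1.2.3 POST cdn-upd-2.example.org 200 262144
2014-09-01T10:10:01 10.1.2.3 POST cdn-upd-3.example.com 200 262144
2014-09-01T10:15:03 10.1.2.3 POST cdn-upd-1.example.net 200 262144
2014-09-01T10:20:00 10.1.2.3 POST cdn-upd-2.example.org 200 262144
2014-09-01T10:25:02 10.1.2.3 POST cdn-upd-3.example.com 200 262144
2014-09-01T10:01:10 10.1.2.4 GET www.example.com 200 512
2014-09-01T10:17:45 10.1.2.4 POST mail.example.com 200 40960
2014-09-01T11:02:33 10.1.2.4 GET www.example.com 200 700
"""


@dataclass
class ProxyEvent:
    ts: datetime
    src: str
    method: str
    host: str
    status: int
    bytes_sent: int


def parse_log(text):
    """Parse the assumed whitespace-separated layout into ProxyEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, status, nbytes = line.split()
        events.append(ProxyEvent(datetime.fromisoformat(ts), src, method,
                                 host, int(status), int(nbytes)))
    return events


def coefficient_of_variation(values):
    """Population std-dev over mean; 0.0 means perfectly uniform values."""
    mean = statistics.mean(values)
    if mean == 0:
        return 0.0
    return statistics.pstdev(values) / mean


def find_exfil_candidates(events, allowlist=frozenset(), min_events=5,
                          min_destinations=3, max_size_cv=0.10,
                          max_interval_cv=0.25):
    """Return {source_ip: details} for hosts whose successful POSTs look like
    chunked, scheduled exfiltration to rotating destinations.  Thresholds are
    illustrative assumptions and would be tuned per environment."""
    by_src = defaultdict(list)
    for e in events:
        if e.method == "POST" and 200 <= e.status < 300 and e.host not in allowlist:
            by_src[e.src].append(e)

    findings = {}
    for src, posts in by_src.items():
        if len(posts) < max(min_events, 2):   # need at least one interval
            continue
        posts.sort(key=lambda e: e.ts)
        destinations = {e.host for e in posts}
        sizes = [e.bytes_sent for e in posts]
        intervals = [(b.ts - a.ts).total_seconds() for a, b in zip(posts, posts[1:])]
        size_cv = coefficient_of_variation(sizes)          # chunking: equal sizes
        interval_cv = coefficient_of_variation(intervals)  # scheduling: regular gaps
        if (len(destinations) >= min_destinations
                and size_cv <= max_size_cv
                and interval_cv <= max_interval_cv):
            findings[src] = {
                "events": len(posts),
                "destinations": sorted(destinations),
                "total_bytes": sum(sizes),
                "size_cv": round(size_cv, 3),
                "interval_cv": round(interval_cv, 3),
                "mean_interval_s": round(statistics.mean(intervals), 1),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_exfil_candidates(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The allowlist matters in practice: a backup agent or a sync client to a sanctioned cloud service produces exactly this signature, so known-good destinations have to be excluded before the remaining regular, uniform, multi-destination uploads are worth an analyst's time.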
IV. The Theory
This theory is based on experience and observation: 14 years of direct experience in information security and observation of APTs over the past 4-5 years.
Looking back, we have had the “romantic” times of “hacking for fame”, when people compromised the security of systems and networks just to see whether they could and to point out their vulnerabilities. Those old times started to end around 2004-2005, when we began to talk about blended threats, multi-vector attacks, organized attacks, security operations and so on. With the increasing sophistication of the technologies we use (social networks, smartphones and tablets, always-connected devices) we started to face an increase in the sophistication of successful attacks, whether government-funded or run by organized cyber-crime.
CONCLUSION:
Given all the above, our conclusion is that nowadays any hacking attack that wants to be successful must be sophisticated, take time to develop, have a clear objective and use multi-stage, fragmented malware. Whether we look at high-level government APTs or investigate an organized-crime operation, we are looking at two facets of the same reality. Whether the objective is espionage, taking down networks, plants or entire grids (in the case of states) or “just” exfiltrating the details of millions of credit card accounts, these attacks share the same structure and methods.
Stay tuned for our next post about APTs!
Horatiu B has been in the field of information security for about 14 years, switching lanes between marketing, sales, consultancy and business development. An engineer by training, he thinks that a diagram says 10 times more than a speech, but sometimes you have to employ words in order to describe diagrams. Horatiu’s principal areas of interest are security management, practices, processes, buying behaviours and psychology.