
The anatomy and physiology of APT attacks

Building on what cybercriminals began, security services from many countries have the capability to attack and steal for their national interests.

The cyberthreat landscape has changed. We used to deal with hackers in the classic sense, from explorers of systems to script kiddies who used newly automated exploit tools, developed by taking hackers' technical knowledge and packaging it. In the background lurked the underground and criminal types who move into any vacuum, given enough time, if there is something to steal.

The modus operandi for these early criminals wasn't that different from what many enterprises encounter today. It involved phishing campaigns to try to trick people into logging onto their online bank accounts and, in doing so, giving up their credentials. Attackers developed viruses and bots that delivered remote access and administrative tools to the victims' computers, allowing the bot masters to harvest all the data. National intelligence services began to employ many of the tools and techniques those early criminals developed to use the Internet as a conduit for advancing their intelligence-gathering capabilities.

Nothing in our past has happened so quickly or with as far-reaching implications and dependencies. Critical networks, utilities and other infrastructures are all intertwined with the networks of companies and governments. Almost everything that's built, designed and manufactured is on the Internet. If the Internet stopped working, the global economy would collapse. With that dependency come issues of national security. Governments have recognized the strategic and tactical advantage of having both defensive and offensive capabilities in the electromagnetic arena.

This paradigm shift has created the groundwork for advanced cyberthreats. Building on what cybercriminals began, security services from many countries have developed the capability to protect, attack and steal for their national interest. As these organizations responded to requests for intelligence from their governments, a whole new type of "threat" appeared on the cyber landscape.

The term advanced persistent threat or APT -- coined by U.S. Air Force Col. Greg Rattray in 2006 -- describes the new powerful cyber adversary noticed on government networks since the late 1990s and early 2000s. For the U.S. government, the APT is the Chinese; for the Chinese, the APT is the United States. It is always a question of perspective.

Intelligence gathering methods

How do APT attacks happen and why? To understand the anatomy and physiology of APT attacks, it helps to recognize intelligence-gathering methods used by security organizations around the world. All these agencies -- including the CIA, MI6 and the Federal Security Service (FSB) of the Russian Federation -- have administrative processes for receiving requests for intelligence products and information. They prioritize those requests and pass them out to the various departments, or organizations, that are then tasked with acquiring the information or products.


Where might a request come from? Say a delegation from country A attends the Paris Air Show, a key event in which hundreds of aerospace and defense companies show off their products and innovations. The delegation, which can include intelligence personnel, has a "shopping list" and spends a lot of time looking for specific technologies and systems. They notice a new and innovative radar system for sale from a defense contractor in a "banned" country. It would be illegal for the manufacturer to sell the technology to the delegation, so they cannot simply buy the technology and reverse engineer it. The delegation takes photographs of the sales display and picks up any other information it can. When the delegation returns home, a formal request for intelligence or collection on the radar technologies is submitted to their country's intelligence services. The intelligence request is prioritized, and when it is acted on, it will be assigned to a cyber-intelligence unit whose specialty is to gain access to other people's networks with the sole purpose of taking something very specific.

The APT is in the collection part of the classic intelligence cycle described on the CIA's website:

  • Planning and Direction
  • Collection
  • Processing
  • Analysis and Production
  • Dissemination

An APT "campaign" against the target begins. In this case, it is based on an intelligence request from country A's military to their intelligence services to find everything they can about a radar manufactured in country B.

The intelligence services, or their contractors, will begin by doing a comprehensive search of the target organization. This research will include basic information about the company such as the physical locations of facilities; corporate and supply chain relationships; contracts, products and services; leadership and board of directors; filings and financial reports; and whether it is publicly traded.

The organization will also look at the company's Internet footprint:

  • Domain names, DNS records, MX mail records
  • Registered IP ranges and scans of that information
  • Email naming convention (first name.last [email protected])
  • Telco relationships and colocation usage
  • Cloud usage
  • Publicly facing services or websites
  • Use of two-factor authentication

They will build an understanding of employees who work within specific divisions or programs or within leadership or corporate shared services. This information is gathered with help from LinkedIn and Facebook searches, academic papers, public websites, speaking engagement histories, and industry associations and forums. Once this data is compiled, a plan of action will be formulated to penetrate the network and steal the data on the target.

The offensive part of an APT campaign begins with the perpetrators executing their plans. In this example, it starts with social engineering. Having identified the physical location of the facilities where the targeted product is manufactured, the APT will cast a net on social media to "link" to individuals associated with the program, or near the program, based on their LinkedIn profiles. The attackers will create false personas, using LinkedIn, Facebook pages and other social media. They will then try to "friend" individuals to discover email addresses -- both work and personal -- other friends or associations, addresses, skills they possess and other programs they've worked on.

From this social media information the APT will create a target list of named individuals who are directly or indirectly associated with the target programs, who are in a position to reach the projects indirectly, or who provide the next hop to the target. This social engineering generates the targets for a spear-phishing campaign. Almost all APT attacks include some form of spear phishing -- malicious messages aimed at specific individuals -- with the intention of compromising victims' computers.

APT toolbox

For the APT to launch these campaigns, there has to be infrastructure and tools at their disposal. The big APT actors have deep funding from national governments for R&D into activities such as creating exploits or testing code against most commercial security tools. The APT toolbox typically includes the following:

  • An extensive set of command-and-control (C2) hosts, either leased from cloud providers or compromised for the purpose of serving as C2 hosts. These hosts tend to communicate home indirectly. It is not smart to have a C2 host owned by the government of country A, or a C2 host that communicates directly back to country A. Instead, they communicate through a layer of hosts and proxies to obscure the destination of the traffic. It is through those networks of C2 hosts that the malware deposited by spear phishing calls back to establish channels to the compromised hosts and then downloads rootkits and remote administration tools (RATs).
  • Websites with waterholes or drive-by exploits (the destination of the link in the spear-phishing email) to infect a host.
  • Internet file shares to drop the exfiltrated data. These file shares can include Google Docs accounts or Dropbox accounts.
  • An extensive malware library to get a toehold onto a network and download RATs and rootkits. The malware will try to exploit near-zero-day or zero-day vulnerabilities. Zero-days are typically reserved for higher-value targets, because once they are in the wild, patches and signatures can be developed.
  • Windows administrators with extensive skills in domain and host configurations. These technicians will use the infected hosts to gain access to further hosts on the exploited network, find the data and exfiltrate it.

Based on the initial reconnaissance of the target, a template for the campaign will be selected to get the data from the target. These templates, or the modi operandi, are based on the technologies the target company has deployed, the network security of the target and the value of the target.

Once the template is selected and approved, and resources are lined up, the spear phishing emails are sent to the targets. Mail is delivered and disappears behind the target's firewalls. Success is noted if a piece of malware beacons out to a C2 host, whose address is in the exploit code.

A few years ago, most companies were helpless against this type of threat and compromise was easy. The modi operandi from those early campaigns have persisted, with some modification as defenses have improved. As awareness of the APT has grown, so have the active defenses against it, meaning that the APT actors have to adjust their MOs to defeat the emerging defenses companies put up.

Active defenses

Understanding how an APT actor operates can help an organization build active defenses against it. Traditional signature-based firewalls and IDSs are ineffective against APT attacks. The APT actors have copies of all commercial security devices and software and build their templates to easily defeat systems such as antivirus and antimalware tools.

Here are some other ways to prevent APT attacks:

Use threat intelligence. This includes current information on APT actors; threat intelligence harvested from analyzing malware; known C2 sites; known bad domain names, email addresses, malicious email attachments and email subject lines; and malicious links and websites. Threat intelligence is for sale commercially and is shared by industry cybersecurity groups. Care must be taken to make sure the intelligence is relevant and timely. Threat intelligence is used to establish "trip wires" that alert you to activity on the network.

Create strong egress rules. Stop all outbound traffic from the enterprise except Web traffic, which must be proxied, with all data sharing, malicious sites and uncategorized sites blocked. No SSH, FTP, Telnet, or other ports and protocols should be allowed out of the network. This will break the communications channels from the malware to the C2 hosts and stop the unauthorized exfiltration of data off the networks.

Collect strong log analytics. Verbose logging from critical networks and hosts should be collected and analyzed for unusual behavior. Logs should be retained for a period of time to allow for investigations. Alerts on matches with threat intelligence should be established.
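The two defenses above (threat-intelligence trip wires and log analytics on egress traffic) can be combined in a small detector run over proxy logs. The following is an added example, not code from the article or its author: it matches each outbound request against a constructed list of known C2 domains, and separately flags hosts that contact an uncategorized domain at near-constant intervals, the regular heartbeat a C2 beacon produces. The log format, domain names and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed sample of egress proxy log lines (not from the article).
# Format: epoch_seconds src_host dest_domain category action
PROXY_LOG = """\
1412150400 ws-042 updates.vendor-example.test software allow
1412150460 ws-042 cdn.bad-actor.test uncategorized allow
1412150520 ws-042 cdn.bad-actor.test uncategorized allow
1412150580 ws-042 cdn.bad-actor.test uncategorized allow
1412150640 ws-042 cdn.bad-actor.test uncategorized allow
1412150650 ws-017 mail.corp-example.test business allow
1412150700 ws-017 known-c2.example.test malware allow
"""

# Constructed threat-intelligence feed of known C2 domains (placeholders).
C2_INDICATORS = {"known-c2.example.test"}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, host, domain, category) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, domain, category, _action = m.groups()
            yield int(ts), host, domain, category


def tripwire_hits(text, indicators=C2_INDICATORS):
    """Trip wire: any outbound request to a domain on the intel list."""
    return sorted({(h, d) for _, h, d, _ in parse_log(text) if d in indicators})


def beacon_candidates(text, min_hits=4, max_jitter=5.0):
    """Flag (host, domain, interval) where a host reaches an uncategorized
    domain at least min_hits times with near-constant spacing (seconds)."""
    times = defaultdict(list)
    for ts, host, domain, category in parse_log(text):
        if category == "uncategorized":
            times[(host, domain)].append(ts)
    hits = []
    for (host, domain), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if pstdev(gaps) <= max_jitter:  # low jitter: machine-driven cadence
            hits.append((host, domain, round(sum(gaps) / len(gaps))))
    return hits
```

On the constructed sample, ws-017 trips the intel wire and ws-042 shows a 60-second beacon to an uncategorized domain that no feed has listed yet, which is the case the trip wire alone would miss.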

Hire security analysts. The role of security analysts is to tie the threat intelligence, log analytics and alerting to an active defense against APT. Experience is key in this role.

Are you in an industry with the APT threat? Does your company have something an APT actor would be willing to spend time and money trying to steal?

Enterprises can ask the FBI if they are in an industry targeted by APT threats. If the answer is no, then spending the money on active defenses against the APT might not be a good investment. But organizations that might become potential "targets" must consider it.

About the author:
Adam Rice is the CISO at Alliant Techsystems (ATK). An InfoSec professional with 17 years of experience, he has served as CSO of a global telecommunications company; general manager and vice president of a managed security services business; director in several network consulting companies; and is a retired U.S. Army noncommissioned officer. He is also a regular contributor to several information security publications.


This was last published in October 2014
