Long-duration advanced persistent threat attacks now the norm, say experts

Threat experts at RSA Conference 2015 say today's most dangerous attack techniques reflect a shift toward long-duration attacks that are often nearly impossible to detect.

SAN FRANCISCO -- Top information security threat experts at RSA Conference 2015 spoke about the most dangerous attack techniques being seen in the wild, and many recent attacks show threat actors are more willing than ever to take their time to plan and execute long-duration advanced persistent threat attacks.

SANS Institute instructor Ed Skoudis, CEO of Counter Hack Challenges LLC, began the talk by detailing how threat actors have been changing their tactics when conducting data breaches, citing the recent Sony Pictures Entertainment Inc. hack as an example.

Skoudis said in the past, threat actors would breach an organization, gather data, and then either hold it to commit identity theft or credit card fraud, or "dump it en masse for massive disruption and embarrassment of the organization."

"But, there was an interesting characteristic of the Sony breach which is that the bad guys got in, did some stuff over time, and then they released their data they had gotten from the breach in piecemeal fashion," Skoudis said. "So, on one day they would release some stuff, and Sony would try to control it, and then the next day more data would come out. And the data was specifically chosen to make what Sony had said about the breach on the first day not true or appear to be confused on the second day."

Skoudis said that he expects this kind of slow release of data and related public relations games will happen more often in future data breaches because a slower, more carefully planned exposure of data is more difficult for organizations to deal with.

"You don't have the full picture on day one of what your adversary has and how your adversary is going to play you in releasing that data over time," Skoudis added. "It changes the game in a way that is harder for incident response teams and the PR teams to deal with."

New tools raise Kerberos security risk

Skoudis went on to describe various issues related to Microsoft Kerberos access management and authentication protocols. He said there has been a boom in the number of tools available that can read hashes, plain-text passwords, and tickets from memory.

In response to a vulnerable code path in domain controllers running on Windows Server 2008R2 and below, Microsoft in November released a critical, out-of-band patch to fix a serious Kerberos security vulnerability.

Skoudis noted that while Microsoft has released patches to limit the amount of time that hashes and passwords are stored in memory, the same has not been done for tickets. Tickets are stored in memory on the machines that an authenticated user is using, Skoudis said, and while they often have a time limit, a lot of damage can be done in that time, including creating more tickets to extend the attacker's time in the system.

"If you get a powerful enough ticket, you can pass that ticket, use it for authentication as an administrator, start creating your own accounts, and issue more tickets as needed," Skoudis said. "This is all building to the 'golden ticket.'"

In order to create a so-called golden ticket to enable full access, an attacker would need to get into the domain controller to acquire the domain NT hash, which Skoudis called "game over" in terms of exploitation, but he said there would be even more issues in post-exploitation and in allowing an attacker to stay on the system.

"Because Kerberos, especially Microsoft Kerberos, is designed to work in offline mode," Skoudis said, "the bad guy can actually start printing brand new tickets for non-existent users."

All servers would allow that ticket, because it was created using the NT hash, and attackers would be able to authenticate to any service as any user, even if the user doesn't exist. Making this even worse, Skoudis said, the only way to stop this would be to replace the NT hash of the domain admin, which is a significant rollout.
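On the detection side, a ticket that was forged offline was never issued by the domain controller, so service-ticket requests with no matching ticket-granting-ticket request, or for accounts the directory does not contain, stand out in the logs. The following is an added example, not code from the talk or from Microsoft: the record layout, account names and addresses are constructed, the 10-hour lifetime is an assumed policy value, and 4768 and 4769 are the Windows Security log IDs for TGT and service-ticket requests.

```python
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # assumption: domain ticket lifetime policy

# Constructed sample: account names exported from the directory.
DIRECTORY_ACCOUNTS = {"alice", "bob", "svc-backup"}

# Constructed sample events, simplified to "time,event_id,account,client".
# 4768 = TGT requested from the KDC, 4769 = service ticket requested.
SAMPLE_EVENTS = """\
2015-04-21T08:00:00,4768,alice,10.0.0.21
2015-04-21T08:00:05,4769,alice,10.0.0.21
2015-04-21T09:15:00,4769,bob,10.0.0.37
2015-04-21T09:20:00,4769,ghost-admin,10.0.0.37
2015-04-21T19:30:00,4769,alice,10.0.0.21
"""

def parse(text):
    """Yield (time, event_id, account, client) tuples from the sample format."""
    for line in text.strip().splitlines():
        ts, event_id, account, client = line.split(",")
        yield datetime.fromisoformat(ts), int(event_id), account.lower(), client

def find_suspect_tickets(text, directory=DIRECTORY_ACCOUNTS):
    """Flag service-ticket requests the KDC's own records cannot explain."""
    last_tgt = {}   # (account, client) -> time the KDC last issued a TGT
    findings = []
    for ts, event_id, account, client in sorted(parse(text)):
        key = (account, client)
        if event_id == 4768:
            last_tgt[key] = ts
        elif event_id == 4769:
            if account not in directory:
                reason = "account not in directory"
            elif key not in last_tgt:
                reason = "no TGT issued to this client"
            elif ts - last_tgt[key] > TGT_LIFETIME:
                reason = "TGT older than policy lifetime"
            else:
                continue
            findings.append((ts.isoformat(), account, client, reason))
    return findings

if __name__ == "__main__":
    for finding in find_suspect_tickets(SAMPLE_EVENTS):
        print(*finding, sep="  ")
```

In a real domain the events from every domain controller have to be merged first, and ticket renewals accounted for, or legitimate sessions will be flagged.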

Skoudis said a good way to help mitigate these types of attacks is to implement Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which he said wasn't too difficult to deploy, and would go a long way to stopping intruder access.

Attackers making strides in ICS security knowledge

Michael Assante, director of ICS and SCADA security training at the SANS Institute, noted that attackers targeting industrial control systems (ICS) are not only getting more sophisticated in terms of techniques used, but are also taking the time to understand control systems intimately, and sometimes better than employees tasked with maintaining the systems.

"There's always the idea that attackers don't understand the process, and that was the defense," Assante said, referencing the concept of security through obscurity. "Well, we're starting to see evidence that not only are they getting the skill sets necessary, but they're also spending enough time in the environment to understand the systems."

The delivery techniques in ICS campaigns are also getting more sophisticated, Assante said, and they fall into four major categories: spear phishing, water holing, trojanizing ICS files and direct ICS exploits. Assante said that the last two show that attacks are becoming more targeted as adversaries understand systems better and know to expect certain processes or characteristics of those systems.

He said that the best defense strategy involves discarding the "old way of thinking" about ICS defense, which revolved around good security architecture, segmentation and firewalls, because attackers now assume those as a given and have found reliable methods of access anyway.

"We need to move beyond the hygiene part now that we have targeted attacks," Assante said. "It's time for us actually to focus on presumption of guilt for control systems that are highly vulnerable. In the Black Energy 2 exploits, those vulnerabilities were known for over three years."

He said that the focus should be on action monitoring, using more methods of monitoring within the systems, and having engineers make smarter engineering choices when building control systems.

Attacks using encryption on the rise

John Pescatore, director of the SANS Technology Institute based in Bethesda, Md., talked about the various threats that have risen up regarding encryption, including SSL validation flaws like those detailed on Android or as part of the POODLE attack, as well as crypto-ransomware, which he described as a big growth area that is important for enterprise.

"You don't have to delete data anymore, you can encrypt data strongly and it's as good as destroyed if you do it right," Pescatore said. "Many small businesses are finding that if malware comes in and encrypts user files, they don't have good backups, and it's cheaper for them to pay off than it is to figure out how to replace that data."

This is another area where attackers are playing the long game, according to Pescatore, as crypto-ransomware has been found to infect enterprise servers and encrypt business data, but stay in residence for months. He said the malware will decrypt the data when it is accessed, in order to stay undetected, but the data will be encrypted through backup cycles, meaning that the backups won't be accessible once the ransomware is activated.
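Because the live server keeps returning readable data, the check has to be made on the backup copies themselves, read from a host that is not running the infected software. The following is an added example, not from the talk: it flags backup copies whose leading bytes no longer match their file type and whose byte distribution looks like ciphertext; the file names, sample contents and the 7.5 bits-per-byte threshold are assumptions.

```python
import hashlib
import math
from collections import Counter

# Well-known leading signatures for a few file types.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
ENTROPY_LIMIT = 7.5  # assumption: bits/byte above this looks like ciphertext

def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total)
                for c in Counter(data).values())

def check_backup_copy(name, data):
    """Return a reason string if the copy looks encrypted, else None."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    if expected is None or data.startswith(expected):
        return None  # unknown type, or signature intact
    entropy = shannon_entropy(data)
    if entropy > ENTROPY_LIMIT:
        return f"signature mismatch, entropy {entropy:.2f} bits/byte"
    return "signature mismatch"

def constructed_samples():
    """Constructed inputs: an intact PDF-like file and pseudo-random bytes."""
    good = b"%PDF-1.4\n" + b"quarterly report text " * 200
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return {"report.pdf": good, "ledger.pdf": noise, "notes.txt": b"plain"}

def audit(samples):
    """Map each suspicious file name to the reason it was flagged."""
    return {name: reason for name, data in samples.items()
            if (reason := check_backup_copy(name, data))}

if __name__ == "__main__":
    for name, reason in audit(constructed_samples()).items():
        print(f"{name}: {reason}")
```

Compressed formats are high-entropy by design, which is why the signature comparison comes first and entropy is only used to qualify a mismatch.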
