APTs Part 3: Know Your Enemy
In the first two installments of this series, I talked about getting rid of the FUD around APTs and why they should matter to you, even if you aren’t a government agency or one of the biggest companies on earth. Now let’s get down to the controversy that is consuming a lot of bandwidth in security circles: what is an APT, and how is it any different from older malware attacks such as botnets, blended attacks, and standard binary-based viruses? So much is written about the topic, yet many people don’t really understand it and are just rehashing an old subject under a new name.
The jaded folks in the security community say that all of the talk about APTs is FUD because true APTs are very few and far between. I beg to differ. I’d say that the APT buzz is not Fear, Uncertainty, and Doubt but rather Fear, Certainty, and Damage.
Let’s start with what makes a “true” APT (all examples are real):
Advanced: Attackers use a spectrum of sophisticated intelligence-gathering technologies:
Months prior to the actual data-stealing attack on an organization, the attackers:
- Infiltrate and take control of another company’s server (not the target’s). Often this is done through SQL injection against an old, neglected web page or an insecure web application. This server will later be used as a dead drop for the stolen data, and the data trail will end there.
- A custom piece of malware is sent to an employee’s personal email account (knowing that the employee checks their personal email at work). That malware then begins to travel through the network, mapping it and checking for security measures in place. And yes, surveillance of the individual target started before surveillance of the network. Frequently the target of this email is identified through a search of the social web or LinkedIn or Facebook profiles, simple search queries for executive officers on corporate sites, etc. In a social society, there is an abundance of information available about any target, making it that much easier to social engineer a very compelling email to the subject in their native language, using their own likes and information against them to compel them to open the email. The attackers may have already “friended” and conversed with the subject over social sites to gather information.
Persistent: The attacker absolutely must succeed in their goals. They will conduct patient, steady, ongoing monitoring to find vulnerabilities, repeating attempts, and changing tactics if detected to try, try again:
- In our example, the malware has now mapped the network and has sent information to the attackers about the security protocols in place, including the AV and the proxy firewall address in place. At this point the attackers know how to get in, and more importantly, where their prize probably resides.
Threat: They also often use multiple vectors of attack, including specifically crafted malware and previously unknown zero-day vulnerabilities.
- In our example, we’ve already seen one custom piece of malware used to conduct surveillance—now comes the killer code.
- A new email is sent to a personal email account of a different employee; one with access to the data that the bad guys want. Remember, this isn’t a botnet looking for online banking credentials to clear your account. These guys are thinking bigger. They want the intellectual property that makes your business run, they want your source code, or if it is a nation-state, they may want something bigger, either for political or military gain.
- The new code is also highly refined. It knows which systems to evade and where to go to get the data. It’s aware of how to get that data out without immediate detection. The code is also polymorphic, updating itself frequently to continue to remain undetected by AV and other security measures. Then, the data is often exfiltrated without the IT or security team noticing. Only after a separate incident will the security teams see something fishy in the logs – this is the first time the connection with suspicious IP addresses (remember step 1?) is often noted.
I’ve recounted this episode, not to scare you, but to help you understand exactly what we mean when we say “APT”. It is always important to understand the tactics and protocols of your enemy. Sun Tzu warned, "If you know yourself but not the enemy, for every victory gained you will also suffer a defeat."
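The episode above ends where most real ones do: the security team only notices the connections to the dead-drop address after a separate incident puts that address in front of them. What a defender does next is sweep the historical egress (proxy or firewall) logs for that address to learn when contact started and which hosts were involved, and look for the per-host outbound volume spike an upload to a dead drop produces. The following is an added example for this post, not the author’s code; the log format (timestamp, host, destination IP, bytes out), the sample lines, the watchlist address and the outlier factor are all constructed assumptions.

```python
"""Retroactive sweep of egress logs for a dead-drop address (added example).

Assumed log format, one record per line: <ISO timestamp> <host> <dst_ip> <bytes_out>.
The sample log and the watchlist address are constructed, not taken from any incident.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import NamedTuple

# Constructed sample egress log. 203.0.113.55 plays the role of the third-party
# server the attackers compromised months earlier and later use as a dead drop.
SAMPLE_LOG = """\
# ts                  host    dst_ip          bytes_out
2013-03-04T09:12:01 ws-042 198.51.100.7 1240
2013-03-04T09:12:05 ws-042 198.51.100.8 880
2013-03-04T09:30:11 ws-017 198.51.100.7 2100
2013-03-04T09:31:40 ws-017 198.51.100.9 1750
2013-03-04T22:41:10 ws-017 203.0.113.55 48120000
2013-03-05T02:03:44 ws-017 203.0.113.55 51200000
2013-03-19T23:15:09 ws-088 203.0.113.55 2048
"""

# Address learned from the "separate incident" in the post's narrative (constructed).
WATCHLIST = {"203.0.113.55"}


class Egress(NamedTuple):
    ts: datetime
    host: str
    dst: str
    bytes_out: int


def parse_log(text: str) -> list[Egress]:
    """Parse the assumed whitespace-separated format; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst, nbytes = line.split()
        records.append(Egress(datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return records


def watchlist_hits(records: list[Egress], watchlist: set[str]) -> dict:
    """For each watchlisted destination: earliest contact, hosts involved, total bytes out.

    The earliest timestamp is the answer to "how long has this been going on?",
    which is usually far earlier than the day the address was first noticed.
    """
    hits: dict = {}
    for r in sorted(records, key=lambda r: r.ts):
        if r.dst not in watchlist:
            continue
        h = hits.setdefault(r.dst, {"first_seen": r.ts, "hosts": set(), "bytes_out": 0})
        h["hosts"].add(r.host)
        h["bytes_out"] += r.bytes_out
    return hits


def volume_outliers(records: list[Egress], factor: int = 20) -> list[tuple[str, str, int]]:
    """Flag (host, dst, bytes) where a host sent `factor` times its median per-destination volume.

    This needs no prior knowledge of the dead-drop address: a bulk upload stands out
    against the host's own normal traffic. Hosts with a single destination are skipped.
    """
    per_pair: dict[tuple[str, str], int] = defaultdict(int)
    for r in records:
        per_pair[(r.host, r.dst)] += r.bytes_out
    per_host: dict[str, list[int]] = defaultdict(list)
    for (host, _dst), n in per_pair.items():
        per_host[host].append(n)
    flagged = []
    for (host, dst), n in per_pair.items():
        vols = per_host[host]
        if len(vols) > 1 and n > factor * median(vols):
            flagged.append((host, dst, n))
    return sorted(flagged)


def sweep(text: str, watchlist: set[str]) -> dict:
    """Run both checks over one log text and return their findings together."""
    records = parse_log(text)
    return {"hits": watchlist_hits(records, watchlist), "outliers": volume_outliers(records)}


if __name__ == "__main__":
    findings = sweep(SAMPLE_LOG, WATCHLIST)
    for dst, h in findings["hits"].items():
        print(f"{dst}: first contact {h['first_seen']}, hosts {sorted(h['hosts'])}, "
              f"{h['bytes_out']} bytes out")
    for host, dst, n in findings["outliers"]:
        print(f"volume outlier: {host} -> {dst} ({n} bytes)")
```

Against the constructed sample, the watchlist sweep shows the first contact with the dead drop on 2013-03-04 from ws-017 (with ws-088 talking to it two weeks later), and the volume check flags ws-017’s roughly 99 MB to that address without having been told the address at all. The second check is the one worth running continuously; the first is what you run the day an address from someone else’s incident lands on your desk.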
Let’s all get on the same page when we talk about APTs. As we said before, APTs won’t target everyone, but it is important to understand how they work and how we must change our security tactics because of them. While your organization may not be the next target of a state-sponsored attack, those same exploits and tactics are frequently used by other hackers simply to steal money or other important information from your company. There is an ongoing vicious cycle of improvement in malware techniques:
For example, the "Capitalist" hacker who designs malware for commercial gain creates the attacker toolkit; the "Nationalist" hacker grabs that toolkit and improves on it or combines it with toolkits from other sources; then the "Capitalist" hacker learns from that and incorporates the enhancements into their publicly available attacker toolkit, and the cycle repeats itself. Again, the central point is that they all carry the same M16: some are using it to rob banks and others are using it in national wars. Only the motive and the victim change; the gun is the same in both cases.
Surprisingly, the tactics to combat these threats, whether genuine APTs or the data-stealing derivatives in the headlines, are very similar. We’ll get into that more in the next post.
So, what are some of the first changes you have made within your organization in light of recent attacks? What are you planning to do next?