Some APT talks – Part 1 – Expect the Unexpected

In our forum, we have discussed Advanced Persistent Threats (APT) before.

Who and what is it?

Over the last few years we have seen different information security strategies breaking down. We always talk about defence in depth or defence in breadth strategies, but against advanced persistent or zero-day attacks, those strategies have also become less effective. Think how complicated it would be if the attack remained undetected and the attacker stayed inside for a long period of time. Also, what if a well-organized group of hackers, working together as a team, targets an organization for a cyber attack, and someone is sponsoring all the money required to launch these sorts of attacks? Their goal may be industrial or military espionage, or it may be financial gain. This is what we call an APT, an Advanced Persistent Threat. Previously these sorts of attacks were targeted mainly at government or military/defence industries. Now APT attackers may come from criminal organizations attacking high-profile organizations, or even from countries that want to take revenge on another country. If we look at the history of APT, we can see that successful APT attacks have come after months of patient data gathering and learning.

The phases are already explained in that article. The main focus of APT attackers is to remain invisible with the help of malware. They move from one compromised host to another and give the attackers remote access to the target networks. The challenge is that these hackers are good enough to make sure that they won't generate any network traffic that would help in finding them.

I would compare APT with cancer. At the point of compromise nothing is visible, and by the time we realize it through the visible signs of attack, the damage has already been done.

A, P and T

I would like to expand the letters A, P and T of APT, and say what they actually mean to me:

Advanced – Using multiple attack methodologies and tools, a high level of sophistication and, more than that, the skills possessed by the attacker.

Persistent – The principle of slow and steady wins the race: the focus is on the target regardless of the time taken, and the attack will continue until the goal is reached.

Threat – A kill chain, and the amount of human involvement compared to other attacks, which mostly rely on malware or other tools.

How is it different?

With all the possible effective solutions in place through the defence in depth principle, how is it possible? This is where APT hackers differ from other attackers. In a normal attack, once a hacker identifies that his target has all the proper defences and his tools are not good enough to reach the network, he won't waste much time. APT hackers normally carry out extensive research to learn about your network and defences, tailor the attack to evade your specific defences, explore your network and then launch the attack.

I have all the infrastructure, still?

But again the question of HOW is there. I have endpoint antivirus, HIPS/HIDS, IPS and DLP to catch this malware. Still, how is it possible? For me, malware is the key player behind these attacks.

Signature based – Only known enemies

We all know that most endpoint antivirus and HIPS/HIDS products are signature based. Knowing these signatures in depth, hackers create malware that can easily bypass these devices. Over a lakh (100,000) of malware samples are automatically generated and released on a daily basis. So how practical is it for the antivirus vendors to release updates?

As we all know, normally when a new malware is identified, antivirus vendors release a new update to properly detect that malware. What about releasing multiple variants of malware at scheduled intervals to constantly remain ahead of antivirus signature updates? Coming back to the main topic, when they launch attacks, they will ensure that the antivirus solution does not have the signature that would help in finding them. To do so effectively, they need to understand more about the antivirus solution the target is using, and the malware will be written based on that. This is why APT attacks differ from other attacks. It is all about knowing your enemy well and planning the attack strategies silently, more or less like a slow poison.
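To make the "only known enemies" point concrete, here is an added example (not from the original article) of a minimal signature engine run over three constructed sample files that stand in for successive releases of one malware family. It assumes two vendor signature types, an exact SHA-256 hash and a YARA-style hex byte pattern with `??` wildcards; the samples and the `c2.example.invalid` string are constructed for illustration.

```python
import hashlib

# Constructed sample files standing in for a malware family (not real malware):
# the same payload as an attacker might re-release it between AV signature updates.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 8 + b"CONNECT c2.example.invalid:443" + b"\x00" * 16
# Release 2: a single byte of trailing padding changed, enough to defeat a hash signature.
VARIANT_PADDING = ORIGINAL[:-1] + b"\x01"
# Release 3: the string the byte-pattern signature keys on has been scrambled.
VARIANT_RESTRUNG = ORIGINAL.replace(b"c2.example.invalid:443",
                                    b"c2.example.invalid:443"[::-1])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database as a vendor might ship it: exact hashes of samples seen so far,
# plus a hex pattern ("??" is a one-byte wildcard) that matches "CONNECT c2?ex".
KNOWN_HASHES = {sha256_hex(ORIGINAL)}
KNOWN_PATTERNS = {"beacon_string": "43 4F 4E 4E 45 43 54 20 63 32 ?? 65 78"}


def pattern_matches(data: bytes, pattern: str) -> bool:
    """Scan data for a hex byte pattern with ?? wildcards (a tiny byte-signature engine)."""
    need = [None if tok == "??" else int(tok, 16) for tok in pattern.split()]
    for start in range(len(data) - len(need) + 1):
        if all(n is None or data[start + j] == n for j, n in enumerate(need)):
            return True
    return False


def scan(data: bytes) -> dict:
    """Report which signature types fire on a sample."""
    return {
        "hash_hit": sha256_hex(data) in KNOWN_HASHES,
        "pattern_hit": any(pattern_matches(data, p) for p in KNOWN_PATTERNS.values()),
    }


if __name__ == "__main__":
    samples = [("original", ORIGINAL), ("padding variant", VARIANT_PADDING),
               ("restrung variant", VARIANT_RESTRUNG)]
    for name, sample in samples:
        print(f"{name:18s} {scan(sample)}")
```

The padding variant already slips past the hash signature, and once the attacker knows which bytes the pattern signature keys on, the third release slips past both, which is why detection that does not depend on a prior sighting of the exact sample matters.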

Sandboxing and Evasion

Many of us would think that by using a behaviour-based detection system or a sandboxing solution we can deal with these attacks. I have written about the challenges with sandboxing technologies and evasion techniques before.

Encryption challenges

Another problem that DLP or IPS faces is encryption. I agree that traffic has to be encrypted to protect data and privacy, but there are other risks associated with it. With encryption, we can't look at the data deeply. Encryption creates blind spots in network defences that can be used by a hacker as a pathway to launch exploits and steal important data. We need to implement solutions that have the ability to detect and respond to hidden threats in encrypted traffic.

Phishing again in action

Another interesting factor is the entry point of these attacks. The hackers start with a normal social engineering attack in the form of spear-phishing (attackers send spoofed emails with malicious links or attachments to infect machines). Also, with the help of malware, the hackers are able to get highly personalized information which can be used at a later stage. They target certain individuals whom they believe have some weakness, maybe not from a technology team. During the initial research and data gathering phase, they identify the people they are going to start with. If you still argue with me that you are too good to fall for this sort of phishing attack, then I will give an example. If some mobile application offers you a good discount when you purchase through it, as a normal user you won't even think about how legitimate it is. You also won't think about what permissions it is asking for; you will simply install the application and avail yourself of the discount, thinking that you will uninstall it after the purchase. But by that time, your personal information has been uploaded to the malicious application's server and can be used for the next stage of the attack.

Attack vectors

Even though there are multiple vectors behind APT attacks, I would rate malware as the key player behind these attacks. Zero-day vulnerabilities also have a big role to play. Zero-day vulnerabilities are security vulnerabilities present in software or an application for which the vendor has not released a patch, or sometimes does not even realise they exist. This gives a window of days between the first attack and the fix. If an attacker can identify the software or application that has a zero-day vulnerability, they can exploit it.

What about browser component attacks that can install malware?
What about a USB drive or a CD drive left in parking lot as gifts?

Yes, in our organization's network we have disabled USB drives, and users don't have permission to install any software. What about doing those things from a personal machine? Most organizations provide webmail access for their employees, and they can open it from a personal machine. If malware gets installed on the personal machine and has the ability to capture credentials, then it is all easy for the attacker.

Expect the Unexpected

APT is a sophisticated attack and is often explicitly developed to evade traditional antimalware and IDS/IPS solutions. We should never rely on our organization's size or the lack of competitors in our line of business, as that may lead us into trouble. There is no period of relaxation in cyber security. If we let our guard down for any period of time, the chance of a compromise is very high. Our principle always has to be Expect the Unexpected. We will talk about the mitigation strategies in the next part.

Authored by Aju Nair
