August 2016 – Advanced Persistent Threats

The term ‘APT’ usually refers to a group, such as a foreign government, with both the capability and the intent to persistently and effectively target a specific entity. It is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage using a variety of intelligence gathering techniques to access sensitive information.

Definitions of precisely what an APT is can vary widely, but can best be summarised as follows:

Advanced: Operators behind the threat use the full spectrum of computer intrusion technologies and techniques. While individual components of the attack may not be classed as particularly ‘advanced’ (e.g. malware components generated from commonly available DIY construction kits, or the use of easily procured exploit materials), the operators can typically access and develop more advanced tools as required. They combine multiple attack methodologies and tools in order to reach and compromise their target.

Persistent: Operators give priority to a specific task, rather than opportunistically seeking immediate financial gain. This distinction implies that the attackers are guided by external entities. The attack is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a ‘low-and-slow’ approach is usually more successful.

Threat: There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The criminal operators have a specific objective and are skilled, motivated, organized and well-funded.

Why should you worry about APTs?

The primary objective of APTs tends to be data theft. Experts estimate many terabytes of sensitive information is stolen from companies across the globe yearly without the organisations even being aware that there has been a compromise. In some cases, experts have identified some APTs that have been active within organisations for longer than 5 years at a time. APTs have also been identified that targets specific data, such as documents, spreadsheets, CAD drawings or PDF files, which indicates that APTs usually mine specific types of data.

If the information your organisation stores or processes have any value outside your organisation, for example if it contains intellectual property, business contracts or negotiations, policy papers or internal memoranda, and if the systems containing this information is directly or indirectly connected to the internet, than dealing with APTs should be a part of the information security strategy for your organisation.

The APT attack strategy

Understanding the attacker’s strategy is central in putting effective countermeasures measures in place to guard against APTs. Generally the attacker follows these key steps:

The initial compromise – The most common method used for this step is spear phishing, achieved through sending the target a carefully crafted e-mail containing malicious attachments, a link to a malicious file, or a link to a malicious website. Malicious content can also be sent to targets via social networking sites or by placing malicious code on web sites regularly visited by the target. If the recipient’s computer is vulnerable to the exploit code, the malware will install or modify key files on the computer and change start-up parameters to ensure the malware is running all the time.

Establish a foothold – Once the malware is installed on an insider computer, it will attempt to create a covert internet connection to a computer controlled by the attackers to create a backdoor into the target’s computer. The communication methods used by the backdoors vary from clear text or simple encoding to the use of more advanced encoding or encryption. These backdoors will give the APT groups basic access to a system, typically through a command shell or graphical user interface.

Escalate privileges – The attackers will use backdoors to try to gain access to more resources within the victim environment. Attackers prefer to use privileged accounts such as local administrators, domain administrators and privileged service accounts. They will attempt to gain access and compromise these through the use of cracking tools to reverse engineer passwords. A number of publicly available tools can be used for this purpose.

Internal reconnaissance – Using the privileged accounts, the attacker can now collect information about the victim environment. For example, the attacker can use built-in Windows utilities to obtain information about the internal network, computers on the internal network, domain trust relationships, as well as information about domain users and groups. The attacker can also start identifying data of interest by searching by file extension, key word or last modified date. Data of interest may take many forms, but most commonly consists of documents, the contents of user email accounts, or databases. Therefore file servers, email servers, and domain controllers are customary targets of internal reconnaissance. Some APT groups use custom scripts to automate the process of reconnaissance and identification of data of interest.

Move laterally – In most cases, the systems that the attacker initially compromised do not contain the data that they want. Attackers will use compromised accounts to access to additional computers and devices in the network, execute commands remotely and install malware on these systems.

Maintain a presence – Attackers then focus on fortifying their position by ensuring continued control over key systems from outside of the victim network. They may use different families of malware on multiple computers and use a variety of external ‘command and control’ server addresses to evade capture, or to maintain a presence if some of the malware is discovered and removed.

Complete the mission – The main goal of APT intrusion is to steal data. Once APT groups find files of interest on compromised systems, they often pack them into archive files before stealing them. They most commonly use the RAR archiving utility for this task, but may also use other publicly available utilities such as ZIP or 7-ZIP. APT threat actors not only compress data, but frequently password-protect the archive. From there they use a variety of methods to transfer files out of the victim network, including FTP, custom file transfer tools, or existing backdoors.

APT Countermeasures

The old adage ‘prevention is better than cure’ cannot be more appropriate for guarding with APTs. Your initial focus should therefore be reducing the opportunities for an attacker to compromise your security perimeter and gain a foothold in your organisation. Whilst there are many ways to do this, we consider the following as key:

1. The first layer of defence is making sure employees are aware of the threat and understand how an attacker could try to dupe them into inadvertently running malware on their computer.

2. Implement a robust e-mail anti-spam solution to prevent these types of e-mails from reaching your employees in the first place.

3. Provide employees with clear acceptable use policies as a clear guide to the safe use of company computers, mobile devices, e-mail services and the internet.

4. Providing clear social media usage policies and guidance, for both private and professional social media sites.

5. Install and maintain up-to-date anti-virus, anti-malware and host-based intrusion detection software on your employees’ computers and on servers.

6. Restrict the operating system permissions of the end-user to the minimum level required. Be wary of granting local administration access, as malware inadvertently run by a local administrator could piggyback on this access level to bypass the software installation controls inherent in more recent operating systems (i.e. Windows 7 UAC).

7. Always use complex passwords for privileged user accounts, and never give the accounts names that obviously give away its purpose.

8. Application-layer firewalls at the perimeter of your corporate network and the internet may be able to block suspect outbound network communications if set up correctly.

9. A robust security incident reporting and management procedure will ensure that you are alerted of any coordinated attempts to compromise your organisation, and that you can deal with this quickly and appropriately.

Take Action

APT may sound like something out of a spy novel, but unfortunately it is a very real threat to governments, organisations and individuals across the globe. Don’t get caught napping, do something about it today.