Detection, Response, Mitigation Steps for Advanced Persistent Threats
Who is behind APTs (Advanced Persistent Threats)?
Usually, they are from a state-sponsored group. Why? State-sponsored attackers have the resources to conduct a very slow, below-the-radar campaign, and aren’t necessarily looking for a direct or immediate monetary payoff. Their motivation is competitive advantage and eventual economic or military gain. The targets are trade secrets, such as designs and formulas; mergers and acquisition information; email contact information and other details of high-level executives, so that a successful phishing campaign can mirror an organization’s email; and an organization’s law firms, investment firms, and other third-party contractors.
eCrime malefactors are also specialized groups, and though not sponsored by a state, they are frequently the product of large criminal enterprises. Individual participants have specialties: an access team, a database team, and an exfiltration team. Again, referencing the Kellermann article, Peter the Great versus Sun Tzu, and other recently published research papers, such as The Elderwood Project from Symantec, many of these groups are known in the West by nicknames, and the particular techniques they favor become their calling cards.
Why So Hard to Detect?
As pointed out in the Verizon report, the vast majority of infiltrations (92%!) are discovered by a third party. APT teams are masters at eluding detection, flying under the radar of signature-based IDS and anti-malware software. The infectors are planted in multiple instances, so that if one remediation pass removes some, others are hidden deeper and survive to reinfect the target; the cleaning may only appear to be successful. The attack, and your actions against it, are closely monitored, so that if one communication channel or attack is eliminated, another is activated to take its place, even if that means using another computer. Make no mistake: once you try to eliminate an APT attack and aren’t successful, it will be more difficult the next time.
On the prevention side, life is made more difficult by the fact that, as the Symantec Elderwood blog points out and KrebsOnSecurity describes, supply chain attacks and watering hole attacks are increasingly used to gain entry, at least by APT teams. If you can’t trust your suppliers, business is impacted, but most businesses do not thoroughly vet supply-side security. In the military, you might get away with limiting web surfing. If you try telling your users they can only visit approved, directly business-related web sites, you will be looking at a revolution.
The basics of incident response still apply, as enumerated by SANS and described by Richard Bejtlich. These include the following steps: Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Activity.
A useful incident handling chart that follows ITIL standards is available here. For the purposes of APT, Mandiant and PwC recommend a slight change to traditional incident response: depending on the target, the prudent course is to contain by limiting access immediately. Scenarios where this applies include eCrime, where attackers are not interested in persistence but in the quick grab of millions in untraceable currency, and a secret manufacturing process or design that, if sold to a competitor, puts the company out of business. In these cases, limit access to the target immediately, and then try to contain other attacker access.
In many targeted, “advanced” attacks, a “win” must be redefined. You might not keep the attackers out completely. You can make their life very difficult, increase your detection ability, speed, and efficiency, and investigate and remediate in hours, not months or years. Remediation consists of containment, eradication, and recovery.
The steps to mitigate, as recommended by Jim Aldridge:
- Isolate WAN connections to prevent exfiltration of data and infiltration of commands.
- Permanently block attackers’ command and control servers by address and domain.
- Replace compromised systems.
- Reset passwords.
- Directly address the attack methodology and life cycle with further technical measures.
- Verify that your control measures are effective.
- Reconnect to the Internet.
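As an added example (not part of the original article), the Python script below shows one way to carry out the "verify that your control measures are effective" step for the C2 block: it scans DNS resolver and firewall log lines for any contact with a blocked C2 domain (including its subdomains) or a blocked address range, so a host that is still beaconing after cleanup surfaces as a reinfection candidate. The blocklist entries, log line formats and hostnames are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed blocklist (placeholders, not real indicators). A blocked domain also
# covers its subdomains; blocked addresses may be single hosts or CIDR ranges.
BLOCKED_DOMAINS = {"c2-example.invalid", "update-cdn.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Constructed sample logs; the resolver and firewall line formats are invented.
DNS_LOG = """\
2024-05-01T10:00:01 host=ws-017 query=www.example.com type=A
2024-05-01T10:00:09 host=ws-042 query=beacon.c2-example.invalid type=A
2024-05-01T10:02:13 host=ws-017 query=notc2-example.invalid type=A
2024-05-01T10:05:44 host=srv-db01 query=update-cdn.example type=TXT
"""
FW_LOG = """\
2024-05-01T10:00:10 src=10.1.4.42 dst=203.0.113.25 dport=443 action=DENY
2024-05-01T10:03:30 src=10.1.4.17 dst=192.0.2.10 dport=443 action=ALLOW
2024-05-01T10:06:02 src=10.1.9.5 dst=198.51.100.7 dport=8080 action=ALLOW
"""
DNS_RE = re.compile(r"host=(\S+) query=(\S+)")
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)")

def domain_blocked(name, blocked=BLOCKED_DOMAINS):
    """True if name is a blocked domain or a subdomain of one. A label-boundary
    check keeps 'notc2-example.invalid' from matching 'c2-example.invalid'."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocked)

def address_blocked(addr, networks=BLOCKED_NETWORKS):
    """True if addr falls inside any blocked network (non-IP strings never match)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)

def find_residual_c2(dns_log=DNS_LOG, fw_log=FW_LOG):
    """Map each source that still touched a blocked C2 to the evidence lines.
    A hit counts even when the firewall DENIED it: the implant is still running."""
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and domain_blocked(m.group(2)):
            hits[m.group(1)].append("dns:" + m.group(2))
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if m and address_blocked(m.group(2)):
            hits[m.group(1)].append("net:%s:%s:%s" % m.group(2, 3, 4))
    return dict(hits)
```

Run it against the post-containment window rather than the whole log history, and treat any host it returns as still compromised, whatever the earlier cleaning pass reported.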
Methods to Limit Initial Access:
- Employ good, standard security practices.
- Patch the OS frequently and keep it up to date, along with the commonly exploited Java, Adobe Reader and Flash.
- Whitelist applications: only approved remote desktop applications, approved proxies, etc. Allow no P2P, obfuscation software or anonymizers.
- Remove administrative privileges from all workstations; limit full privileges on servers where possible.
- Constantly update signatures on IDS/IPS and anti-malware; except for DDoS, every security threat depends on evading the security controls in place.
Increase Visibility:
- Inspect all traffic, without exception.
- Decode traffic to find hidden tunnels and other streams.
- Wherever possible, decrypt SSL, inspect and re-encrypt. If that is not possible, know which applications and servers are supposed to be sending SSL traffic, and to what addresses.
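As an added example, not from the article, the script below implements a simple heuristic for one common kind of hidden tunnel, DNS tunnelling, over constructed resolver log lines: per host and parent domain, it flags a run of queries whose subdomain parts are long, high-entropy and almost never repeat. The log format, hostnames and thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (the line format is invented): ws-017 does ordinary
# lookups; ws-042 pushes data out in long, random-looking subdomain labels.
DNS_LOG = """\
host=ws-017 query=www.example.com
host=ws-017 query=mail.example.com
host=ws-017 query=www.example.com
host=ws-042 query=4f3a9c1e7b2d.8e1c0a5d9b3f.tun.example.org
host=ws-042 query=a71d2e9c0b5f.3c8e4d1a7f2b.tun.example.org
host=ws-042 query=9b2c7e1f4a8d.0d6e3b9a1c5f.tun.example.org
host=ws-042 query=c4e8a1d7f3b2.5a9d1c7e3f0b.tun.example.org
"""
LOG_RE = re.compile(r"host=(\S+) query=(\S+)")

def shannon_entropy(s):
    """Bits per character; encoded payload labels score far above real hostnames."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_query(name):
    """Return (subdomain part, parent domain), treating the last two labels as
    the parent. Assumption: no public-suffix list, so 'a.b.co.uk' would split badly."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_tunnels(log, min_queries=3, max_sub_len=20, min_entropy=3.0, min_unique_ratio=0.9):
    """Per (host, parent domain) flag a run of queries whose subdomain parts are
    mostly long and high-entropy and almost never repeat (each carries new data).
    Thresholds are assumptions; tune them against your own resolver baseline."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            sub, parent = split_query(m.group(2))
            groups[(m.group(1), parent)].append(sub)
    flagged = {}
    for key, subs in groups.items():
        if len(subs) < min_queries:
            continue
        suspicious = sum(1 for s in subs
                         if len(s) > max_sub_len and shannon_entropy(s) >= min_entropy)
        unique_ratio = len(set(subs)) / len(subs)
        if suspicious >= len(subs) / 2 and unique_ratio >= min_unique_ratio:
            flagged[key] = {"queries": len(subs), "unique_ratio": unique_ratio,
                            "avg_entropy": round(sum(map(shannon_entropy, subs)) / len(subs), 2)}
    return flagged
```

A host doing many lookups of unique, hashed CDN hostnames can trip the same heuristic, so treat hits as leads to check against the expected-traffic baseline rather than as verdicts.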
(by Tom’s IT Pro)