Advanced Persistent Threats (APTs) can be among the most insidious cyberattacks faced by businesses. The Stuxnet worm is the most frequently-cited example, but others include Carbanak, discovered in 2015 and specifically targeting financial institutions, and the 2014 Sony Pictures Entertainment hack, described by one observer as ‘the perfect APT’. ISACA’s 2015 Advanced Persistent Threat Awareness Study found that 74% of respondents believe they will be targeted by an APT, and 28% had already been attacked.
Several factors contribute to the success of APTs. They’re designed to be stealthy and evade detection, enabling them to spread undetected across networks over weeks or even months. And they can often be controlled by the hacker employing them to gain wider access to systems. Yet mitigating the risk of falling victim to an APT attack can be simpler than you might think.
It’s all about going back to basics: understanding the fundamentals of how such an attack is planned and deployed, and how your organization’s network structure can help or hinder such an attack. Understanding, in short, how to reduce the attack surface you have available to malicious hackers.
In this blog, I will examine the structure of a typical APT attack, and explain what you need to look out for to tell when it’s happening. And in the following blog I will explain how going back to basics can be remarkably effective in reducing your vulnerability to APTs.
All APT attacks start with a reconnaissance or an information-gathering stage, during which the attackers aim to identify the most appropriate route into your network.
Typically, a mix of techniques will be used. Open Source Intelligence (OSINT) includes simple port scans and vulnerability scans of externally open services. Human Intelligence (HUMINT) can be sought out through social engineering and by targeting key employees for access information. Vulnerabilities can even be identified through onsite visits, whereby attackers physically gain access to the site (perhaps by pretending to be legitimate visitors), take photographs and ultimately gain a more in-depth understanding of how the business operates and is structured.
Foot-printing – identifying which versions of software or resources an organization is using, and creating a profile of its network infrastructure – may often be attempted, through techniques such as banner grabs, SNMP sweeps and zone transfers. Through foot-printing, attackers seek to gain an intelligent picture of what a business’s network actually looks like in order to establish what security policies and applications are already in place, or identify remote access capabilities that could provide them with access points.
Delivering network exploits
All this reconnaissance aims to help the attackers identify an appropriate access point for targeting your network – a way in that is not only feasible, but also most likely to go unnoticed. This access point is used to deliver a network exploit – a malicious tool or application that allows the attacker to explore your network.
Attackers may use a variety of attack vectors in order to deliver such an exploit, many of them highly sophisticated and ingenious. A decade or two ago, an email attachment would probably be the primary mode of attack. Carefully crafted ‘phishing’ emails, tailored to the individual target, are still often an effective means of launching an APT attack, though their malicious content may be hosted on an external website rather than delivered as an attachment. The victim clicks on a link and unknowingly downloads the exploit that way.
A variant of this technique is the so-called ‘water-hole’ attack, whereby attackers compromise an existing website that they know a user is likely to visit – this is the kind of information they will have gathered through social engineering reconnaissance. Indeed, social engineering can be used directly for exploit delivery as well as reconnaissance; an individual user may, for example, be given a USB stick with malicious content pre-loaded. Part of Stuxnet is thought to have been delivered this way. The increasing trend for BYOD also means that attackers can use mobile malware to infect users’ devices and gain access to a corporate network that way.
Exploration and lateral expansion
Having succeeded in getting inside your network, the attacker’s aim is to move laterally within your network to ultimately get to your valuable business data. The original entry point is useful to the attacker because it gets them into the network – but the valuable data is usually on another computer system. So the attacker needs to discover a path to the valuable data, and possibly compromise additional computers along this path. All the compromised computers on this path are sometimes called “stepping stones”.
This lateral movement is where an APT’s persistence comes in. Exploration takes time – time during which individual users may reboot their systems, change their security signatures and otherwise make it difficult for the attacker to re-access their machines.
Therefore, attackers aim to deploy software directly onto individual machines that will allow them to come back whenever they need to, even if the user has rebooted or patched it. The most common way to do this is via Remote Administrator Tools (RATs) – the same type of tools that are used for remote troubleshooting or helpdesk functions. The installation of a RAT gives attackers a backdoor to revisit compromised machines whenever they need to.
Finally, the attacker needs to extract the information they are stealing, copying it from where it is stored to a site under the attackers’ control. This may be blended into something that looks benign over HTTP, or encrypted in ways that make it difficult to understand that something sensitive is exiting the network, such as over HTTPS.
Spotting the signs
In today’s cyber world, it’s near impossible to prevent malicious attackers from carrying out their initial reconnaissance, and from gaining access to your network. However, it usually is possible to spot when any of these stages in an APT are happening – because every stage causes changes in network traffic.
At the reconnaissance stage, OSINT and foot-printing techniques will generate additional traffic. Later, lateral exploration across your network will generate unusual traffic, such as two machines communicating that never normally communicate, or protocols and ports being used that are never normally active. Data exfiltration will generate additional (outbound) traffic. With careful and clever network monitoring, you can identify these changing network traffic patterns.
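The three signs described above (machines communicating that never normally communicate, ports that are never normally active, and additional outbound traffic) can be checked by comparing current flow records against a baseline of normal traffic. The following Python example is added here and is not code from the original post; the 10.0.0.0/8 internal range, the flow tuple layout, the 5x volume threshold and all sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: internal address space

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def build_baseline(flows):
    """Learn normal traffic: internal host pairs, ports in use, outbound bytes per host."""
    pairs, ports, outbound = set(), set(), defaultdict(int)
    for src, dst, port, nbytes in flows:
        ports.add(port)
        if is_internal(src) and is_internal(dst):
            pairs.add(frozenset((src, dst)))
        elif is_internal(src):
            outbound[src] += nbytes
    return pairs, ports, dict(outbound)

def find_anomalies(baseline, flows, volume_factor=5):
    """Return sorted (kind, detail) findings for the three signs the post describes."""
    pairs, ports, base_out = baseline
    findings, outbound = set(), defaultdict(int)
    for src, dst, port, nbytes in flows:
        if port not in ports:
            findings.add(("new_port", f"{src}->{dst}:{port}"))
        if is_internal(src) and is_internal(dst):
            if frozenset((src, dst)) not in pairs:
                findings.add(("new_internal_pair", f"{src}<->{dst}"))
        elif is_internal(src):
            outbound[src] += nbytes
    for host, total in outbound.items():
        if total > volume_factor * base_out.get(host, 0):
            findings.add(("outbound_spike", f"{host} sent {total} bytes"))
    return sorted(findings)

# Constructed sample flows: (source, destination, destination port, bytes sent).
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 443, 4_000),
    ("10.0.1.11", "10.0.2.20", 443, 3_500),
    ("10.0.1.10", "203.0.113.5", 443, 20_000),
    ("10.0.1.11", "203.0.113.5", 443, 15_000),
]
CURRENT_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 443, 4_200),       # matches the baseline
    ("10.0.1.10", "203.0.113.5", 443, 22_000),    # normal outbound volume
    ("10.0.1.10", "10.0.1.11", 445, 90_000),      # new pair on a port never seen
    ("10.0.1.11", "198.51.100.7", 443, 750_000),  # 50x this host's usual outbound
]
```

Calling find_anomalies(build_baseline(BASELINE_FLOWS), CURRENT_FLOWS) returns one finding of each kind. A host with no outbound history has a baseline of zero, so any outbound volume from it is flagged.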
By understanding the anatomy of an APT, it becomes easier to remediate in the event of an attack. In my next post I will examine how going back to basics can be remarkably effective in reducing your vulnerability to APTs.