Monday, August 26, 2013

The Latest Threat, "APT" Oh My...

The three most prevalent delivery vectors for weaponized payloads, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media.  Don't think it's easy to plant a trojan in a high security company?  Try marking a USB stick with the name "Employee Salaries" and throwing it in the parking lot of a company in the morning.  It's almost guaranteed to be mounted and opened on their network by lunchtime.
With the enterprise becoming increasingly complex to manage across all of the different platforms (OS, virtual, cloud) and business models (remote workers, outsourcing, social media), and with today's advanced threats on top of that, a single perimeter device, regardless of its features and functions, is insufficient.  The famous saying “The Barbarians at the Gate” no longer applies: they are at your door.  So with that, where does one turn to save one’s digital assets?

Advanced Persistent Threat, APT

Well, if you are in touch with any part of the Information Security discipline, you will be familiar with the flavor-of-the-month expression “Advanced Persistent Threat,” or APT, as most will know it.  But what is this?

"What's Advanced Persistent Threat? Depends who you ask," says Greg Hoglund, CEO at HBGary, who says the "Air Force and DoD latched onto it" as a nice way to not have to keep saying "Chinese state-sponsored threat." He says we should "stop pretending it's not that."

To Hoglund, APT is just a new phrase to describe malware that took advantage of sometimes simple weaknesses in the networks of a targeted, victimized organization that spent millions of dollars investing in technology. APT is a wishy-washy expression, he says, because the threat usually "is not 'advanced.'" The attacks are generally routine ones against known vulnerabilities that could probably be stopped just by doing a better job of patching. "Russia, with their crimeware, is way more advanced," he adds.

APT is "the Chinese government's state-sponsored espionage that's been going on for 20 years," says Hoglund. "Let's just call it, 'Everything that matters to the state of China's global expansion.'"

Other security professionals have different definitions.

APT did become increasingly used after the attack on Google, says Gerry Egan, Symantec director of product management. In his opinion, APT means an attack targeted at an organization to steal data, especially intellectual property. "It's stealthy, not a slash-and-burn," he says. And it is persistent, not a one-time event, lasting a protracted period of time. But he disagrees that it's a term that should necessarily imply a state-sponsored act. "It could be any organization that does this," he says.

Regardless of its origins, APT has evolved into a technique rather than any specific type of malware.  One thing is for sure: it is initiated as an outside attack through phishing, spear phishing, or zero-day exploits, and these attacks succeed in penetrating a company’s perimeter and stealing the credentials of insiders before finding and exfiltrating targeted data.

The Real Challenge

Data security, or more correctly comprehensive data security, is most often done with three or more different approaches.  The usual suspects are technologies, organizations, risk, and compliance.  However, security teams find themselves mired in increasingly costly, disparate programs that are too disjointed to provide a cohesive approach to anything.

In addition, the old stalwarts like antivirus and other signature-based technologies are blind to the one third or more of malware kits that have never been seen before. Many of the new products on the market have an autopsy focus and can only tell you how bad the attack has been and which machines need to be wiped. Most of the next-generation technologies advertised in the market focus on the initial infection stage of the cyber attack, yet studies have shown that even with these tools in place there are significant gaps in the malware infection stage of the attack, and some of the time malware does get through.

When you bring the “persistent” nature of these attacks into play, it means that your organization will be compromised if the defensive focus is on a single layer of your perimeter or network. Unfortunately, many companies are realizing that their responses to changing threats, multiple business technologies, and the complexity of security products are only effective if the programs and technologies are unified into a single approach.  A successful data security program includes not just technology, but people and process.

The Real Answer

Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D., of Lockheed Martin presented a paper a while back, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.”  It is certainly not new; however, it is still relevant.

The “Kill Chain” is a traditional warfare term defining the command and control process for targeting and destroying enemy forces in such a way as to make it most difficult for the enemy to continue in the battle. However, Lockheed Martin and other leading cyber defense companies have started to use “Kill Chain Defense” to define a new defensive strategy for guarding against APTs and other unconventional cyber threats. The two critical ideas behind the successful execution of Kill Chain Defense are to:
  1. Accept the fact that cyber defenses focused on only a single stage of a cyber attack will fail or be circumvented.
  2. Exploit an inherent weakness in the cyber attack model, namely that the attack must complete all of its steps to succeed. Failure to do so, even breaking one link in the chain, will result in disruption of the attack.

THE INTRUSION
The intrusion kill chain breaks intrusions down into distinct phases, which are defined quite well in the Lockheed Martin paper:
  1. Reconnaissance - Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies. 
  2. Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable. 
  3. Delivery - Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media. 
  4. Exploitation - After the weapon is delivered to the victim host, exploitation triggers the intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.
  5. Installation - Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
  6. Command and Control (C2) - Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders have “hands on the keyboard” access inside the target environment.
  7. Actions on Objectives - Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network.

The goal is to use the “kill chain” to help you develop capabilities that allow you to identify attacks earlier in the kill chain, rather than waiting for late-stage attacks to become apparent.  I like this, as it is very consistent with my views on focusing on early indicators vs. lagging indicators in breach detection.  In other words, develop capabilities that help you identify intrusions while they are still in phases 1, 2, or 3 – and the lower the number, the better.
THE DEFENSE
The goal of a Kill Chain Defense is to collect and correlate attack intelligence, identify anomalies that signal malware, and challenge the malware’s adaptability and stealth in ways it was not designed to circumvent. This is accomplished by gathering and correlating data from all possible stages of a cyber attack and deploying effective defensive controls at the stages where the attack is most vulnerable. This model can be broken down into four defensive capacities: prevention, detection, containment and investigation.
  • Prevention: Deploy multiple blocking controls targeting the “malware introduction” stage to attempt to stop the initial infection.
  • Detection: Find and alert security teams to malware attacks either in the introduction stage or, if the malware has penetrated the initial defensive system, at the command and control, expansion, target identification or exfiltration stages.
  • Containment: Deploy blocking controls that prevent the malware from spreading in the expansion or command and control stages if an initial infection could not be blocked. Controls focus on blocking bad applications or unknown or suspect cross-network and off-network communications, isolating machines from the network, and alerting machine owners to risks and actions to take in real time.
  • Investigation: Investigation focuses on collecting intelligence on the attack itself in order to determine the details of its methodology and its actions. Information collected from this stage is used to improve all other defensive postures so that the cyber threat defense process is constantly improving and preparing for the next generation of attack.
As mentioned, an important assumption in the Kill Chain Defense is that an attack will defeat one or more individual technology layers and succeed in infecting one or more systems. This does not mean you disregard the defense of any particular layer even if the technologies available are nascent. The Kill Chain Defense relies on the ability to detect and defend across all stages of a cyber attack and all layers of a network system. This includes network defenses like next-gen firewalls, intrusion detection systems, malware detection engines, network and endpoint detection capabilities, application whitelisting and memory scanning detection capabilities.
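As an added illustration of the two ideas above, identifying intrusions in the earliest possible phase and correlating signals from every stage, here is example code that is not from the post or the Lockheed Martin paper. It maps constructed detector events to the seven phases, reports per host how early the intrusion was visible, and flags hosts where only late-stage (C2 or later) signals exist; the event names and sample events are assumptions made for the example.

```python
"""Correlate constructed security events per host against the seven intrusion
kill chain phases and flag hosts that produced no early-phase signal."""
from collections import defaultdict

# The seven phases in order; a lower index is an earlier phase.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]

# Assumed mapping from detector event types to the phase they signal.
# The event names are constructed for this example, not from any product.
EVENT_PHASE = {
    "mail_attachment_macro": "Delivery",
    "office_spawned_shell": "Exploitation",
    "new_autorun_service": "Installation",
    "periodic_outbound_beacon": "Command and Control",
    "large_upload_to_unknown_host": "Actions on Objectives",
}

def correlate(events):
    """events: iterable of (timestamp, host, event_type) tuples.
    Returns {host: {"first_seen": phase index, "reached": [phase names]}}."""
    by_host = defaultdict(set)
    for _ts, host, etype in events:
        phase = EVENT_PHASE.get(etype)  # unknown event types are ignored
        if phase is not None:
            by_host[host].add(PHASES.index(phase))
    return {host: {"first_seen": min(idx),
                   "reached": [PHASES[i] for i in sorted(idx)]}
            for host, idx in by_host.items()}

def detection_gaps(report):
    """Hosts first seen only at Command and Control or later: the controls
    covering phases 1-5 produced no signal there, which is the gap to close."""
    late = PHASES.index("Command and Control")
    return sorted(h for h, r in report.items() if r["first_seen"] >= late)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("2013-08-26T08:01", "ws-14", "mail_attachment_macro"),
    ("2013-08-26T08:05", "ws-14", "office_spawned_shell"),
    ("2013-08-26T08:06", "ws-14", "new_autorun_service"),
    ("2013-08-26T08:20", "ws-14", "periodic_outbound_beacon"),
    ("2013-08-26T09:40", "ws-27", "periodic_outbound_beacon"),
    ("2013-08-26T11:10", "ws-27", "large_upload_to_unknown_host"),
]

if __name__ == "__main__":
    for host, r in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, "first seen:", PHASES[r["first_seen"]], "reached:", r["reached"])
    print("no early-phase signal:", detection_gaps(correlate(SAMPLE_EVENTS)))
```

In the sample data ws-14 is visible from Delivery onward, while ws-27 surfaces only at the C2 beacon, which is exactly the kind of host the investigation stage should work backwards from.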

The most effective defense against cyber attacks requires a unified and layered security approach that can identify and isolate different stages of an attack by identifying anomalies challenging the malware’s adaptability and stealth in ways it was not designed to circumvent. This Kill Chain defensive strategy requires the ability to detect and defend across all stages of a cyber attack. Technologies to help do this include network defenses like next-gen firewalls, intrusion detection systems, malware detection engines, network and endpoint cyber attack detection and prevention technologies, application whitelisting and memory scanning capabilities. When a force multiplier is added, in the form of an integration that can detect, correlate and create actionable intelligence and then effectively deploy prevention and containment controls, companies will for the first time have an effective cyber attack defense with a very high probability of success.


So “Once more unto the breach, dear friends, once more;”

____________________________________________________________


About Rick Ricker

An IT professional with over 21 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.

For more information, contact Rick at (800) 399-6085 x502
