Posts Tagged ‘“Advanced Persistent Threats”’

Advanced Persistent Threats – What is an enterprise CSO to do?

October 26, 2012 1 comment

What exactly is an Advanced Persistent Threat (APT)?

Is it just a new buzzword?  Is APT a new type of malware, a new type of botnet?  Is it merely politically versus financially motivated hacking?  These are some of the questions that are asked about APT.  The consensus among industry experts is that APT may be operationally “advanced” but not advanced in the technical sense of the word.  The attackers may be a group of people who rely on persistence – after an attack there may be no activity for months or years lulling the victim into a false sense of security but the infection persists in the victim’s environment unknown to them.    The goal of an APT is to traverse the victim’s network and target specific confidential data on that network and exfiltrate that data by using an external command and control server using the least sophisticated attack-tools possible.

Methods used in APT attacks

Spear phishing is a method favored by attackers.  Since it uses an element of impersonation spear phishing attacks bypass existing email filters.  It is a way to trick employees into clicking on links or into opening email attachments in email that originates from within the employee’s own domain.   Tools in the tool chest of APT attackers include a collection of single-use zero day vulnerabilities (vulnerabilities for which the major Antivirus players haven’t released a patch yet).  Attackers also invest in command and control protocols that can stay undetected.

Recommendations for a Chief Security Officer (CSO) on dealing with APT:

  • Patch every host in you network from host computers to network attached printers/copier machines – on the day the patch is released.  Don’t procrastinate.
  • Use whitelisting technology (in the form of whitelist agents) especially on non-Windows devices like network printers.  Whitelisting may also take the form of instituting a corporate policy on “approved” encrypted USB drives that may be used by employees who wish to download files from their computers.
  • Log Domain Name Service (DNS) queries and Dynamic Host Configuration Protocol (DHCP) queries in your network.
  • Store a few months to a year worth of NetFlow/IPFIX traffic possibly in a scalable Hadoop cluster built using commodity x86 servers.  Use this data to learn how many hosts in your network have connected in the past to a blacklisted IP address outside your network.
  • Use full packet capture for post-mortem investigations to augment your in-house forensics capabilities.
  • Try to block attacks using an Intrusion Prevention System (IPS) rather than just detecting them using Network based Intrusion Detection Systems (IDS).  Look into an IPS that can detect executable code in .chm (which are Microsoft compiled HTML help) files.
  • Make sure that Host based Intrusion Detection (HIDS) is not disabled on your Active Directory servers so that malicious attempts to determine a password by brute force may be detected.
  • Create an APT task force for detailed malware analysis and have them use sites like contagiodump to keep informed about new exploits and vulnerabilities.
  • Don’t assume that a commercial Security Information & Event Management (SIEM) will have a “stop APT now” button.  A commercial SIEM may collect, normalize and base line data but still requires human involvement to find the root cause.
  • Create a social footprint (Twitter, Facebook, LinkedIn, Pinterest) of your executives, setup honeypots to trap attackers who prey on the Facebook accounts of your executives.
  • Create awareness programs to educate your end-users about the dangers of spear phishing.  Use them as your first line of defense even if such education doesn’t deliver a 100% return on investment.
  • Reach out to your peer CSOs and to agencies like the FBI for a confidential internal briefing and exchange of lessons learned.

In conclusion even implementing all of the above steps may not give you 100% protection but it will definitely get you further along.  APTs are a fact of life today and CSO and CIOs have no option but to figure out a plan to deal with them.