Countering the Persistent Threat
AN ADVANCED PERSISTENT THREAT (APT), sometimes called an Advanced Targeted Attack, is a sophisticated cyberattack designed to infiltrate a network based on that system’s distinctive vulnerabilities. Though attacks can be broadly categorized as Web-based or e-mail-based, no single method is used consistently in these types of attacks. Instead, a variety of practices are employed to increase the probability of a successful breach. That’s why they are called “advanced.” They are called “persistent,” because once the malware gains a foothold, the code often remains inside a network for long periods of time, slowly but surely spreading from machine to machine either until the target is reached or to spread the damage.
The actors behind these attacks may be nation states or organized criminals, and the reasons range from political sabotage and espionage to financial gain. The following is a look at the evolution and nature of APTs, as well as what companies can do to guard against them.
Cyber experts generally agree that the term APT originated from the Air Force, citing Mike Cloppert, a security engineer at Lockheed Martin, and what he wrote in a series of blog posts called “Security Intelligence” for the SANS Institute in 2009. The post reveals, “I first heard this term used by the USAF’s 8th Air Force in a small meeting room in 2006…. I give them credit for coining this term, which is any sophisticated adversary engaged in information warfare in support of long-term strategic goals.”
APTs have evolved from attacks on servers to attacks on individual employees’ machines. Ten years ago, servers were the crown jewels, “so that’s really where all the attackers were focused,” notes Darien Kindlund, manager of threat intelligence at FireEye, which focuses on APT attack solutions. But once servers were hardened, hackers moved to the client side. That’s proven to be a good strategy. There are more client-side computers to target, and those machines tend not to be as well secured, so the attackers’ “overall success rate is much higher,” he says.
Kindlund describes what happens after an APT successfully gains a foothold. “Exploit code is delivered to the user’s browser, and that exploit code then instructs the browser to download another piece of code, which is commonly referred to as a backdoor,” explains Kindlund, “and once that code is downloaded, it is executed, and then, effectively, at that point, the user’s workstation is running a piece of malicious code that then beacons out to a separate command and control infrastructure, which signals to the attacker that the machine is ready to be controlled remotely.”
The attackers will use that specific workstation as a pivot point to move laterally throughout the rest of the organization, identifying other assets that they can compromise to achieve their objective, which might be to steal proprietary data or destroy files.
The threat landscape has also become much larger over time. Now smaller companies further down the supply chain find themselves being targeted because they can then be used as a way to get at valuable information in a larger business partner’s network. “We’re seeing this kind of attack going broader than perhaps some companies realize,” says Stephen Cobb, of software provider ESET. “The thing that we have seen in the last couple of years is that the supply chain is now part of the attack surface.” That means that companies of any size must revisit their risk exposure and defenses.
Pathways. There are two primary attack delivery methods, or vectors, that are used for APTs: The Web and e-mail. “Every other use case is really a variation of those vectors,” says Kindlund.
In Web-based attacks, an attacker causes a Web page to host malicious content, which will surreptitiously download onto any visitor’s computer. Users don’t even realize that they have downloaded anything.
But the most common vector used to launch APT attacks is e-mail, specifically targeted e-mail called spear phishing. In a report titled Spear-Phishing Email: Most Favored APT Attack Bait, IT security company Trend Micro found that between February and September of last year, 91 percent of targeted attacks involved spearphishing e-mails. The report notes that high-profile attacks on security firm RSA and on e-mail service provider Epsilon in 2011 both “began with the opening of a spear-phishing email.”
Spear-phishing messages usually reference facts or issues that lead the person to believe that the content is legitimate; they are meant to trick the person into opening an infected attachment or clicking on a URL that leads to an infected site.
These targeted e-mails are one form of what is called social engineering. Richard Henderson, senior threat researcher at Fortinet, a provider of network security applications and threat management resources, says social engineering attacks are an easy way for an attacker to gain a foothold into a network. This is because the method demands little resources on the attacker’s part and often shows a high return on investment. “It takes very little effort for me, as a security researcher, to pick a target and spend a few hours [learning about him or her]…. That’s usually the best method to make that initial entry point into the network, and [the attackers] do it because it works,” he says.
Attackers. While sending a social-engineered e-mail isn’t hard, other aspects of the APT are complex, which generally means that those using APTs aren’t just run-of-the-mill hackers. In Threats on the Horizon: The Rise of the Advanced Persistent Threat, a Fortinet paper authored by Henderson, he notes, “There are only a few groups globally that have the capability, skills, funding, and infrastructure to launch an APT.”
Those groups tend to be nation-states or hackers in league with them, especially China. “It appears that China’s APT interests are quite comprehensive: They target foreign corporations and governments in order to steal both state and trade secrets,” says Henderson. News reports over the last few years have also highlighted the threat from nation-state attacks. For example, in March of this year, the Washington Post reported that the design for some of the United States’ most sensitive and costly weapons systems in the Department of Defense’s network had been compromised by Chinese hackers.
“A lot of this is the attempt to steal corporate secrets, corporate trade information, engineering schematics, diagrams, plans, products, in order to leapfrog the 20 years of research that they would have to do to come up with these technologies themselves,” Henderson says.
But knowing with certainty who is the perpetrator and what is the motive isn’t necessarily possible. And it may be beside the point. Cobb notes that that can distract from the main concern, which is building a strong defense against APTs. “You need to protect against actors of all kinds.”
One of the most pernicious things about APTs is their persistence. In fact, they have even started to show new levels of persistence, said Shane McGee, general counsel at Mandiant, at a CSIS conference on cyberthreats earlier this year. They will have code written in such a way as “to make sure that if you clean one or two systems, they are still in there; they are just waiting in the wings with another attack,” he said. And in some cases, multiple threat teams will coordinate their efforts so that they can attack you from different directions, he said.
Because APTs take this type of sophisticated and layered approach to attacking a network, companies must likewise employ a layered methodology in their defenses. Companies like SourceFire, Fortinet, FireEye, ESET, and others provide a suite of threat mitigation products that function in unique ways to fight off APTs. User education also has to be part of the mix.
Traditional computer defenses can help against APTs. “The most common method of detection is signature-based, and by and large all security vendors, particularly the ones that are looking at network traffic, are going to use some form of a signature-based technology to detect attacks,” says CP Morey, vice president of marketing at SourceFire, a security solutions vendor recently acquired by Cisco. But that approach will only go so far. It will not work against the so-called zero-day attacks that haven’t yet been built into signature defenses.
Other techniques include essentially “looking for bad behavior,” he says. Anomaly detection is another major resource for threat detection. “It can be something as simple as having a baseline of what traffic looks like on your network, and if you see something that’s dramatically different, that could be an indication that there’s a problem,” he notes.
A different approach is to set up a virtual machine—sort of a lobby/filter area—through which content must pass before it can enter the network, known as Malware Virtual Execution (MVX). It’s similar to the honeypot concept but instead of being a fake lure, it’s an antechamber to the actual network. MVX is the technique being used across all of the software offered by FireEye. “We’re analyzing content inside a virtual victim machine, looking to see how that content ultimately changes the environment, and, assuming no suspicious activity occurs, then we pass that content directly through to the endpoint,” says Kindlund. “It’s kind of like taste-testing food before you serve it to the king,” he explains. “That’s effectively what we’re doing at a technical level.”
Not only is the malicious content not passed on, but it is also analyzed and added to a database of intelligence on malicious code. This threat intelligence is available to both FireEye and the individual companies using the system. “The security analysts [who are] local to the organization can build up over time a large repository of localized threat intelligence that’s specific to their organization,” he notes. That information can be used to improve defenses over time.
FireEye has a defense system for Web-based attacks that sits as close to the endpoint as possible to provide maximum protection. The Web-based appliance called the Web MPS (malware protection system), is “designed to be deployed on the trusted side of the proxy in an organization, so it’s effectively below all of the other security filters or defenses within the organization,” says Kindlund. “The idea is that the Web MPS is focused on threats that maybe other existing defenses would miss, such as a next generation firewall or an upstream proxy server.”
Kindlund explains how FireEye’s Web MPS technology operates differently than an upstream proxy server. “An upstream proxy server only has the resources to perform ‘static analysis’ on network content, where the server is checking network content for known patterns of ‘badness,’” according to Kindlund. FireEye technology goes further and employs dynamic analysis with the virtual victim machine technology to catch unknown zero-day vulnerabilities.
FireEye has a separate appliance for email called the EMPS (e-mail malware protection system). “That is typically deployed closest to the exchange cluster or some other mail store on the trusted side of the upstream link,” says Kindlund. The company also has a third appliance, the File MPS, which performs “recursive, scheduled, and on-demand scanning of accessible network file shares to identify and quarantine resident malware without impact to corporate productivity,” according to FireEye’s Web site.
A company similar to FireEye is AhnLab. It offers what it calls a single architecture solution that provides Web-based, email, and file-sharing protection in one appliance. In an independent test of AhnLab’s product, NSS Labs scored AhnLab’s Malware Defense System (MDS) in the 90th percentile and above. Tom Hance, vice president of sales and marketing at AhnLab, says the company lets clients “simplify their boundary configurations” so that when they have to make a change, “they don’t have to contact and login to seven disparate devices to do that job,” he says. “We stop the attack before it executes on the endpoint and analyze it in real-time at an extremely high speed, comparatively, and block it.”
To test potentially malicious URLs and other common sources of Internet threats, the company executes those files in their cloud-based appliance, AhnLab Smart Defense, before passing them on to the endpoint. For nonexecutable files, such as documents in spear-phishing e-mails, AhnLab has a virtual machine environment similar to FireEye’s that exists inside the appliance, where it verifies whether or not a file is malicious before sending it to the user’s computer.
Security Management spoke to Dave Merkel, chief technology officer and vice president of products at Mandiant, for some perspective on the differences between the two solutions. Merkel says that FireEye’s solution, being spread out across three appliances has the advantage of more network traffic processing power to more efficiently spot and block APTs.
The other differentiator is the testing of potential malware. AhnLab does it in the cloud, while FireEye uses its virtual victim analysis, which takes place in the appliance itself. “An advantage to having it in the appliance itself is no traffic ever leaves your network, you don’t need extra bandwidth to send stuff up to the cloud, [and] if you’re working in a network environment where you don’t have access to the Internet, the device can still work,” explains Merkel.
“The disadvantages are, it only scales based on how much hardware you buy versus if you’re connecting to some vendor’s cloud, then [the vendor] could be provisioning and adding more capacity to improve performance, and you don’t have to deploy anything else. Similarly, if something’s in the cloud, you don’t have to upgrade it; they can add new features and capabilities, and there’s no work for you,” he notes. “So there are tradeoffs with different environments based on what’s important to the customer.”
In full disclosure, Mandiant does provide its own solutions for guarding against APTs and partners with other vendors to offer more comprehensive defense systems. FireEye is one of those partners.
While threat analysis teams at AhnLab and FireEye are helping companies respond to attacks, SourceFire’s product suite, FirePower, has an interesting feature which allows its customers to write their own code to defend against an attack as soon as it’s been detected. Morey explains the value of being able to essentially write your own rules. “I’ve been attacked, I have the file that’s doing the damage, now what do I do? In a lot of cases, it means you hand that off to your security vendor, and hopefully, in a few days, you get something back from them that you can put into the product that you own that protects you from that problem,” he says. “Meanwhile, you’re under attack so the problem just continues to get worse and worse. So one innovation that we carried into the endpoint arena that we really take from the network is this notion of giving the customers the flexibility to write their own signatures, their own security content, to deal with these attacks as they’re under way.” Morey says most, if not all, of SourceFire’s customers choose their product because of that ability to write one’s own security signatures.
User education. The human factor is also important. That means educating users, especially about the risk of spearphishing attempts. “The bottom line is, if you have all these technologies in place, and someone still manages to get an e-mail with a link to malware out there, and it’s an unknown zero day, and it’s on a brand new server that hasn’t been picked up by anybody’s IP reputation systems, there’s a good chance it’s going to get through,” says Henderson. Fortinet’s e-mail quarantine service does stop many of these messages from getting through to the desktop, but Henderson emphasizes that the human element is the last line of defense since technology cannnot stop all APTs.
One company with a unique approach to detecting spear-phishing attacks through user education is PhishMe. When an enterprise signs up for PhishMe, its users are periodically sent fake phishing e-mails from the education firm. When the user clicks on the link or downloads the attachment from the e-mail, PhishMe sends that user a message indicating the attack was not real, but reinforces the fact that it could have been. If the user is discerning enough to determine the message is a phishing attempt, they can click on a PhishMe toolbar button installed in the e-mail application to report it (this button feature was unveiled at the Black Hat security conference this year in Las Vegas).
Rohyt Belani, cofounder and CEO of PhishMe, explains that the idea behind the company was to immerse users in an experience to promote learning, rather than looking for a silver bullet to stop spear-phishing attempts, because “it is impossible for any particular technology to be 100 percent effective at stopping these types of attacks.”
It simulates attacks in a controlled manner and puts in bite-sized education with instant feedback to the user. “You do that often enough, it starts sitting in people’s head,” he says.
As an additional resource, PhishMe provides reporting to an organization on how well their employees are learning to detect spear-phishing attacks and if there are specific departments or individuals who need additional training. “We’ve touched over 4 million unique individuals using our products and over 220 companies now, and we have hard evidence to show, on average, we’ve taken these folks down in susceptibility by 80 percent,” says Belani. “If you can actually demonstrate a change in behavior, that’s not a waste of time.”
Beyond desktop user education, IT departments should adhere to routine security practices, an area that Henderson of Fortinet says often goes overlooked. One of those is deploying patches to security software. “We find that companies are continually falling prey to exploits that are taking advantage of vulnerabilities that have been patched, and in some cases have been patched for a significant amount of time,” he says. “If they’re not rolling out these patches with any degree of expeditiousness, then they’re just asking to have someone to come along and take advantage of those holes.”
Henderson notes that while these deployments take time—an IT department must run quality assurance testing on the patches before rolling them out—these updates should be a priority. “We’re not saying you should, on patch Tuesday, deploy all these patches to desktops, but companies need to do a much better job than they’re doing now on getting these patches out as quickly as they can,” he says.
Henderson adds that two-factor authentication is an easily employed solution. “Some of these APT-type attacks are literally trying to steal credentials, logins, and passwords to be able to get into a network that way, so by implementing two-factor authentication you totally close that avenue of attack,” he says.
Cobb adds that the most routine security practices are absolutely critical in the process of guarding against APTs. “You should be doing things like making sure temporary passwords do expire and are in fact temporary, and that when people leave the company their access is ended, and so on, because one of the things that the APT strategy uses is to masquerade as a legitimate user in the system,” he notes. “So they will try and find accounts that are dormant or haven’t been used but actually have credentials on the system and use those.”
The attacks are likely to grow in sophistication, aiding their ability to be persistent. Companies must be equally tenacious in building layered defenses that include constant network monitoring, training staff, and following good basic security hygiene.
Holly Gilbert is an assistant editor at Security Management.