Advanced Persistent Threats (APT)


Dec 21st

One of the big themes of InfoSec 2013 was APTs. A number of talks specifically targeted (excuse the pun) this topic. The perception is that APTs are state-sponsored attacks; this perception is driven by the cost and resources required to mount this type of attack. The reality, however, is that if you have digital assets that are worth going after, you are at risk from this type of attack.

For those not in the anti-malware/anti-virus industry, the definition of an Advanced Persistent Threat is not entirely clear. From the name you would assume it is an ongoing attack from outside the organisation using advanced techniques: that is to say, not off-the-shelf scripts and frameworks such as Metasploit, but custom-written code, or a rehash of existing code, built to bypass current virus-scanning technologies.

In reality most experts would consider an APT to be an attack that specifically targets an organisation. The attackers, whether a foreign government, a government-sponsored group, or a group of hacktivists, want in, and they are targeting that organisation for compromise. A failed break-in will not stop them; they will just find another way in. You have been targeted.

Most network compromises are not via an APT; most are spray-and-pray attacks, where hacktivists have emailed a huge spam list with a recompiled Trojan link or attachment, counting on a certain number of users to open the attachment or click the URL to download and execute a file. They may only have a 2%-5% click-through rate, but when you email a million users, that is a lot of compromised networks.

An Advanced Persistent Threat is unlikely to use the spray-and-pray attack vector; it will be aimed at the specific organisation or at individuals within it. The attack will most likely use unpublished zero-day vulnerabilities, custom-written attack code and a wide range of distribution methods, including using your supply chain as an access path.

The attacks follow a common path. Stage one is the initial reconnaissance, where the attack group collects as much information about the organisation as it can. This includes scanning search engines for email addresses, organisational charts and key company personnel. LinkedIn is a goldmine for this stage of the attack, as are the IP number databases such as ARIN or RIPE.

First-pass scans of perimeter networks will allow you to identify the target organisation's internet-facing hosts, and you are ready to move to stage two.

The goal of stage two is to compromise the target network as quietly as possible. Early on this could be an extension of the reconnaissance phase, where you want to gather network topology diagrams, security policies and password spreadsheets. The trick is not to get caught too early: make sure you understand the network, so that if you are found out later you have a way back in.

The third stage is to establish a foothold. You still don't want to be stealing too much data, in case you set off internal or perimeter monitoring systems. You should be rolling out your back doors, most likely the custom code you have written specifically to talk back to your command-and-control systems. If you lose one compromised machine it is not the end of the world, because you have multiple other entry points established. These should include compromised hosts outside the control of the target organisation, for example a system integrator or contractor that is on site at the target organisation on a regular basis; the logic is that any clean-up at the target organisation is unlikely to extend to its business partners and contractors.

Stage four: time to get busy. If you have already identified the target data during the initial reconnaissance and can get access to it, start the download. More than likely you will need to escalate your privileges to reach the data, or complete a phase of internal reconnaissance to find it. Once you have the data you were after, happy days. But your job is not over.

You have gone to all that trouble to compromise the network, and yes, you have your data, but you might want more data somewhere down the line. Time to put your compromise into sustain mode. First off, you don't want your communication to raise any alerts, so services go into sleep mode, checking in with the command and control at a random time every day or every few days.

It is best to have only one internal system acting as an internal command and control for all the compromised machines; that way only one host needs to communicate out and risk setting off perimeter alerts. Obviously there should be backup internal command-and-control hosts, and configurations to reach out externally if you lose all internal command-and-control communication.
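The two paragraphs above describe a traffic shape a defender can look for: one internal host that several other internal machines talk to, and that is the only host reaching out to some rarely seen external destination, a few times over several days. The following is an added example, not code from the original post, of running that check over outbound-connection logs. It assumes a log format of `<ISO timestamp> <src_ip> <dst_ip> <dst_port>`, an internal range of 10.0.0.0/8, and illustrative thresholds; the sample log lines are constructed.

```python
"""Defender-side check for a low-and-slow beacon relayed through one internal hub.

Added example (not from the original post). Assumptions, all illustrative:
  * log format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>" per line
  * the organisation's internal address range is 10.0.0.0/8
  * thresholds (min_days, max_per_day, max_sources, min_peers) are defaults to tune
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample log (not real traffic). 198.51.100.10 is a destination that
# four hosts use; 203.0.113.77 is reached only by 10.0.1.50, which three other
# internal hosts also contact on 8443. Both externals are documentation ranges.
SAMPLE_LOG = """\
2013-12-01T09:02:11 10.0.1.20 198.51.100.10 443
2013-12-01T09:15:40 10.0.1.21 198.51.100.10 443
2013-12-01T10:11:03 10.0.1.22 198.51.100.10 443
2013-12-01T14:30:00 10.0.1.21 10.0.1.50 8443
2013-12-01T14:31:00 10.0.1.22 10.0.1.50 8443
2013-12-01T14:32:00 10.0.1.23 10.0.1.50 8443
2013-12-01T23:41:19 10.0.1.50 203.0.113.77 443
2013-12-02T08:02:11 10.0.1.20 198.51.100.10 443
2013-12-03T03:17:52 10.0.1.50 203.0.113.77 443
2013-12-03T14:30:00 10.0.1.21 10.0.1.50 8443
2013-12-05T19:05:06 10.0.1.50 203.0.113.77 443
2013-12-06T11:00:00 10.0.1.23 198.51.100.10 443
2013-12-08T02:44:30 10.0.1.50 203.0.113.77 443
"""


def is_internal(ip):
    """True if the address falls inside the assumed internal range."""
    return ipaddress.ip_address(ip) in INTERNAL_NET


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_low_and_slow(events, min_days=3, max_per_day=2.0, max_sources=1):
    """Flag external destinations that few internal hosts contact, persistently
    over at least min_days, at a rate of at most max_per_day connections."""
    per_dst = defaultdict(lambda: {"sources": set(), "times": []})
    for ts, src, dst, _port in events:
        if is_internal(src) and not is_internal(dst):
            per_dst[dst]["sources"].add(src)
            per_dst[dst]["times"].append(ts)
    findings = []
    for dst, info in per_dst.items():
        times = sorted(info["times"])
        span_days = (times[-1] - times[0]).total_seconds() / 86400
        # A single connection (span 0) is never "persistent"; also guards the division.
        if span_days <= 0 or span_days < min_days or len(info["sources"]) > max_sources:
            continue
        if len(times) / span_days <= max_per_day:
            findings.append({"dst": dst, "sources": sorted(info["sources"]),
                             "connections": len(times), "span_days": round(span_days, 1)})
    return sorted(findings, key=lambda f: f["dst"])


def find_internal_hubs(events, beacon_findings, min_peers=3):
    """An internal host that at least min_peers other internal hosts connect to,
    and that is also the sole source of a flagged beacon, matches the relay pattern."""
    inbound = defaultdict(set)
    for _ts, src, dst, _port in events:
        if is_internal(src) and is_internal(dst):
            inbound[dst].add(src)
    beacon_sources = {s for f in beacon_findings for s in f["sources"]}
    return sorted(h for h, peers in inbound.items()
                  if len(peers) >= min_peers and h in beacon_sources)


def analyze(log_text):
    """Run both checks and return the findings as a dict."""
    events = parse_log(log_text)
    beacons = find_low_and_slow(events)
    return {"beacons": beacons, "hubs": find_internal_hubs(events, beacons)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for b in report["beacons"]:
        print(f"low-and-slow: {b['dst']} from {b['sources']} "
              f"({b['connections']} connections over {b['span_days']} days)")
    print("internal relay candidates:", report["hubs"])
```

The rarity condition (`max_sources`) is what separates the relay from ordinary business traffic: a destination that four desktops visit is almost certainly a legitimate service, whereas one reached by a single host a handful of times a week deserves a look, and the check becomes much stronger when that same host is also a fan-in point for internal connections. On real proxy or firewall exports the thresholds, the internal range and the parser are the parts to adapt.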

Best practice would be to patch the compromised system: you don't want those amateurs over at Anonymous finding their way into the network and stomping all over it, making a lot of noise that would kick off an internal investigation at the compromised organisation, which would likely result in your presence being found out too.

Now check out whether you are a target for an Advanced Persistent Threat or targeted attack.

© 2006-2024 Security Enterprise Cloud magazine.