APTs Part 3: Prevention is Ideal, But Detection is a Must
In my last blog I spoke about the first steps in the kill chain. Now that the Advanced Persistent Threat (APT) has gained residence, it’s time to get to work. To refresh your memory, here’s our illustration of a kill chain:
In this step a method is established for the final phase, which is either data exfiltration or complete command and control (C2). Note that execution is a process with a multitude of possible methods, ranging from complete encryption (ransomware) to simple probes or port and keyboard mappers used to gain further intelligence.
Exfiltration and C2
Exfiltration and Command & Control (C2) go hand in hand: C2 is required for exfiltration. It turns out that both require a common trait: two-way outbound traffic. At this point, if the APT wants to pull data out of the target it must establish outbound communication. This is sometimes referred to as a callback. These channels are covert. They are typically encrypted and mixed within the profile of normal data.
Remember, while there are well-known ports assigned (with which we should all comply), an individual with even limited skills can generate a payload that uses counterfeit port mappings. DNS, ICMP and SMTP are three common protocols for this type of behavior. It's key to look for anomalies in behavior at these levels. The APT needs systems to communicate in order for its tools to work. This means that it must leave some sort of footprint as it looks to establish outbound channels. (We will come back to this in my next blog.)
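As an added illustration of looking for anomalies at the DNS level (not code from the original post), the script below scores a constructed DNS query log per registered domain. It flags domains whose queries carry long, high-entropy subdomain labels or are dominated by TXT lookups, two traits of data being smuggled out inside DNS. The log format, the thresholds and the two-label domain split are assumptions for the example.

```python
import math
from collections import Counter, defaultdict
# Constructed sample log (not real traffic), one query per line: "src_ip qname qtype".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.9 www.example.com A
10.0.0.7 a9f3c1e7b2d4f6a8c0e1.updates.cdn-sync.test TXT
10.0.0.7 7e2b9d0c4f1a8e6b3d5c.updates.cdn-sync.test TXT
10.0.0.7 c4d8e2f6a0b1c3d5e7f9.updates.cdn-sync.test TXT
"""

def shannon_entropy(text):
    """Bits per character: encoded payload labels score well above dictionary words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def registered_domain(qname):
    """Last two labels; an assumption standing in for a public-suffix list lookup."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text, min_queries=3, entropy_threshold=3.5):
    """Return [(domain, reasons)] for domains whose query mix resembles a covert channel."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "high_entropy": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _src, qname, qtype = parts
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        s = stats[dom]
        s["queries"] += 1
        s["txt"] += int(qtype == "TXT")
        first_label = sub.split(".")[0]
        if len(first_label) >= 16 and shannon_entropy(first_label) >= entropy_threshold:
            s["high_entropy"] += 1
    alerts = []
    for dom, s in stats.items():
        if s["queries"] < min_queries:
            continue  # too few queries to judge; thresholds here are illustrative
        reasons = []
        if s["high_entropy"] * 2 >= s["queries"]:
            reasons.append("high-entropy subdomain labels")
        if s["txt"] * 2 >= s["queries"]:
            reasons.append("TXT-heavy query mix")
        if reasons:
            alerts.append((dom, reasons))
    return alerts
```

Running `analyze(SAMPLE_LOG)` reports only the constructed `cdn-sync.test` domain; the ordinary `example.com` lookups pass quietly, which is the baseline the thresholds should be tuned against in real traffic.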
Remember, unlike the typical traditional threat, which you are probably well prepared for, the APT will look to establish a permanent set of outbound channels. These may jump between sessions, port behaviors or even whole transit nodes if the APT is deep enough into your network. If the APT has compromised a series of systems it has a choice of how to establish outbound behaviors. Below is a representation of established exfiltration channels.
The larger the footprint the APT has, the better it can adjust and randomize its outbound behaviors, which makes it more difficult to tease out. So catching the APT early is of key importance. Otherwise it’s very much like trying to stamp out a fire that’s quickly growing out of control.
The Overall Pattern
Due to its advanced and persistent nature (hence the APT name) the threat cannot be absolutely eliminated. To do so would require systems to be totally isolated. And while this might be desirable to a certain level for certain systems, we have to expose ourselves to the external Internet if we wish to have any public presence. The intent of the APT is long-term residence and, preferably, total stealth. The figure below shows a different way to view these decision trees.
The goal is to establish a network of pivot points that can allow for better exposure of the target. The series of decision trees all fall inward toward the target; this will be the footprint of its web within the target. It is always looking to expand and extend, but not at the cost of losing secrecy. Its major strength lies in its invisibility.
So the concept of a linear flow to the attack has to go out the window. Again, this is the key to persistence. The attack is very cyclic in the way it evolves over time. The OODA loop comes to mind. Typically taught to military pilots and quick response forces, the OODA loop stands for Observe, Orient, Decide, Act. The logic that the APT uses is very similar, because it is raw constructive logic. Note how everything revolves around that center set of goals. If you are starting to see a strategy of mitigation then my hat's off to you. If not, then I have a clue for you … It's all about the data!
Now that we have uncovered the methods of the APT it should be obvious that they are extremely difficult to catch. Their whole goal is to remain under the surface, even during and after an attack. They want to be able to come back. In short, if an APT has targeted you, it's unlikely that you will prevent all compromises by it. They will get in if they work at it long enough. The question is: how far can they get, and how much damage can they do, before they're detected? I will close with a new security motto that we all should memorize: "Prevention is an ideal, BUT detection is an absolute MUST!" In my next blog we'll talk about detection and the methods that you can incorporate into your security practice to limit your exposure, containing the compromises that are bound to occur over time.