APTs Part 4: How Do You Detect an Advanced Persistent Threat in Your Network?

Here in part four of my APT series, we’re looking at how to detect Advanced Persistent Threats in your network. The key is to know what to look for and how to spot it.

Look for patterns of behavior that are unusual from a historical standpoint. Some things to look for are unusual patterns of session activity. Port scanning and the use of discovery methods should be monitored as well. Look for unusual TCP connections, particularly lateral or outbound encrypted connections.

Remember that there is a theory to all types of intrusion. An attacker needs to compromise the perimeter. Unless the attacker is very lucky, they will not be where they need or want to be. This means that a series of lateral and northbound moves will be required to establish a foothold. In order for any information to leave your organization there has to be an outbound exfiltration channel. This is another area where APTs have to diverge from the normal behavior of a user.

Here’s what to look for:

  • Logon Activity:

    Logons to new or unusual systems can be a flag. New or unusual session types are also a flag to watch for, particularly outbound encrypted sessions or unusual time of day or location. Watch for jumps in activity or velocity.

  • Program execution:

    Look for new or unusual program executions at unusual times of the day or from unusual locations. Execution of a program from a privileged account rather than a normal user account should also raise an alarm.

  • File access:

    Look for unusually high volume access to file servers or unusual file access patterns. Also be sure to monitor cloud-based sharing uploads as these are a very good way to hide in the flurry of other activity.

  • Network activity:

    New IP addresses or secondary addresses can be a flag. Unusual DNS queries should be looked into, particularly those with a bad or no reputation. Look for the correlation between the above points and new or unusual network connection activity. Many C2 channels are established in this fashion.

  • Database access:

    Most users do not have direct access to the database. Also look for manipulated application calls performing sensitive table access, modifications or deletions. Be sure to lock down the database environment by disabling many of the added options that most modern databases provide. An application proxy service should be implemented to prevent direct access in a general fashion.

The goal is to arrive at a risk score based on the aggregate of the above. This involves the session serialization of hosts as they access resources. The problem with us as humans is this: if we’re barraged with tons of data and forced to pick out the significant data ourselves, we are woefully inefficient. First of all, we have a propensity for missing certain data sets. How often have you heard the saying, “Another set of eyes”? Never manually analyze data alone; always have another set of eyes go over it.
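The aggregate risk score described above can be sketched as a per-user baseline plus weighted anomaly flags. This is an added example, not code from the original post or from Avaya; the event fields, weights, volume factor and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

WEIGHTS = {"new_target": 3, "odd_hour": 2, "privileged_exec": 2, "volume_jump": 3}  # assumed
VOLUME_FACTOR = 5  # assumed: flag transfers over 5x the user's historical maximum

def ev(user, hour, kind, target, priv=False, nbytes=0):
    return {"user": user, "hour": hour, "kind": kind, "target": target,
            "priv": priv, "bytes": nbytes}

# Constructed sample data, not taken from the original post.
HISTORY = [
    ev("alice", 9, "logon", "ws-014"), ev("alice", 10, "file", "fs-01", nbytes=20_000_000),
    ev("alice", 11, "net", "10.0.5.20:443"),
    ev("bob", 8, "logon", "ws-022"), ev("bob", 14, "file", "fs-01", nbytes=5_000_000),
]
TODAY = [
    ev("alice", 9, "logon", "ws-014"),                   # matches history
    ev("bob", 2, "logon", "db-03"),                      # new system, unusual hour
    ev("bob", 2, "exec", "archiver.exe", priv=True),     # new program, privileged
    ev("bob", 3, "file", "fs-01", nbytes=900_000_000),   # known server, volume jump
    ev("bob", 3, "net", "203.0.113.7:443"),              # new outbound destination
]

def build_baseline(events):
    """Per-user history: (kind, target) pairs seen, active hours, largest transfer."""
    prof = defaultdict(lambda: {"seen": set(), "hours": set(), "max_bytes": 0})
    for e in events:
        p = prof[e["user"]]
        p["seen"].add((e["kind"], e["target"]))
        p["hours"].add(e["hour"])
        p["max_bytes"] = max(p["max_bytes"], e["bytes"])
    return dict(prof)

def flags_for(e, prof):
    """Return the anomaly flags one event raises against the historical baseline."""
    # A user with no history gets an empty profile, so everything they do is "new".
    p = prof.get(e["user"], {"seen": set(), "hours": set(), "max_bytes": 0})
    gap = lambda a, b: min(abs(a - b), 24 - abs(a - b))  # hours wrap at midnight
    checks = {
        "new_target": (e["kind"], e["target"]) not in p["seen"],
        "odd_hour": all(gap(e["hour"], h) > 1 for h in p["hours"]),
        "privileged_exec": e["kind"] == "exec" and e["priv"],
        "volume_jump": e["bytes"] > VOLUME_FACTOR * p["max_bytes"],
    }
    return [name for name, hit in checks.items() if hit]

def risk_scores(history, today):
    """Aggregate per-user risk over the day's events, highest first."""
    prof, totals = build_baseline(history), defaultdict(int)
    for e in sorted(today, key=lambda e: e["hour"]):  # serialize the session in time order
        totals[e["user"]] += sum(WEIGHTS[f] for f in flags_for(e, prof))
    return sorted(totals.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    print(risk_scores(HISTORY, TODAY))
```

No single event here is conclusive; the ranking comes from the flags stacking up on one account within one session.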

     

At Avaya we’ve developed a shortest path bridging networking fabric we refer to as SDN Fx™ Architecture that is based on three basic self-complementary security principles:

  • Hyper-segmentation: This is a new term that we’ve coined to indicate the primary deltas of this new approach to traditional network micro-segmentation. First, hyper-segments are extremely dynamic and lend themselves well to automation and dynamic service chaining, as is often required with software-defined networks. Second, they are not based on IP routing and therefore do not require traditional route policies or access control lists to constrict access to the micro-segment. These two traits create a service that is well suited for security automation.
  • Stealth: Because SDN Fx is not based on IP, it is dark from an IP discovery perspective. Many of the topological aspects of the network, which are of key importance to APTs, simply cannot be discovered by traditional port scanning and discovery techniques. So the hyper-segment holds the user or intruder in a narrow and dark community that has little or no communications capability with the outside world, except through well-defined security analytic inspection points.
  • Elasticity: Because we are not dependent on IP routing to establish service paths, we can extend or retract certain secure hyper-segments based on authentication and proper authorization. Just as easily, however, SDN Fx can retract a hyper-segment, perhaps based on an alert from security analytics that something is amiss with the suspect system. There may even be the desire to redirect them into honeypot environments where a whole network can be replicated in SDN Fx for little or no cost from a networking perspective.

In the End

Hardly a day goes by without hearing about a data breach somewhere in the world. To combat these breaches, it’s imperative to understand how APTs work and how you can detect them. Remember—prevention is ideal, but detection is a must!

With this blog series, I hope I’ve helped you see how to limit the impact of APTs on your enterprise. If you missed a blog post, here’s the whole series:

APTs Part 1: Protection Against Advanced Persistent Threats to Your Data

APTs Part 2: How the Advanced Persistent Threat Works

APTs Part 3: Prevention is Ideal, But Detection is a Must

APTs Part 4: How Do You Detect an Advanced Persistent Threat in Your Network?

Related Articles:

APTs Part 3: Prevention is Ideal, But Detection is a Must

In my last blog I spoke about the first steps in the kill chain. Now that the Advanced Persistent Threat (APT) has gained residence, it’s time to get to work. To refresh your memory, here’s our illustration of a kill chain:
[Figure: kill chain illustration]

Execution

In this step there is some method established for the final phase, which is either data exfiltration or complete command and control (C2). Note that execution is a process that will have a multitude of methods ranging from complete encryption (ransomware) to simple probes or port and keyboard mappers to gain further intelligence.

Exfiltration and C2

Exfiltration and Command & Control (C2) go hand in hand. C2 is required for exfiltration. It turns out that both require a common trait: two way outbound traffic. At this point if the APT wants to pull data out of the target it must establish outbound communication. This is sometimes referred to as a call back. These channels are covert. They are typically encrypted and mixed within the profile of normal data.

Remember, while there are well-known ports assigned (with which we all should comply), an individual with even limited skills can generate a payload with counterfeit port mappings. DNS, ICMP and SMTP are three common protocols for this type of behavior. It’s key to look for anomalies in behavior at these levels. The APT needs systems to communicate in order for the tools to work for them. This means that they need to leave some sort of footprint as they look to establish outbound channels. (We will come back to this in my next blog.)

Remember, unlike the typical traditional threat, which you probably are well prepared for, the APT will look to establish a permanent outbound set of channels. These may jump sessions, and port behaviors or even whole transit nodes, if the APT is deep enough into your network. If the APT has compromised a series of systems it has a choice on how to establish outbound behaviors. Below is a representation of established exfiltration channels.

[Figure: established exfiltration channels]

The larger the footprint the APT has, the better it can adjust and randomize its outbound behaviors, which makes it more difficult to tease out. So catching the APT early is of key importance. Otherwise it’s very much like trying to stamp out a fire that’s quickly growing out of control.

The Overall Pattern

Due to its advanced and persistent nature (hence the APT name) the threat cannot be absolutely eliminated. To do so would make systems totally isolated. And while this might be desired to a certain level for certain systems, we have to expose ourselves to the external Internet if we wish to have any public presence. The intent of the APT is long-term residence and preferably total stealth. The figure below shows a different way to view these decision trees.

[Figure: decision trees]

The goal is to establish a network of pivot points that can allow for better exposure of the target. The series of decision trees all fall inward toward the target; this will be the footprint of its web within the target. It is always looking to expand and extend, but not at the cost of losing secrecy. Its major strength lies in its invisibility.

So the concept of a linear flow to the attack has to go out the window. Again, this is the key to persistence. This is very cyclic in the way it evolves over time. The OODA loop comes to mind. Typically taught to military pilots and quick response forces, the OODA loop stands for Orient, Observe, Decide, Access. The logic that the APT uses is very similar. This is because it is raw constructive logic. Note how everything revolves around that center set of goals. If you are starting to see a strategy of mitigation then my hat’s off to you. If not, then I have a clue for you … It’s all about the data!

Now that we have uncovered the methods of the APT it should be obvious that they are extremely difficult to catch. Their whole goal is to remain under the surface even during and after an attack. They want to be able to come back. In short, if an APT has targeted you it’s unlikely that you will prevent compromises from it. They will get in if they work long enough. The question is: How far can they get and how much damage can they do before they’re detected? I will close with a new security motto that we all should memorize. “Prevention is an ideal, BUT detection is an absolute MUST!” In my next blog we’ll talk about detection and the methods that you can incorporate into your security practice to limit your exposure, containing any compromises that are bound to occur over time.

 

APTs Part 2: How the Advanced Persistent Threat Works

In my last blog I introduced the concept of Advanced Persistent Threats (APT) and provided some background on what these groups are about. APTs want to be invisible in your network. They want to become residents and remain for the long term. Given this, it is of key importance to detect their presence. But before we can do that, we need to look at the methods that APTs use to compromise network security and remain hidden within the flurry of day-to-day data. This will be the focus of this second blog: how do APTs go about their nefarious activities?

So What are the Methods?

Copious amounts of research exist on the methods that APTs will use. Due to the fact that this is largely driven by humans, the range can be wide and dynamic. Basically it all boils down to extending the traditional kill chain. This concept was first devised by Lockheed Martin to footprint a typical cyber-attack. This is shown in the illustration below.

[Figure: kill chain illustration]

The concept of infiltration needs to occur in a certain fashion. An attacker can’t just willy-nilly their way into a network. Depending on the type of technology, the chain might be rather long. As an example, an open core network will be much easier to compromise than an implementation with strong hyper-segmentation. There are many degrees of delta in the complexity of the two methods.

Reconnaissance

In the past, this was treated lightly at best by security solutions. Even now with highlighted interest in this area by security solutions, it tends to be the extended main avenue of knowledge acquisition. The reason for this is that much of this intelligence gathering can take place off line. There is no need to inject probes or pivots at this point. Instead the method is to gain as much intelligence about the targets as possible. This may go on for months or even years, and it continues as the next steps occur. Note how I say “targets.” This notes that the target network, when analyzed, will result in a series of potential target systems. APTs are more interested in the users or edge devices. These devices are typically more mobile with a wider degree of access media type. Additionally they have you or me at the interface. We are gullible—and we also can make rash decisions.

Infiltration

Once the attacker feels that there is enough to move forward, the next step is to try to establish a beachhead into the target.

The end user is typically the target. No one is immune. In the past a phishing attempt was easier to see. This has changed recently in that many times these attempts will be launched from a disguised email or other correspondence with an urgent request. There are also methods to create watering holes, which is basically an infiltration of websites that are known to be popular or required with the target. Cross site scripting is a very common set of methods to make this jump. In the past this would have been felt immediately. Now you might not feel anything at all. But APTs are now inside your network. They’re wreaking no damage, yet. They remain invisible.

Exploitation

If APTs are successful in their exploitation, you won’t know it. It’s a scary point to note that most APT infiltrations are only pointed out after the fact to the target by a third party such as a service provider or law enforcement. This is concerning. It means that both the infiltration and exploitation capabilities of the APT are extremely high.

How is this accomplished? The reality is that each phase in the chain will yield information and the need to make decisions as to the next best steps in the attack. The truth is that this is the next step in the tree. As shown in the figure below, there are multiple possible exploits and further infiltrations that could be leveraged off of the initial vector. It is in reality a series of decisions that will take the intruder closer and closer to its target.

[Figure: Advanced Persistent Threat]

What the APT finds will dictate how it moves its strategy forward and how it will adapt and optimize over time. It will morph to your environment in a very specific and targeted way. While many may think that initial exploitation is it, it’s really not. The exploitation phase is used to further implant into the network.

Join me in my next blog where we’ll look at the final steps in the kill chain and how they’re used by APTs.

 

APTs Part 1: Protection Against Advanced Persistent Threats to Your Data

Hardly a day goes by without hearing about a data breach somewhere in the world. So it’s timely that we launch this new blog series about Security. To kick the series off, we’ll take a look at some of the alarming trends in the development of Advanced Persistent Threats (APTs). We’ll explore what they are and how they operate. Along the way, we’ll provide simple advice to help you limit their impact on your enterprise.

In the old days, we mainly dealt with fly-by automated attacks. We all recall worms and Trojans and the other little beasts in the menagerie of malware. They were fairly simple at first but as time moved forward, the degree of sophistication and stealthy behavior of this code has drastically increased. There are a couple of reasons for this. First, code naturally evolves as multiple individuals contribute to its evolution, growing in feature set or reliability. Even malicious code benefits from collaborative development. Second, the design goal has changed from doing immediate damage to remaining hidden. This is the goal of the APT.

  • APTs are advanced.

    Typically, they come from a sizable group of individuals who are well-funded and equipped. Many people will automatically think APTs come from China and Russia, but the reality is they can be and are anywhere. The U.K. is one of the leading nations and there are plenty in the U.S. as well. They are also given a set of targets or perhaps even a single target.

  • APTs are persistent.

    This is a group that owes its whole existence to penetrating the assigned target. Many times, there are handsome bonuses for success. They will persist for months and even years, if necessary, waiting for the right moment.

  • And while they do not seek to do immediate damage, they most definitely are a threat.

    Their goal is to penetrate and access sensitive information, and establish command and control points within the network with devastating results. The recent data breach at Yahoo is the latest, with roughly 400 million records stolen. Let’s also not forget that the NSA itself was breached with the result being the exfiltration of sensitive cyberattack tools.

While many will still say “not in my network,” research indicates the attacker in most breaches is resident in the network for an average of 256 days without being discovered. Further, about 81% of those breached did not identify it themselves. They were notified by third parties such as banks, credit card vendors, or law enforcement—and though we can’t tell exactly, it’s suspected that up to 94% don’t know they’ve been hacked until long afterward.

Now don’t get me wrong, we still have plenty of malware out there and it’s growing in volume every day. As an example, there are 25 million new instances of malware that cannot be blocked by traditional antivirus solutions. The added venom to the mix, however, is that now there are well-equipped teams using malware in a tightly orchestrated fashion. It’s reported that 70% of known breaches involved the use of malware, but the breaches are done in a well-thought-out orchestrated manner. The rules have changed so we had better up our game. In my next blog, we’ll take a closer look at a typical method of APT operations and the concepts of kill chains and attack trees, as well as how they go about getting into your enterprise.

You’re likely wondering what you can do to protect yourself. Well, the NSA recommends implementing highly granular microsegments. This prevents lateral movement, which is critical to the attackers’ ability to escalate privilege into the environment. They also recommend creating stealth or black networks that yield little or no information to scans and probes. Finally, these secure microsegments should ideally be ships in the night with no or at least very constricted communications capability to other segments.

Avaya has embraced this philosophy in our recent security launch. Hyper-segmentation provides for high granular segmentation, stealth provides for the black network environment, and elasticity provides for strong perimeter protection, allowing access to users and devices only once they have been vetted, established as trusted, and authenticated. We’ll go much deeper into this in the third installment of this series on APTs. Until then, don’t be afraid. Be prepared.