Signs of an advanced persistent threat attack
26 April 2018 | 0
Advanced persistent threat (APT) hackers and malware are more prevalent and sophisticated than ever. APTs are usually driven by professional hackers, working either for their government or relevant industries, whose full-time job is to hack specific companies and targets. They perform actions relevant to their sponsor’s interests, which can include accessing confidential information, planting destructive code, or placing hidden backdoor programs that allow them to sneak back into the target network or computer at-will.
APT hackers are very skilled and have the huge operational advantage in that they will never be arrested. Imagine how much more successful and persistent any other thief might be if they could get the same guarantee.
Still, they do not want their activities to be immediately noticed by their targets, because it would complicate their mission. A successful APT breaks into networks and computers, gets what they need, and slips out unnoticed. They prefer to be “slow and low.” They do not want to generate a lot of strange-looking auditable events, error messages, or traffic congestion, or to cause service disruptions.
Most APTs use custom code to do their activities, but prefer, at least at first, to use publicly known vulnerabilities to do their dirty work. That way, if their activities are noticed, it is harder for the victim to realise that it’s an APT versus the regular, less serious, hacker or malware program.
With that said, how can you recognise something that’s meant to be silent and unnoticed?
Recognising an APT
Because APT hackers use different techniques from ordinary hackers, they leave behind different signs. Over the past two decades, the following five signs are most have emerged to indicate that your company has been compromised by an APT. Each could be part of legitimate actions within the business, but their unexpected nature or the volume of activity may bear witness to an APT exploit.
- Increase in elevated log-ons late at night: APTs rapidly escalate from compromising a single computer to taking over multiple computers or the whole environment in just a few hours. They do this by reading an authentication database, stealing credentials, and reusing them. They learn which user (or service) accounts have elevated privileges and permissions, then go through those accounts to compromise assets within the environment. Often, a high volume of elevated log-ons occur at night because the attackers live on the other side of the world. If you suddenly notice a high volume of elevated log-ons across multiple servers or high-value individual computers while the legitimate work crew is at home, start to worry.
- Widespread backdoor Trojans: APT hackers often install backdoor Trojan programs on compromised computers within the exploited environment. They do this to ensure they can always get back in, even if the captured log-on credentials are changed when the victim gets a clue. Another related trait: once discovered, APT hackers do not go away like normal attackers. Why should they? They own computers in your environment, and you aren’t likely to see them in a court of law.These days, Trojans deployed through social engineering provide the avenue through which most companies are exploited. They are fairly common in every environment, and they proliferate in APT attacks.
- Unexpected information flows: Look for large, unexpected flows of data from internal origination points to other internal computers or to external computers. It could be server to server, server to client, or network to network.Those data flows might also be limited, but targeted, such as someone picking up email from a foreign country. It would be good if every email client had the ability to show where the latest user logged in to pick up email and where the last message was accessed. Gmail and some other cloud email systems already offer this.
This has become harder to perform because so much of today’s information flows are protected by VPNs, usually including TLS over HTTP (HTTPS). Although this used to be rare, many companies now block or intercept all previously undefined and unapproved HTTPS traffic using a security inspection device chokepoint. The device “unwraps” the HTTPS traffic by substituting its own TLS digital and acts as a proxy pretending to be the other side of the communication’s transaction to both the source and destination target. It unwraps and inspects the traffic, and then re-encrypts the data before sending it onto the original communicating targets. If you’re not doing something like this, you’re going to miss the exfiltrated data leak.
Of course, to detect a possible APT, you have to understand what your data flows look like before your environment is compromised. Start now and learn your baselines.
- Unexpected data bundles: APTs often aggregate stolen data to internal collection points before moving it outside. Look for large (gigabytes, not megabytes) chunks of data appearing in places where that data should not be, especially if compressed in archive formats not normally used by your company.
- Focused spear-fishing campaigns: Perhaps one of the best indicators is around focused spear-phishing email campaigns against a company’s employees using document files (e.g., Adobe Acrobat PDFs, Microsoft Office Word, Microsoft Office Excel XLS, or Microsoft Office PowerPoint PPTs) containing executable code or malicious URL links. This is the original causative agent in the vast majority of APT attacks.The most important sign is that the attacker’s phish email is not sent to everyone in the company, but instead to a more selective target of high-value individuals (e.g., CEO, CFO, CISO, project leaders, or technology leaders) within the company, often using information that could only have been learned by intruders that had already previously compromised other team members.
The emails might be fake, but they contain keywords referring to real internal, currently ongoing projects and subjects. Instead of some generic, “Hey, read this!” phishing subject, they contain something very relevant to your ongoing project and come from another team member on the project. If you have ever seen one of these very specific, targeted phishing emails, you will usually end up shuddering a bit because you will question yourself about whether you could have avoided it. They are usually that good.
If you hear of a focused spear-phishing attack, especially if a few executives have reported being duped into clicking on a file attachment, start looking for the other four signs and symptoms. It may be your canary in the coal mine.
That said, the hope is that you never have to face cleaning up from an APT attack. It is one of the hardest things you and your enterprise can do. Prevention and early detection will reduce your suffering.
IDG News Service