Some people refer to Advanced Persistent Threats (or APTs for short) as a form of malware or a virus. They are so wrong.
Advanced Persistent Threat usually translates to a “your internal corporate infrastructure has already been compromised and the bad guys are evading your security controls and countermeasures as we speak” attack, which is very difficult to fight because there is nothing programmatic about it. The vectors used in APTs are unpredictable, imaginatively ingenious, and behaviorally structured: in other words, like a human.
But how did they get there…
The metrics clearly show that when an APT is planned and executed, it is nearly always launched via a spear-phishing (targeted) campaign against a company’s employees. Alternatively, I have seen bad guys scatter volumes of USB thumb drives throughout the company’s parking lot, with the expectation that at least one or many persons will plug a thumb drive into an internal computer: then it’s game on.
If you hear a few executives report that they have been duped into clicking an email attachment (namely a PDF or Word document), you’d be wise to begin looking for the other symptoms of an APT.
First, understand the Advanced Persistent Threat
Hackers that devise and carry out APTs are well organized and work for a professional team. Recognizing the capabilities, structure, and goals of an enemy is crucial to fending them off. Note, being respectful of their capabilities is not the same as respecting them. You needn’t respect them: I don’t. But, I respect their formidability and coordination in order that I may beat them.
Their goal, typically, is to steal valuable intellectual property, such as confidential business plans, financial projections, patent ideas and descriptions, contracts, as well as sensitive information including personal data, credit card data, access credentials (to sell on the dark-net), and potentially your customers’ data and access credentials. It’s an unending list.
Once a beachhead has been established inside your environment, the objective of the APT is to remain unnoticed, gain intelligence, plan the mission, then execute the mission – whatever that is.
Key Signals that an APT is underway
Stockpiles of large compressed file archives (types .gz or .7z are most common).
- Bad guys will scour your file repositories and produce collections of sensitive data (some more uniform than others) at various collection points before exfiltration. Keep an eye on rapid increases in file storage totals. For example, if your enterprise storage of 100 TB typically sits at 40% and jumps up to 60% without an explanation – be very concerned.
Reconnaissance and pass-the-hash tools left behind.
- Strangely enough, bad guys are not very good at cleaning up after themselves. While they understand that these remnants can tip off the security staff, they either forget to delete these tools or they don’t care about them.
- Bad guys will most commonly install backdoor Trojan programs on many compromised systems within the exploited environment so they have optional paths to regain entry, even after the attack is discovered.
Increases in late night privileged user (and service account) authentications.
- Once the bad guy steals the user account of a normal, low privilege user, they immediately need to find a way to elevate their privilege to a high-level of permissions and access. Most bad guys are not hacking your network to play hell with your low privilege users. Rather, they are using them as a temporary means for establishing their beachhead – that’s it.
- Bad guys know that most normal users won’t know the origin or meaning of automated alerts or re-authentication notifications which can be triggered as a result of brute force or attempting access to unauthorized applications or data. The user will likely ignore these messages because they don’t know their meaning. The bad guys know this, and it affords them a long amount of time within the compromised normal user account to explore and attempt elevation. Make sure all of your users know what these messages mean so that they will report suspicious activity notifications quickly.
- Bad guys know the normal business hours of the target company they are attacking, so they attack when the victims are asleep (literally). Some will say that the reason for late night attacks is that the bad guys are located in other countries such as Russia or China. While plausible, this is not always the case, as these or other attackers work at any hours that provide the best window of work-time. If your defenses are down because your employees are asleep, then the bad guys will work at that time. Bad guys exist in every country, and the US bears a significant portion of the bad-guy population. Bad guys are strategic – they will attack you when you are asleep (literally and figuratively).
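One way to watch for the late-night signal described above is to compare each privileged account's off-hours logon count against its own history. This is an added example, not the author's code; the business hours, account names, host names and log format are assumptions, and the log lines are constructed.

```python
from collections import Counter
from datetime import datetime, time
from statistics import mean, pstdev

# Assumptions, not from the article: business hours, account names, log format.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
PRIVILEGED = {"adm-jsmith", "svc-backup"}

# Constructed sample, one record per line: timestamp,account,source host,result
SAMPLE_LOG = "\n".join(
    [f"2024-03-0{d}T01:00:00,svc-backup,bkp01,success" for d in range(4, 9)]    # nightly job
    + [f"2024-03-0{d}T09:15:00,adm-jsmith,ws114,success" for d in range(4, 9)]  # daytime admin work
    + [f"2024-03-08T02:{m}:00,adm-jsmith,ws207,success" for m in (11, 14, 19, 23)]  # late-night burst
    + ["2024-03-08T02:05:00,adm-jsmith,ws207,failure"]
)

def is_off_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def off_hours_counts(log_text):
    """Return (sorted days seen in the log, Counter of successful off-hours
    privileged logons keyed by (day, account))."""
    days, counts = set(), Counter()
    for line in log_text.strip().splitlines():
        stamp, account, _host, result = line.split(",")
        ts = datetime.fromisoformat(stamp)
        days.add(ts.date().isoformat())
        if account in PRIVILEGED and result == "success" and is_off_hours(ts):
            counts[(ts.date().isoformat(), account)] += 1
    return sorted(days), counts

def flag_increases(days, counts, min_jump=3, min_history=2):
    """Flag days where an account's off-hours logons exceed its own earlier
    mean + 3 standard deviations by at least min_jump logons."""
    alerts = []
    for account in sorted({acct for _, acct in counts}):
        series = [counts.get((day, account), 0) for day in days]
        for i in range(min_history, len(series)):
            history = series[:i]
            baseline = mean(history)
            if series[i] > baseline + 3 * pstdev(history) and series[i] - baseline >= min_jump:
                alerts.append((days[i], account, series[i]))
    return alerts

if __name__ == "__main__":
    for day, account, n in flag_increases(*off_hours_counts(SAMPLE_LOG)):
        print(f"{day}: {account} had {n} off-hours privileged logons, above its baseline")
```

The scheduled backup account logs on every night and stays within its own baseline, so only the admin account's burst is reported.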
Understand your data flows (norms and abnormal).
One of the sure-fire methods for detecting an in-process attack (APT or otherwise) is being able to detect large, abnormal flows of data from one internal computer to another internal computer(s) or to an external computer(s). This includes data flow from server to server, server to workstation, or network to network.
To understand “abnormal data flow” you first have to understand what normal data flows are. PCI, GDPR, HIPAA and other regulations and standards focused on sensitive data (credit cards, personally identifiable information, and protected health information, respectively) all share a core compliance requirement: you should know where this data flows throughout your processes. Once you know that, you can tell where these data are not supposed to flow.
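The idea above, checking observed traffic against the flows you have documented as normal, can be sketched as follows. This is an added example, not the author's code; the zone names, network ranges, byte ceilings and flow records are all constructed assumptions standing in for your own data-flow documentation.

```python
import ipaddress

# Hypothetical zone map; in practice this comes from your data-flow diagrams.
ZONES = {
    "cardholder-db": ipaddress.ip_network("10.10.1.0/24"),
    "app-tier": ipaddress.ip_network("10.10.2.0/24"),
    "workstations": ipaddress.ip_network("10.20.0.0/16"),
}
# Documented flows: (source zone, destination zone) -> normal daily byte ceiling.
DOCUMENTED = {
    ("cardholder-db", "app-tier"): 2_000_000_000,
    ("app-tier", "cardholder-db"): 500_000_000,
    ("workstations", "app-tier"): 1_000_000_000,
}
# Constructed daily flow summaries: (source IP, destination IP, bytes).
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.10.2.8", 1_200_000_000),      # db -> app, normal
    ("10.20.4.77", "10.10.2.8", 300_000_000),        # workstation -> app, normal
    ("10.10.1.15", "10.20.4.77", 40_000_000_000),    # db -> workstation
    ("10.20.4.77", "203.0.113.50", 38_000_000_000),  # workstation -> outside
    ("10.10.2.8", "10.10.1.15", 900_000_000),        # app -> db, documented but large
]

def zone_of(ip):
    """Map an address to a named zone; anything unmapped counts as external."""
    addr = ipaddress.ip_address(ip)
    for name, network in ZONES.items():
        if addr in network:
            return name
    return "external"

def review_flows(flows):
    """Total bytes per zone pair, then report pairs that are undocumented
    or that exceed their documented ceiling."""
    totals = {}
    for src, dst, nbytes in flows:
        pair = (zone_of(src), zone_of(dst))
        totals[pair] = totals.get(pair, 0) + nbytes
    findings = []
    for pair, nbytes in sorted(totals.items()):
        if pair not in DOCUMENTED:
            findings.append((pair, nbytes, "undocumented flow"))
        elif nbytes > DOCUMENTED[pair]:
            findings.append((pair, nbytes, "exceeds normal volume"))
    return findings

if __name__ == "__main__":
    for (src, dst), nbytes, reason in review_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {nbytes / 1e9:.1f} GB ({reason})")
```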
Below are some very concrete steps that you can take to unhook APT and similar attacks:
- Implement multi-factor authentication (2-step auth to some) – this quashes approximately 80% of identity compromises.
- Restrict the general user population’s ability (permissions) to install and run unwanted software applications. This sometimes involves removing local-admin privilege from desktop and laptop users. Sometimes it involves putting end-user devices (laptops, tablets, smartphones) under Mobile Device Management control to allow sanctioned and prevent unsanctioned apps from being installed and run.
- Limit remote desktop services (e.g., RDP) to only those users and systems that really need it.
- Patch systems quickly and consistently, especially critical security patches. The bad-guys exploit vulnerabilities found most commonly in unpatched (under-patched) systems.
- Consider implementing Office 365 Exchange Online Protection (EOP is available with any Office 365 subscription) and Advanced Threat Protection (ATP is available as a standalone service or within Office 365 E5). Microsoft Office 365 enables some very impressive protection against impersonation, spoof, and phish content and internal phish emails sent from compromised accounts. Microsoft analyzes 6.5 trillion signals, and each month analyzes 400 billion emails while also detonating 1 billion items in their sandbox.
- Do more than just annual employee security awareness training. While annual training is good (and required by most regulations and standards), you should strive to ensure that your employees remain vigilant and aware of security risks – so they can be part of the solution rather than part of the problem. Bad guys are constantly adapting their attack playbooks (and your employees are the target) so the better you can prepare your employees on emerging security issues and trends, the more successful you will be. Tools are cool, but your employees are an effective line of defense, if properly prepared. And, build your training programs in plain language. Simply put: make security training easy to understand for everyone in the organization.
The six steps (above) will go a long way towards reducing the success that a bad actor can have in stealing all your data, disrupting your operations, or holding your data and systems for ransom.
Till next time,