This is the third of four blogs about advanced persistent threats (APTs). In my first blog, I discussed the APT concept - stealthy threat actors who gain unauthorized access to a computer network and remain undetected for an extended period. In the second blog, I wrote about the first steps used in the kill chain process. We left off discussing the exploitation phase, which APTs use to further implant themselves into the network over an extended period of time. I will now take you through the final steps in the kill chain process and how they are used.
Execution is a process that will use a multitude of methods ranging from complete encryption (ransomware) to simple probes or port and keyboard mappers to gain even further intelligence. In many instances, this will be on the target system, but not always. Pivot systems can often be established to facilitate the resiliency and persistence of the APT in the network, which then sets the stage for the final phases.
Exfiltration and command & control (C2) go hand in hand. C2 is required for exfiltration. It turns out that both share a common trait: two-way outbound traffic. If the APT wants to pull data out of the target, it must establish outbound communication. This is sometimes referred to as a callback. These channels are covert. They are typically encrypted and mixed within the profile of normal data. Remember, while there are well-known port assignments that we all should comply with, an individual with even limited skills can generate a payload with counterfeit port mappings. DNS, ICMP, and SMTP are three common protocols for this type of behavior. It’s critical to look for anomalies in behavior at these levels. The APT needs systems to communicate in order for its tools to work. It has to leave some sort of footprint as it looks to establish outbound channels. We will come back to this in the next blog.
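The anomaly hunting described above, applied to DNS, as an added example that is not from the original blog: it groups resolver queries by client and domain and flags pairs with many long, high-entropy subdomains. The log format, the function names, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<epoch> <client> <qname> <qtype>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000004 10.0.0.5 mail.example.com A
1700000009 10.0.0.5 cdn.example.com A
1700000020 10.0.0.7 k3j9x0q2vbz81mfp4w7e.t.example.net TXT
1700000021 10.0.0.7 z8q1n5c7y2hd0ar6u3gs.t.example.net TXT
1700000022 10.0.0.7 p0w4e9m2xk7b5vj1t6qf.t.example.net TXT
1700000023 10.0.0.7 h6u2s8d3c1zr9yn4a0g5.t.example.net TXT
"""

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def parse(log_text):
    """Yield (client, registered_domain, subdomain) for each query.
    Assumption: the registered domain is the last two labels; production
    code would consult the Public Suffix List instead."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        labels = parts[2].rstrip(".").lower().split(".")
        if len(labels) >= 3:  # only names that carry a subdomain
            yield parts[1], ".".join(labels[-2:]), ".".join(labels[:-2])

def suspicious_dns(log_text, min_unique=4, min_len=16, min_entropy=3.5):
    """Return sorted (client, domain) pairs whose subdomains are numerous,
    long and high-entropy, the profile of data encoded into query names.
    Thresholds are illustrative; tune them against your own baseline."""
    seen = defaultdict(set)
    for client, domain, sub in parse(log_text):
        seen[(client, domain)].add(sub)
    flagged = []
    for key, subs in sorted(seen.items()):
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(map(entropy, subs)) / len(subs)
        if len(subs) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    print(suspicious_dns(SAMPLE_LOG))  # [('10.0.0.7', 'example.net')]
```

Requiring all three conditions together keeps ordinary browsing (few, short, readable hostnames) out of the results; a domain that legitimately uses hashed hostnames will still need an allowlist entry.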
Contrary to a more traditional threat, for which you probably have prepared measures, an APT will attempt to establish a set of permanent outbound channels. The APT may jump sessions, port behaviors, or even whole transit nodes if the APT is deep enough into your network. As shown in Figure 1, if the APT has compromised a series of systems, multiple choices are available to establish outbound behaviors.
Figure 1 - Established exfiltration channels
The larger the footprint the APT has, the more it can adjust and randomize its outbound behavior, making it more difficult to detect. The importance of catching the APT early cannot be overstated. Otherwise, it's very much like trying to stamp out a fire that is growing out of control.
Since the threat is advanced and persistent (hence the APT acronym), it cannot be eliminated completely. To do so would make systems totally isolated. Although this may be desired to a certain extent for specific systems such as IoT, we must expose ourselves to the public if we wish to have any presence. The intent of the APT is long-term residence and preferably total stealth. Figure 2 depicts a different way to view these decision trees.
Figure 2 - Set of scoped and defined decision trees
In this case, the goal is to establish a network of pivot points that will enable the target to be better exposed. The decision trees all fall inward towards the target, forming the APT's woven footprint within it. The APT is always looking to expand and extend that footprint, but not at the cost of losing secrecy. Its major strength lies in its invisibility.
So the concept of a linear flow to the attack has to go out the window to some degree. Again, the key term is persistence. The attack is very cyclic in the way it evolves over time. The observe, orient, decide, act (OODA) loop is a tactic typically taught to military pilots and quick-response forces. The logic of an APT is very similar to that of OODA. Note how everything revolves around that center set of goals. If you are starting to see a mitigation strategy, then my hat is off to you. If not, then I have a clue for you… it’s all about the data!
Now that we have uncovered the methods of the advanced persistent threat, it should be evident that they are very difficult to catch. Their goal is to remain under the surface even during and after an attack if they can get away with it. They want to be able to come back. In short, if an APT has targeted you, it is unlikely that you will prevent compromises from it. They will get in if they work long enough. The question is how far they can get and how much damage they can do before they are detected. I will close with a new security motto we all should memorize: “Prevention is ideal, but detection is an absolute must.”
Also, remember that APTs target you for a purpose. APTs do not hit randomly in a general sense. It may be an ongoing effort like industrial espionage or something that waits for critical mass and then strikes like ransomware. Either way, it is very much targeted. Individual personalities start to emerge and become more significant in APT groups. Personality refers to the tools and methods they use. These groups even have quaint names or labels such as Cozy Bear, Fancy Bear or the more cryptic Lazarus Group. The first two groups are generally associated with Russia and Ukraine, while the third group is most associated with North Korea. It is important to realize that the motives and rationales for their operation are totally different. The tools and methods may have commonalities or be vastly different. The APT group personality leaves a signature of sorts. By analyzing that signature against your network or given threat, you can gain insight into who it might be as well as the tools and methods that you can expect. Obviously, this information is of immense value to our security operations teams. It gives us a degree of proactive capabilities and takes us out of reactionary mode.
I will discuss these and other groups in my next blog as well as methods and tools that you can include in your security practice to limit your exposure and contain any compromises that are bound to occur.