Advanced Persistent Threat (APT) is a series of continuous cyber-attacks often orchestrated by organized cyber criminals targeted towards a specific entity with certain core objectives. The likely targets of Advanced Persistent Threat are core assets of large businesses, organizations of sensitive nature and government bodies that are attempted to be compromised for political or business gains. The sophistication of attack requires that the attacker has substantial means both in terms of niche skills and finances. Therefore, majority of these attacks are attributed to sophisticated hacktivist networks and governments.
As opposed to a general attack normally associated with an opportunistic script kiddies domain, APT attacks require highly coordinated specialized skillset, and warrant of sufficient resources with specific target in mind. They usually are a combination of a number of techniques involving stealth activities with the aim of maintaining a very low and unnoticeable profile in the victim’s network over a period of time.
The sophisticated nature of an APT attack makes it characteristically difficult to detect, remove, and attribute. Once the target is breached, back doors are often created to provide the attacker with ongoing access to the compromised system. An APT is persistent because the attacker can spend months gathering intelligence about the target and use that intelligence to launch multiple attacks over an extended period of time. It is threatening because perpetrators are often after highly swensitive information.
Bodmer, Kilger, Carpenter and Jones defined the following criteria for elaborating the nature of Advance Persistent Attacks. These characteristics make APTs stand out from the ordinary attack and also serve as a basis of criteria to apply for their detection:
- Objectives: As opposed to the standard attacks, the end goal of an APT and the adversary is focused.
- Timeliness: The time spent in research to probe and access your system is usually more.
- Resources: Access to the level of knowledge and tools used in the event are more substantial than ordinary attacks.
- Risk tolerance: These attacks have low risk tolerance. The perpetrators of these attacks heavily invest in keeping a low profile and also removing traces of any information that can link the attack back to them.
- Skills and methods: As opposed to standard attacks, APTs are more likely to use a diverse set of tools and techniques throughout the event.
- Actions: Attacks are executed through precise actions of a single threat or numerous threats all aimed at one specific goal.
- Attack origination points: With a very low window of opportunity, APTs carefully manage the number of points where the event originated.
- Knowledge source: Differentiation of these attacks through discerning information regarding any of the specific threats through online research.
APT activities are sophisticated and hard to detect; the command and control network traffic associated with APT can be detected at the network layer level. Deep log analyses along with correlation from various sources can be useful in detecting APT activities. Agents can be used to collect packets and logs (TCP and UDP) directly from assets into a centralized system. Then a sophisticated Security Information and Event Management (SIEM) and a Deep Packet Inspection (DPI) tool can correlate and analyze logs. While it is challenging to separate noises from legitimate traffic, a good correlation tool can facilitated in filtering out the legitimate traffic, so security analysts can focus on the valid noise.
Incident Handling Stages
Implement proactive measures to improve threat preparedness
- Download and Install software from trusted vendors with verifiable digitally signing. Verify MD5 hash of files for additional assurance.
- Use benchmarks for building systems on the network including servers, end point systems and network devices (example: cisecurity.org)
- Use group policy to distribute enterprise wide measures to end points by disabling external media access including USB drives, CD ROM and auto play features.
- Remove admin privileges from all end user systems and servers.
- Systems that require admin privileges must be identified in CMDB as high value target.
- Leverage SIEM and DPI tool to correlate data from multiple sources consisting of network and defense tools. Use data to identify potential compromise such as blocked emails, code execution in browser, and probable large data in HTML, outgoing traffic to specific IP’s on unusual ports, abnormal DNS requests, (see threats indicators for a comprehensive list).
- Identify all high value targets (Assets, People & Data) and baseline network activity to enable anomaly detection
- Identify and block all grey-listed domains
- Enable detailed logging for key systems and configure correlation in SIEM
- Leverage Nexthink for identification of hashes, executables and unwanted programs
- Use proxies to inspect bi-directional traffic on ALL the internal network links, including links between secondary application tiers;
- Collect detailed behavioral profiles on all the data and functions handled by each application
- Enforce fine-grained policy rules, by selectively blocking and/or rewriting any suspicious application traffic;
- Decrypt and re-encrypt confidential traffic through applications or some other encryption utilities, wherever possible
- Build and populate a Configuration Management Database (CMDB) detailing assets, software and data present to better understand the organization.
- Follow the hardening guidelines for all the Operating Systems
- Enable appropriate logging on all the network devices
- Identify, create and constantly update a list of all IPs known to be associated with insider and external threats
- Identify, create and constantly update a list of all IPs that are known to be associated with malware command and control.
- Setup procedures in place to support direct external notification to entities such as law enforcement and/or business partners.
- Setup procedures for external notification through contributing to Open Source Intelligence.
Identification & Verification
Correctly identify the threat by monitoring and verification techniques
- Identification of same email from public domain to significant number of users or C-level employees.
- Identification of emails sent to high value targets from unknown domains and / or addresses.
- Identify unusual traffic volumes to multiple ports or IP addresses
- Identify extensive packet loss
- Examine abnormal services on known ports and abnormal ports for well-known services
- Verify the reputation score of the IPs
- Nexthink alerts for installation of software which does not match the hash or standard software with multiple hash values
- Nexthink alert for executables and Web-washer alert for script injections or malicious traffic to blacklisted domains.
- HIPS / Host based malware alerts for local script execution
- Botnet filter alerts for traffic to blacklisted domains
- Email / SPAM filter misbehavior/ maintenance activity followed by suspicious activity on the network specially related to unknown/ suspicious remote destinations.
- Detect and report any deviations from the collected behavioral profiles
- Interpret monitor and correlate all of the application protocols in use, not just HTTP/S, FTP and SMTP
- Monitor packet flow inside and outside from the network for likely patterns of Command and Control (C+C) traffic, outbound custom encrypted communications, covert communication channels with external entities, etc.
- Host-based IDS/IPS alert of an unexpected system call, data access, port open
- Analyze logs from network monitoring tools, firewalls, IDS/IPS, anti-malware, data loss prevention (DLP), email servers, and other systems, to identify frequent connections/data sent to a suspicious destination outside organization specially belonging to less reputed geographic location and at odd hours.
- Check packet reconstruction to identify the stolen data and identify the attack vector.
- Use packet capturing utilities to replay old (or malicious) traffic to identify additionally infected systems
- Examine if any data breach has occurred.
- Check to see is any malware, phishing or ‘vishing’ incidents have been reported in the past.
- Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic.
Limit the damage caused
- Take the infected system into separate VLAN
- Examine the system to identify any lateral movement made within the enterprise by the attacker and perform the same checks on affected systems.
- If an attack is ongoing, resist immediate disconnection of infected computers, and understand how attackers are controlling them before disconnecting.
- Preserve information and artefacts associated with the incident.
- Communicate details of the incident with those that need to know based on the RASCI chart.
- Update the firewall / anti-malware blacklist to block attackers IPs and monitor them in detail including communication protocol
- Remove sensitive data from unsecured and unnecessary locations.
- Alert related key users on possible attacks and limit system & user privileges to copy, modify and delete secondary data/ information.
- Alert law enforcement and other authorities such as QCERT, if required.
- Notify internal users and affected departments/ systems owners.
Investigate how the attack happened and detect its origin
- In case of spear phishing, verify the links clicked and the destination URL
- Investigate the information provided or data uploaded on the phished site
- Identify suspicious changes in listening ports, system services and drivers, startup tasks, and scheduled tasks on the infected system
- Identify for new account with high privileges or permission changes
- Identify DNS requests
- Verify Host Intrusion Prevention System (HIPS) and alerts for the execution of scripts or malicious code
- Extractandidentifycharacteristicsofadversary with other affected systems; this may be achieved by using correlation rules to search for identified characteristics of attacks such as:
- System calls
- IP addresses
- Use file system and memory analysis and look for a malware/ code specific entity in Memory (process information, running service information)
- Analyze changes in the registry for unexpected registry keys.
- Investigate further to Identify all:
- Active (beaconing) and passive (listening) backdoors
- Other entry points like web servers, mail servers, VPN, etc.
Remove vulnerabilities and eliminate all causes
- Reset all affected systems, users and service passwords
- Remove backdoors by running an updated anti-malware tool, use vendor-supplied stringers as necessary for eradication and clean up
- Fix vulnerable systems they’re exploiting for access with updated patches
- Run registry cleaners and scan for memory-resident malicious codes and clean up with alternate boot mediums.
- Develop or update antivirus and/or security devices (IPS/IDS) signatures.
- Re-engineer the system or the systems to prevent re-infection.
- Segment critical data to more restricted areas and implement auditing for critical data access
- Enable block mode for sensitive data on data loss prevention tool.
Recover from the attack and resume normal operations
- Clean all traces like infected files, binaries, infected code and data.
- Clean browsing history, registry and memory. Preferable post taking all snapshots, install with clean image
- Update all antivirus / anti-malware programs with new signatures and patches
- Scan the infected system with latest antivirus and anti-malware programs
- Scan for suspicious items discovered on all infected and interconnected systems using updated antimalware used to disinfect the targeted systems.
- Perform System integrity checks for all the infected systems.
- Restoring all systems for which integrity has affected due to the attack, from last know good backup.
- Confirming all systems and services restored to normal operations.
Conduct post-incident activities
- Perform forensics to identify the source of attack and motivation like state sponsors
- Identify if the attackers used a third party (e.g., contractor, client, joint venture) as an attack vector
- Identify if the attackers had insider assistance
- Identify if the attackers had physical access to the facilities or network
- Collect evidence from packet captures /networkinformation, logs and infected system browsing history and malicious code and its reverse engineering
- Reverse-engineer binaries to help identify attack methods, communication protocols, and attack servers.
- Create images of hard drives from infected hosts.
- Ensure preservation of evidence besides maintaining chain of custody as required by legal authorities.
- Perform communications (internal/external user groups, public media etc.)