September 29, 2010

Is There Really Someone Out to Get You?

by Shon Harris

Many times, hackers are simply scanning systems for a vulnerable running service or sending malicious links in emails to unsuspecting victims. They are looking for any way into any network. This is the shotgun approach to network attacks. Another, more dangerous attacker has you in his crosshairs and is determined to identify your weakest point and do with you what he will.

As an analogy, the thief that goes around rattling door knobs to find one that is not locked is not half as dangerous as the one who will watch you day in and day out to learn your activity patterns, where you work, what type of car you drive, find out who your family is, and patiently wait for your most vulnerable moment to ensure a successful and devastating attack.

In the computing world, we call this second type of attacker an advanced persistent threat (APT). The term comes from the military and has been around for ages, but as the digital world becomes more of a battleground, it grows more relevant every day.

APTs differ from the regular old vanilla attacker in that they are commonly a group of attackers, not just one hacker, who combine their knowledge and abilities to carry out whatever exploit will get them into the environment they are after. The APT is very focused and motivated to aggressively and successfully penetrate a network with a variety of attack methods and then clandestinely hide its presence while achieving a well-developed, multi-level foothold in the environment. The ‘advanced’ aspect of the term pertains to the expansive knowledge, capabilities, and skill base of the APT. The ‘persistent’ component has to do with the fact that the attacker is not in a hurry to launch an attack quickly, but will wait for the most beneficial moment and attack vector to ensure that its activities go unnoticed. This is what we refer to as a “low-and-slow” attack. This type of attack is coordinated by human involvement, rather than being a virus-type threat that goes through automated steps to inject its payload. The APT has specific objectives and goals and is commonly highly organized and well-funded, which makes it the biggest threat of all.

A virus is not an APT, a worm is not an APT, a bot is not an APT. An APT commonly uses custom-developed malicious code that is built specifically for its target, has multiple ways of hiding itself once it infiltrates the environment, may be polymorphic as it replicates, and has several different ‘anchors’ so that eradicating it is difficult if it is discovered. Once the code is installed, it commonly sets up a covert back channel (as regular bots do) so that it can be remotely controlled by the attacker. The remote-control functionality allows the attacker to traverse the network with the goal of gaining continuous access to critical assets.

APT infiltrations are usually very hard to detect with host-based solutions because the attacker puts the code through a barrage of tests against the most up-to-date detection applications on the market. A more common way to detect these threats is through changes in network traffic. A new IRC connection from a host, for example, is a good indication that the system has a bot communicating with its command center. Since several technologies in use today detect just this type of traffic, the APT may have multiple control centers to communicate with, so that if one connection gets detected and removed it still has an active channel to use. The APT may also implement some type of VPN connection so that its data in transit cannot be inspected.
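The post's point is that a compromised host shows up as a change in its outbound traffic before it shows up on the host itself. The following Python is an added illustration of that idea, not code from the original post: it learns which outbound (destination, port) pairs each internal host normally uses from a baseline window of flow records, then flags connections outside that baseline, with extra weight on IRC ports and on hosts that suddenly talk to several new destinations (the multiple-control-center pattern the post describes). The flow record format, the IRC port list and the "internal" address ranges are assumptions made for this example, and the log lines are constructed.

```python
"""Baseline-and-deviation check over constructed flow records.

Added example, not from the original post. Record format (assumed):
    "<timestamp> <src-ip> <dst-ip> <dst-port>"
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports conventionally used by IRC (assumption for this example).
IRC_PORTS = {6667, 6697}

# RFC 1918 ranges treated as "internal"; anything else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'ts src dst dport' record."""
    ts, src, dst, dport = line.split()
    return Flow(ts, src, dst, int(dport))


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def build_baseline(lines):
    """Map each internal source host to the (dst, port) pairs it used."""
    baseline = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        baseline[f.src].add((f.dst, f.dport))
    return baseline


def find_deviations(baseline, lines):
    """Return alerts for outbound-to-external flows absent from the baseline.

    Each alert is (severity, host, dst, port): 'high' for a new IRC
    connection, 'medium' for any other new external destination.
    """
    alerts = []
    for line in lines:
        f = parse_flow(line)
        if (f.dst, f.dport) in baseline.get(f.src, set()):
            continue                      # seen before, nothing new
        if is_internal(f.dst):
            continue                      # only Internet-bound changes matter here
        severity = "high" if f.dport in IRC_PORTS else "medium"
        alerts.append((severity, f.src, f.dst, f.dport))
    return alerts


def hosts_with_multiple_new_destinations(alerts, threshold=2):
    """Hosts that opened at least `threshold` new external destinations.

    A bot with several fallback control centers tends to look like this."""
    per_host = defaultdict(set)
    for _sev, host, dst, _port in alerts:
        per_host[host].add(dst)
    return sorted(h for h, d in per_host.items() if len(d) >= threshold)


# Constructed sample records using documentation (RFC 5737) addresses.
BASELINE_LOG = [
    "2010-09-27T09:00:00 10.0.0.5 203.0.113.10 443",
    "2010-09-27T09:05:00 10.0.0.5 203.0.113.11 80",
    "2010-09-27T09:10:00 10.0.0.7 203.0.113.10 443",
    "2010-09-27T09:11:00 10.0.0.7 10.0.0.2 445",
]
TODAY_LOG = [
    "2010-09-29T02:13:00 10.0.0.5 198.51.100.20 6667",  # new IRC session
    "2010-09-29T02:14:00 10.0.0.5 198.51.100.21 6697",  # second controller
    "2010-09-29T09:00:00 10.0.0.5 203.0.113.10 443",    # normal traffic
    "2010-09-29T09:30:00 10.0.0.7 203.0.113.12 443",    # new HTTPS destination
    "2010-09-29T09:31:00 10.0.0.7 10.0.0.3 445",        # internal, ignored
]

if __name__ == "__main__":
    found = find_deviations(build_baseline(BASELINE_LOG), TODAY_LOG)
    for alert in found:
        print(*alert)
    print("hosts with multiple new destinations:",
          hosts_with_multiple_new_destinations(found))
```

On the constructed input, host 10.0.0.5 produces two high-severity alerts (two new IRC destinations) and is the only host listed as having multiple new destinations; the new HTTPS destination from 10.0.0.7 is reported at medium severity for an analyst to review. A real deployment would build the baseline over a longer window and add allow-listing, but the shape of the check is the same.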

The ways of getting into a network are basically endless (exploiting a web service, emailing links and attachments to users, gaining access through remote maintenance accounts, exploiting OS and application vulnerabilities, compromising connections from home users, etc.). Each of these vulnerabilities has its own fix (patches, proper configuration, awareness, proper credential practices, encryption, etc.). But it is not only these fixes that need to be put in place; we need to move to a more effective situational awareness model. We need better visibility into what is happening throughout our network in near real time so that our defenses can react quickly and precisely.

Our battlefield landscape is changing from ‘smash-and-grab’ attacks to ‘slow-and-determined’ attacks. Just as military offensive practices evolve and morph as their targets do, so must we as an industry.

Other Information:

Certified Information Systems Security Professional (CISSP)