This document summarizes a presentation on Advanced Persistent Threats (APTs) given by Aryeh Goretsky, a Distinguished Researcher at ESET. The presentation defines APTs as determined adversaries who conduct cyber attacks in phases, including reconnaissance of targets, analysis of vulnerabilities, development of tools to exploit vulnerabilities, trial runs of attacks, and implantation of attacks on targets. It discusses techniques used in APTs, such as rootkits, command and control servers, custom file systems and partitions, evasion methods, firmware attacks, and programming languages. The presentation aims to explain how to think like a determined adversary conducting a cyber attack campaign.

1. Advanced Persistent Threats
Aryeh Goretsky, Distinguished Researcher
SOeC Cyber Boot Camp 2015 • Monday, June 22, 2015

2. Aryeh Goretsky
Distinguished Researcher
Aryeh is ESET’s Distinguished Researcher and
has been with the company for over nine years.
A twenty-five year veteran of fighting viruses,
today he is responsible for threatscape
monitoring, investigations and working with
researchers in and outside of ESET globally.
He was the first employee at McAfee and is a
veteran of several software and networking
startups. He has received industry awards from
Microsoft, Lenovo and Securing our eCity for his
efforts to help make computing safer.

3. Agenda
What exactly is an APT?
Why I hate the term ‘APT’
Thinking like a Determined Adversary
Phases I-V
Commonly seen mechanisms
actions and technologies seen in some APTs
Defensive Technologies
modern, layered approach to malware detection
leveraging the cloud; cloud-based techniques
security beyond anti-malware
SOeC Cyber Boot Camp 2015 • Monday, June 22, 2015

4. Not on the Agenda
This is not an overview of any particular APT family
visit We Live Security for information on specific APT campaigns
This is not a deep dive
I’m here to talk about how to shoot, not make bullets
SOeC Cyber Boot Camp 2015 • Monday, June 22, 2015

5. But before we begin…
Pop quiz later…
Vocabulary Lesson

6. GLOSSARY
Vulnerability (n.) – A flaw in a computer
program which exposes it to compromise

7. GLOSSARY
Exploit (n.) – Program (or sequence of
instructions) which takes advantage of a
vulnerability. Of interest when it allows the
execution of code or elevation of privilege.
Or both.

8. GLOSSARY
Virus (n.) – A computer program that modifies
other computer programs to include a copy of
itself.

9. GLOSSARY
Worm (n.) – A computer program that spreads
copies of itself. It may do so over networks,
online services, removable media and other
channels.

10. GLOSSARY
Trojan horse (n.) – A computer program that
purports to do something useful, but instead
contains malicious code. A trojan horse does
not replicate or spread itself.

11. GLOSSARY
Computer viruses, worms, trojan horses and
other threatening programs are called
malicious software, or malware, for short.

12. GLOSSARY
• Adware
• Agents
• Backdoor
• Bootkits
• Bots
• Botnets
• C&C servers
• DDoS
• Dialers
• Downloaders
• Droppers
• Exploit Kits
• Hoaxes
• Keyloggers
• Packers
• Phishes
• PUAs
• Ransomware
• Remote Access Tools
• Rootkits
• Spyware
• Trojans
• Viruses
• Web Injects
• Worms
• Zero-days
• Zombies

13. GLOSSARY
• Adware
• Agents
• Backdoor
• Bootkits
• Bots
• Botnets
• C&C servers
• DDoS
• Dialers
• Downloaders
• Droppers
• Exploit Kits
• Hoaxes
• Keyloggers
• Packers
• Phishes
• PUAs
• Ransomware
• Remote Access Tools
• Rootkits
• Spyware
• Trojans
• Viruses
• Web Injects
• Worms
• Zero-days
• Zombies

14. What exactly is malware?
Put simply:
“Malware is software that, if you
knew what it did, you wouldn’t
want it on your computer.”

15. Advanced Persistent Threats
APTs

16. What exactly is an APT?
APTs
APT is short for Advanced Persistent Threat
But what does that mean? Here’s one definition:
Advanced: the attacker was smarter than us
Persistent: the attacker was successful
Threat: we accepted risk of being attacked
(credit to Paco Hope, Cigital)

17. So, what exactly is an APT?
APTs
There is no formal definition of APT.
The term gets abused by:
• Security companies that are trying to scare you into
buying something from them.
• Companies trying to escape blame for not having
proper security controls.

18. Really, what is an APT?
APTs
Instead of APTs, I would like you to think of
Determined Adversaries
The determined adversary is the entity behind
the APT.
The APT is merely the point of the spear.

19. Thinking like a Determined Adversary
CAMPAIGN
(or how to run your attack campaign)
Phase I Reconnaissance
Phase II Analysis
Phase III R&D
Phase IV Trial Run
Phase V Implantation of Target

20. Thinking Like a Determined Adversary
CAMPAIGN
Phase I: Target Reconnaissance
• Build a map of the people and of the organization
• Identify and describe public-facing network infrastructure
• Identify tools and vendors used for network management,
infrastructure and security
But where do you get this information from?
• Company web site: press releases, job descriptions
• Social media: employees on LinkedIn, FaceBook, Twitter
• Vendor press releases, support web sites
• Organizations that the company/employees belong to
• Network tools and public databases (whois, dig)

21. Thinking Like a Determined Adversary
CAMPAIGN
Phase II: Target analysis (victim selection)
• Identify vulnerabilities in people
– candidate targets for spearphishing
– weaknesses in outside vendor/organizations infrastructure
• Identify vulnerabilities in network infrastructure
– old or outdated networking gear used?
• Identify vulnerabilities in OS & apps used by target
– there’s usually something old and vulnerable… somewhere
– If not, install a vulnerable program and exploit it
• Identify vulnerabilities in security infrastructure
– old or outdated security tools used?
– hardened perimeter, but no internal controls

22. Thinking Like a Determined Adversary
CAMPAIGN
Phase III: Vulnerability R&D
• Design tools (the “APT chain”) to insert into target
organization
– build it yourself (most expensive & time-consuming)
– buy it (0-day brokers, black security companies, also expensive)
– partner with related attackers*
• The more parties you involve, the greater the risk of
attribution.

23. Thinking Like a Determined Adversary
CAMPAIGN
Phase IV: Trial Run
• Simulate target company network, test attack prototypes
– look at data
– post-mortem analysis
– refine attacks
• Refine attack chain until confidence level reaches desired
level for given attack scenario(s) (lather, rinse, repeat)
• Conduct some probes of real target to see how they are
handled using separate (and burnable) attack infrastructure
– modified copies of existing spam, regular malware, etc.
– attack fatigue on their part may increase success of novel attack

24. Thinking Like a Determined Adversary
CAMPAIGN
Phase V: Implantation of Target/Victim
• In you go!
• Slow and steady, move laterally through org
• Check constantly for signs of detection by target/victim
• Continuously gather data which allows to refine attack
campaign

25. Advanced Persistent Techniques
TECHNIQUES
So, what are the tools of the trade used by determined
adversaries to run APT campaigns?
• Rootkits
• Control + Exfiltration logic (Command & Control servers)
• Custom partitions and file system
• Evasion
• Firmware
• Programming languages

26. Rootkits
Rootkits & Bootkits
• Program(s) designed to allow the attacker to bypass security
and maintain persistent access to a system
• Runs as early as possible, often as a low-level “helper”
programs such as services (Windows), daemons (*NIX), kernel
extensions (OS X), device drivers (various) etc.
• Bootkit: runs before the operating system is loaded
– Replace MBR (BIOS partitioned disk) or VBR (GPT partitioned disk)
with their own code
– Actually not commonly seen with APTs (great for persistence, but
easily discovered)

27. Connected or air-gapped
C&C / Data Exfiltration
• Command & Control for Internet-connected
– multiple domains registered in multiple geographies
– or use compromised infrastructure
– use of common protocols to avoid detection
• And for air-gapped targets
– could be autonomous
• perform pre-programmed actions w/no outside control
– exfiltrate data via other mechanisms
• (hardware implants, USB flash drives, etc.)

28. Storage techniques for code and data
Custom partitions and file systems
• Custom partition
– add new partition
– resize existing partition(s) – use raw area of disk
– mark a portion of existing file system as bad
• Custom file system
– can be custom format; can be compressed or encrypted
– storage of stolen data
– additional attack code
– doesn‘t have to be in a file or file system…
• Windows Registry

29. Evasion
Getting in and staying undetected
• Packers
– use commercial or open source (either as-is or modify)
– obtain custom packer from private market
– create your own
• Encryption
– use commercial or open source (either as-is or modify)
– obtain custom packer from private market
– create your own
• Avoidance Engineering
– identify tools used at target
– develop specific countermeasure to bypass

30. Firmware
Firmware
• Code residing on a chip embedded in hardware
• Required to allow computer to initialize/make use of
features not support directly by processor/motherboard
• Located in many kinds of peripherals and devices
– video card
– network card
– storage controller
– storage devices (internal and removable)
– motherboards (their own + for on-board devices)

31. Coding & Deployment
Programing Language & File Formats
• Can be any language, really.
– popular programming languages (assembly, C, C++, C#, .NET CLR)
• or unpopular (AutoLISP, LUA…)
– scripted languages (Flash, Java, JavaScript, HTML, PDF…)
• For file-based deployments
– use same file formats as those at victim (PDF, Office, SWF…)
– digitally-signed, if possible/applicable
– metadata removed (or altered) to increase difficulty of forensics
– obscured using custom packers or encryption

32. Q+A Discussion

33. Thank You
WWW.ESET.COM
WWW.WELIVESECURITY.COM
aryeh.goretsky@eset.com
@goretsky (personal) / @esetna / @welivesecurity
/u/goretsky
fb.com/goretsky