This document summarizes a presentation on Advanced Persistent Threats (APTs) given by Aryeh Goretsky, a Distinguished Researcher at ESET. The presentation defines APTs as determined adversaries who conduct cyber attacks in phases, including reconnaissance of targets, analysis of vulnerabilities, development of tools to exploit vulnerabilities, trial runs of attacks, and implantation of attacks on targets. It discusses techniques used in APTs, such as rootkits, command and control servers, custom file systems and partitions, evasion methods, firmware attacks, and programming languages. The presentation aims to explain how to think like a determined adversary conducting a cyber attack campaign.
2. Aryeh Goretsky
Distinguished Researcher
Aryeh is ESET’s Distinguished Researcher and
has been with the company for over nine years.
A twenty-five year veteran of fighting viruses,
today he is responsible for threatscape
monitoring, investigations and working with
researchers in and outside of ESET globally.
He was the first employee at McAfee and is a
veteran of several software and networking
startups. He has received industry awards from
Microsoft, Lenovo and Securing our eCity for his
efforts to help make computing safer.
3. Agenda
What exactly is an APT?
Why I hate the term ‘APT’
Thinking like a Determined Adversary
Phases I-V
Commonly seen mechanisms
actions and technologies seen in some APTs
Defensive Technologies
modern, layered approach to malware detection
leveraging the cloud; cloud-based techniques
security beyond anti-malware
SOeC Cyber Boot Camp 2015 • Monday, June 22, 2015
4. Not on the Agenda
This is not an overview of any particular APT family
visit We Live Security for information on specific APT campaigns
This is not a deep dive
I’m here to talk about how to shoot, not make bullets
5. But before we begin…
Pop quiz later…
Vocabulary Lesson
7. GLOSSARY
Exploit (n.) – Program (or sequence of
instructions) which takes advantage of a
vulnerability. Of interest when it allows the
execution of code or elevation of privilege.
Or both.
8. GLOSSARY
Virus (n.) – A computer program that modifies
other computer programs to include a copy of
itself.
9. GLOSSARY
Worm (n.) – A computer program that spreads
copies of itself. It may do so over networks,
online services, removable media and other
channels.
10. GLOSSARY
Trojan horse (n.) – A computer program that
purports to do something useful, but instead
contains malicious code. A trojan horse does
not replicate or spread itself.
11. GLOSSARY
Computer viruses, worms, trojan horses and
other threatening programs are called
malicious software, or malware, for short.
16. What exactly is an APT?
APTs
APT is short for Advanced Persistent Threat
But what does that mean? Here’s one definition:
Advanced: the attacker was smarter than us
Persistent: the attacker was successful
Threat: we accepted risk of being attacked
(credit to Paco Hope, Cigital)
17. So, what exactly is an APT?
APTs
There is no formal definition of APT.
The term gets abused by:
• Security companies that are trying to scare you into
buying something from them.
• Companies trying to escape blame for not having
proper security controls.
18. Really, what is an APT?
APTs
Instead of APTs, I would like you to think of
Determined Adversaries
The determined adversary is the entity behind
the APT.
The APT is merely the point of the spear.
19. Thinking like a Determined Adversary
CAMPAIGN
(or how to run your attack campaign)
Phase I Reconnaissance
Phase II Analysis
Phase III R&D
Phase IV Trial Run
Phase V Implantation of Target
20. Thinking Like a Determined Adversary
CAMPAIGN
Phase I: Target Reconnaissance
• Build a map of the people and of the organization
• Identify and describe public-facing network infrastructure
• Identify tools and vendors used for network management,
infrastructure and security
But where do you get this information from?
• Company web site: press releases, job descriptions
• Social media: employees on LinkedIn, Facebook, Twitter
• Vendor press releases, support web sites
• Organizations that the company/employees belong to
• Network tools and public databases (whois, dig)
21. Thinking Like a Determined Adversary
CAMPAIGN
Phase II: Target analysis (victim selection)
• Identify vulnerabilities in people
– candidate targets for spearphishing
– weaknesses in outside vendor/organizations infrastructure
• Identify vulnerabilities in network infrastructure
– old or outdated networking gear used?
• Identify vulnerabilities in OS & apps used by target
– there’s usually something old and vulnerable… somewhere
– If not, install a vulnerable program and exploit it
• Identify vulnerabilities in security infrastructure
– old or outdated security tools used?
– hardened perimeter, but no internal controls
22. Thinking Like a Determined Adversary
CAMPAIGN
Phase III: Vulnerability R&D
• Design tools (the “APT chain”) to insert into target
organization
– build it yourself (most expensive & time-consuming)
– buy it (0-day brokers, black security companies, also expensive)
– partner with related attackers*
• The more parties you involve, the greater the risk of
attribution.
23. Thinking Like a Determined Adversary
CAMPAIGN
Phase IV: Trial Run
• Simulate target company network, test attack prototypes
– look at data
– post-mortem analysis
– refine attacks
• Refine attack chain until confidence level reaches desired
level for given attack scenario(s) (lather, rinse, repeat)
• Conduct some probes of real target to see how they are
handled using separate (and burnable) attack infrastructure
– modified copies of existing spam, regular malware, etc.
– attack fatigue on their part may increase success of novel attack
24. Thinking Like a Determined Adversary
CAMPAIGN
Phase V: Implantation of Target/Victim
• In you go!
• Slow and steady, move laterally through org
• Check constantly for signs of detection by target/victim
• Continuously gather data that allows the attack campaign to be
refined
25. Advanced Persistent Techniques
TECHNIQUES
So, what are the tools of the trade used by determined
adversaries to run APT campaigns?
• Rootkits
• Control + Exfiltration logic (Command & Control servers)
• Custom partitions and file system
• Evasion
• Firmware
• Programming languages
26. Rootkits
Rootkits & Bootkits
• Program(s) designed to allow the attacker to bypass security
and maintain persistent access to a system
• Runs as early as possible, often as low-level “helper”
programs such as services (Windows), daemons (*NIX), kernel
extensions (OS X), device drivers (various) etc.
• Bootkit: runs before the operating system is loaded
– Replace MBR (BIOS partitioned disk) or VBR (GPT partitioned disk)
with their own code
– Actually not commonly seen with APTs (great for persistence, but
easily discovered)
27. Connected or air-gapped
C&C / Data Exfiltration
• Command & Control for Internet-connected
– multiple domains registered in multiple geographies
– or use compromised infrastructure
– use of common protocols to avoid detection
• And for air-gapped targets
– could be autonomous
• perform pre-programmed actions w/no outside control
– exfiltrate data via other mechanisms
• (hardware implants, USB flash drives, etc.)
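The slide makes the point that C&C traffic hides best inside protocols the target already uses every day, so the signal a defender is left with is often not the destination or the protocol but the timing: implants check in on a schedule, people do not. The following detector is an added example written for this summary, not code from the presentation or from ESET; it runs over a handful of constructed proxy log lines (timestamp, client, destination, bytes) and flags client/destination pairs whose request spacing is suspiciously regular. The log format, hostnames and thresholds are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines in a simplified "timestamp client dest bytes"
# format. They are sample data for this example, not captured traffic.
LOG_LINES = """\
2015-06-22T09:00:00 10.1.4.22 updates.example-vendor.test 1432
2015-06-22T09:00:07 10.1.4.22 www.example-news.test 88213
2015-06-22T09:05:01 10.1.4.22 cdn-status.example.test 312
2015-06-22T09:10:00 10.1.4.22 cdn-status.example.test 298
2015-06-22T09:12:44 10.1.4.22 www.example-news.test 51000
2015-06-22T09:15:02 10.1.4.22 cdn-status.example.test 305
2015-06-22T09:19:03 10.1.4.22 www.example-news.test 64020
2015-06-22T09:20:01 10.1.4.22 cdn-status.example.test 310
2015-06-22T09:25:00 10.1.4.22 cdn-status.example.test 301
2015-06-22T09:30:01 10.1.4.22 cdn-status.example.test 299
2015-06-22T09:41:10 10.1.4.22 www.example-news.test 70310
"""


def parse_line(line):
    """Split one log line into (datetime, client, destination, bytes)."""
    ts, client, dest, size = line.split()
    return datetime.fromisoformat(ts), client, dest, int(size)


def find_beacons(lines, min_requests=4, max_cv=0.1):
    """Flag (client, dest) pairs whose inter-request intervals are nearly constant.

    The coefficient of variation (stdev / mean) of the intervals is the test:
    human browsing of a site is bursty (high CV), a timer-driven check-in is
    flat (CV near zero). min_requests avoids judging on too few samples.
    """
    times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, dest, _size = parse_line(line)
        times[(client, dest)].append(ts)

    findings = []
    for (client, dest), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append({
                "client": client,
                "dest": dest,
                "requests": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES.splitlines()):
        print(f"{hit['client']} -> {hit['dest']}: {hit['requests']} requests, "
              f"every {hit['mean_interval_s']} s (cv={hit['cv']})")
```

In the sample, the news site is visited four times at irregular intervals and is ignored, while the innocuous-looking status host is hit every 300 seconds with a jitter of a second or two and is reported. On real data the same logic runs per day over proxy or DNS logs; the small, near-identical response sizes on the beaconing host are a second signal worth adding to the score.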
28. Storage techniques for code and data
Custom partitions and file systems
• Custom partition
– add new partition
– resize existing partition(s) – use raw area of disk
– mark a portion of existing file system as bad
• Custom file system
– can be custom format; can be compressed or encrypted
– storage of stolen data
– additional attack code
– doesn't have to be in a file or file system…
• Windows Registry
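Slides 26 and 28 describe two things a defender can check from the first sector of a disk: whether the MBR boot code still matches a known-good copy (a bootkit replaces it), and whether the partition table leaves raw, unclaimed areas of the disk where a custom partition or file system could live. The following parser is an added example for this summary, not code from the presentation or from ESET. It parses a 512-byte MBR, fingerprints the boot code against a recorded baseline, and reports unallocated sector ranges; the two MBRs it inspects are constructed in the script, and the boot-code bytes, partition sizes and 1 MiB gap threshold are assumptions made for the example.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
BOOT_CODE_LEN = 446        # bytes 0-445 hold the boot loader code
# One 16-byte partition entry: status, CHS start (skipped), type,
# CHS end (skipped), LBA start, sector count.
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes):
    """Split a 512-byte MBR into its boot code and its non-empty partition entries."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, ptype, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0 and count != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start": start, "end": start + count - 1})
    return mbr[:BOOT_CODE_LEN], parts


def boot_code_fingerprint(boot_code: bytes) -> str:
    """SHA-256 of the boot code; record it on a known-clean system as the baseline."""
    return hashlib.sha256(boot_code).hexdigest()


def find_unallocated(parts, disk_sectors, min_gap=2048):
    """Return (first, last) sector ranges that no partition claims.

    Gaps below min_gap sectors (1 MiB) are ignored, since the usual 2048-sector
    alignment slack before the first partition is not suspicious by itself.
    """
    gaps = []
    cursor = 1  # sector 0 is the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] - cursor >= min_gap:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if disk_sectors - cursor >= min_gap:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def check_mbr(mbr: bytes, disk_sectors: int, baseline_fingerprint: str):
    """Report boot-code drift from the baseline and unallocated disk regions."""
    boot_code, parts = parse_mbr(mbr)
    findings = []
    if boot_code_fingerprint(boot_code) != baseline_fingerprint:
        findings.append("boot code differs from recorded baseline")
    for lo, hi in find_unallocated(parts, disk_sectors):
        mib = (hi - lo + 1) * SECTOR // (1024 * 1024)
        findings.append(f"unallocated sectors {lo}-{hi} ({mib} MiB)")
    return findings


# --- constructed sample data (not from any real disk) -----------------------
def build_mbr(boot_code: bytes, entries):
    """Assemble an MBR from boot code plus (status, type, lba_start, count) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    table += b"\x00" * (16 * (4 - len(entries)))
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + MBR_SIGNATURE


DISK_SECTORS = 20_971_520                        # a 10 GiB disk
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # placeholder boot code bytes
ROGUE_BOOT = b"\xeb\xfe" + b"\x90" * 6            # placeholder replacement code

# Clean layout: 512 MiB first partition, second partition runs to end of disk.
CLEAN_MBR = build_mbr(CLEAN_BOOT, [(0x80, 0x07, 2048, 1_048_576),
                                   (0x00, 0x07, 1_050_624, 19_920_896)])
# Tampered layout: boot code swapped, second partition shrunk by 511 MiB so a
# raw area at the end of the disk is left for attacker code or stolen data.
TAMPERED_MBR = build_mbr(ROGUE_BOOT, [(0x80, 0x07, 2048, 1_048_576),
                                      (0x00, 0x07, 1_050_624, 18_874_368)])


def demo():
    """Baseline on the clean MBR, then check both MBRs against it."""
    baseline = boot_code_fingerprint(parse_mbr(CLEAN_MBR)[0])
    return (check_mbr(CLEAN_MBR, DISK_SECTORS, baseline),
            check_mbr(TAMPERED_MBR, DISK_SECTORS, baseline))


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean disk:", clean or "no findings")
    print("tampered disk:", tampered)
```

Two caveats apply in practice. A rootkit already running on the host can lie to the tool that reads sector 0 (the disk and file I/O redirection the notes mention), so the sector should be read from a forensic image or from boot media rather than the live system. And the same idea carries over to GPT disks, where the protective MBR, the GPT header CRCs and the partition array are the things to baseline.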
29. Evasion
Getting in and staying undetected
• Packers
– use commercial or open source (either as-is or modify)
– obtain custom packer from private market
– create your own
• Encryption
– use commercial or open source (either as-is or modify)
– obtain custom packer from private market
– create your own
• Avoidance Engineering
– identify tools used at target
– develop specific countermeasure to bypass
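Packers and encryption, whether bought, borrowed or home-grown, share one measurable side effect: the protected bytes look random, and random bytes have high Shannon entropy. The triage routine below is an added example for this summary, not code from the presentation or from ESET. It computes per-window entropy over a file, merges adjacent high-entropy windows into regions, and returns a summary a defender can use to queue a sample for closer analysis; the sample file is assembled in the script from low-entropy filler and pseudo-random bytes, and the window size and 7.0-bit threshold are assumptions made for the example.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) up to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window=1024, threshold=7.0):
    """Return (start, end) byte ranges made of windows above the entropy threshold.

    Adjacent hot windows are merged so one packed or encrypted blob is reported
    as a single region rather than a run of fragments.
    """
    regions = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if shannon_entropy(chunk) >= threshold:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], off + len(chunk))
            else:
                regions.append((off, off + len(chunk)))
    return regions


def triage(data: bytes, window=1024, threshold=7.0):
    """Summarise a file for a malware triage queue."""
    regions = high_entropy_regions(data, window, threshold)
    covered = sum(end - start for start, end in regions)
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "high_entropy_regions": regions,
        "high_entropy_fraction": round(covered / len(data), 2) if data else 0.0,
    }


# --- constructed sample (not a real binary) ---------------------------------
def _plain_blob(n):
    """Low-entropy filler imitating code and strings in an unpacked binary."""
    text = b"MOV EAX,[EBP+8]; PUSH EAX; CALL 0x401000; ADD ESP,4; RET\r\n"
    return (text * (n // len(text) + 1))[:n]


def _opaque_blob(n, seed=7):
    """Deterministic pseudo-random bytes standing in for an encrypted payload."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# 4 KiB of plain content, a 4 KiB opaque blob, then 2 KiB of plain content.
SAMPLE = _plain_blob(4096) + _opaque_blob(4096) + _plain_blob(2048)


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"size={result['size']} entropy={result['entropy']} "
          f"regions={result['high_entropy_regions']} "
          f"fraction={result['high_entropy_fraction']}")
```

Entropy alone is not a verdict: legitimate installers, compressed resources and media files score just as high. What it gives the analyst is a cheap first filter and a map of where inside a file the opaque part sits, which is where unpacking or memory-dump work should start. Tools in this space usually go on to compare entropy per PE section and against the section names the slide's commercial packers leave behind.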
30. Firmware
Firmware
• Code residing on a chip embedded in hardware
• Required to allow computer to initialize/make use of
features not supported directly by processor/motherboard
• Located in many kinds of peripherals and devices
– video card
– network card
– storage controller
– storage devices (internal and removable)
– motherboards (their own + for on-board devices)
31. Coding & Deployment
Programming Language & File Formats
• Can be any language, really.
– popular programming languages (assembly, C, C++, C#, .NET CLR)
• or unpopular (AutoLISP, Lua…)
– scripted languages (Flash, Java, JavaScript, HTML, PDF…)
• For file-based deployments
– use same file formats as those at victim (PDF, Office, SWF…)
– digitally-signed, if possible/applicable
– metadata removed (or altered) to increase difficulty of forensics
– obscured using custom packers or encryption
It’s an initialism
Source for quote: https://twitter.com/pacohope/status/563247237472747521
Basically, APT has become the 21st century corporate version of “The dog ate my homework.”
And those are the five fingers of death.
Looking for weaknesses
Executives, secretaries, non-technical people who might be running software that requires admin access (legacy accounting apps, anyone?)
Remember, Target malware came in through HVAC contractor…
Also watering hole attack
HEARTBLEED attack, anyone?
(crunchy on the outside, soft and chewy inside)
You can build everything yourself, as a certain attacker might have done to inject malware into another’s nuclear production facilities.
*not really an option for non-government/non-government sanctioned attackers, but it is for some if the DA is gov-based/supposed.
Go through a process of continuous product refinement until you have an attack chain that meets your criteria for success
Take your time, carefully mapping not just infrastructure, but whom your victim typically communicates with
Don’t immediately start running nmap or hammering attacks against domain controllers, that kind of stuff gets you noticed
A rootkit is a program whose purpose is two-fold:
allow an attacker backdoor access to a system
allow an attacker to maintain that access
Often using stealthy mechanisms to avoid detection (disk and file I/O redirection, log alterations, etc.)
A real good example of this was from the Windigo Campaign, which went through various techniques to ensure site operators didn’t realize their websites were compromised.
If a Determined Adversary can get their code to run before or in conjunction with the operating system loading, they can control what gets loaded, or seen, subsequently.
The boot loader on an operating system is the first piece of code which runs from disk after the hardware has initialized. On PC ISA architecture, that means the Master Boot Record when dealing with BIOS-based systems, or more recently, the Volume Boot Record for GPT/UEFI-based systems.
This is not actually a file, but rather executable code stored in the beginning sectors of a disk, whose job is to run the first file, which then loads the rest of the OS.
Bootkits often seek to disable anti-tamper mechanisms such as checks by the OS for digitally-signed code, or putting the OS into debug mode in order to allow unsigned drivers to load and so forth. This allows the bootkit to perform more complex actions at various points as the operating system loads by loading drivers, services, modifying processes in memory, etc.
Bootkits may also be responsible for stealth mechanisms, custom partition/file system initialization, and persistence (i.e., ensuring re-execution on reboot).
For C&C’s, it’s best to use lots of old (ideally 3-5+ years), unobtrusive-sounding domains that were registered a long time ago (years prior to campaign) with little or regular churn on whois data.
Having the domains registered and hosted in as many different locations as possible is best, as it complicates research and forensics into them.
Or, use compromised infrastructure, especially on some smaller, random ISP or web host which has difficulty handling security.
It’s best to use communications protocols common to the attacker, whether it’s HTTP, IRC, Twitter, the same as the company’s IM app, etc.
It’s much harder to look for a needle in a haystack when the needle looks like every other piece of straw.
Air-gapped meaning no physical connection to networks (also applies to wireless LANs, these days)
Some of the bots used to attack Estonian network infrastructure in 2007 didn’t have C&C servers, just built-in target lists and timers for when to hit them.
If the goal is just to perform a fixed set of operations, or just do damage (spin centrifuges, wipe HDDs, etc.), though, it may not need any further commands.
File system formats often tend to be FAT-like, or simple (flat-file) database structures
This is probably the one everyone’s freaking out about.
Look at Xeno Kovah’s work at MITRE.