Advanced persistent threats(APT)

ADVANCED PERSISTENT
THREATS – MITIGATION
SERVICES & SOLUTIONS

From

With all the buzz surrounding the term Advanced Persistent Threats (APTs), we
decided to de-mystify the jargon and present the view from the trenches.

Advanced Persistent Threats

Document Tracker
Author Version Summary of Changes

Manasdeep November 2012 Document Created

Confidential  Network Intelligence (India) Pvt. Ltd. Page 2 of 19


NOTICE
This document contains information which is the intellectual property of Network Intelligence. This
document is received in confidence and its contents cannot be disclosed or copied without the prior
written consent of Network Intelligence.

Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied.
Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including
but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual
property or other rights of any third party or of Network Intelligence; indemnity; and all others. The
reader is advised that third parties can have intellectual property rights that can be relevant to this
document and the technologies discussed herein, and is advised to seek the advice of competent
legal counsel, without obligation of Network Intelligence.

Network Intelligence retains the right to make changes to this document at any time without notice.
Network Intelligence makes no warranty for the use of this document and assumes no responsibility
for any errors that can appear in the document nor does it make a commitment to update the
information contained herein.

Copyright
Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved.
NII Consulting, AuditPro, Firesec, NX27K is a registered trademark of Network Intelligence India Pvt.
Ltd.

Trademarks
Other product and corporate names may be trademarks of other companies and are used only for
explanation and to the owners' benefit, without intent to infringe.

NII CONTACT DETAILS
Network Intelligence India Pvt. Ltd.
204 Ecospace,Old Nagardas Road,Near Andheri Subway, Andheri (E),
Mumbai 400 069, India
Tel: +91-22-2839-2628
+91-22-4005-2628
Fax: +91-22-2837-5454
Email: info@niiconsulting.com



Contents
1. Introduction .............................................................................................................................. 5
2. Spear Phishing ........................................................................................................................... 7
3. Advanced Persistent Threat Life Cycle:....................................................................................... 8
a. Preparation............................................................................................................................ 8
b. Initial intrusion....................................................................................................................... 8
c. Expansion .............................................................................................................................. 8
d. Persistence ............................................................................................................................ 8
e. Search and Exfiltration ........................................................................................................... 8
f. Cleanup ................................................................................................................................. 9
4. Case Study Analysis: RSA SecureID hack ................................................................................... 10
5. Case Study Analysis: Operation Aurora .................................................................................... 13
6. Mitigation and early detection of an APT ................................................................................. 16
7. Security solutions to protect from APT ..................................................................................... 17
8. How can we help your organization ......................................................................................... 18
9. References............................................................................................................................... 19



1. I NTRODUCTION
Advanced Persistent Threats (APTs) are a serious concern as they represent a threat to
an organization’s intellectual property, financial assets and reputation. In some cases,
these threats target critical infrastructure and government institutions, thereby
threatening the country’s national security itself. The defensive tools and other controls
are frequently rendered ineffective because the actors behind the intrusion are focused
on a specific target and quickly adapt their ways to predict and circumvent security
controls and standard incident response practices. As a result, an effective and efficient
defence strategy requires good situational awareness and understanding.

What are Advance Persistent Threats?[2]
Advanced Persistent Threat (APT) refers to a long-term pattern of targeted hacking
attacks using subversive and stealthy means to gain continual, persistent exfiltration of
intellectual capital. The entry point for espionage activities is often the unsuspecting end-
user or weak perimeter security. Extensive research is done using social media sites,
public available documents on organization, its processes, its technology and its people
prior to craft an APT attack.

The defence doctrine in the case of APTs must change from “keeping attackers out” to
“sometimes attackers are going to get in; detect them as early as possible and minimize
the damage.”

Why the term Advanced Persistent Threats? [2]
Advanced – Attackers have a full spectrum of intelligence-gathering techniques at their
disposal. These may include computer intrusion technologies and techniques, but also
extend to conventional intelligence-gathering techniques. They often combine multiple
targeting methods, tools, and techniques in order to reach and compromise their target and
maintain access to it.

Persistent – Attackers give priority to a specific task, rather than seeking information for
financial or other gain. If the attacker loses access, they reattempt access; often
successfully. One of the attacker’s goals is to maintain long-term access to the target, in
contrast to threats that only need access to execute a specific task.

Threat – APTs are a threat because they have both capability and intent. APT attacks are
executed by coordinated human actions, rather than by mindless and automated pieces
of code. The attackers have a specific objective and are skilled, motivated, organized and
well-funded.

What makes APT's so dangerous?
 APT attacks concentrate on people first and not on infrastructure details directly.
Since people are the weakest link in the organizational security, there are more
chances of data breaches than the traditional methods used by hackers
 A simple "voluntary action" done by innocent employee by biting socially
engineered bait will bypass all the protection methods put forward by
technology.



 If people are not properly educated or trained to combat social engineering, it is
very difficult to contain the attack in the first place.
 APT's are silent, highly sophisticated, well-crafted attack paradigms which
frequently use a customized code, combination of many 0day exploits and
extensive research done on both the employees targets and the asset to be
compromised along with well-planned method to clean up all evidences of its
activities after its objective has been achieved.
 Attackers carrying out the APT are highly skilled hackers, with large resources at
their disposal to find out various ways to enter into given organization.
 Frequently, these attackers are endorsed by massive scale funding, research and
even government level support in some countries.
 The focus in APT is to obtain very specific information about the prized asset or
to perform a very specific action when it is able to reach that resource.
 This makes an APT a very stealthy attack leaving a very small forensic digital
footprint on compromised machines as it refrains from making any unwanted
"noisy" activity on the network.
 Quite difficult to detect and trace back to their original sources.
 An APT may lie dormant on compromised systems for many months or even few
years activating only when a specific action or at certain time takes place.



2. S PEAR P HISHING
Spear phishing is a deceptive communication technique in which a victim is lured via e-
mail, text or tweet by an attacker to click or download a malicious link or file. The
common objective of this technique is to compromise the victim machine by stealthily
inserting a backdoor which seeks to obtain unauthorized access to confidential data
remotely. These attempts are more likely to be conducted by attackers seeking financial
gain, trade secrets or sensitive information. Spear phishing is a popular technique used
in cyber espionage and constitutes a vital part in Advanced Persistent Threat Life Cycle.



3. A DVANCED P ERSISTENT T HREAT L IFE C YCLE [5]
a. Preparation
The “Preparation” phase includes the following aspects of the lifecycle:
 Define Target
 Find and organize accomplices
 Build or acquire tools
 Research target/infrastructure/employees
 Test for detection

APT attack and exploitation operations typically involve a high degree of preparation.
Additional assets and data may be needed before plans can be carried out. Highly
complex operations may be required before executing the exploitation plan against the
primary target(s).
b. Initia l intrusion
The “Initial Intrusion” phase includes the following aspects of the lifecycle:
 Deployment
 Initial intrusion
 Outbound connection initiated

After the attacker completes preparations, the next step is an attempt to gain a foothold
in the target’s environment. An extremely common entry tactic is the use of spear
phishing emails containing a web link or attachment.
c. Expansion
The “Expansion” phase includes the following aspects of the lifecycle:
 Expand access and obtain credentials
 Strengthen foothold

The objective of this phase is to gain access to additional systems and authentication
material that will allow access to further systems
d. Persistence

The “Persistence” phase spans numerous aspects of the lifecycle.
Overcoming a target’s perimeter defenses and establishing a foothold inside the
network can require substantial effort. Between the times APT actors establish a
foothold and the time when there is no further use for the assets or existing and future
data, APT actors employ various strategies to maintain access.
e. Search and Exfiltrati on
The “Search and Exfiltration” phase includes the following aspects.
 Exfiltrate data



The ultimate target of network exploitation is generally a resource that can be used for
future exploit(s) or documents and data that have financial or other perceived worth to
the intruder. A popular approach to search and exfiltration is to take everything from
the network that might be of interest.

Some frequently examined locations include the infected user’s documents folder,
shared drives located on file servers, the user’s local email file and email from the
central email server.

f. Cleanup
The “Cleanup” phase includes the following aspects of the lifecycle.
 Cover tracks and remain undetected
Cleanup efforts during an intrusion are focused on avoiding detection, removing
evidence of the intrusion and what was targeted and eliminating evidence of who was
behind the event. The better the APT actors are at covering their tracks, the harder it
will be for victims to assess the impact of the intrusion.



4. C ASE S TUDY A NALYSIS : RSA S ECURE ID HACK [ 3][4]
a. Brief Summary
Around March 2011, RSA SecureID system was attacked by using a sophisticated APT
attack paradigm. A series of spear-phishing emails titled "2011 Recruitment Plan" were
sent to small groups of low-profile RSA employees. Although they landed in Junk
folders, the email title was interesting enough to persuade an RSA employee to open the
Excel spreadsheet attachment.

The excel sheet was infected with (now patched) Adobe Flash zero day flaw CVE
20110609. With one Trojan compromised machine, the attackers then started
harvesting credentials and made their way up the RSA hierarchy ultimately gaining
privileged access to the targeted system. The targeted data and files were stolen, and
sent to an external compromised machine at a hosting provider.

Fortunately, RSA saw the attack and using its implementation of NetWitness, stopped it
before more damage could be done.

b. What went wrong?
Even though the SPAM filters did their job by directing the mail to Junk Folders, the
interestingly titled email was enough to entice one employee to deliberately pull out the
mail and open the attachment. This was the typical first stage of APT attack; social
engineering done via spear-phishing. The attackers collected intelligence on the
organizations’ people, not infrastructure. Then they used spear phishing email to the
employees of interest.

The 0-day installs a backdoor through Adobe Flash vulnerability (CVE-2011-0609)
which was prevalent in older versions of Adobe. Typically, Adobe Reader is seen only as
PDF file opener software and hence not patched very often as compared to mainstream
updates rolled by Microsoft Windows and Oracle which are typically licensed by the
firms.

Hence, the attackers had now found a way to sneak inside the RSA network by
vulnerabilities present in the end-point to access users’ PCs. Once inside, privilege
escalation attacks were carried out by constantly updating the Trojan remotely. When
you look at the list of users that were targeted, you don’t see any glaring insights;
nothing that spells high profile or high value targets.

c. What made the atta cks difficu lt to detect ?
The rationale of a remote administration tool is simply to allow external control of the
PC or server, are set up in a reverse-connect mode: this means they pull commands
from the central command & control servers, then execute the commands, rather than
getting commands remotely. This connectivity method makes them more difficult to



detect, as the PC reaches out to the command and control rather than the other way
around.

Since the attacks use a combination of social engineering with vulnerabilities in the end-
point to access users’ PCs. they are difficult to detect because they are activated by
"volunteering" action taken by victim and not done forcefully. Once inside the network,
they just have find our way to the intended target using privilege escalation attacks by
remotely updating and improving the trojan remotely.

d. Spreading of atta ck
Once inside the RSA network, the APT moved laterally inside the network. Still they
need users with more access, more admin rights to relevant services and servers, etc.
This was done very patiently as the attacks knew that any kind of fast and "noisy"
activity will attract attention from network monitoring tools.

The second stage comprised of attackers’ first harvesting access credentials from the
compromised users (user, domain admin, and service accounts). They performed
privilege escalation on non-administrative users in the targeted systems, and then
moved on to gain access to key high value targets, which included process experts and
IT and Non-IT specific server administrators.

When attackers think they run the risk of being detected, they move much faster and
generate much "noisy" phase of attack. Since RSA detected this attack in progress, it is
likely the attacker had to move very quickly to accomplish anything in this phase.

e. Carrying ou t the attack
In the last stage of an APT, the goal is to extract what you can. The attacker in the RSA
case established access to staging servers at key aggregation points; this was done to get
ready for extraction. Then they went into the servers of interest, removed data and
moved it to internal staging servers where the data was aggregated, compressed and
encrypted for extraction.

The attacker then used FTP to transfer many password protected RAR files from the
RSA file server to an outside staging server at an external, compromised machine at a
hosting provider. The files were subsequently pulled by the attacker and removed from
the external compromised host to remove any traces of the attack.

f. Lessons learnt
 Although, technological controls like spam filters did their job, employee
awareness about social engineering attacks was not widespread.
 Importance of securing end-point security, hardening and patch management
cycle is the most crucial factor to prevent APT from spreading.



 Network monitoring and logging policies must leave a log trail which can trace
back the activities for analysis at a later date.



5. C ASE S TUDY A NALYSIS : O PERATION A URORA [1]
a. Brief Summary
Operation Aurora was a cyber attack which began first publicly disclosed by Google on
January 12, 2010, in a blog post. In the blog post, Google said the attack originated in
China. The attacks demonstrated high degree of sophistication, with strong indications
of well resourced and consistent advanced persistent threat attack. The attack was
aimed at well placed MNC's such as Adobe Systems, Juniper Networks, Yahoo, Symantec,
Northrop Grumman, Morgan Stanley etc.

As a result of the attack, Google stated in its blog that it plans to operate a completely
uncensored version of its search engine in China "within the law, if at all". If not
possible, it may leave China and close its Chinese offices.

Research by McAfee Labs discovered that “Aurora” was part of the file path on the
attacker’s machine that was included in two of the malware binaries. The primary goal
of the attack was to gain access to and potentially modify source code repositories at
these high tech, security and defense contractor companies.

Security experts immediately noted the sophistication of the attack. Two days after the
attack became public, It was reported that attackers had exploited purported zero-day
vulnerabilities (unfixed and previously unknown to the target system developers) in
Internet Explorer. After a week, Microsoft issued a fix. Additional vulnerabilities were
found in Perforce, the source code revision software used by Google to manage their
source code.

b. Attack Ra tiona le
Corporate and state secrets espionage activity becomes bolder over time with little
public acknowledgement or response from governments.

According to a diplomatic cable from the U.S. Embassy in Beijing, a Chinese source
reported that the Chinese Politburo directed the intrusion into Google's computer
systems. The cable suggested that the attack was part of a coordinated campaign
executed by "government operatives, public security experts and Internet outlaws
recruited by the Chinese government."

The report suggested that it was part of an ongoing campaign in which attackers have
"broken into American government computers and those of Western allies, the Dalai
Lama and American businesses since 2002." Operation Aurora was largely an attack
used to gain political power and influence over western countries by Chinese
government.



c. "Operation Aurora " Working
Once a victim's system was compromised, a backdoor connection that masqueraded as
an SSL connection made connections to command and control servers running in
Illinois, Texas, and Taiwan, including machines that were running under stolen
Rackspace customer accounts. The victim's machine then began exploring the protected
corporate intranet that it was a part of, searching for other vulnerable systems as well
as sources of intellectual property, specifically the contents of source code repositories.

d. Deciphering the code: Atta ck Analysis
Operation Aurora name was coined after virus analysts found unique strings in some of
the malware involved in the attack. These strings are debug symbol file paths in source
code that has apparently been custom-written for these attacks.

The code behind Operation Aurora known samples of the main backdoor trojan appear
to be no older than 2009. It appears that development of Aurora has been in the works
for quite some time – some of the custom modules in the Aurora codebase have
compiler timestamps dating back to May 2006.

The compiler component does use a resource section, but the author was careful to
either compile the code on an English-language system, or they edited the language
code in the binary after-the-fact. So outside of the fact that PRC IP addresses have been
used as control servers in the attacks, there is no "hard evidence" of involvement of the
PRC or any agents thereof.

However, one interesting clue in the binary points back to mainland China.

The first thing that is unusual about the embedded CRC algorithm is the size of the table
of constants (the incrementing values in the left pane of the assembly listing). Most 16
or 32-bit CRC algorithms use a hard-coded table of 256 constants. The CRC algorithm
here uses a table of only 16 constants; basically a truncated version of the typical 256-
value table.

The most interesting aspect of this source code sample is that it is of Chinese origin,
released as part of a Chinese-language paper on optimizing CRC algorithms for use in
microcontrollers. The full paper was published in simplified Chinese characters, and all
existing references and publications of the sample source code seem to be exclusively
on Chinese websites. This CRC-16 implementation seems to be virtually unknown
outside of China, as shown by a Google search for one of the key variables, "crc_ta[16]".
At the time of this writing, almost every page with meaningful content concerning the
algorithm is Chinese.

This again gives a strong indicator that Operation Aurora was orchestred and funded by
the backing of federal government of China.



e. Attack’s Aftermath
The attacks were thought to have definitively ended on Jan 4 when the command and
control servers were taken down, although it is not known at this point whether or not
the attackers intentionally shut them down.

Security researchers have continued to investigate the attacks. HBGary, a security firm,
recently released a report in which they claim to have found some significant markers
that might help identify the code developer. The firm also said that the code was
Chinese language based but could not be specifically tied to any government entity.

On February 19, 2010, a security expert investigating the cyber-attack on Google, has
claimed that the people behind the attack were also responsible for the cyber-attacks
made on several Fortune 100 companies in the past one and a half years. They have also
tracked the attack back to its point of origin, which seems to be two Chinese schools,
Shanghai Jiao Tong University and Lanxiang Vocational School. As highlighted by The
New York Times, both of these schools have ties with the Chinese search engine Baidu, a
rival of Google China.

f. Lessons Learnt
 APT's are not just traditional "Malware". They are well defined, fully supported
by large organizations or governments with strong backing of well compensated
highly skilled programmers and hackers.
 The aim or an APT is to gain power, create imbalance in market by paralyzing
governments or rival corporate organizations.
 Industrial and government sponsored espionage to keep the vested interests of
competing corporate and states well satisfied.



6. M ITIGATION AND EARLY DETECTION OF AN APT
Here are some practical ways by which we can develop a proactive way to mitigate
and prevent the further spread of APT in our organization:
 Make sure that you have encryption and password features enabled on your
smart phones and other mobile devices.
 Use strong passwords, ones that combine upper and lower case letters, numbers,
and special characters, and do not share them with anyone.
 Use a separate password for every account.
 Properly configure and patch operating systems, browsers, and other software
programs.
 Use and regularly update firewalls, anti-virus, and anti-spyware programs.
 Don't use work e-mail address as a "User Name" on non-work related sites.
 Use common sense when communicating with users you DO and DO NOT know.
Do not open e-mail or related attachments from un-trusted sources.
 Don't reveal too much information about yourself on social media websites.
 Verify Location Services settings on mobile devices.
 Allow access to systems and data only by those who need it and protect those
access credentials.
 Follow your organization's cyber security policies and report violations and
issues immediately.
 Learn to recognize a phishing website. Visit https://www.phish-no-phish.com to
learn the ways to identify the same



7. S ECURITY SOLUTIONS TO PROTECT FROM APT
There are many security solutions available that address your need for protection from
APT’s. Some of the popularly used are mentioned as follows:

a. EMET
EMET it is a free utility that helps prevent vulnerabilities in software from being
successfully exploited for code execution. It does so by opt-ing in software to the latest
security mitigation technologies. The result is that a wide variety of software is made
significantly more resistant to exploitation – even against zero day vulnerabilities and
vulnerabilities for which an update has not yet been applied.

EMET Highlights
 Making configuration easy
 Enterprise deployment via Group Policy and SCCM
 Reporting capability via the new EMET Notifier feature
 Configuration

EMET 3.0 comes with three default "Protection Profiles". Protection Profiles are XML
files that contain pre-configured EMET settings for common Microsoft and third-party
applications.

b. Bit9 Parity Suite
This solution provides an extensive list of features for protection against APT’s:

Features of Bit9:
 Application Control/White-listing
 Software Reputation Service
 File Integrity Monitoring
 Threat Identification
 Device Control
 File Integrity Monitoring
 Registry Protection
 Memory Protection



8. H OW CAN WE HELP YOUR ORGANIZATION
a. Drafti ng Privileged ID Management P oli cy & Procedures
It is easy to observe that privileged IDs represent the highest risk for data leakage in the
organization. Such IDs are numerous due to the large number of systems and devices in
any network. Managing the access of these IDs and monitoring their activities is of
crucial importance for the prevention of APT Attacks. Technology solutions such as
Privileged Identity Management make this task easier. But this needs to be combined
with the right policy framework and comprehensive procedures

We can guide your organization to draft Privileged ID Management Policy & Procedures
 Privileged ID allocation – process of the approval mechanism for it
 Privileged ID periodic review – procedure for this
 Monitoring of privileged ID activities – mechanisms, and procedures for logging
and monitoring privileged IDs
 Revocation of a privileged ID – what happens when an Administrator leaves the
organization?
 How are vendor-supplied user IDs managed
 Managing shared/generic privileged IDs

b. Conducting Penetrati on 2 .0 Exercises
We engage in conducting Social Engineering exercises to demonstrate the effect that
how big an impact can be on your organization information assets data leakage. Our
Spear Phishing testing methodology will test your organization's preparedness against
social engineering attacks. Since social engineering form a vital part in APT's Life Cycle,
the results from this exercise are important indicator for your preparedness level
against an APT attack.

c. Conducting U ser Awareness Workshops
We also engage in conducting user awareness workshops to train users about the
pitfalls of getting trapped in social engineering attacks. Rather than just presenting the
theoretical concepts, we stimulate practical exercises to infuse the impact of social
engineering which can bypass all the state of art technological controls in an
organization.

d. Endpoint Securi ty Solu tions
Network Intelligence has partnered with CyberArk, Seclore, Impervia and Boole Server
to manage the privilege ID management, and achieve Confidentiality, Integrity and
Availability of files and folders present in the network. Using these state-of-art
endpoint solutions offer a peace of mind in addressing your security needs.



9. R EFERENCES
1. http://en.wikipedia.org/wiki/Operation_Aurora
2. http://en.wikipedia.org/wiki/Advanced_Persistent_Threat
3. https://blogs.rsa.com/anatomy-of-an-attack/
4. https://blogs.rsa.com/it-security-in-the-age-of-apts/
5. http://www.secureworks.com/assets/pdf-store/articles/Lifecycle_of_an_APT_G.pdf
6. http://www.issa-
sac.org/info_resources/ISSA_20100219_HBGary_Advanced_Persistent_Threat.pdf
7. http://www.ngsecurityeu.com/media/whitepapers/2012/ANRC_AdvancedPersistentT
hreats.pdf


Advanced persistent threats(APT)

More Related Content

What's hot

Similar to Advanced persistent threats(APT)

More from Network Intelligence India

Recently uploaded

Advanced persistent threats(APT)