Yuval Sinay - CISSP, MVP Enterprise Security 
DC9723, 20.05.2014 Meeting 
Blog: http://blogs.microsoft.co.il/yuval14/ 
LinkedIn: http://il.linkedin.com/in/yuval14/ 
e-mail: yuval14@Hotmail.com
COPYRIGHT 2014 YUVAL SINAY. (“YS”). ALL RIGHTS RESERVED. PLEASE REFER TO THE LEGAL NOTICE BELOW FOR 
TERMS OF USE. 
INFORMATION PROVIDED IN THIS POWER POINT PRESENTATION IS PROVIDED “AS IS” WITHOUT ANY EXPRESS OR 
IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, 
FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. 
NEITHER TNCI NOR ANY PARTY INVOLVED IN CREATING, PRODUCING OR DELIVERING THIS SITE SHALL BE LIABLE 
FOR ANY DIRECT, INCIDENTAL, CONSEQUENTIAL, INDIRECT OR PUNITIVE DAMAGES NOR ANY DAMAGES 
WHATSOEVER ARISING OUT OF YOUR ACCESS, USE OR INABILITY TO USE THIS SITE OR ON ANY OTHER 
HYPERLINKED WEB SITE, OR ANY ERRORS OR OMISSIONS IN THE CONTENT THEREOF. 
IN ADDITION, THE INFORMATION IN THIS POWER POINT PRESENTATION IS INTENDED TO BE USED FOR NON-
BUSINESS USE ONLY. MOREOVER, USING THE INFORMATION IN THIS POWER POINT PRESENTATION FOR NON-
BUSINESS USE IS ALLOWED ONLY BY ADDING A REFERENCE TO THE AUTHOR'S NAME AND BY UPDATING THE AUTHOR 
BEFORE PUBLISHING THE INFORMATION TO THE GENERAL AUDIENCE. 
PLEASE NOTE THAT SOME OF THE INFORMATION IN THIS POWER POINT PRESENTATION IS UNDER THE RIGHTS 
OF THIRD PARTY ORGANIZATIONS.
1. What is Advanced Persistent Threat (APT)? 
2. Common Goals of APTs 
3. What is a Botnet? 
4. What are Advanced Evasion Techniques (AET)? 
5. The Relationship Between APT, AET and Botnet 
6. APT Basic Architecture 
7. Real Life Example - STUXNET Architecture (SCADA APT) 
8. APT Intrusion Paths 
9. Common Techniques To Identify APT 
10. Real Life Example 1 - Traditional Techniques 
11. Real Life Example 2 - eMail Sandbox 
12. Real Life Example 3 - Real-time Polymorphism 
13. Real Life Example 4 - Anomaly and User Behavior Detection 
14. Summary 
15. Questions ? 
16. Bibliography
I would like to thank Dr. Gabi Siboni (Retired Colonel), the head of the Cyber research department at the 
Institute for National Security Studies (INSS), for his assistance in obtaining information on the cyber impact on Israel's 
Homeland Security. In addition, I would like to thank Mr. Nigel Willson, Chief Architect, Researcher, Author of the Nige 
the Security Guy Blog, for his assistance in obtaining background information on Advanced Persistent Threats (APT). 
Moreover, I would like to thank Guy Mizrahi, CEO at Cyberia, and Mr. Doron Ofek for providing useful 
feedback on the presentation content.
1. Please note that the information included in this Power Point Presentation doesn’t cover all the 
known techniques that can be used to identify Advanced Persistent Threats (APT). 
2. For simplicity, the information in this Power Point Presentation doesn’t provide a deep dive on Advanced 
Persistent Threats (APT) or on the common techniques used to identify Advanced Persistent Threats (APT). 
3. Please note that terms like Cyberwar don’t have a single, complete definition. Because of this, you may find 
that the terminology in this Power Point Presentation varies from other resource/s. 
4. The products included in this presentation are for illustration only and should not be taken as an opinion 
one way or another about their suitability to the needs of any organization, nor as an opinion 
about their quality. 
5. The information and views presented during this presentation concerning software or hardware do 
not in any way constitute a recommendation or an official opinion. All information presented here is 
meant to be strictly informative. Do not use the tools or techniques described here unless you are 
legally authorized to do so. 
6. All product logos and names used in this presentation are the property of their respective owners. I 
have no claim of ownership on those. I am merely using them as examples of such products.
“In 2006, the United States Air Force (USAF) analysts coined the term advanced persistent threat 
(APT) to facilitate discussion of intrusion activities with their uncleared civilian counterparts. Thus, 
the military teams could discuss the attack characteristics yet without revealing classified identities. 
[Bejtlich, 2007] 
Bejtlich explains the components of the terminology. 
 Advanced means the adversary is conversant with computer intrusion tools and techniques and 
is capable of developing custom exploits. 
 Persistent means the adversary intends to accomplish a mission. They receive directives and 
work towards specific goals. 
 Threat means the adversary is organized, funded and motivated.” 
Source: A Detailed Analysis of an Advanced Persistent Threat Malware, SANS Institute InfoSec 
Reading Room, 2011
Source: Advanced Persistent Threat (APT), Mike Shinn, U.S. NRC, 2013
 A common mistake is the assumption that an APT is based on software only. In practice, an APT 
can be based on software, hardware, social engineering, or some combination of the three. 
 “An APT can change itself while moving, in a way similar to the mutation described by 
Darwin's theory. In other words, an APT is like a bacterium that can adapt itself to 
modern antibiotics in a short time” 
Yuval Sinay, 2014
1. Theft – Intellectual Property and Industrial Espionage. 
2. Fraud. 
3. DDoS and Sabotage. 
4. Criminal Activity (e.g. Money Theft, Fraud, Cyber-Extortion, Spam, etc.) 
5. Impact on the Decision-Making Process (e.g. Integrity Violation, Data Manipulation, etc.) 
6. Deterrence and Intimidation. 
7. Economic Apocalypse. 
8. Political Act (e.g. Hacktivism, Creating Social Awareness, etc.) 
9. Cyberwar (e.g. Terror, Camouflaging an Attack, SIGINT, Creating or Escalating a Conflict 
between Countries/Organizations, etc.) 
10. Display of Capabilities. 
11. Just For Fun. 
12. Waiting For New Tasks (e.g. Backdoor). 
"War is merely the continuation of policy by other means", Carl von Clausewitz
1. How much time does it take to create an APT? 
2. How many APTs may exist in an average organization today? 
3. How many organizations would publicly report a security breach? 
4. On average, how much time does it take an organization to discover a data breach?
“The term bot is short for robot. Criminals distribute malicious software (also known as malware) 
that can turn your computer into a bot (also known as a zombie). When this occurs, your computer 
can perform automated tasks over the Internet, without you knowing it. 
Criminals typically use bots to infect large numbers of computers. These computers form a network, 
or a botnet. 
Criminals use botnets to send out spam email messages, spread viruses, attack computers and 
servers, and commit other kinds of crime and fraud. If your computer becomes part of a botnet, 
your computer might slow down and you might inadvertently be helping criminals.” 
Source: Microsoft
"An advanced evasion technique (AET) is a type of network attack that combines several different 
known evasion methods to create a new technique that's delivered over several layers of the 
network simultaneously. The code in the AET itself is not necessarily malicious; the danger is that it 
provides the attacker with undetectable access to the network. 
There are currently about 200 known evasion techniques that are recognized by vendor products. 
An AET can create literally millions of "new" evasion techniques from just a couple of combinations - 
- none of which would be recognized by current intrusion detection system (IDS) vendor products. If 
all 200 were used, the permutations would be unlimited. 
Here is a very simplified explanation for how an AET works: 
Let's say that the words "attack" and "intrude" represent two strings of known malicious code. 
When an IDS identifies those strings in a request, the system intervenes and denies entry. 
…
If, however, "kaarindtuettcr" and "tittnrrakdeuac" were part of a request, the system wouldn't 
recognize the code as simply being the well-known malicious strings "attack" and "intrude" 
combined and rearranged in a new way. The IDS would not intervene and entry would be allowed. “ 
Source: Whatis 
Please note that according to current McAfee research, there are more than 800 million AETs 
and the list is growing… 
Stonesoft demonstrates how AETs work in this short video: Anti-evasion Demo
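The simplified "attack"/"intrude" explanation above can be made concrete with a small added example (my code, not part of the presentation or of any vendor's product). It combines two evasions at the transport layer, splitting the payload into TCP segments too small to hold a whole signature and delivering them out of order, and runs the same two signatures through a per-packet matcher and through one that reassembles the stream first. The signature strings are the stand-ins from the explanation; the attack stream, segment size and sequence numbers are constructed.

```python
# Added example (not from the presentation): a per-packet signature matcher
# versus one that reassembles the TCP stream first. The two "malicious strings"
# are the stand-ins used in the simplified AET explanation; the attack stream,
# segment size and sequence numbers are constructed.

SIGNATURES = [b"attack", b"intrude"]   # constructed "known bad" content signatures


def evasive_segments(message: bytes, chunk: int = 3):
    """Two evasions combined over the transport layer: split the payload into
    tiny TCP segments (so no single segment contains a whole signature) and
    deliver them out of order. Returns a list of (sequence_number, payload)."""
    segments = [(i, message[i:i + chunk]) for i in range(0, len(message), chunk)]
    segments.reverse()           # out-of-order delivery
    return segments


def naive_ids(segments):
    """Inspects every segment on its own, the way a matcher without stream
    reassembly does. Returns the signatures it matched, sorted."""
    hits = set()
    for _seq, payload in segments:
        for sig in SIGNATURES:
            if sig in payload:
                hits.add(sig)
    return sorted(hits)


def reassemble(segments) -> bytes:
    """Rebuilds the byte stream the receiving host will see: order by sequence
    number; later data for the same offset overwrites earlier data. Which
    overwrite policy the real target uses is OS-specific, and a reassembler
    that guesses wrong is exactly what overlap-based evasions exploit."""
    stream = {}
    for seq, payload in segments:
        for offset, byte in enumerate(payload):
            stream[seq + offset] = byte
    return bytes(stream[k] for k in sorted(stream))


def reassembling_ids(segments):
    """Same signatures, but matched against the reassembled stream."""
    data = reassemble(segments)
    return sorted(sig for sig in SIGNATURES if sig in data)


if __name__ == "__main__":
    stream = evasive_segments(b"attack intrude")
    print("per-packet matcher saw:", naive_ids(stream))                 # []
    print("stream-reassembling matcher saw:", reassembling_ids(stream))  # [b'attack', b'intrude']
```

The point of the demo is the check a practitioner should run against an IDS/IPS: feed it the same known-bad content segmented, reordered and (in a fuller test) with overlapping retransmissions, and confirm it still alerts. An inspection engine that normalizes every layer (IP fragments, TCP segments, application encodings) to what the target host will actually see is the design principle the Stonesoft/McAfee material cites against AETs; matching on individual packets is not.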
AET – An intrusion technique that provides a higher rate of success. In other words, a technique that can 
be used to bypass most of the security protection layers that exist today in most 
organizations. 
Botnet – A common attack tool that is used by attackers to carry out the attack in practice. As 
noted above, an AET may be used to inject the botnet in “stealth mode” into the 
target organization. 
APTs use sophisticated techniques, like AETs, to inject hacking tools, like botnets, into the target 
organization. However, please note that APTs can be injected into the target organization by using 
other methods, like scanned documents, telephony commands, and more. 
Source: 2014 THREAT REPORT, Mandiant, A FireEye Company
Source: A Detailed Analysis of an Advanced Persistent Threat Malware, SANS Institute InfoSec Reading Room, 2011
- SCADA (Supervisory Control and Data Acquisition) 
- PLC (Programmable Logic Controller) – connects to sensors and converts sensor signals to digital data.
Source: The Real Story of Stuxnet
1. Prebuilt into the system – BIOS, Firmware, OEM OS image, etc. 
2. SMTP (e-mail) – Executable File, URL that points the end user to download an executable file (e.g. Direct 
Download, XSS, etc.), File / embedded content (e.g. HTML Code, SMTP Headers, etc.), 
Zero-Day Exploit, Multipart file that assembles itself on the endpoint, Worm, etc. 
- It is common for attackers to use “Social Engineering” techniques to convince the end 
user that the received email is a legitimate email. 
3. Web – URL that points the end user to download an executable file (e.g. Direct Download, XSS, etc.), 
Zero-Day Exploit, Executable File injected into a web site, etc. 
- It is common for attackers to use “Social Engineering” techniques to convince the end 
user that the web site or link is legitimate. 
4. Mobile Devices – Communication channels (e.g. Bluetooth, QR codes, etc.). 
5. Source Code obtained from an untrusted source (even “legitimate”, trusted source code that 
becomes contaminated can lead to exposure). 
6. Application/s Installed by end users. 
7. Automatic Update Systems, like OS patch management systems, Antivirus, etc. 
8. Application and/or Network Protocol vulnerability / Weakness. 
9. Computer Equipment (e.g. Mouse, Keyboard, Printer, Disk On Key (USB flash drive), etc.) 
10. Sound.
Source: How To Deploy the Most Effective Advanced Persistent Threat Solutions, Gartner, 2013
“Style 1 — Network Traffic Analysis 
This style includes a broad range of techniques for Network Traffic Analysis. For example, anomalous 
DNS traffic patterns are a strong indication of botnet activity. NetFlow records (and other flow record 
types) provide the ability to establish baselines of normal traffic patterns and to highlight anomalous 
patterns that represent a compromised environment. Some tools combine protocol analysis and content 
analysis. 
Style 2 — Network Forensics 
Network Forensics tools provide full-packet capture and storage of network traffic, and provide analytics 
and reporting tools for supporting incident response, investigative and advanced threat analysis needs. 
The ability of these tools to extract and retain metadata differentiates these security-focused solutions 
from the packet capture tools aimed at the network operations buyer.
Style 3 — Payload Analysis 
Using a sandbox environment, the Payload Analysis technique is used to detect malware and targeted 
attacks on a near-real-time basis. Payload Analysis solutions provide detailed reports about malware 
behavior, but they do not enable a postcompromise ability to track endpoint behavior over a period of 
days, weeks or months. Enterprises that seek that capability will need to use the incident response 
features of the solutions in Style 5 (Endpoint Forensics). The sandbox environment can reside on-premises 
or in the cloud. 
Style 4 — Endpoint Behavior Analysis 
There is more than one approach to Endpoint Behavior Analysis to defend against targeted attacks. 
Several vendors focus on the concept of application containment to protect endpoints by isolating 
applications and files in virtual containers. Other innovations in this style include system configuration, 
memory and process monitoring to block attacks, and techniques to assist with real time incident 
response. An entirely different strategy for ATA defense is to restrict application execution to only known 
good applications, also known as "whitelisting".
Style 5 — Endpoint Forensics 
Endpoint Forensics serves as a tool for incident response teams. Endpoint agents collect data from 
the hosts they monitor. These solutions are helpful for pinpointing which computers have been 
compromised by malware, and highlighting specific behavior of the malware. 
Because of the challenges in combating targeted attacks and malware, security-conscious 
organizations should plan on implementing at least two styles from this framework. The framework 
is useful for highlighting which combinations of styles are the most complementary. Effective 
protection comes from combining technologies from different rows (for example: network/payload, 
payload/endpoint or network/endpoint). The same logic applies to mixing styles from different 
columns (different time horizons). The most effective approach is to combine styles diagonally 
through the framework.” 
Source: How To Deploy the Most Effective Advanced Persistent Threat Solutions, Gartner, 2013
1. Signature-Based Detection (e.g. File Name, File Size, File Type / MIME Type, File Extension, 
Message Digest, Header Information, Archive Type, etc.). It’s common to see YARA 
rules used in this field. 
2. Content Decoding (Data Patterns). 
3. Firewall ACLs (Access Lists). 
4. IP / Domain / DNS Record Reputation Blacklists (SIGINT). 
5. Geolocation. 
6. Threshold Limits. 
7. Application Whitelisting. 
8. Embedded Objects (e.g. JavaScript, etc.). 
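As an added example of item 1 (mine, not from the presentation or any product shown in it), here are three of the traditional signature-style checks applied to an e-mail attachment: file type sniffed from header bytes compared against the extension, a double-extension check, and a message-digest denylist. The magic-byte table, the extension policy and the "known bad" sample are constructed for the example.

```python
import hashlib

# Added example (not from the presentation): a handful of the traditional,
# signature-style checks listed above applied to an e-mail attachment.
# Magic-byte table, extension policy and the "known bad" sample are constructed.

MAGIC = {                        # leading bytes -> container type
    b"MZ": "exe",                # PE executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",        # also docx/xlsx/pptx/jar
    b"\xd0\xcf\x11\xe0": "ole",  # legacy doc/xls/ppt
}
ALLOWED_EXT = {                  # which extensions may legitimately carry each type
    "exe": {"exe", "dll", "scr"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "ole": {"doc", "xls", "ppt", "msg"},
}
EXECUTABLE_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "jpg", "txt"}

# Constructed stand-in for a known-bad sample; a real denylist holds digests
# from threat intelligence feeds and previous incidents.
SAMPLE_BAD = b"MZ" + b"\x90" * 64
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD).hexdigest()}


def sniff(data: bytes) -> str:
    """File-type detection from header bytes, independent of the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(name: str, data: bytes):
    """Returns the list of findings for one attachment (empty = nothing flagged)."""
    findings = []
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)

    # 1. File type vs. extension: an "invoice.pdf" that starts with MZ is a PE file.
    if kind != "unknown" and ext not in ALLOWED_EXT[kind]:
        findings.append("type-mismatch")
    # 2. Double extension ("report.pdf.exe") hiding the executable suffix.
    if len(parts) > 2 and ext in EXECUTABLE_EXT and parts[-2] in DOCUMENT_EXT:
        findings.append("double-extension")
    # 3. Message digest against the denylist.
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        findings.append("known-bad-digest")
    return findings


if __name__ == "__main__":
    for name, data in [("invoice.pdf", b"%PDF-1.4\n"), ("invoice.pdf", b"MZ" + b"\x00" * 32),
                       ("report.pdf.exe", SAMPLE_BAD)]:
        print(name, sniff(data), inspect_attachment(name, data))
```

These checks are cheap and worth keeping, but the caveat is the thesis of this deck: renaming a file defeats the extension check, repacking it changes the digest, and an AET or real-time polymorphism never presents the static pattern the signature expects. They belong in front of, not instead of, the payload-analysis and endpoint-behavior styles in the Gartner framework quoted earlier.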
Disclaimer: The information expressed here is meant only to be informative and does not imply a recommendation
From FortiSandbox-3000D-Gen2 Datasheet: 
Invincea Solution: A DFIR Analysis of a Word Document Spear-Phish Attack: 
Shapesecurity.com solution- rewrite a site’s code: 
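To show what "rewriting a site's code" on every page load means in practice, here is an added example of my own (not Shape Security's product and not from the presentation): the field names of one login form are replaced with keyed aliases that differ per page load, and the server recomputes them on submission instead of storing a mapping. A script that posts the static names it learned once, or replays names from an earlier page load, is rejected. The form HTML, the server key and the assumption that the page identifier comes back to the server in a cookie are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Added example (not from the presentation and not Shape Security's product):
# real-time polymorphism reduced to its core, applied to one login form.
# The form HTML, the server key and the way the page identifier reaches the
# server (assumed: a cookie set together with the page) are constructed.

ORIGINAL_FORM = (
    '<form action="/login" method="post">'
    '<input name="username">'
    '<input name="password" type="password">'
    '<input name="csrf_token" type="hidden" value="t0k3n">'
    '</form>'
)
FIELD_RE = re.compile(r'name="([^"]+)"')


def alias(server_key: bytes, page_id: str, field: str) -> str:
    """Field name served for this page load. Keyed with HMAC so the server can
    recompute it on submission without storing a per-page mapping."""
    mac = hmac.new(server_key, f"{page_id}:{field}".encode(), hashlib.sha256)
    return "f_" + mac.hexdigest()[:16]


def rewrite_form(html: str, server_key: bytes, page_id=None):
    """Rewrite every field name for this page load. Returns (html, page_id)."""
    page_id = page_id or secrets.token_hex(8)
    rewritten = FIELD_RE.sub(
        lambda m: f'name="{alias(server_key, page_id, m.group(1))}"', html)
    return rewritten, page_id


def restore_submission(form_data: dict, page_id: str, server_key: bytes, expected_fields):
    """Map the aliased names back to the real ones. Returns None when a field is
    missing: the request used the static names (a script that never loaded the
    page) or aliases from a different page load (a replay)."""
    restored = {}
    for field in expected_fields:
        key = alias(server_key, page_id, field)
        if key not in form_data:
            return None
        restored[field] = form_data[key]
    return restored


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    html, page = rewrite_form(ORIGINAL_FORM, key)
    print(html)                          # field names differ on every run
    static = {"username": "bot", "password": "x", "csrf_token": "t0k3n"}
    print(restore_submission(static, page, key, ["username", "password", "csrf_token"]))  # None
```

The design point is that the rewrite has to happen per request, with the alias bound to something the client cannot choose (here the keyed page identifier), otherwise an attacker simply learns the new names once; and the CSRF token, session cookie and input validation still have to be there, since polymorphism only raises the cost of automation, it does not authenticate the user.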
“1. Statistical Methods. Statistical methods monitor the user or system behavior by measuring 
certain variables over time (e.g. login and logout time of each session in intrusion detection 
domain). The basic models keep averages of these variables and detect whether thresholds are 
exceeded based on the standard deviation of the variable. More advanced statistical models also 
compare profiles of long-term and short-term user activities. 
2. Distance based Methods. Distance based approaches attempt to overcome limitations of 
statistical outlier detection approaches and they detect outliers by computing distances among 
points. Several distance based outlier detection algorithms have been recently proposed for 
detecting anomalies in network traffic. These techniques are based on computing the full 
dimensional distances of points from one another using all the available features, and on computing 
the densities of local neighborhoods. 
Source: Anomaly Detection / Outlier Detection in Security Applications, Aleksandar Lazarevic 
3. Rule based systems. Rule based systems used in anomaly detection characterize normal behavior 
of users, networks and/or computer systems by a set of rules. 
4. Profiling Methods. In profiling methods, profiles of normal behavior are built for different types 
of network traffic, users, programs etc., and deviations from them are considered as intrusions. 
Profiling methods vary greatly ranging from different data mining techniques to various heuristic-based 
approaches. In this section, we provide an overview of several distinguished profiling 
methods for anomaly detection. 
5. Model based approaches. Many researchers have used different types of models to characterize 
the normal behavior of the monitored system. In the model-based approaches, anomalies are 
detected as deviations from the model that represents the normal behavior. Very often, researchers 
have used data mining based predictive models such as replicator neural networks or unsupervised 
support vector machines.” 
Source: Anomaly Detection / Outlier Detection in Security Applications, Aleksandar Lazarevic 
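The statistical method (item 1 above: keep averages of a variable, flag values beyond a standard-deviation threshold, and compare long-term with short-term profiles) applied to the DNS case from Gartner's Style 1 text earlier in the deck, as an added example of my own (not from the presentation or from Lazarevic's paper). It counts DNS queries per hour for one host, builds a long-term profile, and flags both a single-hour spike and a slow drift of the short-term profile that no single hour would reveal. All counts are constructed.

```python
import math
import statistics

# Added example (not from the presentation): the statistical anomaly-detection
# method applied to per-host DNS query counts. All counts are constructed.

# 24 hourly DNS query counts for one workstation (the long-term profile).
BASELINE = [40, 38, 45, 42, 39, 41, 44, 40, 43, 37, 42, 41,
            39, 44, 40, 42, 38, 41, 43, 40, 39, 42, 41, 40]


def profile(baseline):
    """Mean and sample standard deviation of the learning window."""
    return statistics.fmean(baseline), statistics.stdev(baseline)


def flag_hours(observations, baseline, k=3.0):
    """Single-variable threshold: flag hours whose count is more than k standard
    deviations from the long-term mean. Returns [(hour, count, z), ...]."""
    mean, sd = profile(baseline)
    return [(h, x, (x - mean) / sd)
            for h, x in enumerate(observations) if abs(x - mean) > k * sd]


def profile_drift(recent, baseline, k=3.0):
    """Long-term vs. short-term comparison: is the mean of the recent window more
    than k standard errors from the long-term mean? This catches a host whose
    every hour is slightly high (e.g. low-and-slow DNS tunnelling) even though
    no single hour trips flag_hours. Returns (z, drifted)."""
    mean, sd = profile(baseline)
    z = (statistics.fmean(recent) - mean) / (sd / math.sqrt(len(recent)))
    return z, abs(z) > k


if __name__ == "__main__":
    spike = [41, 39, 118, 43, 40]        # one hour of beaconing / exfiltration
    slow = [46, 45, 46, 46, 45, 46]      # every hour a little high
    print("spike hours:", flag_hours(spike, BASELINE))      # hour 2 only
    print("slow hours:", flag_hours(slow, BASELINE))        # nothing
    print("slow drift:", profile_drift(slow, BASELINE))     # drifted
```

Two caveats a practitioner would add: the baseline must be learned from data that is known to be clean, because an attacker already present during the learning window becomes "normal"; and a single profile per host ignores time-of-day seasonality, so in production the baseline is usually kept per host and per hour-of-day (or per weekday), with the same thresholds applied within each bucket.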
Tenable SecurityCenter CV: 
• We covered the basic APT architecture and its operation. 
• Today, APTs are a real threat to most organizations. 
• APTs allow a single attacker or a small group of attackers to 
achieve a high offensive capability. 
• We covered a few techniques that can be used to identify APTs. 
However, there is no silver-bullet solution when it comes to cyber 
security.
Source: APT Detection Indicators – Part 3, Nige the Security Guy Blog
Questions?
Articles (Hebrew) 
1. Introduction to Web 3.0 Security, Yuval Sinay, Digital Whisper, 2013 
2. Cyberspace and National Security: Selected Articles, Gabi Siboni, Institute for National Security Studies (INSS), 2013 
3. Cyberspace and National Security: Selected Articles, Second Volume, Gabi Siboni, Institute for National Security 
Studies (INSS), 2013 
4. Cyber Warfare: Concepts, Trends and Implications for Israel, Shmuel Even and David Siman-Tov, Institute for 
National Security Studies (INSS), 2011 
5. Domain Name System – Anomalies, Detection and Prevention, Kirill Leshchiver, Digital Whisper, 2011 
6. Evolutionary Algorithms, Introduction to Computer Science, 2008/09 academic year, Ben-Gurion University 
7. APT – Advanced Persistent Threat Attack, See Security
Books 
1. The Practice of Network Security Monitoring: Understanding Incident Detection and Response, 
Richard Bejtlich, No Starch Press, 2013 
2. Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization, 
Eric Cole, Syngress, 2012 
3. Reverse Deception: Organized Cyber Threat Counter-Exploitation, Sean Bodmer, Dr. Max Kilger, 
Gregory Carpenter, Jade Jones, McGraw-Hill Osborne Media, 2012 
4. SuperCooperators: Altruism, Evolution, and Why We Need Each Other to Succeed, Martin 
Nowak, Roger Highfield, Free Press, 2012 
5. Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats, Will Gragido, John 
Pirc, Syngress, 2011 
6. High-Throughput Next Generation Sequencing, Young Min Kwon, Steven C. Ricke (eds.), Humana Press, 2011
Articles 
1. Real-time Polymorphism, A new category of advanced security defenses, Shapesecurity, 2014 
2. 2014 THREAT REPORT, Mandiant, A FireEye Company 
3. Risk and responsibility in a hyperconnected world: Implications for enterprises, David Chinn, 
James Kaplan, and Allen Weinberg, McKinsey, 2014 
4. 2013-2014 DDoS Threat Landscape Report, Incapsula, 2014 
5. Protect Against Advanced Evasion Techniques Essential design principles Olli-Pekka Niemi, 
McAfee, 2014 
6. Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, NIST, 2014 
7. What are Advanced Evasion Techniques? Don't expect CIOs to know, says McAfee, John E Dunn, 
Techworld, 2014 
8. Network Security Redefined Vectra’s cybersecurity thinking machine detects and anticipates 
attacks in real time, Vectra Networks, Inc., 2014 
9. An Agent-Based Framework for Dynamical Understanding of DNS Events (DUDE), H. Van Dyke 
Parunak, Alex Nickels, Richard Frederiksen, Soar Technology, Inc., 2014
Articles - Continue 
10. AlienVault Finds Only Two Percent of Companies Would Publicly Report a Security Breach, 2014 
11. ThreatConnect: Indicator for Suspicious Behavior and Malware, Paul Asadoorian, 2014 
12. A DFIR Analysis of a Word Document Spear-Phish Attack, Armon Bakhshi, Invincea, 2014 
13. A “Kill Chain” Analysis of the 2013 Target Data Breach, COMMITTEE ON COMMERCE, SCIENCE, 
AND TRANSPORTATION, MAJORITY STAFF REPORT FOR CHAIRMAN ROCKEFELLER MARCH 26, 
2014 
14. 2014 DATA BREACH INVESTIGATIONS REPORT, Verizon 
15. Best Practices for Mitigating Advanced Persistent Threats (G00256438), Lawrence Pingree, Neil 
MacDonald, Peter Firstbrook, Gartner, 2013 
16. Evading Deep Inspection for Fun and Shell, Olli-Pekka Niemi, Antti Levomäki, Stonesoft 
Corporation Helsinki, Finland, 2013 
17. Gartner: 'Five Styles of Advanced Threat Defense' can protect enterprise from targeted attacks, 
Ellen Messmer, Network World, 2013 
18. Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective 
Intelligence (G00252476), Neil MacDonald, Gartner, 2013
Articles - Continue 
19. Threats on the Horizon: The Rise of the Advanced Persistent Threat, Fortinet, 2013 
20. How To Deploy the Most Effective Advanced Persistent Threat Solutions, Gartner, 2013 
21. Advanced Persistent Threat (APT), Mike Shinn, U.S. NRC, 2013 
22. The Real Story of Stuxnet, David Kushner, IEEE Spectrum, 2013 
23. CHALLENGES IN SECURING CRITICAL MARITIME INFRASTRUCTURE, Oded Blatman, 2013 
24. Using Large Scale Distributed Computing to Unveil Advanced Persistent Threats, Paul Giura, Wei 
Wang, AT&T Security Research Center, New York, 2012 
25. Protection against Advanced Evasion Techniques in Stonesoft IPS, Stonesoft, 2012 
26. A Detailed Analysis of an Advanced Persistent Threat Malware, SANS Institute InfoSec Reading 
Room, 2011 
27. Advanced Evasion Techniques Cybercriminals Up The Ante, Amit Klein, General Information, 
2011 
28. Deep Visibility over Applications, Content and Threats: How Deep Session Inspection® Can Help 
You See, Study, and Stop Advanced Threats, May 2011 
29. Fidelis XPS™ Tech Talk: Preventing Cyber Attacks With Real-Time Threat Intelligence, 2010
Articles - Continue 
30. What Is the Difference: Viruses, Worms, Trojans, and Bots?, Cisco 
31. Anomaly Detection / Outlier Detection in Security Applications, Aleksandar Lazarevic 
32. Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances, 
Steven Noel, Eric Robertson, Sushil Jajodia Center for Secure Information Systems, George 
Mason University 
33. Constructing Attack Scenarios through Correlation of Intrusion Alerts Peng Ning, Yun Cui, 
Douglas S. Reeves, Department of Computer Science NC State University 
34. USING SECURITY ATTACK SCENARIOS TO ANALYSE SECURITY DURING INFORMATION SYSTEMS 
DESIGN, Haralambos Mouratidis, Paolo Giorgini, Gordon Manson, Department of Computer 
Science, University of Sheffield, England
Video 
1. Anti-evasion Demo by Mark Boltz, Stonesoft (in Portuguese) 
Websites 
1. APT Strategy Series 
2. Advanced evasion technique (AET) 
3. What is a botnet? Microsoft 
4. http://www.spylogic.net/ 
5. http://www.vectranetworks.com/blog.html 
6. YARA in a nutshell 
7. FortiSandbox-1000D/3000D DataSheet 
8. http://www.tenable.com 
9. http://threatstream.com/ 
10. Security-onion 
11. Cyvera TRAPS™
Websites - Continue 
12. http://www.npulsetech.com/ 
13. http://www.cyber-ta.org/
Thank you!

Toward revealing Advanced Persistence Threats in your organization - Public
Toward revealing Advanced Persistence Threats in your organization - PublicToward revealing Advanced Persistence Threats in your organization - Public
Toward revealing Advanced Persistence Threats in your organization - PublicCharles Lim
 
Amien Harisen - APT1 Attack
Amien Harisen - APT1 AttackAmien Harisen - APT1 Attack
Amien Harisen - APT1 Attack
Indonesia Honeynet Chapter
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)
Digital Bond
 
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation ThreatsWeaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Lumension
 
2014 NAC candidate orientation presentation
2014 NAC candidate orientation presentation 2014 NAC candidate orientation presentation
2014 NAC candidate orientation presentation MedCouncilCan
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
F _
 

Viewers also liked (20)

Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?APT 28 :Cyber Espionage and the Russian Government?
APT 28 :Cyber Espionage and the Russian Government?
 
Security Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent ThreatsSecurity Intelligence: Advanced Persistent Threats
Security Intelligence: Advanced Persistent Threats
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
 
Visiting the Bear Den
Visiting the Bear DenVisiting the Bear Den
Visiting the Bear Den
 
Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017Sgsits cyber securityworkshop_4mar2017
Sgsits cyber securityworkshop_4mar2017
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
DamballaOverview
DamballaOverviewDamballaOverview
DamballaOverview
 
M-Trends® 2010: The Advanced Persistent Threat
 M-Trends® 2010: The Advanced Persistent Threat M-Trends® 2010: The Advanced Persistent Threat
M-Trends® 2010: The Advanced Persistent Threat
 
Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1Anomalies Detection: Windows OS - Part 1
Anomalies Detection: Windows OS - Part 1
 
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
Advanced Persistent Threat: come muoversi tra il marketing e la realtà?
 
Introduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivismIntroduction to the advanced persistent threat and hactivism
Introduction to the advanced persistent threat and hactivism
 
Toward revealing Advanced Persistence Threats in your organization - Public
Toward revealing Advanced Persistence Threats in your organization - PublicToward revealing Advanced Persistence Threats in your organization - Public
Toward revealing Advanced Persistence Threats in your organization - Public
 
Amien Harisen - APT1 Attack
Amien Harisen - APT1 AttackAmien Harisen - APT1 Attack
Amien Harisen - APT1 Attack
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)
 
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation ThreatsWeaponised Malware & APT Attacks: Protect Against Next-Generation Threats
Weaponised Malware & APT Attacks: Protect Against Next-Generation Threats
 
2014 NAC candidate orientation presentation
2014 NAC candidate orientation presentation 2014 NAC candidate orientation presentation
2014 NAC candidate orientation presentation
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
 

Similar to Common Techniques To Identify Advanced Persistent Threat (APT)

Honeypot Methods and Applications
Honeypot Methods and ApplicationsHoneypot Methods and Applications
Honeypot Methods and Applications
ijtsrd
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
Tiffany Sandoval
 
The Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarThe Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan War
Mandy Cross
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
Affine Analytics
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
IJERA Editor
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
Anton Chuvakin
 
185
185185
Seminar Report on Honeypot
Seminar Report on HoneypotSeminar Report on Honeypot
Seminar Report on Honeypot
Amit Poonia
 
Intelligent Network Surveillance Technology for APT Attack Detections
Intelligent Network Surveillance Technology for APT Attack DetectionsIntelligent Network Surveillance Technology for APT Attack Detections
Intelligent Network Surveillance Technology for APT Attack Detections
AM Publications,India
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with ai
Burhan Ahmed
 
Running Head MALWARE1MALWARE2MalwareName.docx
Running Head MALWARE1MALWARE2MalwareName.docxRunning Head MALWARE1MALWARE2MalwareName.docx
Running Head MALWARE1MALWARE2MalwareName.docx
cowinhelen
 
Integrated honeypot
Integrated honeypotIntegrated honeypot
Integrated honeypot
IAEME Publication
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD Editor
 
NetWitness
NetWitnessNetWitness
6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers
Sirius
 
Cisco cybersecurity essentials chapter 3
Cisco cybersecurity essentials chapter 3Cisco cybersecurity essentials chapter 3
Cisco cybersecurity essentials chapter 3
Mukesh Chinta
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
Mark Silver
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network Security
Kirubaburi R
 

Similar to Common Techniques To Identify Advanced Persistent Threat (APT) (20)

Honeypot Methods and Applications
Honeypot Methods and ApplicationsHoneypot Methods and Applications
Honeypot Methods and Applications
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
 
The Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarThe Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan War
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
 
185
185185
185
 
Seminar Report on Honeypot
Seminar Report on HoneypotSeminar Report on Honeypot
Seminar Report on Honeypot
 
Spyware
SpywareSpyware
Spyware
 
Intelligent Network Surveillance Technology for APT Attack Detections
Intelligent Network Surveillance Technology for APT Attack DetectionsIntelligent Network Surveillance Technology for APT Attack Detections
Intelligent Network Surveillance Technology for APT Attack Detections
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with ai
 
Running Head MALWARE1MALWARE2MalwareName.docx
Running Head MALWARE1MALWARE2MalwareName.docxRunning Head MALWARE1MALWARE2MalwareName.docx
Running Head MALWARE1MALWARE2MalwareName.docx
 
Integrated honeypot
Integrated honeypotIntegrated honeypot
Integrated honeypot
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
 
NetWitness
NetWitnessNetWitness
NetWitness
 
6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers6 Ways to Deceive Cyber Attackers
6 Ways to Deceive Cyber Attackers
 
Cisco cybersecurity essentials chapter 3
Cisco cybersecurity essentials chapter 3Cisco cybersecurity essentials chapter 3
Cisco cybersecurity essentials chapter 3
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
Honeypots for Network Security
Honeypots for Network SecurityHoneypots for Network Security
Honeypots for Network Security
 

Recently uploaded

A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 

Recently uploaded (20)

A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 

Common Techniques To Identify Advanced Persistent Threat (APT)

  • 5. 1. Please note that the information included in this Power Point Presentation does not cover all the known techniques that can be used to identify Advanced Persistent Threat (APT).
    2. For simplicity, the information in this Power Point Presentation does not provide a deep dive on Advanced Persistent Threat (APT) or on the common techniques to identify APT.
    3. Please note that terms like Cyberwar do not have a single, complete definition. Because of this, you may find that the terminology in this Power Point Presentation differs from other resources.
    4. The products included in this presentation are for illustration only; their inclusion does not state an opinion one way or another about their suitability to the needs of any organization, and should not be taken as an opinion about their quality.
    5. The information and views presented during this presentation concerning software or hardware do not in any way constitute a recommendation or an official opinion. All information presented here is meant to be strictly informative. Do not use the tools or techniques described here unless you are legally authorized to do so.
    6. All product logos and names used in this presentation are the property of their respective owners. I have no claim of ownership over them; I am merely using them as examples of such products.
  • 6. “In 2006, the United States Air Force (USAF) analysts coined the term advanced persistent threat (APT) to facilitate discussion of intrusion activities with their uncleared civilian counterparts. Thus, the military teams could discuss the attack characteristics yet without revealing classified identities. [Bejtlich, 2007] Bejtlich explains the components of the terminology.
    - Advanced means the adversary is conversant with computer intrusion tools and techniques and is capable of developing custom exploits.
    - Persistent means the adversary intends to accomplish a mission. They receive directives and work towards specific goals.
    - Threat means the adversary is organized, funded and motivated.”
    Source: A Detailed Analysis of an Advanced Persistent Threat Malware, SANS Institute InfoSec Reading Room, 2011
  • 7. Source: Advanced Persistent Threat (APT), Mike Shinn, U.S. NRC, 2013
  • 8. - A common mistake is the assumption that an APT is based on software only. In practice, an APT can be based on software, hardware, social engineering, or a combination of the three.
    - “An APT can change itself while moving, similar to a mutation that changes itself according to Darwin's theory. In other words, an APT is like a bacterium that can adapt itself to modern antibiotics in a short time.” Yuval Sinay, 2014
  • 9. 1. Theft – Intellectual Property and Industrial Espionage.
    2. Fraud.
    3. DDoS and Sabotage.
    4. Criminal Activity (e.g. Money Theft, Fraud, Cyber-Extortion, Spam, etc.).
    5. Impact on the decision-making process (e.g. Integrity Violation, Data Manipulation, etc.).
    6. Deterrence and Intimidation.
    7. Economic Apocalypse.
    8. Political Acts (e.g. Hacktivism, Creating social awareness, etc.).
    9. Cyberwar (e.g. Terror, Camouflaging an attack, SIGINT, Creating a conflict or increasing an existing conflict between countries/organizations, etc.).
    10. Displaying capabilities.
    11. Just For Fun.
    12. Waiting For New Tasks (e.g. backdoor).
    "War is merely the continuation of policy by other means", Carl von Clausewitz
  • 10. 1. How much time does it take to create an APT?
    2. How many APTs may exist in an average organization today?
    3. How many organizations would publicly report a security breach?
    4. On average, how much time does it take an organization to discover a data breach?
  • 11. “The term bot is short for robot. Criminals distribute malicious software (also known as malware) that can turn your computer into a bot (also known as a zombie). When this occurs, your computer can perform automated tasks over the Internet, without you knowing it. Criminals typically use bots to infect large numbers of computers. These computers form a network, or a botnet. Criminals use botnets to send out spam email messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. If your computer becomes part of a botnet, your computer might slow down and you might inadvertently be helping criminals.” Source: Microsoft
  • 12. "An advanced evasion technique (AET) is a type of network attack that combines several different known evasion methods to create a new technique that's delivered over several layers of the network simultaneously. The code in the AET itself is not necessarily malicious; the danger is that it provides the attacker with undetectable access to the network. There are currently about 200 known evasion techniques that are recognized by vendor products. An AET can create literally millions of "new" evasion techniques from just a couple of combinations, none of which would be recognized by current intrusion detection system (IDS) vendor products. If all 200 were used, the permutations would be unlimited. Here is a very simplified explanation for how an AET works: Let's say that the words "attack" and "intrude" represent two strings of known malicious code. When an IDS identifies those strings in a request, the system intervenes and denies entry. …
  • 13. If, however, "kaarindtuettcr" and "tittnrrakdeuac" were part of a request, the system wouldn't recognize the code as simply being the well-known malicious strings "attack" and "intrude" combined and rearranged in a new way. The IDS would not intervene and entry would be allowed." Source: Whatis. Please note that according to current McAfee research, there are more than 800 million AETs and the list is growing…
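The point of the "attack"/"intrude" illustration is that a detector which inspects pieces in isolation never sees the signature it is looking for. The following is an added example, written for this page and not part of the presentation or of the Whatis text it quotes. It models one family of the evasions described: a known signature split across several network segments that arrive out of order. A matcher that scans each segment separately misses both signatures; a matcher that first rebuilds the stream in sequence order (the normalisation an IDS has to do before matching) finds them. The signatures, segment boundaries and sequence numbers are constructed sample data.

```python
"""Reassemble before you match: why per-segment signature checks miss AETs.

Added example, not from the presentation or from the Whatis/McAfee text it
quotes. Signatures, segment boundaries and sequence numbers are constructed.
"""
from dataclasses import dataclass

# Constructed "known bad" strings, standing in for the slide's "attack"/"intrude".
SIGNATURES = [b"attack", b"intrude"]


@dataclass(frozen=True)
class Segment:
    seq: int        # byte offset of this segment within the stream
    payload: bytes


def match_per_segment(segments):
    """Naive matcher: looks for each signature inside each segment separately."""
    hits = set()
    for seg in segments:
        for sig in SIGNATURES:
            if sig in seg.payload:
                hits.add(sig)
    return hits


def reassemble(segments):
    """Rebuild the byte stream by sequence number.

    Overlapping bytes are resolved in favour of the copy seen first; a real
    IDS must apply the same policy as the receiving host, and differences
    between the two are themselves a classic evasion point.
    """
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > len(stream):
            # gap in the capture: pad so later offsets stay correct
            stream.extend(b"\x00" * (seg.seq - len(stream)))
        # keep bytes already present, append only the new tail of this segment
        stream.extend(seg.payload[len(stream) - seg.seq:])
    return bytes(stream)


def match_reassembled(segments):
    """Normalising matcher: reassemble first, then scan the whole stream once."""
    stream = reassemble(segments)
    return {sig for sig in SIGNATURES if sig in stream}


# Constructed sample: one 29-byte stream delivered as five segments, out of
# order, with both signatures cut across segment boundaries and one overlap.
SAMPLE_STREAM = b"please attack and intrude now"
SAMPLE_SEGMENTS = [
    Segment(10, b"ack and"),
    Segment(0, b"please at"),
    Segment(17, b" intr"),
    Segment(22, b"ude now"),
    Segment(9, b"ta"),       # overlaps the segment at offset 10 by one byte
]

if __name__ == "__main__":
    print("per-segment :", match_per_segment(SAMPLE_SEGMENTS))   # set()
    print("reassembled :", match_reassembled(SAMPLE_SEGMENTS))   # {b'attack', b'intrude'}
```

The overlap policy in `reassemble` is the part worth attention in a real deployment: if the sensor resolves overlapping segments differently from the endpoint it protects, the two see different streams, which is exactly the gap the slide's "800 million AETs" figure refers to.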
  • 14. Stonesoft demonstrates how AETs work in this short video: Anti-evasion Demo
  • 15. AET – An intrusion technique that provides a higher rate of success; in other words, a technique that can be used to bypass most of the security protection layers that exist today in most organizations. Botnet – A common attack tool used by attackers to carry out the attack in practice. As noted above, AET techniques may be used to inject the botnet in "stealth mode" into the target organization. APTs use sophisticated techniques, such as AET, to inject hacking tools, such as botnets, into the target organization. However, note that APTs can also be injected into the target organization by other methods, such as scanned documents, telephony commands, and more. Source: 2014 THREAT REPORT, Mandiant, A FireEye Company
  • 16. Source: A Detailed Analysis of an Advanced Persistent Threat Malware, SANS Institute InfoSec Reading Room, 2011
  • 17. - SCADA (Supervisory Control and Data Acquisition). - PLC (Programmable Logic Controller): connects to sensors and converts sensor signals to digital data.
  • 18. Source: The Real Story of Stuxnet
  • 20.
    1. Pre-built into the system – BIOS, Firmware, OEM OS, etc.
    2. SMTP – Executable file, URL that points the end user to download an executable file (e.g. Direct Download, XSS, etc.), File / embedded content (e.g. HTML Code, SMTP Headers, etc.), Zero-Day Exploit, Multipart file that builds itself on the endpoint, Worm, etc. - It is common for attackers to use "Social Engineering" techniques to convince the end user that the received email is a legitimate email.
    3. Web - URL that points the end user to download an executable file (e.g. Direct Download, XSS, etc.), Zero-Day Exploit, Executable file injected into a web site, etc. - It is common for attackers to use "Social Engineering" techniques to convince the end user that the received email is a legitimate email.
    4. Mobile Devices – Communication channels (e.g. Bluetooth, QR, etc.).
    5. Source code obtained from an untrusted source (even "legitimate" trusted source code that becomes contaminated can lead to exposure).
    6. Applications installed by end users.
    7. Automatic update systems such as OS patch management systems, Antivirus, etc.
    8. Application and/or network protocol vulnerability / weakness.
  • 21.
    9. Computer Equipment (e.g. Mouse, Keyboard, Printer, Disk On Key, etc.).
    10. Sound.
  • 22. Source: How To Deploy the Most Effective Advanced Persistent Threat Solutions, Gartner, 2013
  • 23. "Style 1 — Network Traffic Analysis
    This style includes a broad range of techniques for Network Traffic Analysis. For example, anomalous DNS traffic patterns are a strong indication of botnet activity. NetFlow records (and other flow record types) provide the ability to establish baselines of normal traffic patterns and to highlight anomalous patterns that represent a compromised environment. Some tools combine protocol analysis and content analysis.
    Style 2 — Network Forensics
    Network Forensics tools provide full-packet capture and storage of network traffic, and provide analytics and reporting tools for supporting incident response, investigative and advanced threat analysis needs. The ability of these tools to extract and retain metadata differentiates these security-focused solutions from the packet capture tools aimed at the network operations buyer.
  • 24. Style 3 — Payload Analysis
    Using a sandbox environment, the Payload Analysis technique is used to detect malware and targeted attacks on a near-real-time basis. Payload Analysis solutions provide detailed reports about malware behavior, but they do not enable a post-compromise ability to track endpoint behavior over a period of days, weeks or months. Enterprises that seek that capability will need to use the incident response features of the solutions in Style 5 (Endpoint Forensics). The sandbox environment can reside on-premises or in the cloud.
    Style 4 — Endpoint Behavior Analysis
    There is more than one approach to Endpoint Behavior Analysis to defend against targeted attacks. Several vendors focus on the concept of application containment to protect endpoints by isolating applications and files in virtual containers. Other innovations in this style include system configuration, memory and process monitoring to block attacks, and techniques to assist with real-time incident response. An entirely different strategy for ATA defense is to restrict application execution to only known good applications, also known as "whitelisting".
  • 25. Style 5 — Endpoint Forensics
    Endpoint Forensics serves as a tool for incident response teams. Endpoint agents collect data from the hosts they monitor. These solutions are helpful for pinpointing which computers have been compromised by malware, and highlighting specific behavior of the malware.
    Because of the challenges in combating targeted attacks and malware, security-conscious organizations should plan on implementing at least two styles from this framework. The framework is useful for highlighting which combinations of styles are the most complementary. Effective protection comes from combining technologies from different rows (for example: network/payload, payload/endpoint or network/endpoint). The same logic applies to mixing styles from different columns (different time horizons). The most effective approach is to combine styles diagonally through the framework." Source: How To Deploy the Most Effective Advanced Persistent Threat Solutions, Gartner, 2013
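Style 1 above rests on two ideas: a baseline of normal per-host traffic built from flow records, and anomalous DNS volume as a botnet indicator. The following added example (written for this page; it is not part of the presentation or of the Gartner report it quotes) puts the two together over NetFlow-like records. It builds, for each host, the mean and standard deviation of hourly DNS flow counts (udp/53) over a baseline window, then flags any hour in which a host exceeds mean + k * stddev of its own baseline. The record fields, host addresses and traffic volumes are constructed sample data and assumptions of the example, not values from any real capture.

```python
"""Flow-record baseline for anomalous DNS volume (the "Style 1" technique above).

Added example, not from the presentation or from Gartner. Records are
constructed sample data; the Flow field names are an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    hour: int       # hour index since the start of the capture
    src: str        # source host
    dst: str        # destination host
    proto: str      # "udp" or "tcp"
    dport: int      # destination port
    nbytes: int     # bytes in the flow


def dns_flows_per_host_hour(flows):
    """Count DNS flows (udp/53) per (source host, hour)."""
    counts = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.dport == 53:
            counts[(f.src, f.hour)] += 1
    return counts


def build_baseline(flows, baseline_hours):
    """Per-host (mean, stddev) of the hourly DNS flow count over the baseline window.

    Hours with no DNS traffic count as 0 so quiet hours are part of the
    baseline rather than silently dropped.
    """
    counts = dns_flows_per_host_hour(flows)
    baseline = {}
    for host in {f.src for f in flows}:
        series = [counts.get((host, h), 0) for h in baseline_hours]
        baseline[host] = (mean(series), pstdev(series))
    return baseline


def detect(flows, baseline, k=3.0, min_count=10):
    """Return {(host, hour): count} for hours above mean + k * stddev.

    min_count stops a host with an all-zero baseline (stddev 0) from alerting
    on its first handful of queries; a host never seen in the baseline gets
    (0, 0) and is judged on min_count alone.
    """
    counts = dns_flows_per_host_hour(flows)
    alerts = {}
    for (host, hour), n in counts.items():
        mu, sigma = baseline.get(host, (0.0, 0.0))
        if n >= min_count and n > mu + k * sigma:
            alerts[(host, hour)] = n
    return alerts


def make_sample():
    """Constructed capture: 24 baseline hours, then one observed hour (24)."""
    flows = []
    for h in range(24):
        # workstation A: 4-6 DNS flows/hour, B: 7-9 DNS flows/hour, plus some HTTPS
        flows += [Flow(h, "10.0.0.11", "10.0.0.2", "udp", 53, 80)] * (4 + h % 3)
        flows += [Flow(h, "10.0.0.12", "10.0.0.2", "udp", 53, 80)] * (7 + h % 3)
        flows.append(Flow(h, "10.0.0.11", "198.51.100.7", "tcp", 443, 4200))
    # hour 24: workstation A suddenly makes 60 DNS flows, B stays in profile
    flows += [Flow(24, "10.0.0.11", "10.0.0.2", "udp", 53, 120)] * 60
    flows += [Flow(24, "10.0.0.12", "10.0.0.2", "udp", 53, 80)] * 8
    return flows


def run_sample():
    flows = make_sample()
    baseline = build_baseline(flows, range(24))
    return baseline, detect(flows, baseline)


if __name__ == "__main__":
    baseline, alerts = run_sample()
    print(alerts)   # {('10.0.0.11', 24): 60}
```

The same per-host baseline can be kept for other flow features (bytes per DNS flow, distinct resolvers, NXDOMAIN ratio if the collector exports it); the volume count is only the simplest indicator of the "anomalous DNS traffic patterns" the quoted text refers to.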
  • 26.
    1. Signature Based Detection (e.g. File Name, File Size, File Type / MIME Type, File Extension, Message Digest, Header Information, Archive Type, etc.). It is common to see the use of YARA rules in this field.
    2. Content Decoding (Data Pattern).
    3. Firewall ACL (Access List).
    4. IP / Domain / DNS Records - Reputation Black Lists (SIGINT).
    5. Geo.
    6. Threshold Limits.
    7. Application Whitelist.
    8. Embedded Objects (e.g. JavaScript, etc.).
    Disclaimer: The information expressed here is meant only to be informative and does not imply a recommendation
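Several of the traditional checks in item 1 (file type vs. extension, message digest, header information, YARA-style string rules) fit in a few dozen lines, and seeing them side by side shows why no single one is sufficient. The following added example is written for this page and is not part of the presentation or of any vendor's product: it sniffs the content type from leading bytes and compares it with what the extension claims, checks the SHA-256 digest against a blocklist, and evaluates minimal YARA-like rules ("N of them" conditions over named byte strings). The magic-byte table is a small subset; the rules, the blocklisted digest and the three sample files are constructed for the demo and are not real indicators.

```python
"""Signature-based screening of files: declared type vs. magic bytes, digest
blocklist, and YARA-style string rules.

Added example, not from the presentation. Rules, digests and sample files
are constructed for the demo, not real indicators.
"""
import hashlib
from dataclasses import dataclass

# Leading bytes that identify a container type (small constructed subset).
MAGIC = {
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",                       # also docx/xlsx/jar
    b"MZ": "application/x-dosexec",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "application/x-ole-storage",  # legacy doc/xls
}

# What the file extension claims the content should be.
EXPECTED_TYPE = {
    "pdf": "application/pdf",
    "zip": "application/zip",
    "docx": "application/zip",
    "exe": "application/x-dosexec",
    "doc": "application/x-ole-storage",
}


def sniff_type(data):
    """Return the content type implied by the leading bytes, or octet-stream."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


@dataclass(frozen=True)
class Rule:
    """Minimal YARA-like rule: named byte strings plus an 'N of them' condition."""
    name: str
    strings: dict       # identifier -> bytes
    condition: str      # "all of them", "any of them" or e.g. "2 of them"

    def matches(self, data):
        found = [sid for sid, s in self.strings.items() if s in data]
        if self.condition == "all of them":
            return len(found) == len(self.strings)
        if self.condition == "any of them":
            return bool(found)
        needed = int(self.condition.split(" of them")[0])
        return len(found) >= needed


def scan_file(filename, data, blocklist, rules):
    """Return a sorted list of findings for one file (empty list means clean)."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    observed = sniff_type(data)
    expected = EXPECTED_TYPE.get(ext)
    if expected and observed != expected:
        findings.append(f"type mismatch: declared {ext}, observed {observed}")
    if hashlib.sha256(data).hexdigest() in blocklist:
        findings.append("digest on blocklist")
    for rule in rules:
        if rule.matches(data):
            findings.append(f"rule:{rule.name}")
    return sorted(findings)


# Constructed sample files (not real documents or malware).
SAMPLE_FILES = {
    # an executable renamed to look like a document
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode",
    # a zip container carrying macro-related markers
    "report.docx": b"PK\x03\x04" + b"\x00" * 8 + b"word/vbaProject.bin" + b"Sub AutoOpen()",
    # a benign PDF
    "brochure.pdf": b"%PDF-1.7\n%benign sample\n",
}

# Constructed blocklist: the digest of the first sample file.
KNOWN_BAD_DIGESTS = {hashlib.sha256(SAMPLE_FILES["invoice.pdf"]).hexdigest()}

RULES = [
    Rule("office_macro_markers",
         {"$vba": b"vbaProject.bin", "$auto": b"AutoOpen"}, "all of them"),
    Rule("pe_header_markers",
         {"$mz": b"MZ", "$dos": b"This program cannot be run in DOS mode"}, "all of them"),
]


def scan_all(files=SAMPLE_FILES, blocklist=KNOWN_BAD_DIGESTS, rules=RULES):
    """Scan every sample file and return {filename: findings}."""
    return {name: scan_file(name, data, blocklist, rules) for name, data in files.items()}
```

Note that only the renamed executable trips all three checks; the macro-carrying container passes the type and digest checks and is caught by the string rule alone, which is the usual argument for layering these signatures rather than relying on any one of them.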
  • 29. From FortiSandbox-3000D-Gen2 Datasheet:
  • 31. Invincea Solution: A DFIR Analysis of a Word Document Spear-Phish Attack:
  • 33. Shapesecurity.com solution - rewrite a site's code:
  • 34. "1. Statistical Methods. Statistical methods monitor the user or system behavior by measuring certain variables over time (e.g. login and logout time of each session in the intrusion detection domain). The basic models keep averages of these variables and detect whether thresholds are exceeded based on the standard deviation of the variable. More advanced statistical models also compare profiles of long-term and short-term user activities.
    2. Distance based Methods. Distance based approaches attempt to overcome limitations of statistical outlier detection approaches and they detect outliers by computing distances among points. Several distance based outlier detection algorithms have been recently proposed for detecting anomalies in network traffic. These techniques are based on computing the full dimensional distances of points from one another using all the available features, and on computing the densities of local neighborhoods. Source: Anomaly Detection / Outlier Detection in Security Applications, Aleksandar Lazarevic
  • 35. 3. Rule based systems. Rule based systems used in anomaly detection characterize normal behavior of users, networks and/or computer systems by a set of rules.
    4. Profiling Methods. In profiling methods, profiles of normal behavior are built for different types of network traffic, users, programs etc., and deviations from them are considered as intrusions. Profiling methods vary greatly ranging from different data mining techniques to various heuristic-based approaches. In this section, we provide an overview of several distinguished profiling methods for anomaly detection.
    5. Model based approaches. Many researchers have used different types of models to characterize the normal behavior of the monitored system. In the model-based approaches, anomalies are detected as deviations from the model that represents the normal behavior. Very often, researchers have used data mining based predictive models such as replicator neural networks or unsupervised support vector machines." Source: Anomaly Detection / Outlier Detection in Security Applications, Aleksandar Lazarevic
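Method 2 above (distance based outlier detection) is the one most easily misread as "just compute distances", so here is an added example written for this page, not taken from the presentation or from Lazarevic's paper, that carries it through on the kind of session data method 1 mentions (login time, session duration). Each session is a point (login hour, duration in minutes, MB transferred); the features are standardised so that no unit dominates the distance, each point is scored by the mean distance to its k nearest neighbours, and a point is an outlier when its score exceeds a multiple of the median score. The sessions, k and the multiplier are constructed sample data and assumptions of the example.

```python
"""Distance-based outlier detection on login sessions (method 2 above).

Added example, not from the presentation or from Lazarevic's paper. The
sessions, k and the cutoff multiplier are constructed for the demo.
"""
import math
from statistics import mean, median, pstdev


def standardize(points):
    """Scale each feature to zero mean / unit stddev so no unit dominates."""
    cols = list(zip(*points))
    mus = [mean(c) for c in cols]
    sds = [pstdev(c) or 1.0 for c in cols]   # guard constant features
    return [tuple((x - m) / s for x, m, s in zip(p, mus, sds)) for p in points]


def euclid(a, b):
    """Full-dimensional Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_scores(points, k):
    """Mean distance from each point to its k nearest other points."""
    scores = []
    for i, p in enumerate(points):
        dists = sorted(euclid(p, q) for j, q in enumerate(points) if j != i)
        scores.append(mean(dists[:k]))
    return scores


def detect_outliers(points, k=3, factor=3.0):
    """Indices of points whose kNN score exceeds factor * median score.

    Using the median rather than the mean keeps the cutoff stable even when
    the outliers themselves inflate the score distribution.
    """
    scores = knn_scores(standardize(points), k)
    cutoff = factor * median(scores)
    return [i for i, s in enumerate(scores) if s > cutoff]


# Constructed sessions: (login hour, minutes, MB). Twelve office-hours sessions
# and one 03:00 session that ran four hours and moved 900 MB.
SAMPLE_SESSIONS = [
    (9, 45, 12), (9, 60, 15), (10, 50, 10), (10, 90, 30), (11, 30, 8),
    (12, 75, 20), (13, 60, 18), (14, 120, 45), (15, 40, 9), (16, 80, 25),
    (17, 55, 14), (17, 100, 35),
    (3, 240, 900),
]

if __name__ == "__main__":
    for i in detect_outliers(SAMPLE_SESSIONS):
        print("outlier:", SAMPLE_SESSIONS[i])   # (3, 240, 900)
```

The standardisation step is what the quoted text means by "using all the available features": without it the MB column, with values in the hundreds, would decide every distance on its own and the unusual login hour would contribute nothing.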
  • 37. Tenable SecurityCenter CV:
  • 39. • We covered the basic APT architecture and its operation. • APTs have become a real threat for most organizations. • The use of APTs allows a single attacker or a small group of attackers to achieve high offensive capability. • We covered a few techniques that can be used to identify APTs. However, there is no silver-bullet solution when it comes to cyber security.
  • 40. Source: APT Detection Indicators – Part 3, Nige the Security Guy Blog
  • 42. Articles (Hebrew)
    1. Introduction to Web 3.0 Security, Yuval Sinay, Digital Whisper, 2013
    2. Cyberspace and National Security: Selected Articles, Gabi Siboni, Institute for National Security Studies (public benefit company), 2013
    3. Cyberspace and National Security: Selected Articles, Second Collection, Gabi Siboni, Institute for National Security Studies (public benefit company), 2013
    4. Cyber Warfare: Concepts, Trends and Implications for Israel, Shmuel Even and David Siman-Tov, Institute for National Security Studies (public benefit company), 2011
    5. Domain Name System: Anomalies, Detection and Prevention, Kiril Leshchiver, Digital Whisper, 2011
    6. Evolutionary Algorithms, Introduction to Computer Science, 5769 (2008/09), Ben-Gurion University
    7. APT - Advanced Persistent Threat Attack, See Security
  • 43. Books
    1. The Practice of Network Security Monitoring: Understanding Incident Detection and Response, Richard Bejtlich, No Starch Press, 2013
    2. Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization, Eric Cole, Syngress, 2012
    3. Reverse Deception: Organized Cyber Threat Counter-Exploitation, Sean Bodmer, Dr. Max Kilger, Gregory Carpenter, Jade Jones, McGraw-Hill Osborne Media, 2012
    4. SuperCooperators: Altruism, Evolution, and Why We Need Each Other to Succeed, Martin Nowak, Roger Highfield, Free Press, 2012
    5. Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats, Will Gragido, John Pirc, Syngress, 2011
    6. High-Throughput Next Generation Sequencing, Young Min, Ricke, Steven C., Humana Press, 2011
  • 44. Articles
    1. Real-time Polymorphism, A new category of advanced security defenses, Shapesecurity, 2014
    2. 2014 THREAT REPORT, Mandiant, A FireEye Company
    3. Risk and responsibility in a hyperconnected world: Implications for enterprises, David Chinn, James Kaplan, and Allen Weinberg, McKinsey, 2014
    4. 2013-2014 DDoS Threat Landscape Report, Incapsula, 2014
    5. Protect Against Advanced Evasion Techniques: Essential design principles, Olli-Pekka Niemi, McAfee, 2014
    6. Framework for Improving Critical Infrastructure Cybersecurity Version 1.0, NIST, 2014
    7. What are Advanced Evasion Techniques? Don't expect CIOs to know, says McAfee, John E Dunn, Techworld, 2014
    8. Network Security Redefined: Vectra's cybersecurity thinking machine detects and anticipates attacks in real time, Vectra Networks, Inc., 2014
    9. An Agent-Based Framework for Dynamical Understanding of DNS Events (DUDE), H. Van Dyke Parunak, Alex Nickels, Richard Frederiksen, Soar Technology, Inc., 2014
  • 45. Articles - Continued
    10. AlienVault Finds Only Two Percent of Companies Would Publicly Report a Security Breach, 2014
    11. ThreatConnect: Indicator for Suspicious Behavior and Malware, Paul Asadoorian, 2014
    12. A DFIR Analysis of a Word Document Spear-Phish Attack, Armon Bakhshi, Invincea, 2014
    13. A "Kill Chain" Analysis of the 2013 Target Data Breach, Committee on Commerce, Science, and Transportation, Majority Staff Report for Chairman Rockefeller, March 26, 2014
    14. 2014 Data Breach Investigations Report, Verizon
    15. Best Practices for Mitigating Advanced Persistent Threats (G00256438), Lawrence Pingree, Neil MacDonald, Peter Firstbrook, Gartner, 2013
    16. Evading Deep Inspection for Fun and Shell, Olli-Pekka Niemi, Antti Levomäki, Stonesoft Corporation, Helsinki, Finland, 2013
    17. Gartner: 'Five Styles of Advanced Threat Defense' can protect enterprise from targeted attacks, Ellen Messmer, Network World, 2013
    18. Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence (G00252476), Neil MacDonald, Gartner, 2013
  • 46. Articles - Continued
    19. Threats on the Horizon: The Rise of the Advanced Persistent Threat, Fortinet, 2013
    20. How To Deploy the Most Effective Advanced Persistent Threat Solutions, Gartner, 2013
    21. Advanced Persistent Threat (APT), Mike Shinn, U.S. NRC, 2013
    22. The Real Story of Stuxnet, David Kushner, IEEE Spectrum, 2013
    23. Challenges in Securing Critical Maritime Infrastructure, Oded Blatman, 2013
    24. Using Large Scale Distributed Computing to Unveil Advanced Persistent Threats, Paul Giura, Wei Wang, AT&T Security Research Center, New York, 2012
    25. Protection against Advanced Evasion Techniques in Stonesoft IPS, Stonesoft, 2012
    26. A Detailed Analysis of an Advanced Persistent Threat Malware, SANS Institute InfoSec Reading Room, 2011
    27. Advanced Evasion Techniques: Cybercriminals Up The Ante, Amit Klein, General Information, 2011
    28. Deep Visibility over Applications, Content and Threats: How Deep Session Inspection® Can Help You See, Study, and Stop Advanced Threats, May 2011
    29. Fidelis XPS™ Tech Talk: Preventing Cyber Attacks With Real-Time Threat Intelligence, 2010
  • 47. Articles - Continued
    30. What Is the Difference: Viruses, Worms, Trojans, and Bots?, Cisco
    31. Anomaly Detection / Outlier Detection in Security Applications, Aleksandar Lazarevic
    32. Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances, Steven Noel, Eric Robertson, Sushil Jajodia, Center for Secure Information Systems, George Mason University
    33. Constructing Attack Scenarios through Correlation of Intrusion Alerts, Peng Ning, Yun Cui, Douglas S. Reeves, Department of Computer Science, NC State University
    34. Using Security Attack Scenarios to Analyse Security During Information Systems Design, Haralambos Mouratidis, Paolo Giorgini, Gordon Manson, Department of Computer Science, University of Sheffield, England
  • 48. Video
    1. Anti-evasion Demo by Mark Boltz, Stonesoft (in Portuguese)
    Websites
    1. APT Strategy Series
    2. Advanced evasion technique (AET)
    3. What is a botnet? Microsoft
    4. http://www.spylogic.net/
    5. http://www.vectranetworks.com/blog.html
    6. YARA in a nutshell
    7. FortiSandbox-1000D/3000D DataSheet
    8. http://www.tenable.com
    9. http://threatstream.com/
    10. Security-onion
    11. Cyvera TRAPS™
  • 49. Websites - Continued
    12. http://www.npulsetech.com/
    13. http://www.cyber-ta.org/

Editor's Notes

  1. The US National Institute of Standards and Technology (NIST) defines an APT as: "An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders' efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives."