Anatomy Of A Targeted, Persistent Attack

A new report published today sheds light on the steps ultra-sophisticated attackers take to gain a foothold inside governments and company networks and remain entrenched in order to steal intellectual property and other data. The bad news is these attacks -- including the recent ones on Google, Adobe, and other companies -- almost always are successful and undetectable until it's too late.

The so-called advanced persistent threat (APT) attack model and case studies outlined in the report from forensics firm Mandiant are based on real-world attacks Mandiant has probed during the past seven years in the government and private industries. Though the report describes the brand of attack that hit Google, Adobe, and 20 to 30 other organizations, Mandiant wouldn't comment on whether its forensics experts are involved in the so-called Aurora attack that allegedly came out of China.

Most of the APT attack cases that Mandiant has worked on for the past few years have had ties to China: "The vast majority of APT activity observed by MANDIANT has been linked to China," the report says. And existing security tools are no match for these attacks -- only 24 percent of the malware used in the attacks Mandiant has investigated were detected by security software, the report says.

"The fact that there is more activity around this [threat] in the past two to three weeks is good. Hopefully, this continues and gets people talking about being aware of it," says Michael Malin, executive vice president at Mandiant. "The APT is a reality; it's out there ... it's not just a government or defense issue. We're seeing it at the commercial level, as well."

As a matter of fact, Mandiant has worked with 10 percent of Fortune 100 companies on APT attacks in their organizations, according to Malin. "And we've responded to computer security incidents at 20 percent of Fortune 100 [companies]," including APT and payment card attacks.

It's not that these attacks are anything new. A published report in the Christian Science Monitor this week revealed a wave of APT attacks that occurred in 2008 against the oil industry, including Marathon Oil, ExxonMobil, and ConocoPhillips, all of which didn't realize the extent of the damage until 2009, when the FBI told them "proprietary" data had been siphoned from their computers. It's more that regulatory -- business pressures are now forcing companies like Google to own up to their victimization, security experts say.

Mandiant's Malin says APT attacks are waged by teams of hackers who go after different levels of the infrastructure: "They are going after the network level, or the host-based level," he says. "There's a lot of coordination."

And sometimes the teams don't even know the other is already inside the victim's network. Even so, they typically are working for the same cause, usually espionage, he says. And once they are in, they don't need to hack through again; they set up camp with a longer-term presence that allows them to move about the company freely and typically undetected.

"From a security point of view, there's no magic bullet" to these attacks, says Alan Shimel, CEO of The CISO Group. "Nothing is going to make you immune."

The most effective way to shut down such an attack, however, is to uncover and block the command and control (C&C) conduit between the compromised systems and the attackers, says Gunter Ollmann, vice president of research for Damballa. "Then they have to go to their backup systems and reinfect the host," Ollmann says. "The Achilles' heel is their C&C. They require interactive access to the systems to control them and to target and extricate information ... by detecting and denying that, you've muted the attack."

APT attacks typically have a correlation between political or business activity or events, Mandiant's Malin says. And they often are waged as a campaign for a specific type of information or intelligence. For example, in one series of attacks on local, state, and federal agencies that Mandiant worked on, which was featured in the report, the attackers were after counter-terrorism intelligence.

Malware used in APT attacks is basically hidden in plain sight, in a low-profile, camouflaged manner. Mandiant says the average file size is a relatively diminutive 121.85 kilobytes, and that only 10 percent of any of these backdoor programs were "packed," a technique that can be easily spotted. But more advanced attackers do pack their malware in. Among the most common file names for the malware: svchost.exe, iexplore.exe, iprinp.dll, and winzf32.dll -- all of which wouldn't raise any red flags and could easily be overlooked. Most of these attackers evade anomaly detection by using outbound HTTP connections, as well as process injection.

Mandiant's report also drew some connections between these attacks and China: The attackers mostly work during daytime hours in China, which is nighttime in the U.S., the report says. "APT-associated activity typically occurs on any given weeknight except for foreign and major U.S. holidays," the report says. "This indicates the attackers know when new information may be available for exfiltration."