An Advanced Persistent Threat Reality Check

Most victims of targeted attacks that originate from so-called advanced persistent threat (APT) attackers have been under siege for so long by the time they discover it that forensics investigators can't even trace the original machine that was infected.

The majority of the 120 victim organizations that enlisted the help of Mandiant in the past 18 months were first hit by the targeted attack two years before, according to Kevin Mandia, founder and CEO of Mandiant, which today published its annual report on APT, "MTrends: When Prevention Fails."

And there's the danger of making it harder to track or contain the perpetrators if the victim organization shares its malware sample with its antivirus company too soon. "If you're good at this, you don't share with vendors, only with your industry brethren," Mandia says, like the defense industry typically does. "Malware has a shelf life. If you share it [with too many parties], people take action and it changes the tools of the bad guy."

That's because once a signature is released for a piece of malware, the bad guys quickly reinvent it with a new variant via the backdoors they typically place in the victim organization that keeps their foothold strong. "All you've done by sharing is change the fingerprint and made the problem worse," Mandia says. Their response is just that fast, he says.

At one Fortune 50 company that Mandiant was working with in the wake of a targeted attack, around 100 people gathered one Sunday to remediate the network. But the company's antivirus vendor updated one piece of the malware, which then "destroyed" the remediation drill altogether, Mandia says. "The attackers were responding to the AV update," he says.

Eddie Schwartz, chief security officer at NetWitness, concurs that you shouldn't hand off malware samples until your breach investigation is completed. "Submitting to AV vendors early takes the control of the incident out of your hands because of how the APT operates, commonly activating secondary systems when primary ones are discovered," Schwartz says. And a virus definition update would wipe out the malware you were analyzing, thus requiring you start your investigation all over again.

It's not about preventing a targeted attack from the ATP adversary, which typically hails from various organized groups out of China who are hell-bent on snatching as much information as they can. It's more like a game of chess, where businesses and government agencies have to assume the ATP perpetrators are inside and focus on predicting, detecting, and responding to their moves, according to Mandiant's report.

The biggest shift during the past year is the volume of these attacks and the wider scope of industries being targeted. Mandia says he believes these attacks mostly go under the radar screen; his firm sees only about 2 percent of them. In the past 18 months, 42 percent of these victims were commercial firms, with law firms surprisingly representing 10 percent of that sector. "Law firms are getting absolutely hammered," he says, but no one knows for sure why.

It's possible these firms have become collateral damage from other hacks that resulted in access to the firm's email addresses or other information, according to Mandia. "We haven't seen a pattern" to explain it, he says.

And the initial attack vector for most of the cases Mandiant investigated were either email-borne or from improperly remediated cases where the attackers were still inside even though the victim had thought it had eradicated them.

"We see a number of APT attacks in our work with customers," NetWitness' Schwartz says. "The volume of victims has gone up across the board, as well as the number of platform-independent vectors for exploitation, which is far more worrisome. The public hears about very few of the actual compromises of organizations."

And even more disconcerting is that victim organizations aren't likely to be able to discern everything the victims stole or accessed by APT actors. "We don't see them doing keyword searches, so we can't tell that they are searching for this or that," Mandia says. These attackers typically are cagier about what they are actually after: It appears they are rewarded by the volume of information they grab, he says.

"A real APT never really damages anything. They tweak a log file here and there ... They are stealing stuff, but you still have your copy. You never see them taint it," he says.

Mandiant has witnessed APT attackers stealing PKI credentials and even hacking smartcard readers to grab credentials to various systems.

"We have seen cybercriminals successfully bypass two-factor authentication in banking systems for years. Likewise, a common activity for Zeus is to steal any local PKI certs it finds," NetWitness' Schwartz says. "A great example [is] the Kneber Zeus botnet we reported on in 2010. There also have been multiple pieces of malware in the recent past that have been legitimately signed, which points to the theft and use of software certs: Stuxnet is a great example here."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.