To Catch An APT

It's not about prosecuting the nameless, faceless attackers behind these relentless targeted attacks -- it's about minimizing the damage they incur
This is the second installment of a two-part series on security in the "Age Of The APT." Part one is here.

An advanced persistent threat (APT) attacker probably already has infiltrated your network: That's the new normal in security. But what can you do about it?

It's a matter of moving beyond the traditional mindset of thinking purely in terms of prevention. "We're trying to help people to think beyond intrusion prevention to post-infection detection and mitigation," says Will Irace, director of research for Fidelis.

Accepting the premise that the attackers are already inside can be unsettling -- even shocking -- to some organizations, but the reality is that these cyberespionage attacks have evolved from a military/Defense Department problem to one plaguing various corners of the commercial world as well. "Previously, it was the military, then it was government actors, then it was the Defense industrial base. We've seen the same actors continue to expand the number of their targets" to commercial firms in oil and gas, pharmaceuticals, and other areas, says Richard Bejtlich, CSO and vice president of managed services for Mandiant. "That to me is pretty amazing -- that they target so many different victims now."

Bejtlich says despite the ongoing and recurrent nature of these attacks, victim organizations eventually get better at staving them off. "The first time anyone deals with this, it's like nothing they’ve ever had to deal with before. That there is somebody out there after you, and they will not give up and will always keep trying to get back into your organization, is new for most people" to face, he says. "It may take [as long as] a couple of years, but we [ultimately] do see improvement" in how victim organizations defend against these targeted attacks.

Few of these attacks ever see the light of day in terms of public disclosure. A widespread cyberespionage attack targeting high-level officials at multiple civilian federal government agencies has been under way and under investigation for months now. The attackers used sophisticated malware and an SSL-encrypted connection for siphoning information from the targeted agencies, sending it back to their home servers.

The goal is to detect these types of attacks as quickly as possible, and to minimize the amount of exposure or loss of your intellectual property or trade secrets, for example. "How do you reduce the window of opportunity you have so they are not in your organization for weeks or months ... so you can detect them in a time frame of hours or days?" says Eddie Schwartz, CSO, at RSA Security. "That requires having access to all potential data related to the security problem."

Schwartz says unlike a traditional security event, with an APT-type attack you can't make a decision based on a single log or firewall event. "An end user account banging away at a system it normally doesn’t have access to," for instance, is just one piece of the targeted attack, he says.

"With an advanced attack, you have to ask, 'Is this part of something that has 10 to 12 other moving parts you need to track down and chase in the entire chain until we start killing it off [fully]?'" he says.

But these type of attacks are difficult to detect, and many organizations are still relying solely on prevention-oriented tools, such as signature-based technology and firewalls. APT attackers tend to favor zero-day vulnerabilities, or exploiting gaping holes within the targeted firm's infrastructure. The first step in most cases is to social-engineer an unsuspecting user, often with an email message purporting to be from someone he knows, or within his industry, and it carries its payload of a malicious attachment or URL that, when opened, gives the attacker a foot in the door.

The ideal defense against an APT attacker, security experts say, is a combination of the traditional preventative tools plus real-time monitoring of their networks and systems. But many tools today are looking at different pieces of the infrastructure, and making sense of all of the events and logs is often a painstakingly manual job. That just gives the attacker more time and opportunity to burrow further into the victim organization, often getting layers deep such that it's difficult to root them out.

Bottom line: There's no silver bullet today to defend and mitigate against these targeted attacks, experts says.

"Most of the monitoring tools historically deployed by enterprises lack the ability to get into the weeds and present meaningful information about the relationship between content and context. Was the file Alice posted to an image-sharing site really an image, or was it an exfiltration: an encrypted blob of data posing as an image? Is there malicious VBscript in the Microsoft Office file three layers down in a Zip archive that was mailed to my HR department?" Fidelis' Irace says. "It's not enough to discover such a thing 10 days after an infection through post-hoc forensic packet analysis: We need technologies that are able to spot and kill that stuff in real-time."

Network behavioral-anomaly detection tools can help, he says, but not with content. Intrusion-prevention systems can catch some things, but don't look at the payloads, he says. "Moreover, they're optimized for defending against packet-based attacks on servers, not payload-based attacks on clients. Sandboxing technologies are helpful after the fact, but they don't provide real-time awareness or protection," Irace says.

And packet-capture tools are good for postmortem investigation. "But like sandboxing technologies, [they] can't help enterprises get into the APT fight in real-time," Irace says.

PAGE 2: Blacklisting and whitelisting defenses. Blacklisting known or recently identified command-and-control domains can go a long way to help catch an APT-born attack. "The No. 1 fastest-growing thing is beaconing detection, which IPS and IDS can use," says Richard Stiennon, chief research analyst at IT-Harvest. "But the scary ones are the ones you're not able to detect with beaconing detection, [such as when] an attacker sets up a new IP address and a new server that has never been used before ... when they get in with a zero-day and exfiltrate to [that server], he says.

"The biggest concern is that 1 percent that's extremely targeted that you're not going to detect," Stiennon says.

Whitelisting can help quell targeted attacks, he says. One criticism of whitelisting has been that many organizations don't necessarily know all of the applications that run on their systems. But newer generations of whitelisting products are able to identify those apps, he says.

Bill Boni, CISO for T-Mobile, says security professionals have to be realistic about the threat. That means assessing how to manage their exposure and how to contain such an attack, he says. "[It] represents a threat vector that any organization that is Internet-connected needs to assess," he says.

And just because you detect an APT infiltration doesn't mean you'll ever get to the real attacker or attackers, or that you will always find all of their tentacles of the breach. "What are our most important resources? How do we make sure we have access control, logging and monitoring, and controls over exfiltration?" he says.

"We know security has always been a bit of an arms race. The challenge is to make sure your organization is in the race," Boni says. "What was necessary and sufficient five years ago -- firewall, antivirus, and IDS -- is still necessary but no longer sufficient to deal with the kinds of attacks now being used against organizations. You need to [always] upgrade your tools to keep pace with the new threats."

And even if you pull together the best combination of security and monitoring tools, never underestimate the APT attacker. It's typically a well-funded, nation-state group hell-bent on getting as much information as it can siphoned out of its victim, for monetary or competitive gain. "You're not going to know how an attacker is going to circumvent [your] defenses," RSA's Schwartz says. "You have to assume they have resources equivalent to yours, and they certainly have the creativity and know-how."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.