To Catch An APT

To Catch An APT

It's not about prosecuting the nameless, faceless attackers behind these relentless targeted attacks -- it's about minimizing the damage they incur

Sep 08, 2011 | 09:37 PM | 0 Comments

By Kelly Jackson Higgins
Dark Reading

This is the second installment of a two-part series on security in the "Age Of The APT." Part one is here.

An advanced persistent threat (APT) attacker probably already has infiltrated your network: That's the new normal in security. But what can you do about it?

It's a matter of moving beyond the traditional mindset of thinking purely in terms of prevention. "We're trying to help people to think beyond intrusion prevention to post-infection detection and mitigation," says Will Irace, director of research for Fidelis.

Accepting the premise that the attackers are already inside can be unsettling -- even shocking -- to some organizations, but the reality is that these cyberespionage attacks have evolved from a military/Defense Department problem to one plaguing various corners of the commercial world as well. "Previously, it was the military, then it was government actors, then it was the Defense industrial base. We've seen the same actors continue to expand the number of their targets" to commercial firms in oil and gas, pharmaceuticals, and other areas, says Richard Bejtlich, CSO and vice president of managed services for Mandiant. "That to me is pretty amazing -- that they target so many different victims now."

Bejtlich says despite the ongoing and recurrent nature of these attacks, victim organizations eventually get better at staving them off. "The first time anyone deals with this, it's like nothing they’ve ever had to deal with before. That there is somebody out there after you, and they will not give up and will always keep trying to get back into your organization, is new for most people" to face, he says. "It may take [as long as] a couple of years, but we [ultimately] do see improvement" in how victim organizations defend against these targeted attacks.

Few of these attacks ever see the light of day in terms of public disclosure. A widespread cyberespionage attack targeting high-level officials at multiple civilian federal government agencies has been under way and under investigation for months now. The attackers used sophisticated malware and an SSL-encrypted connection for siphoning information from the targeted agencies, sending it back to their home servers.

The goal is to detect these types of attacks as quickly as possible, and to minimize the amount of exposure or loss of your intellectual property or trade secrets, for example. "How do you reduce the window of opportunity you have so they are not in your organization for weeks or months ... so you can detect them in a time frame of hours or days?" says Eddie Schwartz, CSO, at RSA Security. "That requires having access to all potential data related to the security problem."

Schwartz says unlike a traditional security event, with an APT-type attack you can't make a decision based on a single log or firewall event. "An end user account banging away at a system it normally doesn’t have access to," for instance, is just one piece of the targeted attack, he says.

"With an advanced attack, you have to ask, 'Is this part of something that has 10 to 12 other moving parts you need to track down and chase in the entire chain until we start killing it off [fully]?'" he says.

But these type of attacks are difficult to detect, and many organizations are still relying solely on prevention-oriented tools, such as signature-based technology and firewalls. APT attackers tend to favor zero-day vulnerabilities, or exploiting gaping holes within the targeted firm's infrastructure. The first step in most cases is to social-engineer an unsuspecting user, often with an email message purporting to be from someone he knows, or within his industry, and it carries its payload of a malicious attachment or URL that, when opened, gives the attacker a foot in the door.

The ideal defense against an APT attacker, security experts say, is a combination of the traditional preventative tools plus real-time monitoring of their networks and systems. But many tools today are looking at different pieces of the infrastructure, and making sense of all of the events and logs is often a painstakingly manual job. That just gives the attacker more time and opportunity to burrow further into the victim organization, often getting layers deep such that it's difficult to root them out.

Bottom line: There's no silver bullet today to defend and mitigate against these targeted attacks, experts says.

"Most of the monitoring tools historically deployed by enterprises lack the ability to get into the weeds and present meaningful information about the relationship between content and context. Was the file Alice posted to an image-sharing site really an image, or was it an exfiltration: an encrypted blob of data posing as an image? Is there malicious VBscript in the Microsoft Office file three layers down in a Zip archive that was mailed to my HR department?" Fidelis' Irace says. "It's not enough to discover such a thing 10 days after an infection through post-hoc forensic packet analysis: We need technologies that are able to spot and kill that stuff in real-time."

Network behavioral-anomaly detection tools can help, he says, but not with content. Intrusion-prevention systems can catch some things, but don't look at the payloads, he says. "Moreover, they're optimized for defending against packet-based attacks on servers, not payload-based attacks on clients. Sandboxing technologies are helpful after the fact, but they don't provide real-time awareness or protection," Irace says.

And packet-capture tools are good for postmortem investigation. "But like sandboxing technologies, [they] can't help enterprises get into the APT fight in real-time," Irace says.

PAGE 2: Blacklisting and whitelisting defenses.