APT2

The document discusses Advanced Persistent Threats (APTs), highlighting their characteristics, objectives, and the increasing security concerns they pose to organizations. It outlines the lifecycle of APT attacks, including stages such as reconnaissance, initial intrusion, and data extraction, while emphasizing the need for robust defense strategies. The presentation also underscores the importance of detection and anomaly monitoring to effectively combat APTs in the evolving cyber threat landscape.

Advanced Persistent Threat (APT)

A Buzzword or an Imminent Threat?

By ASHIT DALAL, PCI-DSS QSA, CRISC, CGEIT, CISA, CISM, CSSA, CPEA
Managing Consultant & Vice President -Enterprise
Risk Advisory Services
eDelta Consulting, NY , USA
EMAIL: adalal@edeltaconsulting.com /
ashitdalal@yahoo.com

Las Vegas, NV
November 14, 2012
DISCLAIMER
• The slides in the presentation are my personal
views and experience and based on the
publicly available information and not the
views of or binding on my organization in any
way….
• The presentation is purely for education,
awareness and training through ISACA.
• Background and Introduction to Advanced Persistent
Threat (APT)
• Security Concerns of APT
• Current Trends in APT Attacks
• Brief overview of key APT Vectors
• APT Lifecycle
• Defense Strategy to combat APT
• Case Studies Discussion & Lessons Learnt
• Summary & Q & A.

5 Hot Security Worries (RSA Conference 2012)
1. Securing Employees’ Smart phones & Tablets.
2. Stopping Advanced Persistent Threats
3. Curbing Social Animal Attacks
4. Securing Big Data
5. Getting better at stopping Hacktivists (like
Anonymous etc.)
Advanced Malware attacks on the rise…
• FBI warns of millions lost in fraudulent transfers to China.
• Sony PlayStation Network hacked, data on millions at risk.
• DOE-funded lab was victim to an APT attack.
• “Stars” worm targets systems in Iran.
• New report finds that most applications do not pass
Security Testing. (Source: www.scmagazines.com dated 04/26/2011)

Industry analysts estimate that on average about 50 to 100
PCs are compromised every year all over the world. This clearly
indicates that today’s network defenses are grossly inadequate
against Advanced Malware attacks.
(Source: www.arstechnica.com)
The term "Advanced Persistent Threat" (APT) was first coined by the US Air
Force in 2006 to describe complex (i.e. “Advanced”) cyber attacks against
specific targets over a longer period of time (i.e. “Persistent”).

It refers to advanced and normally clandestine means to gain continual, persistent
intelligence on an individual, or group of individuals such as a foreign nation or
state government.

A recent breach at RSA is the classic case of an APT perpetrated with razor sharp
accuracy with a specific intention and target.

Why should you care?

Advanced – The adversary is well funded and well organized.
Persistent – Constant stream of attacks (unabated).
Threat – The threat to information assets in the digital age is real.

Why APT?
• Advanced means the adversary can operate in the full spectrum of computer
intrusion. They can use the most pedestrian publicly available exploit against a well-
known vulnerability, or they can elevate their game to research new vulnerabilities
and develop custom exploits, depending on the target’s posture.
• Persistent means the adversary is formally tasked to accomplish a mission. They are
not opportunistic intruders. Like an intelligence unit they receive directives and work
to satisfy their masters. Persistent does not necessarily mean they need to constantly
execute malicious code on victim computers. Rather, they maintain the level of
interaction needed to execute their objectives.
• Threat means the adversary is not a piece of mindless code. This point is crucial.
Some people throw around the term “threat” with reference to malware. If malware
had no human attached to it (someone to control the victim, read the stolen data,
etc.), then most malware would be of little worry (as long as it didn’t degrade or
deny data). Rather, the adversary here is a threat because it is organized and funded
and motivated. Some people speak of multiple “groups” consisting of dedicated
“crews” with various missions.

Source: Richard Bejtlich’s Blog


Key Characteristics of an APT
• Targeted (to specific organizations, individuals, states, nations
etc.)
– Aurora / Google attack - Source Code targeted.
– Sony Attack- PII
– RSA Attack- IPR
• Persistent – Not one time but over a longer period.
• Evasive – can easily evade traditional security products.
• Complex – an APT comprises a complex mix of attack methods
targeting multiple vulnerabilities.
• The longer a stealthy attacker sits undetected in the enterprise
network and its endpoints, the more damage he can do.
APT’s Objectives
• Political
– Includes suppression of their own population for stability
• Business / Economic
– Theft of IP, to gain competitive advantage
• Technical
– Obtain source code for further exploit development
• Military
– Identifying weaknesses that allow inferior military forces to
defeat superior military forces
APTs are normally low & slow…
• Attackers constantly monitor the Social Networking Sites
for information they can get to gain an upper hand.
• In one case, attackers compromised their target’s trusted
third-party software provider, inserted a Trojan code into
the software update server, and waited for the software
provider to auto-update the Trojan onto the target’s
network.
• Chinese hackers enjoyed untrammeled access to the
corporate network of Nortel for over a decade, using
passwords stolen from top executives to download the
company’s IPR.
ESG Survey (12/2011) on US vulnerability to APT
A) Organization’s preparedness for an APT Attack
• Most prepared for APT – 21%
• Somewhat prepared for APT – 43%
• Poorly prepared for APT- 36%
B) Familiarity with APT
• Very familiar – 58%
• Familiar- 42%
C) Impact of APT on National Security
• Extremely concerned – 38%
• Concerned – 55%
• Neutral – 7%
Source: www.esg-global.com
The e-mail message addressed to a Booz Allen Hamilton
executive was mundane—a shopping list sent over by the
Pentagon of weaponry India wanted to buy. But the message
turned out to be a brilliant fake.

Lurking beneath the description of aircraft, engines, and radar
equipment was an insidious piece of computer code known as
"Poison Ivy" designed to suck sensitive data out of the $4 billion
consulting firm's computer network.

The Pentagon hadn't sent the e-mail at all. Its origin is unknown,
but the message traveled through Korea on its way to Booz Allen.

Source: Infosec Institute
Incursions on the military's networks were up 55% last
year, says Lt. Gen. Charles E. Croom, head of the Pentagon's
Joint Task Force for Global Network Operations.

Private targets like Booz Allen are just as vulnerable and
pose just as much potential security risk. "They have our
information on their networks. They're building our weapon
systems. You wouldn't want that in enemy hands," Croom
says.

Cyber attackers "are not denying, disrupting, or destroying
operations—yet. But that doesn't mean they don't have the
capability."
Adding to Washington's anxiety, current and former U.S.
government officials say many of the new attackers are trained
professionals backed by foreign governments.

"The new breed of threat that has evolved is nation-state-sponsored
stuff," says Amit Yoran, a former director of Homeland
Security's National Cyber Security Div.

Adds one of the nation's most senior military officers: "We've got
to figure out how to get at it before our regrets exceed our ability
to react."
Because the Web allows digital spies and thieves to mask their
identities, conceal their physical locations, and bounce malicious
code to and fro, it's frequently impossible to pinpoint specific
attackers.

Network security professionals call this digital masquerade ball
"the attribution problem.”

The e-mail aimed at Booz Allen, obtained by Business Week and
traced back to an Internet address in China, paints a vivid picture of
the alarming new capabilities of America's cyber enemies.
The analysis also shows the code—known as
"malware," for malicious software—tracks keystrokes
on the computers of people who open it.

A separate program disables security measures such
as password protection on Microsoft database
servers.
Poison Ivy is part of a new type of digital intruder
rendering traditional defenses—firewalls and updated
antivirus software—virtually useless.
Sophisticated hackers, say Pentagon officials, are developing
new ways to creep into computer networks sometimes
before those vulnerabilities are known. "The offense has a
big advantage over the defense right now," says Colonel
Ward E. Heinke, director of the Air Force Network Operations
Center at Barksdale Air Force Base.
Only 11 of the top 34 antivirus software programs
identified Poison Ivy when it was first tested.

The attacks targeted sensitive information on the networks of at least
seven agencies—the Defense, State, Energy, Commerce, Health & Human
Services, Agriculture, and Treasury departments—and also Defense
Contractors Boeing (BA), Lockheed Martin, General Electric (GE),
Raytheon (RTW), and General Dynamics (GD), as per several security
experts.

A remote administration tool, or RAT, it gives the attacker
control over the "host" PC, capturing screen shots and perusing
files.

It lurks in the background of Microsoft Internet Explorer browsers
while users surf the Web.

Then it phones home to its "master" at an Internet address
currently registered under ... cybersyndrome.3322.org...
"Phishing," one technique used in many attacks, allows cyber
spies to steal information by posing as a trustworthy entity in an
online communication.
The e-mail attacks on government agencies and defense
contractors, called “Spear-phish" because they target specific
individuals, are the Web version of laser-guided missiles.
Spear-phish creators gather information about people's jobs and
social networks, often from publicly available information and data
stolen from other infected computers, and then trick them into
opening an e-mail.

Spear-phish tap into a cyber espionage tactic that security experts
call "Net reconnaissance."
In the attempted attack on Booz Allen, attackers had plenty of
information about Moree: his full name, title (Northeast Asia Branch
Chief), job responsibilities, and e-mail address. Net reconnaissance
can be surprisingly simple, often starting with a Google search.
The information is woven into a fake e-mail with a link to an infected
Web site or containing an attached document.
Once the e-mail is opened, intruders are automatically ushered
inside the walled perimeter of computer networks—and malicious
code such as Poison Ivy can take over.

The adversary has previously developed a Zero-Day exploit for
Adobe Reader. What is a Zero-Day?

A Zero-day attack tries to exploit computer application
vulnerabilities that are unknown to others or undisclosed to the
software developer. Zero-day exploits (actual code that can use a
security hole to carry out an attack) are used or shared by
attackers before the software developer knows about the
vulnerability.

A “Zero-day" attack occurs on or before the first or “Zeroth" day
of developer awareness, meaning the developer has not had any
opportunity to distribute a security fix to users of the software.
Adobe Reader is a juicy target for attackers:

• It is installed uniformly everywhere – ~80%
market share
• Takes effort to keep it up to date
• Several Zero-day vulnerabilities
• People don’t realize that opening a PDF can allow
an attacker to take control of your computer. It’s
not an .exe after all….
Stages of an APT Attack
3 main Stages
1) Reconnaissance, Launch and Infect – The attacker
performs the reconnaissance, identifies
vulnerabilities, launches attack to infect the host.
2) Control, Update, Discover, Persist- The attacker
controls infected hosts, updates code, spreads to
other machines or systems and discovers & collects
target data.
3) Extract & take Action- The attacker extracts data
and takes action (e.g. selling data, cyber extortion
etc.)
Stages of an APT Attack
Step 1: Reconnaissance
Step 2: Initial Intrusion into the Network (e.g. Spear Phishing)
Step 3: Establish a Backdoor into the Network
Step 4a: Obtain User Credentials
Step 4b: Install Various Utilities
Step 5: Privilege Escalation / Lateral Movement / Data Exfiltration
Step 6: Maintain Persistence
TYPICAL APT LIFECYCLE
PHASE | ACTIVITY | DETAILS
Phase-1 | Reconnaissance | Determine whom to target and how
Phase-2 | Spear-phishing attack | Send crafted email with malicious attachment to target victim
Phase-3 | Establish presence | Install backdoor presence by exploiting network vulnerabilities, obtain user credentials, install attack tools etc.
Phase-4 | Exploration & Pivoting | Perform network exploration & process mapping, extend infection and control to other systems.
Phase-5 | Data Extraction | Encrypt, compress and transfer data out of the network
Phase-6 | Maintaining Persistence | Analyze data, update and develop attack tools, infect additional machines / systems.
Defense against APT
A sound “Defense-in-Depth” approach is required, which
in turn is a Three Pronged approach:
1) Content-aware: As an APT can easily penetrate network firewall
defenses by embedding exploits, APT defense solutions require
deep content awareness.
2) Context-aware: Since most APTs use custom-developed code and
/or exploit zero-day vulnerabilities, APT defense requires a
combination of Preventive, Detective and Corrective Controls
and the use of a plethora of “less indicative” indicators.
3) Data-aware: As APT targets sensitive data, an organization with
the proper Data Identification methodology and use of “ Data
Loss Prevention (DLP)” technology can strengthen its Defenses
against APT.
Defense against APT
A sound “Defense-in-Depth” technique needs to monitor inbound
& outbound traffic for content, context and data, preferably for both
email and web communications. Specifically, the defense layer
should monitor outbound communication for Data Leakage or Data
Incidents and inbound traffic for Threat analytics.

A few examples of malicious outbound behavior include:
• Requests to Dynamic DNS hosts
• Requests to access known bad or suspicious websites
• Movement of sensitive files that should never be sent outside
(e.g. SAM Database).


Defense against APT
PHASE | ACTIVITY | DEFENSE STRATEGY
Phase-1 | Reconnaissance | BYOD & Social Networking policy, awareness & training for likely targets and so on.
Phase-2 | Spear-phishing attack | Email policy, awareness & training, gateway and desktop AV, reporting procedure for suspected emails.
Phase-3 | Establish presence | OS hardening, Change Management processes, robust patch management processes for servers and desktops, host-based monitoring, application whitelists, IDS and extended logging.
Phase-4 | Exploration & Pivoting | Logging and analysis of internal network traffic, strong password policy, strong trust domains.
Phase-5 | Data Extraction | Logging and analysis of internal network traffic, strong password policy, strong trust domains & robust DLP protection.
Phase-6 | Maintaining Persistence | Security Incident Reporting, implementing Digital Forensic capabilities and policies.
Detection is the Key in an APT Attack…..
• While protection & prevention efforts should not be
neglected, the true measure of an organization’s APT
Defences is its ability to quickly detect breaches and
thoroughly research the extent and impact of those
breaches.
• Security Intelligence along with SMART Data Collection
& Analysis (e.g. Logs, Events, Network flows etc.)
capabilities is a key Defense to combat an APT Attack.
• Last but not least, an Organization also needs high
quality Forensic & Intelligent Response capabilities to
effectively deal with an APT Attack.
Source: IBM X-Force Report (1H-2012)
Anomaly detection - Key Arsenal to combat an APT Attack
• Since advanced adversaries use creative & targeted attack strategies,
often in combination with zero-day exploits, traditional signature-
based defences are often insufficient.
• Anomaly detection capabilities for monitoring those activities that fall
outside of “normal” behaviour (as measured in real-time against the
baseline) should be part of the Defence strategy.
• Modern-day Anomaly detection technologies provide real-time
capabilities for both Network Flow and Log Analysis.
• Some examples of anomalous behavior that needs detection:
– Outbound traffic is sent to a country in which the company does not do business and to
which no Traffic should be sent (e.g. Nigeria)
– FTP traffic is observed in the Finance department when Finance has never had FTP traffic
before
– A self-propagating worm outbreak occurs
– A known application (such as IRC chat) is using a non-standard port (such as port 80)
– A host system changes roles—e.g. an external-facing DNS server is changed to be the SMTP
relay as well.
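The anomaly examples listed above, together with the malicious outbound behaviours from the earlier "Defense against APT" slide (requests to dynamic DNS hosts, a SAM database leaving the network), as one added baseline-versus-observed check over flow records. This is an added example, not code from the presentation; the record layout, the baseline values, the domain names and every sample flow are constructed assumptions.

```python
"""Baseline-driven anomaly checks over network-flow records.

Added example; the record layout, the baseline and every flow below are
constructed assumptions, not data from the presentation.
"""
from collections import defaultdict

# Constructed baseline of "normal" behaviour that the checks measure against.
BASELINE = {
    "allowed_countries": {"US", "GB", "DE"},
    "dept_apps": {"finance": {"https", "smtp"},
                  "eng": {"https", "ssh", "ftp", "irc", "smb"}},
    "host_roles": {"dns1.corp.example": {"dns"}},   # external-facing DNS only
    "std_ports": {"irc": {6667}, "https": {443}, "ftp": {21}},
    "dyn_dns_suffixes": ("dyn.example.net",),      # placeholder provider list
    "sensitive_files": {"SAM", "ntds.dit"},
    "fanout_limit": 3,                             # distinct internal peers per host
}

def flow(src, dept, dst, app, dport, country="US", dst_host="", file=None):
    """Build one flow record; all values are constructed sample data."""
    return dict(src=src, dept=dept, dst=dst, app=app, dport=dport,
                country=country, dst_host=dst_host, file=file)

FLOWS = [
    flow("ws-fin-01", "finance", "203.0.113.10", "https", 443),                # normal
    flow("ws-fin-01", "finance", "203.0.113.11", "https", 443, country="NG"),  # geo
    flow("ws-fin-02", "finance", "198.51.100.5", "ftp", 21),                   # FTP in Finance
    flow("ws-eng-07", "eng", "198.51.100.9", "irc", 80),                       # IRC on port 80
    flow("ws-eng-03", "eng", "198.51.100.7", "https", 443, dst_host="c2.dyn.example.net"),
    flow("ws-it-04", "it", "198.51.100.8", "https", 443, file="SAM"),          # SAM leaving
    flow("203.0.113.44", None, "dns1.corp.example", "smtp", 25),               # role change
] + [flow("ws-eng-09", "eng", f"10.0.0.{i}", "smb", 445) for i in range(1, 6)]  # fan-out

def detect(flows, baseline=BASELINE):
    """Return (flow, reason) pairs for every flow that breaks the baseline."""
    alerts = []
    peers = defaultdict(set)   # internal hosts each source has talked to
    for f in flows:
        internal_dst = f["dst"].startswith("10.")
        if not internal_dst and f["country"] not in baseline["allowed_countries"]:
            alerts.append((f, f"outbound traffic to {f['country']}, where the business has no presence"))
        apps = baseline["dept_apps"].get(f["dept"])
        if apps is not None and f["app"] not in apps:
            alerts.append((f, f"{f['app'].upper()} seen in {f['dept']}, which never used it before"))
        std = baseline["std_ports"].get(f["app"])
        if std and f["dport"] not in std:
            alerts.append((f, f"{f['app']} on non-standard port {f['dport']}"))
        if f["dst_host"].endswith(baseline["dyn_dns_suffixes"]):
            alerts.append((f, f"request to dynamic DNS host {f['dst_host']}"))
        if f["file"] in baseline["sensitive_files"] and not internal_dst:
            alerts.append((f, f"sensitive file {f['file']} sent outside the network"))
        roles = baseline["host_roles"].get(f["dst"])
        if roles is not None and f["app"] not in roles:
            alerts.append((f, f"{f['dst']} now serving {f['app']}: host role changed"))
        if internal_dst:
            peers[f["src"]].add(f["dst"])
            if len(peers[f["src"]]) == baseline["fanout_limit"] + 1:
                alerts.append((f, f"{f['src']} reached {len(peers[f['src']])} internal hosts: possible worm outbreak"))
    return alerts

def reasons(flows, baseline=BASELINE):
    """Just the human-readable reasons, one per alert."""
    return [why for _, why in detect(flows, baseline)]

if __name__ == "__main__":
    for f, why in detect(FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  {why}")
```

The fan-out check fires once, when a source crosses the peer limit, so a real deployment would pair it with a time window and reset the peer sets per window.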
Best Practices for Anomaly Detection
• Monitor user activity, especially for privileged users.
• Monitor access to sensitive data.
• Combine data access monitoring with user activity monitoring
for more accurate threat detection.
• Monitor outbound traffic to prevent data exfiltration (to say
unknown or dynamic- ranged IP Addresses).
• Monitor geographic access and traffic.
• Leverage threat intelligence with anomaly detection (e.g. IBM X-
Force, FireEye, Verizon, McAfee, Symantec etc.)
• Collect & Analyse Network flows for greater insight especially
Layer 7 data with content visibility.
ESG Survey: 12/2011 - Organization’s Response to APT
• Increased Spending on security training, services and
Technologies - 77%
• Executive Management Support & Action- 47%
• Additional Training for Security Staff- 41%
• Additional Training for Non-IT Staff- 32%
• Changes in Processes / Adding new processes – 40%
• Purchased new Security Technologies – 39%
• Investment in Technologies and Tools:
a) Network Management Tools – 68%
b) Log File Analysis – 51%
c) SIEM Tools – 41%
d) Help Desk & CMDB Tools- 41%
e) IDS / IPS Alerts – 43%
f) Managed Security Service Providers – 32%
Source: www.esg-global.com
Intelligent Response to APT
• Combating the APT is a protracted event, requiring a sustained effort to rid
your networks & IT Systems of the threat. Therefore, the APT requires the
victim organization to perform the following tasks more rapidly, efficiently,
and effectively:
– Detect
• Compromised Systems
– Collect
• Evidence
– Analyze
• Data
– Remediate
• Threats
• Intelligent & effective response to an APT needs strong combination of
Preventive, Detective and Corrective Controls.
APT
Case Studies Discussion
An Anatomy of RSA Attack
• The attackers spoofed the e-mail to make it appear to come from a "web master" at
Beyond.com, a job-seeking and recruiting site. Inside the e-mail, there was just one
line of text: "I forward this file to you for review. Please open and view it." This was
apparently enough to get the intruders the keys to RSA’s kingdom.
• An Excel spreadsheet opened, which was completely blank except for an "X" that
appeared in the first cell of the spreadsheet. The "X" was the only visible sign of
the Flash exploit embedded in the spreadsheet. When the spreadsheet
opened, Excel triggered the Flash exploit, which then dropped the
backdoor -- in this case a backdoor known as Poison Ivy -- onto the system.
• Poison Ivy would then reach out to a command-and-control server that the
attackers controlled at good.mincesur.com, a domain that was possibly used in
other espionage attacks, giving the attackers remote access to the infected
computer at EMC. From there, they were able to reach the systems and data of
customers such as Lockheed Martin that they were ultimately after.
• It is believed that neither the phishing e-mail nor the backdoor it dropped
onto systems was advanced, but the zero-day Flash exploit used to drop the
backdoor was advanced.
• http://advanced-persistent-threat.com/2011/09/19/technical-details-about-the-rsa-hack
Operation Aurora- An APT Attack
• On Jan. 12, 2010, Google publicly disclosed that it had been a victim of an APT attack
(along with 20 other companies across different industries).
• These attacks (later known as “Operation Aurora”) started in December 2009,
leveraging a “Zero-day” IE 6.0 vulnerability.
• Once the system was compromised, the attackers installed a Trojan, which in turn
would communicate back to the attacker’s “Command & Control” server, which had the
ability to issue a variety of different commands.
• This would then enable attackers to gain additional access to the compromised or
victimized companies’ networks and IT systems.
• The 1st stage of the attack was to entice users into clicking on a rogue website link
that would direct the user’s Web browser to the attacker’s Web server, bypassing
the user’s entire defense of Firewall, IDS/IPS, AV system etc.
• In the 2nd stage, using the Zero-day vulnerability found in the user’s IE 6.0, the attacker
could plant and run the malicious code / malware, bypassing the user’s entire defense
mechanism, which was unable to detect such a Zero-day vulnerability.
• Attackers then used this malware to access whatever they needed across all 20
companies whose systems were compromised and whose defense technology failed. This was
considered a highly coordinated, sophisticated, persistent and targeted attack.
Effective Security Strategy against an APT Attack
• Develop & implement Risk Based & Defense-in-Depth approach.
• Implement Preventive, Detective & Corrective Security Controls
using best practices based on ISO 27001: 2005 and COBIT.
• Provide on-going user awareness and training (invest
heavily) for both Security/IT & Non-IT staff.
• Invest in Security Intelligence, Monitoring, Correlation and Data
Analysis and Digital Forensic Technologies such as SIEM, Log
Analysis, DLP, WAFW etc.
• Implement an Intelligent and near Real-time Incident /
Emergency Response Process backed up by highly trained
Incident Response & Forensic professionals.
Key Lessons Learnt…
• Invest in Smarter Technologies & Human capital.
• Expect the unexpected.
• Stay alert all the time.
• Protect what matters, not everything.
• You cannot fight the battle alone.
• Golden Mantra that would always win in the end……
“Security is everyone’s Business & is a Business
Issue and not an IT issue.”
Summary
• APT is here to stay and is very difficult to get rid of. (It is like a genetic
Coronary Heart disease).
• Risk from an APT attack can surely be minimized with a Risk-based
Defense-in-depth approach, by judicious deployment of & investment in
People, Process and Technology.
• On-going training and awareness is one of the most effective ways of
dealing with APT.
• Implementation of best practices like NIST 800-53, ISO 27001:2005,
COBIT etc. can certainly help mitigate the risk of APT but cannot eliminate
it.
• Deployment of combination of Preventive, Detective and Corrective
Security Controls will be more effective in dealing with APT than just
Prevention measures.
• Effective Detection, Security Intelligence, Data Analytics, Forensics and
Intelligent Incident Response form key Pillars of “Defense-in-depth”
strategy against an APT Attack.
Use a Bruce Lee-like Defense against APT

“The highest technique is to have no
technique. My technique is a result
of your technique; my movement is a
result of your movement.”
- Bruce Lee
Thank You

Questions?
Contact :
ASHIT DALAL, PCI-DSS QSA, CRISC, CGEIT, CISM, CISA, CPEA, CSSA, SSBB
Certified SCADA Security Architect
Managing Consultant & Vice President – Enterprise Risk
Advisory Services
e Delta Consulting, NJ, USA
T.NO: +91-98191-18590 (India)
609-606-2357 (USA)
Email: adalal@edeltaconsulting.com / ashitdalal@yahoo.com
