Advanced Persistent Threats

Transcription

1 White Paper INTRODUCTION Although most business leaders and IT managers believe their security technologies adequately defend against low-level threats, instances of (APTs) have increased. APTs, which are combined, sustained attacks on an organization s computer systems, have infiltrated several major IT companies, including Google, Adobe and Juniper, demonstrating the effectiveness of these methods. Ask yourself: What would your employees do if they found a USB stick in the parking lot? How susceptible would they be to clicking on a link in a Phishing message? Would they approve the installation or update of a third-party browser plug-in? How frequently do you update all your desktop applications for vulnerability fixes? All of these methods have been used in the initial stages of APT attacks on organizations. APTs pose serious new security concerns to organizations, especially if the tools and kits used to create them become commercialized similarly to attack toolkits. This paper will outline the evolution of APTs, explain the motivation behind them, and determine best practices for defending against these threats. CONTENTS About...2 Definition...2 Anatomy of an APT...2 Stages of an APT Attack...3 Case Study of an APT: Operation Aurora...4 Remediation: Protecting Against...5 Best Practices...5 Layer Security Technologies...5 Be Proactive...5 Protect the Initial Attack Point (Blended Threats)...5 Cover the Major Threat Vector, the Web Gateway...6 Correlate Threat Information between & and the Web...6 Set Network Activity Baselines...7 Additional Preventative Steps...7 About M86 Security...8 m86security.com

2 ABOUT ADVANCED PERSISTENT THREATS Definition The term refers to a series of low-level attacks that were previously seen individually, but are now used collectively to launch highly-targeted, prolonged attacks. The goal is to gain maximum access and control into an organization. Anatomy of an APT An APT attack tries to penetrate an organization using any method available both technical and physical. Examples of the individual attack components include: Blended threats These attacks spoof known addresses and/or domains. messages are well-formatted with no attachments, so they pass through spam and anti-virus scanner defenses running at the gateway. These s include embedded URLs that link to an infected Web page. They typically use social engineering techniques to encourage users to click through. Legitimate websites hosting malware These sites are usually linked from blended threats s. Typically, employees visit the legitimate site regularly for business-related tasks, and infections of the site may be limited to specific blocks of time all to limit the possibility of detection. Cross-site scripting attacks and stolen FTP credentials are just two ways cybercriminals infect legitimate websites. Combination of malware tools Back-door downloaders, key loggers, network scanners and password stealers may be combined for the purposes of installing malware. Malware used in an APT is low-level in terms of activity and is designed to escape detection. In addition, this dynamically-created malware evades anti-virus scanners by being the first/only example ever created or by using polymorphic viruses which constantly change to escape signature-based detection technologies. Infected workstations (bots) These are the infected workstations inside the organization s network. Once the malware is inside the trusted network, infiltrating or compromising additional information such as credentials or confidential data is easier. Command & Control servers Operated by the attacker, these remote servers communicate with bots, or infected workstations. They can be used as a collection point to which compromised data is uploaded or to control the workstation s actions. Most APT activity occurs outside of the normal U.S. workday, again to evade detection. Outbound communication between the bot and these C&C servers is called the C&C communication channel. Previously, this has been easy to spot because attackers used protocols such as RPC, but recently, this has become more complex through use of diverse methods such as Google Groups or Tweets. Today s C&C networks are highly resilient and very difficult to track. The Internet makes it easy to host servers in other countries, routing data through them to avoid detection. Attack management console This user interface is used to control all aspects of the APT process, and multiple attackers can work on the same target. The management console enables the attackers to control the actions of the infected bots through the C&C servers, install new malware on the bots, and assemble all aspects of the APT to measure the current success rate. The screenshot below shows an attack toolkit, which is similar to an APT attack console. User Interface of Attack Toolkit Crimepack Page 2

3 Stages of an APT Attack Each attack is different and customized to its target for maximum success. Page 3

4 Example below: How APTs spread through an organization and how they are controlled The attacker s C&C server is the external point which controls the overall attack. It can be a single server or multiple cascading servers, which are difficult to track and neutralize. Case Study of an APT: Operation Aurora Widely reported in the press, operation Aurora was the first major disclosure of a widespread series of APT attacks. We believe Operation Aurora started in mid-2009 and was first publicly disclosed by Google in a blog post on Jan. 12, Other organizations, including Juniper, Adobe and Rackspace followed with their own disclosures. The goal of the attack was to access and potentially modify source code repositories at the affected high-tech, security and defense companies. The ability to modify and infect a backdoor into the source code could be a larger prize for cybercriminals than financial or design documents. Operation Aurora followed the typical stages of an APT (as previously defined). Detailed steps in this case include: 1. Employees with the most access to proprietary data were identified first, after which their social networks were investigated and compromised. This enabled cybercriminals to send blended threats s to them from trusted friends, improving chances that they would click on links inside the messages. 2. links led to an infected website, initiating the initial malware infection. This occurred through a vulnerability in Internet Explorer versions 6, 7 and 8 that allowed remote code to be executed on the target machine. 3. With a backdoor into the organization, the attackers were able to move laterally from the infected workstation, identifying other vulnerable targets that could be compromised and infected to eliminate a single point of failure. 4. They began to scan systems to obtain higher level security privileges. 5. In the discovery phase, the compromised credentials were used to try to access the master details of selected Gmail accounts of known Chinese dissidents. Now that the attackers were inside the network of target organizations, vulnerabilities found in the Perforce source code system were used to directly access source code for the organizations products. This was a potentially serious problem because the source code could have been deployed to thousands of the organization s customers, giving the attackers a backdoor to those as well. 6. There is only conjecture as to how long this attack was active, but many reports put the elapsed period at more than four months of sustained, multiple attacks and infections with un-measurable data flowing back out. The source of these attacks was traced to two technical institutes based in China. Page 4

5 REMEDIATION: PROTECTING AGAINST ADVANCED PERSISTENT THREATS Today, APTs are widespread and frequently used. Organizations need to determine their risk levels and note their most valuable resources to plan how to defend themselves effectively. The following diagram provides a basic outline for protecting your organization. Best Practices Multi-faceted attacks require multi-faceted responses. Ideally, solutions that can correlate threat information to maximize attack intelligence will provide an optimal defense. 1. Layer multiple technologies for the best possible defense. 2. Combine proactive and reactive security controls to maximize coverage. 3. Deploy security controls as early as possible at the network perimeter or in the cloud before threat infiltrates your network. 4. Deploy coverage against blended threats at the security gateway to prevent compromised s from reaching user inboxes. 5. Deploy appropriate security controls at the Web gateway. 6. Use solutions that correlate threat information between and Web gateways as well as vendors who use collective intelligence to share information on attacks. 7. Establish baseline network activity so you can recognize irregular behavior and traffic earlier. Layer Security Technologies Build as many defenses as possible by layering security technologies such as desktop malware protection and and Web gateway security. Look for suspicious network activity especially to unknown external hosts. Though you might not block the initial infection, awareness of the threat will go a long way to stopping an APT as soon as possible. A great pre-emptive step includes having an effective way to process log information and spot unusual activity across all layers. Be Proactive Today s threats involve dynamically-created malware or Polymorphic viruses that are designed to evade reactive security controls. Highly innovative proactive controls can detect and block suspicious behavior exhibited through or the Web to successfully detect new and emerging threats. Best-in-class security solutions layer reactive controls for speed with proactive controls to close the threat window. Look for technologies such as M86 s patented Real-time Code Analysis and behavioral analysis. Ensure proactive controls are running on all the data your users access, as they are accessing it, to maximize coverage. A high proportion of malware comes from legitimate websites. Protect the Initial Attack Point: (Blended Threats) Typically, the first vector tried in an attack is . Are proactive security controls on your gateway scanning specifically for blended threats? Page 5

6 Blended Threats are blocked at the gateway, or correlated information is sent to the Web gateway for blocking. Cover the Major Threat Vector: the Web Gateway When an unsuspecting user clicks a link in a blended threat , the actual attack occurs through the Web, necessitating a secure Web gateway (SWG) solution. The SWG should include proactive security controls that analyze all content moving through the Web gateway, like are within the M86 SWG. All users, whether on the network at headquarters and remote workers should be covered. Hybrid Web services extend 100% of the security coverage offered on-premises to remote and external users. Security solutions that reside on the desktop provide few, if any, proactive security controls. So catching threats earlier at the gateway is ideal (though these solutions aren t always used). Evaluate your current endpoint security solutions. How many proactive capabilities do they have? How effective are they in independent tests? Correlate Threat Information between and the Web Consider a scenario in which an gateway detected low levels of activity that could be a possible attack. The Web gateway also detected low levels of suspicious traffic. Individually, these solutions might not act on this information (to prevent overblocking). But correlating this data between both gateways would trigger a block. The power of correlation moves to a whole new level if a vendor is able to correlate across an entire customer base. Page 6

7 Cycle of threat data received from customer installations and third party feeds, correlated and analyzed at M86 Security Labs and then fed back out to installed products. An organization running and Web security solutions from a single vendor doubles the advantage they get from this threat data correlation. It can use the updated threat data to maximize coverage, minimize attack windows and secure the organization from coordinated APTs. Set Network Activity Baselines APTs will generate irregular network traffic from internal computers to external command and control (C&C) servers. C&C traffic can use a number of ports and applications. Traditionally RPC channels have been used, Google groups, Twitter and other seemingly legitimate protocols and applications have been used as well. Recognizing this C&C traffic is an important step in mitigating APTs. So knowing the volume of your traffic and the external hosts/applications typically used will help you spot abnormal activity possibly an infected internal workstation that s communicating externally. Analyzing firewall logs is a good way to get started, but there are many tools and products that can assist. Additional Preventative Steps Ways an administrator can help prevent APTs include: 1. Keep applications up to date Most vulnerabilities target outdated browsers like Internet Explorer 6 and 7, and old versions of applications like Adobe Flash and Adobe Reader. Most recent updates to these applications address many of the vulnerabilities that continue to be exploited. 2. Disable administrative rights for most users It s been proven that by eliminating user administrative privileges, 90% of Windows 7 vulnerabilities would be mitigated. 3. Conduct sensitive tasks such as financial transactions on another system If members of your organization conduct e-banking on your network, we strongly encourage they do so on a separate computer on a separate network. Many of the headline-making e-banking business thefts occur when a user account is compromised by an information-stealing Trojan. Another option is to arm employees with a Linux live CD for use with sensitive transactions. 4. Educate users Never underestimate the power of user education. Ensure your employees can recognize social engineering, Phishing, Man-in-the-middle malware, etc. And institute a policy regarding external devices such as USB sticks. Page 7

8 ABOUT M86 SECURITY M86 Security is the global expert in real-time threat protection and the industry s leading Secure Web Gateway provider. The company s appliance, software, and Software as a Service (SaaS) solutions for Web and security protect more than 24,000 customers and over 17 million users worldwide. M86 products use patented real-time code analysis and behavior-based malware detection technologies as well as threat intelligence from M86 Security Labs to protect networks against new and advanced threats, secure confidential information, and ensure regulatory compliance. The company is based in Orange, California with international headquarters in London and development centers in California, Israel, and New Zealand. TRY BEFORE YOU BUY M86 Security offers free product trials and evaluations. Simply contact us or visit Corporate Headquarters 828 West Taft Avenue Orange, CA United States Phone: +1 (714) Fax: +1 (714) International Headquarters Renaissance 2200 Basing View, Basingstoke Hampshire RG21 4EQ United Kingdom Phone: +44 (0) Fax: +44 (0) Asia-Pacific Millennium Centre, Bldg C, Level Great South Road Ellerslie, Auckland, 1051 New Zealand Phone: +64 (0) Fax: +64 (0) Version 08/20/10 Copyright 2010 M86 Security. All rights reserved. M86 Security is a registered trademark of M86 Security. All other product and company names mentioned herein are trademarks or registered trademarks of their respective companies.