APT Detection Framework – Part 2
January 3, 2014 5 Comments
APT Detection Framework – Part 2
There is a trend underway in the information security field to shift from a prevention mentality — in which organizations try to make the perimeter impenetrable and avoid breaches — to a focus on rapid detection, where they can quickly identify, contain and mitigate threats.
In order to begin to understand and to be able to rapidly defend against targeted attacks a detection matrix is needed for visibility, analysis and, to ensure that all threat scenarios are considered with no gaps in defense. This framework can be used as a tool to relate attack characteristics with analysis methods and business criteria. APT Detection Framework – Part 2 continues our discussion of a proposed matrix with more detailed description and use case examples.
Detection Cost versus Precision
APTs are a complex attack scenario in which different low-level attack methods are used in a multistep approach to achieve a predetermined goal. They are executed with more stealth than normal attacks. The framework presented in this blog can help analyze APT threat scenarios with the purpose of creating a means of detection of APTs and identifying any gaps in detection or response.
Like prevention and defense-in-depth there is an associated Detection Cost versus Precision equation that also needs to consider capability maturity in terms of resources/skills as well as technology – as to whether this is a core competency that needs to be built, to partner to gain the skills and experience or, to outsource.
Detection Framework Sample
The following APT Detection Framework – General Description graphic presents a simplified example, providing general descriptions of the content that the security operations analyst uses to begin to populate the matrix for various use cases.
APT Detection Framework - General Descriptions
Attack Scenario Use Case
A foreign company is interested in a product and the intellectual property of a competitor. They would like to know detailed technical and production information as well as financial information about the production costs of the product. They anonymously contract with a hacker team to gain access to the competitor’s network in order to obtain the desired information. The competitor must remain unaware of the network breach to avoid an investigation and possible lawsuits.
Advanced Persistent Attack Example
Detection of APTs is harder because of the stealthy effort of the attacker to remain undetected but not impossible because there is traffic generated and malware or a Trojan is active on workstations and or servers. It is possible to find traces of attacks which can be put together as an Indicator of Compromise to see if there is an ongoing APT present. For more information see APT Detection Indicators – Part 1
Common Firewalls, HIDS and NIDS systems have a harder time finding an APT because they look mostly to discrete and known attack signatures and do not take the structure of APTs into account. They do not connect different and subtle low level events to each other to form an attack scenario. An approach that does correlate low-level attack elements can detect such attacks.
Network traffic can be used to detect the different steps of APTs. The eight steps each have a different traffic pattern in a network. An example of these patterns is given in the basic network diagram above.
Step 1: Reconnaissance
The first step of the attackers is reconnaissance of the target company. They start by browsing corporate websites for names and mail addresses, check DNS registrations to find public accessible services and check search engines for social media profiles of people claiming to work at the target company. The main goal is to find handles for social engineering approaches and to find version information on servers and website content management systems, to find exploitable vulnerabilities.
Step 2: Gaining Access
After the first step the attackers proceed to use the profile information of employees to construct phishing emails which look legitimate. These emails contain a link to an infected website which uses a zero day exploit to install a malware component on the victims computer. Another approach is to use social media information to create a legitimate looking spreadsheet or PDF as an email attachment about employees benefits or holidays and so on. The possibilities are endless.
Steps 3 & 4: Internal Recon and Expand Access
Once the attackers have gained a foothold in the network through the malware they will try to expand their access to other parts of the network. The malware starts to monitor connections to servers in the network, gather information about installed programs and network users to identify server addresses, network structure and possibilities for expanding access.
Un-patched programs, operating systems, or default configurations create more possibilities for further expansion of the attackers access to network clients and servers. The attackers also perform active reconnaissance on the network themselves by connections performing discovery through the malware clients.
Steps 5 & 6: Gathering and Extracting Data
Un-detected and operating stealthily the attackers are successful and have found the wanted technical documentation and have access to the financial systems of the target. They slowly gather all the information on one of the servers they control and prepare the information for extraction.
Finally they ex-filtrate the information to a legitimate file storage application on the internet to make the extraction look as normal as possible. They also continue snooping around for other data they can sell and extract this as well.
Steps 7 & 8: Command & Control and Erasing Tracks
The attackers have continuously monitored progress through direct access via a backdoor created by the malware and by updates from the malware to servers on the internet. After extraction of the last of the wanted information the attackers start to hide their tracks by uninstalling the malware. Botnet clients are used as proxies to hide the origins of traffic. Logs are erased and housekeeping is performed. A backdoor may be left on Internet-accessible devices for future use which is opened via a command sequence to enable remote access.
Situational Awareness and Managed Connectivity
Typically 20 percent of the connections to a network are unknown, despite the investment in security technology, it is critical to identify all connections within an enterprise. This 80-20 rule requires a solution that defines a network perimeter and validates that unknown connections do not exist. Situational awareness together with knowledge of the structure of high level attack sequences and low level attack elements is crucial for detection.
This knowledge is necessary for the selection of attack features which can be detected, for example in network traffic. The choice of attack features has consequences for the detection framework design and choices of analysis methods and their success in detecting more complex attacks. Approaching the choice of analysis methods from an attack perspective utilizes this knowledge to improve detection and reduce the gaps.
Basic Use Case Example
The following APT Detection Framework – Basic Use Case graphic presents an over-simplified example that applies a mock-up of the use case above.
APT Detection Framework - Basic Use Case
In our core mission to focus on Detection and Response our next series of blogs will cover Incident Response Maturity. In addition, we will add further details to the APT Detection Framework in Part 3 by integrating more closely with APT Detection Indicators and leveraging Indicators of Compromise (IoCs). We will develop increasingly more practical and useful use cases leveraging tools such as, Splunk, RedLine, Snort, Suricata, Bro, Sguil, Squert, Snorby, and many other useful network security monitoring and analysis tools.
Thanks for your Interest!
Nige the Security Guy.