APT Detection Indicators – Part 1

APT Detection Indicators – Part 1

APT Detection Indicators – Part 2
APT Detection Indicators – Part 3
APT Detection Indicators – Part 4

In a world where organizations need to be watching or monitoring their networks continuously knowing what to look out for is critical. In this blog we discuss how to detect incidents early by identifying “attack precursors” and other leading indicators that help protect your organization from compromise and can stop an attack in its tracks.

Attack Threat Types

There are various sources of threat actors, for example, as follows:

• Nuisance –
  • Attacks are opportunistic
    • Organization is targeted because it is vulnerable
• Insider –
  • Trusted insider steals data
    • Difficult to prevent but detection and attribution is possible
• Hacktivists –
  • Motivated by a cause
    • Determined but not always sophisticated
• Financial & Intellectual Property (IP) –
  • More sophisticated attacks
    • Typically target information for financial or competitive gain
• State-sponsored –
  • Persistent and Targeted
    • Attacks continue until targeted data is obtained

Anatomy of an Attack

Given enough time and resources, a skilled attacker will always find a way in. So how do companies deal with this? Companies need to have an Incident Response Program (IRP) in place. A successful IRP is required to bring the needed resources together in an organized manner to detect and deal with an adverse event related to the safety and security of personnel, systems, and data. An IRP should also be tested thoroughly to evaluate an organization’s response to incidents that occur in their environment. We will discuss IRP in more detail in a future blog.

Most organizations are unprepared to detect and respond to targeted intrusions, most often because …

• Traditional defenses do not work
• Security tunnel vision on vulnerabilities and preventing zero-day
• Under-developed Rapid Incident Response processes
• Human resource commitment to needed skills, training and, readiness

Detect, Contain, Investigate, Eradicate, Recover

Organizations need a new defense-in-depth strategy, “Defense-in-Depth+” architected and deployed as a Defensible Security Posture that enables the ability to …

• Detect,
• Contain,
• Investigate,
• Eradicate, and
• Recover

No one product or products alone can stop innovative human attackers who can evolve as the need arises, altering tactics and developing increasing levels of sophistication.

Indicators of Compromise

In the current threat environment, rapid communication of threat information is the key to quickly detecting, responding and containing targeted attacks. Hunting for Indicators of Compromise (IOCs) is an effective way to combat advanced attackers. IOCs are forensic artifacts of an intrusion that can be identified on a host or network.

IOCs tie to observables and observables tie to measurable events or stateful properties which can represent anything from the creation of a registry key on a host (measurable event) to the presence of a mutex (stateful property). For example, after using the APT Detection Framework to optimize and check for any gaps an organization should continuously monitor and detect things like:

• Unusual Outbound Network Traffic
• Geographical or cross country activity with unusual log-ins or access patterns
• People trying to cover their tracks or obscure their presence on your systems
• Signs of ARP cache poisoning, ARP spoofing, and other man-in-the-middle attacks
• Suspicious changes in listening ports, system services and drivers, startup tasks, and scheduled tasks
• Anomalies in Privileged User Account Activity or permission changes
• Changes in local Firewall configurations and local user accounts
• Changes in DNS servers or IP routing
• Symptoms or presence of root kits
• and so on…

All of these items can provide early indications of bad actors, and help you identify and contain security incidents before they result in loss. Though not present in all incident response scenarios, IOCs are present more often than not should the security analyst have the cycles and opportunity to learn where and how to identify them. The ability for a security analyst, incident responder or threat researcher to collect, record and notate IOCs in a detailed manner is a critical success factor.

Hunting for Indicators of Compromise

The high-level formula is, as follows:

• Detection –
  • Document attacker tools and methodology (a.k.a. intelligence)
    • Network DNS, IP, and traffic protocol patterns (outbound)
    • Log file entries
    • Host forensic artifacts and live memory
    • Metadata is efficient for hunting
    • Analyze attacker tools to create highly effective IOCs
  • Use the intelligence to proactively hunt for attacker activity
• Containment –
  • Quarantine on network
  • Perform live Incident Response to identify what happened and related activity
  • See: Defensible Security Posture and future APT Incident Response blog
• Investigate –
  • Investigate incidents to increase intelligence & scope compromise
  • Conduct threat scenario sessions based on intelligence gathered
• Eradicate & Recover –
  • Identify all:
    • Compromised hosts and accounts (user, service, all of AD, etc.)
    • Active (beaconing) and passive (listening) backdoors
    • Other entry points like web servers, VPN, & terminal services
  • Perform the following:
    • Reset passwords
    • Remove backdoors
    • Fix vulnerable systems they’re exploiting for access
  • Continue hunting for IOCs to ensure remediation worked and to identify when/if the attacker returns
  • Conduct lessons learned and post mortem sessions
• Rinse & Repeat

Indicators start with simply looking for signature of specific artifacts. These can be the traditional forensic artifacts such as MD5 checksums, compile times, file size, name, path locations, registry keys, and so on. Many different types of specific indicators can be combined together in one IOC, so that any of several sets of signatures of differing types of complexity could apply within one particular IOC.

APT Detection Framework

Simple use cases allow querying for forensic artifacts such as:

• Looking for a specific file by MD5 sum (hash), file name, size, create date, or other file attributes
• Looking for a specific entity in Memory (process information, running service information)
• Looking for a specific entry or set of entries in the Windows Registry
• Combining these together in various combinations to provide better matching and less false positives than searches for individual artifacts.

Like many security practices, IOC authoring is an art. Practice with a creative mindset. Ultimately, the best IOCs have these properties:

• The IOC identifies only attacker activity
• The IOC is inexpensive to evaluate, it is typically simple and evaluates information that is less expensive to collect or calculate
• The IOC is expensive for the attacker to evade. In other words, to evade the IOC the attacker has to drastically change tactics, tools, or approach.

Conclusion

There are also several emerging, would be standards for what has previously been an ad-hoc at worst and organizational at best approach to developing IOCs. In future series we will go into greater detail about how to develop and leverage IOCs together with emerging tools as well as discuss the emerging standards and R&D performed by CyBox (cybox.mitre.org), OpenIOC (openioc.org), and IODEF (IETF RFC 5070).

Key takeaways …

• Accept that attackers will maneuver past your defenses
• Hire or train people to hunt for IOCs and investigate alerts
• Invest in technologies to support those people
• If this is not a core competency, partner with a trusted security services provider

In APT Detection Indicators – Part 2 we will present recognizable attributes and patterns that can be monitored by readily available, open source tools. These tools can enable early detection of APT behavior, especially by monitoring unusual inter-zone or outbound traffic.

Thanks for your interest!

Nige the Security Guy.