APT Confidential: 14 Lessons Learned from Real Attacks

Sponsored by Bit9

Oct 19, 2014

In this unprecedented time of cyber attacks, information about attacker methods is difficult to obtain unless you are the victim, and that is too late. Analysts at Bit9 have frequent opportunities to investigate intrusions and work with customers to examine the malware used by attackers. This paper details lessons learned from extensive interviews with security analysts at Bit9, Bit9 customers, and others. A common thread that emerged was the difficulty of preventing the delivery of APT malware to systems or of quickly detecting the attack once the malware was active. In between those two events, however, there is a golden opportunity to stop the attack in its tracks by leveraging trust-based security technology.

© 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved

1. YOU ARE UP AGAINST 3 TYPES OF ATTACKERS

To appreciate the level of risk that all organizations face from cyber-attacks, you need to understand the three types of attackers, their motivations, and their methods.

CRIMINAL ORGANIZATIONS

Criminal organizations, often associated with Eastern Europe, can benefit from breaking into nearly any organization’s or individual’s network or system. Criminal organizations are primarily looking for information that can be used to steal money, the most obvious being credit card numbers, credentials to bank accounts, and personal identity information that can be used to open fraudulent credit accounts. But there are many other ways to profit via cyber-attacks. In today’s efficient cyber-crime marketplace, some criminals simply focus on penetrating networks and selling access to those networks to other criminals, who then use that access for their own purposes. Others specialize in building malware components.

Nearly any person or organization can be victimized, and criminal organizations cast a wide net using spam and other broad methods. Generally, their efforts are less targeted than those of the other two types of attackers. But when presented with opportunities such as inside knowledge, criminals happily change tactics and launch focused attacks on a single organization or industry. Some industries, such as the financial sector, are responding by organizing security information-sharing initiatives.

We are late to the race in this regard. Criminals have already built an efficient black market for malware, stolen credentials, bot networks, vulnerable systems, and information on possible targets. Information-sharing efforts are crucial to keeping up with advances by attackers.

NATION STATES

Nation states actively target organizations around the world for a host of economic, trade, defense, and political reasons.

Nation states that are trying to control information about their regimes or treatment of their citizens target any organization that might have contacts with dissidents and opposition groups. This includes human rights groups as well as any non-governmental organizations (NGOs) or religious or aid organizations that such states perceive as threats.

As shown by recent incidents at The New York Times, countries are willing to make relatively overt and aggressive attacks on news organizations in response to bad publicity and to discover reporters’ information sources.

[Figure: the three attacker types: Criminal, Hacktivist, Nation State]


Defense contractors are obvious targets and are well aware of this fact. But executives of other organizations are often surprised to learn that they have been targeted and why.

Any organization that does business with certain nation states can expect to be targeted. The prevailing philosophy apparently holds that the more information one has about one’s business partners, the more effective one can be at the negotiating table.

Any organization in an industry in which a nation state has an economic interest is also a target. Many industries are included because countries such as China are trying to enter new markets or have a shortage of the many natural resources and materials necessary to sustain their growth. Nation states might try to steal technology even in mundane areas, such as rubber formulas for tires. Or they might look for business data to anticipate or influence market dynamics.

In the final analysis, nearly any organization can come to the attention of a nation state that simply lacks an expectation of fair play and competition.

HACKTIVISTS

In this paper, the term hacktivists is used to identify groups that launch cyber-attacks against any organization of which they disapprove in relation to a cause, value, or conflict between groups.

Again, organizations are frequently surprised when they provoke the ire of hacktivists. A corporation might terminate dealings with a controversial customer, seeking merely to avoid possible criminal charges or public relations fallout. The corporation might have no agenda other than abiding by its terms of service and making business decisions that management believes to be in the best interests of shareholders. Nevertheless, hacktivists might punish the company for not taking up their cause.

In such an environment, there is no way to be perceived as neutral by all sides or to avoid making at least one interest angry. At that point, you might become the target of denial of service (DoS) attacks, data-destruction efforts, or even attempts to steal your private information so as to post it on public websites, for no other reason than to punish you. Such nihilistic motivations create risks to information that would not otherwise be targeted by classic attacker types that are out for some type of traditional gain.

2. PARTNER ORGANIZATIONS CAN BE COLLATERAL DAMAGE

Other organizations are being targeted—organizations that

• Do not have the desired information
• Are not involved in the targeted industry or activities

Nation states, in particular, are patient and have long-term, strategic goals. Knowing that their ultimate target is already on its guard and has shored up its own defenses, many attackers target second- or third-level organizations that interact with the primary target, whether that is a government agency, defense contractor, human rights or aid organization, or corporation with economic value. An example of such a second-level organization is an ordinary company that provides maintenance supplies to the organization of interest.


Note the phrase “interact with” in the previous paragraph, an action that is more generic than “doing business with” in the commercial sense. Firms in the financial sector, for example, have been targeted through emails that were apparently sent from compromised PCs in state or municipal regulatory agencies.

Attackers target second-level organizations with many possible goals—both technical and otherwise:

1. Exploit the list of contacts that the second-level organization has at the primary target.
2. Send spear-phishing emails that appear to be from a business partner or other trusted entity.
3. Gain access to the primary target’s network through trusted network links or remote access credentials.
4. Gain any possible information about the primary target.
5. Plant malware that will be picked up when individuals at the primary target access the website or extranet of the second-level organization.

3. YOU DON’T NEED NUCLEAR WARHEADS TO BE TARGETED

Vendors of traditional security technologies point out that most of us aren’t running centrifuges for refining uranium or building strong authentication tokens that protect defense secrets. We are thus unlikely, they say, to be targeted by the types of malware that have grabbed headlines in the past couple of years.

But after this project, the author of this paper is convinced that those attacks are merely the tip of the iceberg made public. The quantity and variety of attackers and their widely differing goals and motivations are staggering. Combine that with the fact that you might be targeted even though you have no direct stake in their game (whatever it might be), other than a trusted relationship with someone who does. It is not an overstatement to say that any organization is a target and might already be compromised.

4. ALL IT TAKES IS ONE

To establish a beachhead inside an organization, attackers need to compromise only one system. Ironically, this means that organizations must protect every system.

Confidential discussions with victim organizations show that in the aftermath of an attack, victim organizations often identify a single unprotected system that enabled the attack to proceed to fruition.

The same thing is borne out in public incidents such as the code-signing debacle at Adobe. That attack was blamed on a single server used to digitally sign certain applications; this code-signing server was overlooked when the corporate standard security configuration was applied.

Organizations must implement controls and processes to verify and re-verify that every system—even those that seem unimportant—is fully protected. Doing so requires a defense-in-depth mentality and brings into question the wisdom of overreliance on “compensating controls” to justify leaving some systems less protected. For instance, supposedly air-gapped networks have been compromised by flash memory and removable media. Other systems have been left unhardened because they are on a “trusted” network.


5. APTS USE MANY METHODS TO ADVANCE ALONG THE KILL CHAIN

Once an advanced persistent threat (APT) embeds on the initial system and activates, it becomes much more difficult to stop the attack because of the confounding array of methods it can use to spread. Here are just a few examples, ranging from the highly advanced to the painfully simple:

1. The malware named Flame posed as a proxy server and Windows Update site to intercept attempts by other network computers to obtain security patches. Flame subsequently tricked those computers into installing malware that was digitally signed to look like legitimate updates.
2. One victim organization reported that an APT spread by dropping an autorun file into a shared folder that was the root of a mapped drive. The file was automatically executed by users who accessed the file server.

Thorough security configuration and attack-surface reduction can slow down embedded APTs, but there is no way to plug every hole through which they can spread. The key is to prevent untrusted software from executing in the first place.
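The autorun file in item 2 is a spread method an administrator can check for directly. The script below is an added illustration, not code from the paper or from Bit9: it audits a list of share roots for an autorun.inf file, parses the [autorun] section, and reports which commands the file would launch together with the SHA-256 of any referenced program present on the share, so the artifact can be pulled into the investigation and the catalog check before more users open the drive. The share paths, file names and autorun.inf content are constructed for the demonstration.

```python
"""Audit share roots for autorun.inf files (added example for lesson 5, item 2).

Not Bit9 code. Share paths, file names and autorun.inf content below are
constructed for the demonstration.
"""
import configparser
import hashlib
import os
import tempfile
from typing import Dict, List

# [autorun] keys whose value is a command run when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lower-cased key -> value map, or {} if absent.

    autorun.inf files are hand-written INI, so parsing is tolerant: duplicate keys
    are accepted, values may be empty, and the section name is matched
    case-insensitively ([AutoRun] and [autorun] both occur).
    """
    parser = configparser.RawConfigParser(allow_no_value=True, strict=False)
    parser.optionxform = str.lower  # key names are case-insensitive on Windows
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}  # no section header or otherwise unparseable: nothing to launch
    for section in parser.sections():
        if section.lower() == "autorun":
            return {key: (value or "").strip() for key, value in parser.items(section)}
    return {}


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Commands the autorun file would execute."""
    return [entries[key] for key in LAUNCH_KEYS if entries.get(key)]


def audit_share_roots(roots: List[str]) -> List[Dict[str, object]]:
    """Look for autorun.inf at the root of each share and describe what it launches."""
    findings: List[Dict[str, object]] = []
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue  # share offline or unreadable; a real run would report this too
        for name in names:
            if name.lower() != "autorun.inf":
                continue
            inf_path = os.path.join(root, name)
            with open(inf_path, "r", errors="replace") as handle:
                entries = parse_autorun(handle.read())
            targets = launch_targets(entries)
            referenced = []
            for command in targets:
                # The first token is the program; hash it if it sits on the share.
                program = command.split()[0]
                candidate = os.path.join(root, program)
                if os.path.isfile(candidate):
                    with open(candidate, "rb") as binary:
                        digest = hashlib.sha256(binary.read()).hexdigest()
                    referenced.append({"path": candidate, "sha256": digest})
            findings.append({"share": root, "autorun": inf_path,
                             "launches": targets, "referenced_files": referenced})
    return findings


# Constructed sample of what a dropped autorun.inf might contain; not a real capture.
SAMPLE_AUTORUN_INF = (
    "[AutoRun]\n"
    "open=setup.exe /s\n"
    "icon=setup.exe\n"
    "label=Shared Documents\n"
    "shellexecute=docs\\readme.exe\n"
)


def demo() -> List[Dict[str, object]]:
    """Build a throwaway 'share' holding the sample autorun.inf and audit it."""
    with tempfile.TemporaryDirectory() as share_root:
        with open(os.path.join(share_root, "autorun.inf"), "w") as handle:
            handle.write(SAMPLE_AUTORUN_INF)
        with open(os.path.join(share_root, "setup.exe"), "wb") as handle:
            handle.write(b"MZ constructed placeholder, not a real executable")
        return audit_share_roots([share_root])


if __name__ == "__main__":
    for finding in demo():
        print(finding["autorun"], "launches", finding["launches"])
        for ref in finding["referenced_files"]:
            print("  referenced file", ref["path"], ref["sha256"])
```

The hash in each finding is what you would look up against the approved-software catalog or a reputation service; a program referenced by a root-level autorun.inf that nobody in IT placed there is exactly the untrusted executable the rest of the paper argues should never have been allowed to run.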

6. YOUR EMPLOYEE HOME PCs ARE A THREAT

Plenty of attention is paid to the mobile-security risks of bring your own device (BYOD) computing. However, the threat of employees’ home PCs predates mobile devices and continues to be exploited by attackers. I discussed cases in which employees were specifically targeted via their social networking profiles or simply fell victim to a broadcast attack and then compromised their employers through their remote access.

This is a difficult vector to protect against, but organizations can take certain measures:

1. Limit remote access to trusted devices that are owned and controlled by the employer or through mobile-security technologies to which employees opt in.
2. Provide remote access to information via web or remote desktop instead of VPN, and require one-time passwords. This limits, to some extent, the options and access that are available to an attacker with control of an employee’s home PC.
3. Use network access-protection technologies that quarantine and verify the health of systems before they are allowed to connect to the internal network.

7. YOU DON’T REALIZE HOW DIRTY YOUR PCS ARE

Every organization that I spoke with at some point expressed surprise at how much software they found to be resident on their systems after deploying application-control technology. This was even true for a firm with a mature governance program, centralized software distribution, and managed endpoints. After activating application-control technology, this organization “found all kinds of crazy stuff.”

The lesson is that without hard technology controls, users will install software regardless of written policy. Uncontrolled software installation not only allows APTs to embed directly but also expands the attack surface through which they can initially infect an organization.


8. SERVERS NEED ADVANCED THREAT PROTECTION TOO

Initially, application control seems to be a user-endpoint issue, based on the assumption that servers are less vulnerable for two reasons:

• IT staff can be trusted not to install unneeded software and to refrain from dangerous activities such as browsing the web from servers.
• Servers are on the protected internal network.

And it’s true that sometimes attackers can realize their ultimate goal exclusively by using compromised end-user systems and normal network protocols to obtain desired information from relevant servers.

But several successful attacks that I had the opportunity to discuss depended on the execution of malicious code on the server itself—not just pulling information from that server. Moreover, public-facing websites are being targeted by attackers, but for different reasons than the rampant defacement of the 1990s. Preventing untrusted software from executing is the crucial second-level defense that can stop attacks from progressing past the initial exploitation of misconfigured systems and zero-day vulnerabilities.

Also, in security audits I have repeatedly seen servers on which inappropriate or vulnerable and unnecessary software was installed. The lesson here is the same as in the previous point: Without hard technology controls, users will install software regardless of written policy – including IT staff.

9. NEW TARGETING METHOD: “WATERING HOLES”

Spear phishing has been around for years and is still working well for attackers. But that hasn’t stopped them from developing new techniques for targeting users of targeted organizations.

In Africa, predators lie in wait around watering holes, knowing that sooner or later prey will need to come and drink. Similarly, attackers have realized that employees at a given organization will sooner or later visit certain predictable websites—the most obvious being the organization’s own website.

Therefore, it becomes desirable to compromise a company’s website. This is true even when the server is owned by some hosting provider, has no connection to the company’s network, or has no confidential information on it. The goal is simply to plant an APT loader and wait for members of the website’s organization to browse by.

The organization’s website is just one example of how watering holes can be used. Although that website might be under the control of the targeted organization, other potential watering holes (e.g., industry association websites) are not.


10. TRUSTING PERSONAL EMAIL ACCOUNTS FOR BUSINESS IS DANGEROUS

As users become aware of spear-phishing attacks, they are more careful about opening attachments or clicking on links in email messages. Attackers must trick users into thinking that an email message is safe. One way to do this is by taking advantage of the fact that many people use personal email accounts for business communication; for example, when their business email account is unavailable or inconvenient.

How can this practice be exploited? Users might not be surprised to receive an email from a colleague’s personal email account. They might willingly open attachments or follow links, which is the first crucial step in getting an APT started.

Through social networking sites, it’s easy to learn the names of workers and their colleagues. Even though personal email account passwords are often easy to guess, it isn’t even necessary for attackers to compromise a user’s real account. Attackers simply open a new account at Yahoo, Gmail, or Hotmail, using an email address that is similar to the name of the person they want to spoof. Attackers have gone so far as to note that an employee is on vacation from her posts on Facebook or Twitter and used that as an opportune time and plausible reason to email a business associate from the fake “personal” email account.
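The look-alike account described above leaves a trace a mail gateway can act on: a message from a consumer webmail domain whose address resembles a known employee. The heuristic below is an added example, not something the paper or Bit9 provides; the employee directory, the sender addresses and the webmail domain list are constructed. It normalizes the sender’s local part (dropping dots and digits, so jane.doe1984 compares as janedoe), builds the common address forms of each employee’s name, and flags close matches so the message can carry a warning banner or be held for review. Because a colleague’s genuine personal account matches just as well as an impostor’s, the output is a review queue, not a verdict, which is consistent with the lesson that business via personal accounts should be treated with suspicion either way.

```python
"""Flag inbound senders at free webmail domains that resemble an employee
(added example for lesson 10).

Not code from the paper or from Bit9. The directory, senders and domain list
below are constructed for the demonstration.
"""
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple

# The paper names Yahoo, Gmail and Hotmail; outlook.com is added here as an assumption.
FREE_WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}

# Constructed employee directory: (first name, last name).
SAMPLE_DIRECTORY: List[Tuple[str, str]] = [("Jane", "Doe"), ("Robert", "Lee")]

# Constructed inbound senders for the demonstration.
SAMPLE_SENDERS = [
    "jane.doe1984@yahoo.com",         # look-alike of Jane Doe
    "rlee@gmail.com",                 # look-alike of Robert Lee
    "newsletter@example-vendor.com",  # not a webmail domain: ignored
    "jdoe@hotmail.com",               # look-alike of Jane Doe
    "totallyunrelated@gmail.com",     # webmail, but resembles no employee
]


def normalize(text: str) -> str:
    """Lower-case and keep letters only, so 'J.Smith77' and 'jsmith' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def name_variants(first: str, last: str) -> List[str]:
    """Common ways a person's name appears as an address local part."""
    f, l = normalize(first), normalize(last)
    return [f + l, l + f, f[:1] + l, f + l[:1], l + f[:1]]


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical after normalization."""
    return SequenceMatcher(None, a, b).ratio()


def classify_sender(address: str, directory: List[Tuple[str, str]],
                    threshold: float = 0.85) -> Optional[Dict[str, object]]:
    """Return a finding if `address` is webmail and its local part resembles an employee."""
    local, _, domain = address.lower().rpartition("@")
    if domain not in FREE_WEBMAIL_DOMAINS:
        return None  # corporate or vendor domains are out of scope for this check
    local_norm = normalize(local)
    best_score, best_name, best_variant = 0.0, "", ""
    for first, last in directory:
        for variant in name_variants(first, last):
            score = similarity(local_norm, variant)
            if score > best_score:
                best_score, best_name, best_variant = score, f"{first} {last}", variant
    if best_score >= threshold:
        return {"sender": address, "resembles": best_name,
                "variant": best_variant, "score": round(best_score, 2)}
    return None


def scan_inbound(senders: List[str],
                 directory: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run the check over a batch of sender addresses and keep only the findings."""
    findings = []
    for sender in senders:
        finding = classify_sender(sender, directory)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for hit in scan_inbound(SAMPLE_SENDERS, SAMPLE_DIRECTORY):
        print(f"{hit['sender']} resembles {hit['resembles']} "
              f"(form {hit['variant']}, score {hit['score']})")
```

The threshold of 0.85 is a starting point; it catches digit and punctuation padding while leaving room for short names to produce accidental near-matches, so tune it against your own directory and measure the false-positive rate before enforcing anything stronger than a banner.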

11. WANT TO GET HACKED? FOCUS TOO MUCH ON HIGH-VALUE TARGETS

I’ve often heard chief information security officers (CISOs) talk about optimizing their defenses by concentrating on protecting “high-value targets”: servers with crucial information or executives with access to it. As logical as this might seem, it’s dangerous.

Most of the intrusions that I examined, both privately and in the news, were largely successful because the attackers began with low-value targets and worked along a kill chain of progressively higher-value assets.

You obviously want to identify and protect your most valuable assets, but no employee or system is an island. Every element is vulnerable to neighboring elements.

This lesson is similar to lesson #4. Today, you must do everything right.

12. APPLICATION CONTROL STOPS APTS; ANTIVIRUS DOESN’T

Signature-based antivirus might protect you against undirected attacks that use a wide net of known methods. But signature-based antivirus is reactive and increasingly outpaced by today’s attackers.

This is especially true with zero-day exploits. Software vendors sometimes seek to minimize the perceived risk of a new exploit by pointing out that it is not being widely exploited; rather, it is being used only in certain limited, targeted attacks. That is no comfort if your industry or organization is the one being targeted.

[Figure: “Optimize” versus “Protect Everything” (lesson 11); a business address shown beside a look-alike personal address at yahoo.com (lesson 10); the addresses are obscured in the source]


Application control is more effective at stopping APTs because it employs a completely different method to prevent malware from executing. This method is proactive and effective against unknown malware, not just those attacks that have already been identified.

One interview in particular drove home the effectiveness of application control. A Bit9 customer commented that they see malware (caught by whitelisting) that isn’t detected by their antivirus solution for days or even weeks afterwards.

13. APPLICATION CONTROL IS INCOMPLETE WITHOUT RMI DEFENSE

Originally, application control simply needed to prevent .exe files, DLLs, and other executable files from being executed by the operating system through normal application programming interfaces (APIs). Application-control solutions could simply hook into those APIs, verify the executable’s provenance and integrity, and block it if necessary.

In response, attackers developed new techniques to avoid dropping an executable file on the file system and loading it through normal means. One of the most effective at present is the reflective memory attack, which allows the attacker to inject malicious code into the memory of a trusted process and trigger its execution without any operations that give traditional application control or antivirus a chance to check the code.

To counter this approach, application-control vendors, including Bit9, have developed techniques for detecting and terminating processes that are compromised by reflective memory injection (RMI).

14. APPLICATION CONTROL CAN BE SUCCESSFUL IN ANY ENVIRONMENT

Early attempts at whitelisting technology gave application control a bad name because of these problems:

• The arduous task of cataloging all legitimate software and building rules to allow each file to run
• The unsustainable burden of keeping rules up to date as programs are patched and new software is added
• The backlash from users who are unable to get their work done due to applications that are blocked by incomplete rules
• The ever-present problem of how to handle the innumerable exceptions that inevitably arise

Those problems are solved by modern application-control solutions such as Bit9. Solutions come in the form of policy-based whitelisting, which includes grandfathered applications, phased implementation, extensive catalogs of known-good software, support for digital signatures, and the concept of trusted updaters.

One conversation that I had with a Bit9 customer proves that whitelisting can be successful in any environment with modern application control such as Bit9. This organization has a large software-development staff that generates tens of thousands of new files every week. The challenge of implementing whitelisting on developer PCs and other computers that run production copies of frequently updated, internally developed software would frighten many infosec professionals, leading to exceptions and a population of unprotected systems.

This organization, however, carefully identified the compilers and developer tools that were used to generate executables. It created trusted-updater rules that cause Bit9 to automatically trust new programs created and executed on developer systems. To allow the same programs to run on other systems, the organization worked with developers to ensure that their compilers were configured to digitally sign executables when built for release to production. In this way, the company enjoys 100-percent coverage with application control and thus prevents untrusted software from executing on any system.

Another Bit9 customer was sensitive to the fact that it has a large population of knowledge workers and power users who need the ability to run many more tools than average users. To successfully implement whitelisting without alienating users or hurting productivity, this organization has implemented an internal “app store” in which it endeavors to provide approved, trusted tools for any job. Whenever a user comes to IT with a legitimate need for an application that isn’t yet available, IT doesn’t just vet the tool and grant that user an exception. Rather, IT publishes the tool through the app store to pre-empt the same process from occurring when the next user encounters the same need. Modern application control is effective and practical and stays out of the way of business.

THE BIT9 TRUST-BASED SECURITY PLATFORM

The Bit9 Security Platform is the only next-generation endpoint and server security solution that continuously monitors and records all activity on endpoints and servers and stops cyber threats that evade traditional security defenses. Bit9’s real-time sensor and recorder and cloud-based services provide actionable intelligence within days of implementation, and Bit9’s real-time enforcement engine delivers the most proactive and reliable form of endpoint and server security. This combination gives organizations immediate visibility into everything running on their endpoints and servers; real-time signature-less detection of and protection against advanced threats; and a recorded history of all endpoint and server activity for deep forensics. Security teams use Bit9’s integration with network security devices such as FireEye and Palo Alto Networks to accelerate incident response and ensure all files arriving on endpoints and servers are safe. Bit9 has stopped the most advanced attacks, including Flame, Gauss and the malware responsible for the RSA breach. 1,000 organizations worldwide – from 25 Fortune 100 companies to small businesses – use Bit9 to increase security, reduce operational costs and improve compliance.

CORE TECHNOLOGIES

TRUST

At the core of the Bit9 solution is a policy-driven trust engine, in which you specify the software that you trust to run in your enterprise; everything else is suspect or denied by default. You define the software that you trust using a policy-based approach that includes trusted publishers, software-distribution systems, users, updaters, and more. You also can use the file trust ratings in the Bit9 Software Reputation Service to set thresholds if you allow users to download and install their own software. These trust policies drive the application-control and whitelisting engine in Bit9. This engine detects any untrusted software that enters your environment and protects you by stopping its execution.
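Lessons 12 through 14 and the Trust section above describe one decision procedure from different angles: a file may run only if some trust rule vouches for it (a hash in the approved catalog, a signature from a trusted publisher, creation by a trusted updater such as a compiler or software-distribution agent, or a reputation rating above a threshold), and everything else is denied by default. The engine below is an added example, not Bit9’s implementation or code; the policy contents, file events, publisher name, process names and rating values are constructed. It also walks through the developer scenario from lesson 14: an unsigned build is trusted on the developer PC where the linker wrote it, the same bytes are blocked when copied to a server by an ordinary process, and the release build is allowed on the server once it is signed by the trusted publisher.

```python
"""Policy-driven default-deny trust engine (added example for lessons 12-14
and the Trust section).

Not Bit9's code. Publisher names, process names, paths and ratings are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class FileEvent:
    """What a host sensor would report about a file that is about to execute."""
    path: str
    content: bytes
    publisher: Optional[str]   # subject of a valid code-signing certificate, None if unsigned
    created_by: Optional[str]  # process that wrote the file on this host, recorded locally
    reputation: Optional[int]  # 0-100 cloud trust rating, None if the file was never seen


@dataclass
class TrustPolicy:
    approved_hashes: Set[str] = field(default_factory=set)     # known-good catalog (SHA-256)
    trusted_publishers: Set[str] = field(default_factory=set)  # signers whose output may run
    trusted_updaters: Set[str] = field(default_factory=set)    # processes whose output may run
    reputation_threshold: Optional[int] = None                 # None disables reputation allow


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(policy: TrustPolicy, event: FileEvent) -> Tuple[str, str]:
    """Return ("ALLOW" | "BLOCK", reason).

    Rules are checked in order and the last rule is default deny, so a file that
    matches no trust attribute is blocked even when antivirus has no signature for it.
    """
    digest = sha256_hex(event.content)
    if digest in policy.approved_hashes:
        return "ALLOW", f"hash {digest[:12]}... is in the approved catalog"
    if event.publisher and event.publisher in policy.trusted_publishers:
        return "ALLOW", f"signed by trusted publisher {event.publisher}"
    if event.created_by and event.created_by in policy.trusted_updaters:
        # Updater trust is local to this host: the same bytes copied elsewhere arrive
        # via a different process and must qualify on their own (lesson 14's signing step).
        return "ALLOW", f"written by trusted updater {event.created_by}"
    if (policy.reputation_threshold is not None and event.reputation is not None
            and event.reputation >= policy.reputation_threshold):
        return "ALLOW", f"reputation {event.reputation} meets threshold {policy.reputation_threshold}"
    return "BLOCK", "untrusted by default"


# Constructed policy and events for the demonstration.
SAMPLE_POLICY = TrustPolicy(
    approved_hashes={sha256_hex(b"MZ constructed bytes of an inventoried tool")},
    trusted_publishers={"CN=Example Corp Release Signing"},   # hypothetical signer
    trusted_updaters={"cl.exe", "link.exe", "msiexec.exe"},  # compiler, linker, distribution
    reputation_threshold=80,
)

DEV_BUILD = b"MZ constructed bytes of an unsigned internal build"
SIGNER = "CN=Example Corp Release Signing"

SAMPLE_EVENTS: Dict[str, FileEvent] = {
    "inventoried_tool": FileEvent(r"C:\Tools\inv.exe",
                                  b"MZ constructed bytes of an inventoried tool",
                                  None, "explorer.exe", None),
    "dev_build_on_dev_pc": FileEvent(r"C:\src\out\app.exe", DEV_BUILD, None, "link.exe", None),
    "dev_build_copied_to_srv": FileEvent(r"D:\apps\app.exe", DEV_BUILD, None, "explorer.exe", None),
    "signed_release_on_srv": FileEvent(r"D:\apps\app.exe",
                                       b"MZ constructed bytes of a signed release build",
                                       SIGNER, "explorer.exe", None),
    "well_known_download": FileEvent(r"C:\Users\a\Downloads\viewer.exe",
                                     b"MZ constructed bytes of a widely seen installer",
                                     None, "chrome.exe", 93),
    "never_seen_dropper": FileEvent(r"C:\Users\a\AppData\Local\Temp\update_helper.exe",
                                    b"MZ constructed bytes never seen before",
                                    None, "winword.exe", 5),
}


def demo_decisions() -> Dict[str, str]:
    """Evaluate every sample event and return name -> decision."""
    return {name: evaluate(SAMPLE_POLICY, event)[0] for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        decision, reason = evaluate(SAMPLE_POLICY, event)
        print(f"{decision:5} {name:25} {reason}")
```

The order of the rules matters less than the final line: because the last rule is an unconditional block, adding a new trust attribute widens what runs without ever reopening the default, which is the property that lets the lesson 12 customer catch malware days before a signature exists for it.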

REAL-TIME SENSOR AND RECORDER

After you place Bit9’s lightweight real-time sensor and recorder on every endpoint, server, and fixed-function device, you’ll have immediate visibility from a single console into the files, executions, devices, and crucial system resources on every machine. Bit9’s always-on sensor watches the arrival and (attempted) execution of files, memory violations, process behavior, registry settings, attached devices, file changes, and more. This sensor is the key to Bit9’s real-time detection, protection, and forensics.

BIT9 CLOUD SERVICES

Bit9’s cloud-based Software Reputation Service constantly crawls the Internet looking for software and calculates a trust rating for it, based on attributes such as its age, prevalence, publisher, source, results of antivirus scans, and more. Bit9 also uses threat-intelligence feeds, including one from a leading Internet research company’s malware hash registry, to identify malicious and suspicious files. You’ll have access to all this information through the cloud-based Bit9 Software Reputation Service, which contains billions of records and is the world’s most reliable source of software trust.

Bit9’s Threat Indicator Service provides updates and additions to the Advanced Threat Indicators (ATI) that the Bit9 Security Platform uses to detect advanced threats and zero-day attacks. These ATIs detect advanced threats by using a completely different approach than signature-based blacklisting technology, which is inadequate in today’s environment.

FOUR MAJOR CAPABILITIES

VISIBILITY

Know what’s running on every computer—right now.

From a single console, Bit9 gives you immediate visibility—without any scanning or polling—into the files, executions, and crucial system resources on every machine that is protected by Bit9. This visibility increases your security posture by giving you the confidence that comes from knowing what has arrived and executed on every system in your company.

DETECTION

Use real-time detection of advanced threats and zero-day attacks.

Bit9 detects advanced threats, zero-day attacks, and other malware that evades blacklisting and signature-based detection tools. Bit9’s trust-based approach combines real-time sensors, ATI, and the Bit9 Software Reputation Service to immediately detect advanced threats and malware. No waiting for signature file updates. No testing and updating .dat files. Just immediate, proactive detection.

PROTECTION

Stop all untrusted software from executing.

Bit9’s proactive, trust-based security solution enables you to define the software that you trust to run in your organization. Everything else is denied by default. This stops advanced threats and other forms of malware—including targeted, customized attacks that are unique to your organization.

FORENSICS

A full audit trail accelerates analysis and response.

When you suspect a threat incident, Bit9 provides the information that you need to analyze, scope, contain, and remediate the problem. You can “go back in time” to see what happened, understand what is happening right now, isolate untrusted software, and determine the trust rating for any file.

Methods for preventing malware from being delivered to endpoints are limited and will only be partially successful. Detecting APTs once they are operational on the network is equally problematic. But between those two events is a golden opportunity to leverage application whitelisting. Bit9 enables you to seize this opportunity and stop APTs in their tracks before they execute – without getting in the way of business.

ABOUT RANDY FRANKLIN SMITH

Randy Franklin Smith is an internationally recognized expert who specializes in the security and control of Windows and Active Directory. Randy publishes www.UltimateWindowsSecurity.com and wrote The Windows Server 2008 Security Log Revealed – the only book devoted to the Windows security log. Randy is the creator of LOGbinder software, which makes cryptic application logs understandable and available to log-management and SIEM solutions. As a Certified Information Systems Auditor, Randy performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations. Randy is also a Microsoft Security Most Valuable Professional.

DISCLAIMER

UltimateWindowsSecurity.com is operated by Monterey Technology Group, Inc. Monterey Technology Group, Inc. and Bit9 make no claim that use of this whitepaper will assure a successful outcome. Readers use all information within this document at their own risk.