APT Confidential: 14 Lessons Learned from Real Attacks

In this unprecedented time of cyber attacks, information about attacker methods is difficult to obtain unless you are the victim, and that is too late. Analysts at Bit9 have frequent opportunities to investigate intrusions and work with customers to examine the malware used by attackers. This paper details lessons learned from extensive interviews with security analysts at Bit9, Bit9 customers, and others.

A common thread that emerged was the difficulty of preventing the delivery of APT malware to systems or of quickly detecting the attack once the malware was active. In between those two events, however, there is a golden opportunity to stop the attack in its tracks by leveraging trust-based security technology.

Sponsored by Bit9
© 2013 Bit9 Inc. and Monterey Technology Group, Inc. All rights reserved
1. YOU ARE UP AGAINST 3 TYPES OF ATTACKERS
To appreciate the level of risk that all organizations
face from cyber-attacks, you need to understand the
three types of attackers, their motivations, and their
methods.
CRIMINAL ORGANIZATIONS
Criminal organizations, often associated with Eastern
Europe, can benefit from breaking into nearly any
organization’s or individual’s network or system.
Criminal organizations are primarily looking for
information that can be used to steal money, the
most obvious being credit card numbers, credentials
to bank accounts, and personal identity information
that can be used to open fraudulent credit accounts.
But there are many other ways to profit via cyber-attacks. In today’s efficient cyber-crime marketplace, some criminals simply focus on penetrating networks and
selling access to those networks to other criminals, who then use that access for their own purposes. Others
specialize in building malware components.
Nearly any person or organization can be victimized, and criminal organizations cast a wide net using spam and
other broad methods. Generally, their efforts are less targeted than those of the other two types of attackers.
But when presented with opportunities such as inside knowledge, criminals happily change tactics and launch
focused attacks on a single organization or industry. Some industries, such as the financial sector, are responding
by organizing security information-sharing initiatives.
We are late to the race in this regard. Criminals have already built an efficient black market for malware, stolen
credentials, bot networks, vulnerable systems, and information on possible targets. Information-sharing efforts
are crucial to keeping up with advances by attackers.
NATION STATES
Nation states actively target organizations around the world for a host of economic, trade, defense, and political
reasons.
Nation states that are trying to control information about their regimes or treatment of their citizens target any
organization that might have contacts to dissidents and opposition groups. This includes human rights groups as
well as any non-governmental organizations (NGOs) or religious or aid organizations that such states perceive as
threats.
As shown by recent incidents at The New York Times, countries are willing to make relatively overt and aggressive
attacks on news organizations in response to bad publicity and to discover reporter information sources.
[Figure: the three attacker types: Criminal, Hacktivist, Nation State]
Defense contractors are obvious targets and are well aware of this fact. But executives of other organizations are
often surprised to learn that they have been targeted and why.
Any organization that does business with certain nation states can expect to be targeted. The prevailing
philosophy apparently holds that the more information one has about one’s business partners, the more effective
one can be at the negotiating table.
Any organization in an industry in which a nation state has economic interest is also a target. Many industries are
included because countries such as China are trying to enter new markets or have a shortage in the many natural
resources and materials necessary to sustain their growth. Nation states might try to steal technology even in
mundane areas, such as rubber formulas for tires. Or they might look for business data to anticipate or influence
market dynamics.
In the final analysis, nearly any organization can come to the attention of a nation state that simply lacks an
expectation of fair play and competition.
HACKTIVISTS
In this paper, the term hacktivists is used to identify groups that launch cyber-attacks against any organization of
which they disapprove in relation to a cause, value, or conflict between groups.
Again, organizations are frequently surprised when they provoke the ire of hacktivists. A corporation might
terminate dealings with a controversial customer, seeking merely to avoid possible criminal charges or public
relations fallout. The corporation might have no agenda other than abiding by its terms of service and making
business decisions that management believes to be in the best interests of shareholders. Nevertheless, hacktivists
might punish the company for not taking up their cause.
In such an environment, there is no way to be perceived as neutral by all sides nor to avoid making at least one
interest angry. At that point, you might become the target of denial of service (DoS) attacks, data-destruction
efforts, or even attempts to steal your private information so as to post it on public websites, for no other reason
than to punish you. Such nihilistic motivations create risks to information that would not otherwise be targeted by
classic attacker types that are out for some type of traditional gain.
2. PARTNER ORGANIZATIONS CAN BE COLLATERAL DAMAGE
Other organizations are being targeted—organizations that
• Do not have the desired information
• Are not involved in the targeted industry or activities
Nation states, in particular, are patient and have long-term, strategic
goals. Knowing that their ultimate target is already on its guard and has
shored up its own defenses, many attackers target second- or third-level
organizations that interact with the primary target, whether that is a government
agency, defense contractor, human rights or aid organization, or corporation with
economic value. An example of such a second-level organization is an ordinary company
that provides maintenance supplies to the organization of interest.
Note the phrase “interact with” in the previous paragraph, an action that is more generic than “doing business
with” in the commercial sense. Firms in the financial sector, for example, have been targeted through emails that
were apparently sent from compromised PCs in state or municipal regulatory agencies.
Attackers target second-level organizations with many possible goals—both technical and otherwise:
1. Exploit the list of contacts that the second-level organization has at the primary target.
2. Send spear-phishing emails that appear to be from a business partner or other trusted entity.
3. Gain access to the primary target’s network through trusted network links or remote access credentials.
4. Gain any possible information about the primary target.
5. Plant malware that will be picked up when individuals at the primary target access the website or extranet
of the second-level organization.
3. YOU DON’T NEED NUCLEAR WARHEADS TO BE TARGETED
Vendors of traditional security technologies point out that most of us aren’t running centrifuges for refining
uranium or building strong authentication tokens that protect defense secrets. We are thus unlikely, they say, to
be targeted by the types of malware that have grabbed headlines in the past couple years.
But after this project, the author of this paper is convinced that those attacks are merely the tip of the iceberg
made public. The quantity and variety of attackers and their widely differing goals and motivations is staggering.
Combine that with the fact that you might be targeted even though you have no direct stake in their game
(whatever it might be), other than a trusted relationship with someone who does. It is not an overstatement to
say that any organization is a target and might already be compromised.
4. ALL IT TAKES IS ONE
To establish a beachhead inside an organization, attackers need to compromise only one
system. Ironically, this means that organizations must protect every system.
Confidential discussions with victim organizations show that in the aftermath of an
attack, victim organizations often identify a single unprotected system that enabled the
attack to proceed to fruition.
The same thing is borne out in public incidents such as the code-signing debacle at
Adobe. That attack was blamed on a single server used to digitally sign certain
applications; this code signing server was overlooked in terms of applying the
corporate standard security configuration.
Organizations must implement controls and processes to verify and re-verify that every
system—even those that seem unimportant—is fully protected. Doing so requires a
defense-in-depth mentality and brings into question the wisdom of overreliance on
“compensating controls” to justify leaving some systems less protected. For instance,
supposedly air-gapped networks have been compromised by flash memory and
removable media. Other systems have been left unhardened because they are on a
“trusted” network.
5. APTS USE MANY METHODS TO ADVANCE ALONG THE KILL CHAIN
Once an advanced persistent threat (APT) embeds on the initial system and activates, it becomes much more
difficult to stop the attack because of the confounding array of methods it can use to spread. Here are just a few
examples, ranging from the highly advanced to the painfully simple:
1. The malware named Flame posed as a proxy server and Windows Update site to intercept attempts by
other network computers to obtain security patches. Flame subsequently tricked those computers into
installing malware that was digitally signed to look like legitimate updates.
2. One victim organization reported that an APT spread by dropping an autorun file into a shared folder that
was the root of a mapped drive. The file was automatically executed by users who accessed the file
server.
Thorough security configuration and attack-surface reduction can slow down embedded APTs, but there is no way
to plug every hole through which they can spread. The key is to prevent untrusted software from executing in the
first place.
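The second example above (an autorun file planted in the root of a shared folder) is easy to audit for on the file server side. The script below is an added illustration and is not code from the paper or from Bit9: it walks the local directories behind exported shares, finds any autorun.inf sitting directly in a share root, and reports which directives in it would launch something. The sample autorun.inf and the share paths are constructed for the demonstration; the executable name in it is made up. This is a detection check only; the paper's point stands that the durable fix is preventing untrusted software from executing at all.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample: the kind of autorun.inf that lesson 5 describes being
# dropped into the root of a shared folder that users map as a drive letter.
# The executable name is invented for the demonstration.
SAMPLE_AUTORUN = """[autorun]
open=setup_update.exe
icon=shell32.dll,4
"""

# autorun.inf keys that cause something to be launched, as opposed to keys
# that merely customise the icon or label shown for the drive.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return the launch directives found in an autorun.inf body.

    autorun.inf uses INI syntax with an [autorun] section (case-insensitive).
    A file that cannot be parsed is reported rather than ignored: it is still
    a file that someone chose to plant in a share root.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return {"parse_error": str(exc)}
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    # ConfigParser lower-cases option names by default, so "Open" matches "open".
    return {k: v for k, v in parser[section].items() if k in LAUNCH_KEYS}


def audit_share_roots(roots):
    """Report every autorun.inf sitting directly in a share root.

    `roots` is an iterable of local directory paths that back the shares
    exported to users (assumption: the caller knows those paths). Roots that
    do not exist are skipped so one stale entry does not abort the audit.
    """
    findings = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for entry in root.iterdir():
            if entry.is_file() and entry.name.lower() == "autorun.inf":
                body = entry.read_text(errors="replace")
                findings.append({
                    "share": str(root),
                    "file": str(entry),
                    "launches": parse_autorun(body),
                })
    return findings


def demo():
    """Build a throw-away share root containing the sample file and audit it."""
    with tempfile.TemporaryDirectory() as share:
        # Mixed case on purpose: the check must not depend on the file name's case.
        (Path(share) / "AUTORUN.INF").write_text(SAMPLE_AUTORUN)
        (Path(share) / "readme.txt").write_text("ordinary content\n")
        return audit_share_roots([share, "/nonexistent/share"])


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['file']}: launches {finding['launches']}")
```

Run it on a schedule against the real share roots and alert on any non-empty result; an autorun.inf in a share root that nobody in IT put there is worth an incident ticket regardless of what it points at.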
6. YOUR EMPLOYEE HOME PCs ARE A THREAT
Plenty of attention is paid to the mobile-security risks of bring your own device (BYOD) computing. However, the
threat of employees' home PCs predates mobile devices and continues to be exploited by attackers. I discussed
cases in which employees were specifically targeted via their social networking profile or simply fell victim to a
broadcast attack and then compromised their employers through their remote access.
This is a difficult vector to protect against, but organizations can take certain measures:
1. Limit remote access to trusted devices that are owned and controlled by the employer or through mobile-security technologies to which employees opt in.
2. Provide remote access to information via web or remote desktop instead of VPN, and require one-time
passwords. This limits, to some extent, the options and access that are available to an attacker with
control of an employee’s home PC.
3. Use network access-protection technologies that quarantine and verify the health of systems before they
are allowed to connect to the internal network.
7. YOU DON’T REALIZE HOW DIRTY YOUR PCS ARE
Every organization that I spoke with at some point expressed surprise at how much software they found, after
deploying application control technology, to be resident on their systems. This was even true for a firm with a
mature governance program, centralized software distribution, and managed endpoints. After activating
application-control technology, this organization “found all kinds of crazy stuff.”
The lesson is that without hard technology controls, users will install software regardless of written policy.
Uncontrolled software installation not only allows APTs to directly embed but also expands the attack surface
through which they can initially infect an organization.
8. SERVERS NEED ADVANCED THREAT PROTECTION TOO
Initially, application control seems to be a user endpoint issue, based on the assumption that servers are less
vulnerable for two reasons:
• IT staff can be trusted not to install unneeded software and to refrain from dangerous activities such as browsing the web from servers.
• Servers are on the protected internal network.
And it’s true that sometimes attackers can realize their ultimate goal exclusively through using compromised end-user systems and normal network protocols to obtain desired information from relevant servers.
But several successful attacks that I had the opportunity to discuss depended on the execution of malicious code
on the server itself—not just pulling information from that server. Moreover, public-facing websites are being
targeted by attackers but for different reasons than the rampant defacement in the 1990s. Preventing untrusted
software from executing is the crucial second-level defense that can stop attacks from progressing past the initial
exploitation of misconfigured systems and zero-day vulnerabilities.
Also, in security audits I have repeatedly seen servers on which inappropriate or vulnerable and unnecessary
software was installed. The lesson here is the same as in the previous point: Without hard technology controls,
users will install software regardless of written policy – including IT staff.
9. NEW TARGETING METHOD: “WATERING HOLES”
Spear phishing has been around for years and is still working well for attackers. But that hasn’t stopped them from
developing new techniques for reaching the users of the organizations they target.
In Africa, predators lie in wait around watering holes, knowing that sooner or later
prey will need to come and drink. Similarly, attackers have realized that
employees at a given organization will sooner or later visit certain
predictable websites—the most obvious being the organization’s own
website.
Therefore, it becomes desirable to compromise a company’s
website. This is true even when the server is owned by some hosting
provider, has no connection to the company’s network, or has no confidential
information on it. The goal is simply to plant an APT loader and wait for
members of the website’s organization to browse by.
The organization’s website is just one example of how watering holes can be used. Although that website might
be under the control of the targeted organization, other potential watering holes (e.g., industry association
websites) are not.
10. TRUSTING PERSONAL EMAIL ACCOUNTS FOR BUSINESS IS DANGEROUS
As users become aware of spear-phishing attacks, they are more careful about
opening attachments or clicking on links in email messages. Attackers must trick
users into thinking that an email message is safe. One way to do this is by taking
advantage of the fact that many people use personal email accounts for
business communication; for example, when their business email account is
unavailable or inconvenient.
How can this practice be exploited? Users might not be surprised to
receive an email from a colleague’s personal email account. They might
willingly open attachments or follow links, which is the first crucial step in
getting an APT started.
Through social networking sites, it’s easy to learn the names of workers and their colleagues. Even though
personal email account passwords are often easy to guess, it isn't even necessary for attackers to compromise a
user’s real account. Attackers simply open a new account at Yahoo, Gmail, or Hotmail, using an email address that
is similar to the name of the person they want to spoof. Attackers have gone so far as to note that the employee is
on vacation from her posts on Facebook or Twitter and used that as an opportune time and plausible reason to
email a business associate from the fake "personal" email account.
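The spoofing described in this lesson can be triaged at the mail gateway. The script below is an added illustration, not code from the paper or from Bit9: it classifies From: headers against an employee directory and flags senders at free webmail providers whose display name, or whose mailbox name, matches an employee but whose address is not one the employee has registered with IT. The corporate domain, the directory, the registered personal addresses and the sample headers are all constructed; the idea of keeping a register of employees' known personal addresses is an assumption of this example, not something the paper proposes.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                       # constructed
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}

# Constructed directory. The "personal" set is an assumption of this example:
# the paper only observes that staff use personal accounts for business;
# registering those addresses is what lets a lookalike be told from the real one.
DIRECTORY = {
    "jane doe": {"personal": {"jdoe.home@gmail.com"}},
    "raj patel": {"personal": set()},
}

# Constructed sample headers covering each verdict the classifier can give.
SAMPLE_FROM_HEADERS = [
    '"Jane Doe" <jane.doe.2013@yahoo.com>',      # lookalike of an employee
    '"Jane Doe" <jdoe.home@gmail.com>',          # the registered personal account
    '"Raj Patel" <raj.patel@example.com>',       # ordinary internal mail
    "rajpatel88@hotmail.com",                    # no display name, name in mailbox
    '"Newsletter" <news@vendor.example.net>',    # unrelated external sender
]


def _norm(text):
    return re.sub(r"[^a-z ]", "", text.lower()).strip()


def _letters(text):
    return re.sub(r"[^a-z]", "", text.lower())


def _match_employee(display, local_part):
    """Return the employee this sender appears to be, or None.

    Exact match on the display name first; otherwise compare the letters of the
    mailbox name against each employee name, so "raj.patel88" still maps to
    Raj Patel even when the attacker leaves the display name blank.
    """
    name = _norm(display)
    if name in DIRECTORY:
        return name
    for emp in DIRECTORY:
        if SequenceMatcher(None, _letters(emp), _letters(local_part)).ratio() >= 0.8:
            return emp
    return None


def classify_sender(from_header):
    """Classify one From: header.

    Verdicts: corporate, unmatched, known-personal, lookalike-personal,
    external-name-match. The last two deserve a warning banner or quarantine.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local_part, _, domain = addr.partition("@")
    if domain == CORPORATE_DOMAIN:
        return "corporate"
    emp = _match_employee(display, local_part)
    if emp is None:
        return "unmatched"
    if domain in FREE_WEBMAIL:
        if addr in DIRECTORY[emp]["personal"]:
            return "known-personal"
        return "lookalike-personal"
    return "external-name-match"


def triage(headers=SAMPLE_FROM_HEADERS):
    """Return (header, verdict) pairs for a batch of From: headers."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage():
        print(f"{verdict:22s} {header}")
```

The similarity threshold is a tuning knob: lower it and more legitimate external contacts with common names get flagged, raise it and digit-padded lookalikes slip through. The real defence the lesson points to is the verdict "lookalike-personal" itself: a colleague writing from an unregistered webmail address about a business matter should be treated as untrusted until confirmed out of band.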
11. WANT TO GET HACKED? FOCUS TOO MUCH ON HIGH-VALUE TARGETS
I’ve often heard chief information security officers (CISOs) talk about optimizing their defenses by concentrating on
protecting “high-value targets”: servers with crucial information or executives with access to it. As logical as this
might seem, it’s dangerous.
Most of the intrusions that I examined both privately and in the
news were largely successful because the attackers began with
low-value targets and worked along a kill chain of progressively
higher value assets.
You obviously want to identify and protect your most valuable
assets, but no employee or system is an island. Every element
is vulnerable to neighboring elements.
This lesson is similar to lesson #4. Today, you must do everything
right.
12. APPLICATION CONTROL STOPS APTS; ANTIVIRUS DOESN’T
Signature-based antivirus might protect you against undirected attacks that use a wide net of known methods. But
signature-based antivirus is reactive and increasingly outpaced by today’s attackers.
This is especially true with zero-day exploits. Software vendors sometimes seek to minimize the perceived risk of a
new exploit by pointing out that it is not being widely exploited; rather, it is being used only in certain limited,
targeted attacks. That is no comfort if your industry or organization is the one being targeted.
[Figure: a real personal email address beside a lookalike address at @yahoo.com; the addresses were redacted in extraction]
[Figure: “Optimize” versus “Protect Everything”]
Application control is more effective at stopping APTs because it employs a completely different method to
prevent malware from executing. This method is proactive and effective against unknown malware, not just those
attacks that have already been identified.
One interview in particular drove home the effectiveness of application control. A Bit9 customer commented that
they see malware (caught by whitelisting) that isn’t detected by their antivirus solution for days or even weeks
afterwards.
13. APPLICATION CONTROL IS INCOMPLETE WITHOUT RMI DEFENSE
Originally, application control simply needed to prevent .exe files, DLLs, and other executable files from being
executed by the operating system through normal application programming interfaces (APIs). Application control
solutions could simply hook into those APIs, verify the executable’s provenance and integrity, and block it if
necessary.
In response, attackers developed new techniques to avoid dropping an executable file on the file system and
loading it through normal means. One of the most effective at present is the reflective memory attack, which allows
the attacker to inject malicious code into the memory of a trusted process and trigger its execution without any
operations that give traditional application control or antivirus a chance to check the code.
To counter this approach, application-control vendors, including Bit9, have developed techniques for detecting and
terminating processes that are compromised by reflective memory injection.
14. APPLICATION CONTROL CAN BE SUCCESSFUL IN ANY ENVIRONMENT
Early attempts at whitelisting technology gave application control a bad name because of these problems:
• The arduous task of cataloging all legitimate software and building rules to allow each file to run
• The unsustainable burden of keeping rules up to date as programs are patched and new software added
• The backlash from users who are unable to get their work done due to applications that are blocked by incomplete rules
• The ever-present problem of how to handle the innumerable exceptions that inevitably arise
Those problems are solved by modern application-control solutions such as Bit9. Solutions come in the form of
policy-based whitelisting, which includes grandfathered applications, phased implementation, extensive catalogs
of known good software, support for digital signatures, and the concept of trusted updaters.
One conversation that I had with a Bit9 customer proves that whitelisting can be successful in any environment
with modern application control such as Bit9. This organization has a large software-development staff that
generates tens of thousands of new files every week. The challenge of implementing whitelisting on developer PCs
and other computers that run production copies of frequently updated, internally developed software would
frighten many infosec professionals, leading to exceptions and a population of unprotected systems.
This organization, however, carefully identified the compilers and developer tools that were used to generate
executables. It created trusted updater rules that cause Bit9 to automatically trust new programs created and
executed on developer systems. To allow the same programs to run on other systems, the organization worked
with developers to ensure that their compilers were configured to digitally sign executables when built for release
to production. In this way, the company enjoys 100-percent coverage with application control and thus prevents
untrusted software from executing on any system.
Another Bit9 customer was sensitive to the fact it has a large population of knowledge workers and power users
who need the ability to run many more tools than average users. To successfully implement whitelisting without
alienating users or hurting productivity, this organization has implemented an internal “app store” in which it
endeavors to provide approved, trusted tools for any job. Whenever a user comes to IT with a legitimate need for
an application that isn’t yet available, IT doesn’t just vet the tool and grant that user an exception. Rather, IT
publishes the tool through the app store to pre-empt the same process from occurring when the next user
encounters the same need. Modern application control is effective and practical and stays out of the way of
business.
THE BIT9 TRUST-BASED SECURITY PLATFORM
The Bit9 Security Platform is the only next-generation endpoint and server security solution that continuously
monitors and records all activity on endpoints and servers and stops cyber threats that evade traditional security
defenses. Bit9’s real-time sensor and recorder and cloud-based services provide actionable intelligence within days
of implementation, and Bit9’s real-time enforcement engine delivers the most proactive and reliable form of
endpoint and server security. This combination gives organizations immediate visibility to everything running on
their endpoints and servers; real-time
signature-less detection of and protection against advanced threats; and a recorded history of all endpoint and
server activity for deep forensics. Security teams use Bit9’s integration with network security devices such as
FireEye and Palo Alto Networks to accelerate incident response and ensure all files arriving on endpoints and
servers are safe. Bit9 has stopped the most advanced attacks, including Flame, Gauss and the malware responsible
for the RSA breach. 1,000 organizations worldwide – from 25 Fortune 100 companies to small businesses – use
Bit9 to increase security, reduce operational costs and improve compliance.
CORE TECHNOLOGIES
TRUST
At the core of the Bit9 solution is a policy-driven trust engine, in which you specify the software that you trust to
run in your enterprise; everything else is suspect or denied by default. You define the software that you trust,
using a policy-based approach that includes trusted publishers, software-distribution systems, users, updaters, and
more. You also can use the file trust ratings in the Bit9 Software Reputation Service to set thresholds if you allow
users to download and install their own software. These trust policies drive the application-control and whitelisting
engine in Bit9. This engine detects any untrusted software that enters your environment and protects you by
stopping its execution.
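The policy-driven trust engine described here, and the trusted-updater and signed-release arrangement from lesson 14, reduce to an ordered set of trust rules with deny as the default. The code below is an added illustration of that decision logic and is not Bit9's code or a description of its internals: it grandfathers an inventory baseline, then evaluates file events against approved hashes, trusted publishers, trusted updaters and an optional reputation threshold. Every hash, process name, publisher name, policy and the 0-100 reputation scale is constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    """A file arriving or attempting to execute on an endpoint (fields are constructed)."""
    path: str
    sha256: str
    publisher: Optional[str]      # subject of a valid code-signing signature, else None
    writer: str                   # process that created the file (compiler, updater, mail client...)
    reputation: Optional[int]     # 0-100 rating from a reputation service; the scale is assumed


@dataclass
class TrustPolicy:
    approved_hashes: frozenset     # grandfathered baseline plus explicit approvals
    trusted_publishers: frozenset  # signers whose binaries may run on any system
    trusted_updaters: frozenset    # processes whose output is trusted on this system
    allow_reputation: bool         # may users install software on their own?
    reputation_threshold: int      # minimum rating when they may


def grandfather(inventory):
    """Baseline step: everything present at deployment becomes an approved hash."""
    return frozenset(ev.sha256 for ev in inventory)


def evaluate(event, policy):
    """First matching trust rule wins; anything that matches nothing is denied."""
    if event.sha256 in policy.approved_hashes:
        return ("allow", "approved-hash")
    if event.publisher is not None and event.publisher in policy.trusted_publishers:
        return ("allow", "trusted-publisher")
    if event.writer in policy.trusted_updaters:
        return ("allow", "trusted-updater")
    if (policy.allow_reputation and event.reputation is not None
            and event.reputation >= policy.reputation_threshold):
        return ("allow", "reputation")
    return ("block", "default-deny")


# Constructed events. Hashes are obviously fake; publisher and process names are invented.
EVENTS = {
    "legacy":       FileEvent(r"C:\Tools\legacy.exe", "11" * 32, None, "msiexec.exe", 90),
    "dev_build":    FileEvent(r"C:\src\build\app.exe", "22" * 32, None, "cl.exe", None),
    "release":      FileEvent(r"C:\Program Files\App\app.exe", "33" * 32,
                              "Example Corp Release Signing", "installer.exe", None),
    "dropper":      FileEvent(r"C:\Users\u\AppData\Local\Temp\inv.exe", "44" * 32,
                              None, "outlook.exe", 5),
    "self_install": FileEvent(r"C:\Users\u\Downloads\tool.exe", "55" * 32,
                              "Some Vendor Inc.", "chrome.exe", 85),
}

BASELINE = grandfather([EVENTS["legacy"]])

# Developer systems: compiler output is trusted locally, no self-service installs.
DEV_POLICY = TrustPolicy(BASELINE, frozenset({"Example Corp Release Signing"}),
                         frozenset({"cl.exe", "link.exe"}), False, 100)

# Everyone else: only signed releases, plus self-service installs above a rating.
STANDARD_POLICY = TrustPolicy(BASELINE, frozenset({"Example Corp Release Signing"}),
                              frozenset(), True, 80)


def run_demo():
    """Evaluate every constructed event under both policies."""
    return {name: {"dev": evaluate(ev, DEV_POLICY), "standard": evaluate(ev, STANDARD_POLICY)}
            for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:13s} dev={verdicts['dev']}  standard={verdicts['standard']}")
```

Note what the lesson 14 customer's arrangement buys: the unsigned developer build runs on the developer's machine through the trusted-updater rule but is blocked everywhere else, while the same program signed for release runs anywhere through the publisher rule, so no per-file exceptions are ever needed. Note also what this engine cannot see: it only evaluates file events, which is exactly the gap that reflective memory injection (lesson 13) exploits and why memory protection has to sit alongside it.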
REAL-TIME SENSOR AND RECORDER
After you place Bit9’s lightweight real-time sensor and recorder on every endpoint, server, and fixed-function
device, you’ll have immediate visibility from a single console into the files, executions, devices, and crucial system
resources on every machine. Bit9’s always-on sensor watches the arrival and (attempted) execution of files,
memory violations, process behavior, registry settings, attached devices, file changes, and more. This sensor is the
key to Bit9’s real-time detection, protection, and forensics.
BIT9 CLOUD SERVICES
Bit9’s cloud-based Software Reputation Service constantly crawls the Internet looking for software and calculates
a trust rating for it, based on attributes such as its age, prevalence, publisher, source, results of antivirus scans, and
more. Bit9 also uses threat-intelligence feeds, including one from a leading Internet research company’s malware
hash registry, to identify malicious and suspicious files. You’ll have access to all this information through the cloud-based
Bit9 Software Reputation Service, which contains billions of records and is the world’s most reliable source
of software trust.
Bit9’s Threat Indicator Service provides updates and additions to the Advanced Threat Indicators (ATI) that the Bit9
Security Platform uses to detect advanced threats and zero-day attacks. These ATIs detect advanced threats by
using a completely different approach than signature-based blacklisting technology, which is inadequate in today’s
environment.
FOUR MAJOR CAPABILITIES
VISIBILITY
Know what’s running on every computer—right now.
From a single console, Bit9 gives you immediate visibility—without any scanning or polling—into the files,
executions, and crucial system resources on every machine that is protected by Bit9. This visibility increases your
security posture by giving you the confidence that comes from knowing what has arrived and executed on every
system in your company.
DETECTION
Use real-time detection of advanced threats and zero-day attacks.
Bit9 detects advanced threats, zero-day attacks, and other malware that evades blacklisting and signature-based
detection tools. Bit9’s trust-based approach combines real-time sensors, ATI, and the Bit9 Software Reputation
Service to immediately detect advanced threats and malware. No waiting for signature file updates. No testing and
updating .dat files. Just immediate, proactive detection.
PROTECTION
Stop all untrusted software from executing.
Bit9’s proactive, trust-based security solution enables you to define the software that you trust to run in your
organization. Everything else is denied by default. This stops advanced threats and other forms of malware—
including targeted, customized attacks that are unique to your organization.
FORENSICS
A full audit trail accelerates analysis and response.
When you suspect a threat incident, Bit9 provides the information that you need to analyze, scope, contain, and
remediate the problem. You can “go back in time” to see what happened, understand what is happening right
now, isolate untrusted software, and determine the trust rating for any file.
Methods for preventing malware from being delivered to endpoints are limited and will only be partially
successful. Detecting APTs once they are operational on the network is equally problematic. But between those two
events is a golden opportunity to leverage application whitelisting. Bit9 enables you to seize this opportunity and
stop APTs in their tracks before they execute – without getting in the way of business.
ABOUT RANDY FRANKLIN SMITH
Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active
Directory. Randy publishes
www.UltimateWindowsSecurity.com and wrote The Windows Server 2008 Security Log Revealed – the only book
devoted to the Windows security log. Randy is the creator of LOGbinder software, which makes cryptic application
logs understandable and available to log-management and SIEM solutions. As a Certified Information Systems
Auditor, Randy performs security reviews for clients ranging from small, privately held firms to Fortune 500
companies, national, and international organizations. Randy is also a Microsoft Security Most Valuable
Professional.
DISCLAIMER
UltimateWindowsSecurity.com is operated by Monterey Technology Group, Inc. Monterey Technology Group, Inc.
and Bit9 make no claim that use of this whitepaper will assure a successful outcome. Readers use all information
within this document at their own risk.